BGPSec – A reality now
The Secure Inter Domain Routing (SIDR) initiative held its first BoF at IETF 64 back in November 2005, and was established as a Working Group in April 2006. Following the Youtube Hijack incident in 2008, the need to secure BGP became increasingly important and SIDR WG charter explains it well:The purpose of the SIDR working group is to reduce vulnerabilities in the inter-domain routing system. The two vulnerabilities that will be addressed are:
- Is an Autonomous System (AS) authorized to originate an IP prefix
- Is the AS-Path represented in the route the same as the path through which the NLRI traveled.
This last vulnerability was the basis for defining an AS Path validation specification which has become known as BGPsec.
BGPsec attempts to assure a BGP peer that the content of a BGP update it has received, correctly represents the inter-AS propagation path of the update from the point of origination to the receiver of the route.
So far, 39 RFCs have originated from the SIDR WG, with three drafts currently under discussion. Seven RFCs were published last month (September 2017) providing a big boost to the securing routing work:
- RFC 8205 (was draft-ietf-sidr-bgpsec-protocol) – BGPsec Protocol Specification
- RFC 8206 Continue reading
Cisco Firepower 4100 Series introduction
Today in this article I am going to talk about the Cisco Firepower 4100 series. As in my earlier articles I talk about the Cisco Firepower 2100 series and Cisco Firepower 9300 series which is one of the most powerful box in security domain.
Before we start with the Cisco 4100 series Firewall, A next generation firewall with NGFW image, below are the Cisco Firepower 2100 and Cisco Firepower 9300 articles. You can go to that articles as well for your references.
Cisco Firepower 9300 Series
Cisco 2100 Series Firepower
Cisco Firepower 2100 BOQ guide
Before we start with the Cisco 4100 series Firewall, A next generation firewall with NGFW image, below are the Cisco Firepower 2100 and Cisco Firepower 9300 articles. You can go to that articles as well for your references.
Cisco Firepower 9300 Series
Cisco 2100 Series Firepower
Cisco Firepower 2100 BOQ guide
Cisco Firepower 4100 Series is a family of four threat-focused NGFW security platforms. Their throughput range addresses data center and internet edge use cases. They deliver superior threat defense, at faster speeds, with a smaller footprint.
 |
| Fig 1.1- Cisco Firepower 4100 Series |
Cisco Firepower 4100 Series supports flow-offloading, programmatic orchestration, and the management of security services with RESTful APIs. Network Equipment Building Standards (NEBS)-compliance is supported by the Cisco Firepower 4120 platform.
Cisco Firepower 4100 series comes in various models and these models are
- Cisco Firepower 4110
- Cisco Firepower 4120
- Cisco Firepower 4140
- Cisco Firepower 4150
Let's talk about the basic features of Continue reading
Cisco Firepower 9300 Series Introduction
Today I am going to talk about the Cisco Firepower 9300 series which is one of the most powerful box by Cisco systems. Cisco Firepower 9300 is a Next Generation Firewall and has various capabilities of AVC, IPS, AMP and URL filtering with the high throughput value.
- AVC stands for Application Visibility and Control
- IPS stands for Intrusion Prevention System
- AMP stands for Advance Malware Protection
- Cisco Firepower 2100 Series
- Cisco Firepower 4100 Series
- Cisco Firepower 9300 Series
In this article, I will only talk about Cisco 9300 Firepower next generation firewalls. Although you can have two different images in the box. You can use ASA image or NGFW image in all these 3 boxes as per the requirement in your network.
Cisco Firepower 9300 is a highly scalable with carrier-grade, modular platform designed for service providers, high-performance computing centres, large data centres, campuses, high-frequency trading environments, and other environments that require low (less than 5-microsecond offload) latency and exceptional throughput.
 |
| Fig 1.1- Cisco Firepower 9300 NGFW |
Cisco Continue reading
Worth Reading: Things Network Engineers Hate
Some of the things Ethan Banks writes are epic. The latest one I stumbled upon: Things Network Engineers Hate. I particularly loved the rant against long-distance vMotion (no surprise there ;).
Our Fellows Speak: “The Internet of the Future is Feminist“
The Internet Society invited four fellows from Latin America to the Forum on Internet Freedom in Africa 2017, which was held 27-29 September in Johannesburg. Two of the fellows, Veronica Vera and Anais Cordova-Paez of the ISOC Ecuador Chapter, shared their focus of work related to Internet freedom.
By Veronica Vera and Anais Cordova-Paez, ISOC Ecuador Chapter
Actions online are equally important toactions offline, which is why talking about freedom in the Internet is talking about human rights. In a world that is reproducing violence in all fields we need to talk about freedom embracing women’s rights; in this point of history seeking freedom is seeking gender equality.
Can we talk about Internet freedom if we don’t think about how we want Internet to be? And what do we have to do to achieve it? This is a conversation we need to have, because violence against women is everywhere, in all dimensions. In the cyberspace, human rights defenders, activists, or any woman who speaks out loud about her rights becomes a target of abuse, cyberstalking, revenge pornography, body shaming, and all kinds of violence that make us realize why it is really important to have a discussion about the principles of Continue reading
SDxCentral Weekly News Roundup — October 13, 2017
Juniper cuts Q3 forecasts; Vodafone exec calls for vendors to collaborate; and ETSI to connect NFV and OSS.
Show 361: Future Of Networking With Brighten Godfrey
The Packet Pushers' Future Of Networking series continues with guest Brighten Godfrey, CTO and cofounder of Veriflow. We'll talk about intent-based networking and some of the mathematics behind this emerging approach to networking. The post Show 361: Future Of Networking With Brighten Godfrey appeared first on Packet Pushers.
Sysdig Taps its Forensic Platform for Container Security Product
Company claims breadth and depth of its platform differentiates it from rivals.
Google Wants 5G Spectrum to be Shared
“Our goal is abundant bandwidth for everyone.”
Microsoft, Cisco, HPE Top U.S. IoT Vendors, Analyst Report Says
Enterprises selected IoT vendors based on price, robustness of technology, and vendor knowledge.
A Celebration of Learning at Grace Hopper
Photo by Cloudflare Staff
Over the course of my career, I’ve been to many conferences, interacted with thousands of candidates, and attended countless keynotes, roundtables, and sessions. I can say without a doubt, that the Grace Hopper Celebration, stood out from the rest. And I think my team would agree.
During the three day event, we screened more than 50 candidates, conducted 24 onsite interviews, and had more than 600 people visit our booth. Not bad for a booth near the back competing with an AirBnB booth that had a literal house on top of it.
Before the conference, we were expecting about 200 visitors to our booth, so the turnout clearly exceeded our expectations. More importantly, we couldn’t have predicted the breadth of talent we would interact with at the conference. That’s not to say that I was surprised; Grace Hopper attracts women from all over the world, including students, seasoned professionals, hackers, engineers, and business leaders. This year was the biggest yet, with more than 12,000 attendees from across all tech sectors, backgrounds, and interests. So I certainly wasn’t surprised to meet all of these women, but I was definitely inspired.
Photo by Cloudflare Staff
My team Continue reading
Pre-Provisioning Your FEXen For Fun and Profit
In this post, I’ll discuss how to protect your income by using the FEX pre-provisioning capability of NXOS. I discovered the hard way that not pre-provisioning your FEX can have catastrophic side effects. What better story to post on Friday the 13th?
FEXy Time
Attaching a FEX to a Nexus switch is relatively simple; a few commands on each of the two switches the FEX connects to and it’s up and running. It’s also possible to pre-provision the FEX modules in the configuration. The documentation doesn’t make it entirely clear why this would be desirable, beyond the rather cryptic:
In some Virtual Port Channel (vPC) topologies, pre-provisioning is required for the configuration synchronization feature. Pre-provisioning allows you to synchronize the configuration for an interface that is online with one peer but offline with another peer.
Got that? In other words, pre-provisioning makes it possible to configure a FEX module that isn’t there yet, or that is powered down, or is only connected to one side of a VPC pair for some inexplicable reason. Maybe I’ve ordered some
(plural of FEX) and want to configure the ports ahead of time? Whatever the rationale for doing so, I’ve never previously needed pre-provisioning Continue reading
Strong Encryption Is Essential to Our Security, Not a Barrier
Encryption technologies help protect user data from theft and they help secure critical infrastructure and services that societies depend on. But, encryption is also available to criminals and terrorists. This puts law enforcement agencies in a difficult position. In effect, they are faced with the dilemma of how to gather evidence on criminals and other adversaries who may be using encryption, while at the same time, not putting the safety of law-abiding citizens at greater risk. While we at the Internet Society recognize the challenges facing law enforcement, we believe that strong encryption should be available to all Internet users as it is an important technical solution to protect their communications and data.
This dilemma was voiced by U.S. Deputy Attorney General Rod Rosenstein in a recent speech. He argued that “Encrypted communications that cannot be intercepted and locked devices that cannot be opened are law-free zones that permit criminals and terrorists to operate without detection by police and without accountability by judges and juries.”
This problem, claimed Rosenstein, can be solved with what he calls “responsible encryption.” To Rosenstein, “responsible encryption” could “involve effective, secure encryption that allows access only with judicial authorization.” Unfortunately, if Continue reading
Network Engineer Persona: Part Four
Part three introduced the first three key skills. This part presents the introduction to the last three core skills and a call to action.
Key Skill Four
I’m trying very hard to refrain from using the term DevOps, but the fundamentals of the DevOps movement are super important. The DevOps fundamental pillars are improving the flow of work, improving the quality using a feedback loop and sharing. A huge array of books have been created on the topic of DevOps in addition to blog posts and podcasts. If we view the persona of the Network Automation Engineer through the lens of the DevOps persona, the two are very similar. If we are to increase the flow of tasks and improve the quality of them using automation, then we need to be able to fix the issues close to the source of the problems and share knowledge. We do that with logging and an attitude change. Logging is critical for successful automation projects as well as attitude.
Knowing how to transmit logs, how to capture logs, how to sort through them and how to realize events from them is an entire skill. There are software stacks dedicated to this mission like Continue reading