Archive

Category Archives for "Networking"

Xen’s latest hypervisor updates are missing some security patches

The Xen Project released new versions of its virtual machine hypervisor, but forgot to fully include two security patches that had been previously made available.The Xen hypervisor is widely used by cloud computing providers and virtual private server hosting companies.Xen 4.6.1, released Monday, is flagged as a maintenance release, the kind that are put out roughly every four months and are supposed to include all bug and security patches released in the meantime."Due to two oversights the fixes for both XSA-155 and XSA-162 have only been partially applied to this release," the Xen Project noted in a blog post. The same is true for Xen 4.4.4, the maintenance release for the 4.4 branch that was released on Jan. 28, the Project said.To read this article in full or to leave a comment, please click here

Identifying the security pitfalls in SDN

Software-defined networks can be a boon to savvy organizations, offering opportunities to cut administrative costs while increasing network agility. But SDN technology can also create security risks, and how you manage those risks can mean the difference between a successful implementation and a disastrous one.To read this article in full or to leave a comment, please click here(Insider Story)

Should you worry about the Internet of Hackable Things?

If 2015 was the year of the Internet of Things, 2016 could be the year of the hacked Internet of Things. That could mean a lot of headaches for CIOs, whether they're fans of these new devices themselves or will be dealing with employees connecting them at work and managing the potential security exposure that brings. "The issue to date is that devices are vulnerable just by the fact that they exist and can connect to the Internet," says Jerry Irvine, member of the U.S. Chamber of Commerce’s Cybersecurity Leadership Council and CIO of Prescient Solutions. "Anybody can get to a device if you don't secure them properly." To read this article in full or to leave a comment, please click here

How to prevent shadow IT

Stopping the armchair IT folksImage by Mette1977 What do complex IT policies, outdated software and lack of IT-supported services have in common? They all contribute to shadow IT, which occurs when employees circumvent procedures to use unapproved services and software. The last thing employees want to do when working on a project is check in with the IT department, so how can IT provide employees with necessary resources so shadow IT is no longer an issue? These InfoSec professionals share their suggestions for preventing shadow IT before it becomes the new normal. To read this article in full or to leave a comment, please click here

Full Stacks and S-Curves

Here’s another interesting coincidence:

Homework for today: listen to the podcast, read the article, and start exploring some new technology (network automation immediately comes to mind).

IBM unveils z13s mainframe focused on security and hybrid clouds

IBM has unveiled its new z13s mainframe, which it claims offers encryption at twice the speed as previous mid-range systems, without compromising performanceThe company, which sold its x86 server business to Lenovo, continues to invest in new designs of its mainframe to handle new compute challenges. It launched in January last year, the z13, its first new mainframe in almost three years, with a new processor design, faster I/O and the ability to address up to 10TB of memory. The design of the z13 was focused on real-time encryption and embedded analytics.To read this article in full or to leave a comment, please click here

Workaround for virtualenvwrapper for windows postactivate script

Virtualenvwrapper’s windows port (virtualenvwrapper-win) helps to manage your venvs on windows platform, yet it is not so straigtforward about using hooks like postactivate. That is what official documentation has to say about this: Hooks To run some commands after mkvirtualenv you can use hooks. First you need to define VIRTUALENVWRAPPER_HOOK_DIR variable. If it is set mkvirtualenv

Ansible up and running

After much delay – I’ve finally found time to take a look at Ansible.  I’ve spent some time looking at possible platforms to automate network deployment and Ansible seems to be a favorite in this arena.  One of the primary reasons for this is that Ansible is ‘clientless’ (I’m putting that in quotes for a reason, more on that in a later post).  So unlike Chef, Puppet, and Salt (Yes – there are proxy modes available in some products) Ansible does not require an installed client on the remote endpoints.  So let’s get right into a basic lab setup.

While the end goal will be to use Ansible to automate network appliances, we’re going to start with the a more standard use case – Linux servers.  The base lab we will start with is two servers, one acting as the Ansible server and the second being a Ansible client or remote server.  Both hosts are CentOS 7 based Linux hosts.  So our base lab looks like this…

image
Pretty exciting right?  I know, it’s not, but I want to start with the basics and build from there…

Note: I’ll refer to ansibleserver as Continue reading

Will Public Cloud Make Us Prisoners Of Pricing?

Let's say the vast majority of compute workloads in the world migrates to public cloud. Will public cloud pricing then become extortionate? Seems plausible if you assume that the technical talent migrates to public cloud companies. In that scenario, public cloud consumers are beholden to their technical master and would have to pay whatever is asked so that they can get their business done. However, I think the situation is more complex than that...

Securing BGP: A Case Study (3)

To recap (or rather, as they used to say in old television shows, “last time on ‘net Work…”), this series is looking at BGP security as an exercise (or case study) in understanding how to approach engineering problems. We started this series by asking three questions, the third of which was:

What is it we can actually prove in a packet switched network?

From there, in part 2 of this series, we looked at this question more deeply, asking three “sub questions” that are designed to help us tease out the answer this third question. Asking the right questions is a subtle, but crucial, part of learning how to deal with engineering problems of all sorts. Those questions can be summed up as:

  • Is the path through this peer going to pass through someone I don’t want it to pass through?
  • Is the path this peer is advertising a valid route to the destination?

Let’s quickly look at the first of these two to see why it’s not provable in the context of a packet switched network, using the network diagram below.

bgp-sec-02

When working with BGP at Internet scale, we tend to think of an autonomous system as one “thing”—we Continue reading

VoIP phone with default password can be used for covert surveillance

If you’d like an attacker to eavesdrop on your calls made on VoIP phones, then leave the default password in place. If not, then change it.Using default or weak passwords will continue to bite companies, but this time instead of spying via IP cameras, it was enterprise-grade VoIP phones being pwned. When a client asked information security consultant Paul Moore how to improve security without disrupting ease of VoIP phone deployment, Moore discovered the company was using the default password.To read this article in full or to leave a comment, please click here

Worth Reading: Virtualization Slides

Server virtualization is a relatively heavy way to drive up utilization on servers, and it has been particularly well suited for Windows workloads where various container technologies have not yet been brought to bear. … While enterprises are not apt to change platforms quickly, the slowing growth in server virtualization means they have virtualized the stacks they can and that they are probably looking at how they might deploy containers either on top of or instead of virtual machines. -via the next platform

The post Worth Reading: Virtualization Slides appeared first on 'net work.

New to Openstack and worried about networking pre-setup? Try VXLAN or GRE first!


As an avid developer/coder I tend to try out various languages. I do have my favorites but when I embark on a new tool or language the first experience definitely leaves behind a mark. Failing at  getting something to work in the very first try is fine as long as you don't end up hating the technology. I guess I've iterated this over and over again on other posts but networking is complex and hard. Getting it right does require some (not really, it's actually a lot :-) ) amount of experimentation. With technologies changing every so often it's imperative to at least give them a try if not jump the train and adopt them.

Openstack being an opensource project as massive as the linux kernel it does have a ton of features. The neutron component that facilitates networking is quite a handful for beginners and it gets even messier when you will need to configure neutron to work with the network architecture that is already present in your datacenter. Getting a production ready neutron setup with say VLAN backed networks is a handful. After working with Neutron for some time now, i've realized that it isn't as bad Continue reading

CCDE – DMVPN Crypto Design Considerations

This post will describe some of the crypto design considerations for DMVPN.

DMVPN Overview and Crypto Overhead

First let’s have a quick recap of what Dynamic Multipoint VPN (DMVPN) is. DMVPN is an overlay technology where multi point GRE tunnels are used to form an overlay where a routing protocol will run across the overlay. DMVPN is a hub and spoke technology where the DMVPN hub acts as a centralized control plane. DMVPN uses Next Hop Resolution Protocol (NHRP) to register the IP addresses of the spokes with the hub. When a router looks in its routing table, the next-hop will be the IP address of the tunnel, not the real outside IP which must be used for the GRE encapsulation. To find the outside IP of the spoke, NHRP is used to resolve the next-hop to the real outside IP.

DMVPN runs over public transport. This means that it’s possible to snoop the traffic while in transit. To prevent this from happening, DMVPN is often combined with IPSec to encrypt the packets. IPSec can run in two modes, transport mode and tunnel mode. In transport mode, the original IP header is not encrypted and there is no additional IP Continue reading

Meet the Engineering Team at Citrix NetScaler

@mrtugs Tweet on Citrix

We had some great vendor presentations at Networking Field Day 11 and in the face of some pretty stiff competition, Citrix won my inaugural Best surprise award, which I have just invented.

Citrix NetScaler

It’s not that the Citrix NetScaler Application Delivery Controller (ADC) is a particularly unique product; after all, I could as easily implement load balancing with the open source HAProxy, and there are impressive ADC hardware vendors in the commercial space, including the ubiquitously expensive F5 Networks and disruptive challenger A10 Networks. What grabbed my interest me however were the performance statistics of the NetScaler appliances, and specifically the process through which the performance was achieved by the Citrix engineering team.

Intel DPDK

If I might side track for a moment, at Networking Field Day 10, Intel discussed their DPDK (Data Plane Development Kit) designed to optimize soft-switched packet performance on their CPUs. Intel had noted that the performance of Open vSwitch (OVS) was nowhere near the native ability of the CPU, and consequently they invested time analyzing in scary detail exactly how packets flowed in order to find out where the bottlenecks were, and to see whether those could be eliminated or optimized in Continue reading

1 2,782 2,783 2,784 2,785 2,786 3,443