Another way to protect your SSH keys
Let's say you don't have a TPM chip, or you hate them, or for some other reason don't want to use it to protect your SSH keys. There's still hope! Here's a way to make it possible to use a key without having access to it. Meaning if you get hacked the key can't be stolen.
No TPM, but key can't be stolen anyway? Surely this is an elaborate ruse? Well yes, it is. My idea is that you essentially bounce off of a Raspberry Pi.
But doing that straightforward is too easy. I've instead made an SSH proxy, and will show you how to automatically bounce off of it. You could do the same by setting up a second SSH server (or the same one), and hack around with PAM and a restricted shell. But this solution can be run as any user, with just the binary and the set of keyfiles. Very simple.
The goal here is to log in to shell.foo.com from your workstation via
a Raspberry Pi. The workstation SSH client presents its SSH client key to the SSH Proxy
on the Raspberry Pi, and if allowed will connect on and present the SSH Continue reading
Docker essentials – Images and Containers
I’ll admit, I jumped into docker pretty quickly and found that I was getting a little ahead of myself. After much googling and discussion, I’ve come to realize a couple things about docker that I think are well worth sharing. I’m hoping to share them through a series of ‘Docker Essentials’ type posts.
NOTE: My first post was going to be about how to interact with docker on the CLI. However, there are lots of other resources out there for that. Namely, the really awesome docker documentation. In addition, the CLI provides help/syntax on commands as well. I’ll list a couple of resources that I used and try to explain along the way, but if you don’t recognize a command I’m using look it up!
The docker user guide – http://docs.docker.com/userguide/
The docker CLI reference – https://docs.docker.com/reference/commandline/cli/
The docker guide book – https://github.com/kencochrane/docker-guidebook
Working with images and Containers
On first glance, I made some assumptions about this images and containers that proved to be wrong. So let’s start with some basics.
Images are read-only. That is, they can never be altered. Containers are built using Continue reading
Port mirroring with Linux bridges
Port mirroring with the most popular Linux bridge implementations.Thought: Why Are There No Good Open Source BGP Implementations ?
It is common wisdom that BGP is awesome because, you know, … something. It runs the Internet therefore it must good. It can be extended and that makes it good. Lots of vendors use it ….. Hang on. When you think about it there are no good, solid BGP implementation in open source. Quagga is […]
The post Thought: Why Are There No Good Open Source BGP Implementations ? appeared first on EtherealMind.
HTIRW: DNS Reverse Lookups and Whois
In our last episode, we discussed how DNS is paid for in the real world — who builds, maintains, and manages all those servers that allow us to put in a domain name, and end up with a web page? This post will look at two other tools or protocols in the DNS system that […]
Author information
Change of focus
I have decided to change my focus quite a bit.
I was planning on tackling the IOS-XR exam this year and was preparing for it by going through the blueprint. However another track kept pulling me towards it, and ofcourse thats the CCDE track.
I have spent the last 6 years learning how to do something, but so far i havent spent alot of time thinking about why that is.
I am not doing the CCDE track in order to pass the exam. I might not even go as far as giving the practical exam a go. I am however going to pursue the written exam for now, as it will give me a target for which to learn new stuff.
To that end, a few of us have created a study group, which im very thrilled about. It will provide an outlet for any ideas and thoughts as well as input. All in all great stuff.
So thats a quick update 
Visibility, Trustship,Sub optimality or whatever you want to call it.
To be honest I really tried hard to find a name for this article. Maybe it is not convenient and if you have better idea please let me know in the comment. I want to mention sub optimality and stretch in the networks while using routing protocols but the idea actually came to me from […]
Author information
The post Visibility, Trustship,Sub optimality or whatever you want to call it. appeared first on Packet Pushers Podcast and was written by Orhan Ergun.
Where to Start with SDN
For the 3rd installment on my three part SDN series, building on A Business Case for SDN, and the SDN Ecosystem, the most practical way to start exploring an SDN deployment is with a proof of concept (POC). But even if you have the approval to go ahead with an SDN POC, it can be difficult to know where to start. Let’s cut through the uncertainty and lay out what it takes to do a successful SDN POC.
Identify a pain point
Start by identifying a key pain point in networking that you’d like to address with SDN. For example, you might want to improve campus security, or improve the performance of collaborative tools, or streamline your data center. Specific tasks in these areas include adding a network tap, increasing the speed of a LAN link, or reassigning VLANs.
We’ll assume you have surveyed business unit leaders, ranked overall IT strategies and come back with one SDN application to start your evolution. Similar to a cloud or BYOD initiative, giving visibility for SDN can help you bring the company together, and can also build support for improving how IT can drive the business. If you understand the Continue reading
ANET Cloud Infrastructure – Arista Definition of ACI
You may have noticed Arista being uncharacteristically quiet throughout an imposed “quiet period” leading up to our IPO (ANET). While the industry continued to speak out on behalf of, or against, Arista, the company remained true to its focus on solving customer problems through disruptive cloud networking architectures and technology. Enabling innovative applications to take advantage of modern networking through Arista EOS remains a key priority for the company.
The migration from legacy “policy per application” to universal cloud networks is crystal clear and underway. The classical 1990s web, file and database tier in client-server architectures, with north-south traffic, is migrating to universal workflow telemetry and workload automation for east-west, server-to-server traffic of the 21st Century. This is particularly true as networks move to mandates of terabit scale for data, control, and management. Arista invented the concept of “Leaf-Spine” and late last year introduced the “SplineTM” as architectures to support these next generation network requirements. Five years later others are still trying to mimic the approach but lack the fundamental software or scale to achieve it.
Through the years we’ve witnessed many failed attempts to lock-in customers with proprietary fabrics (FabricPath, QFabric, etc.) and once again we are witnessing Continue reading
Switch Prices Will Get Cheaper. Design Models Will Change.
For the last 20 years, L2 tree-based network topologies meant that the only practical design methodology was to buy large, vertically scaled switch chassis for the core of the data centre. This limitation was largely due to the tree-structure forced on LAN networking by Spanning Tree Protocol. For every new device at point Access/1 we […]
The post Switch Prices Will Get Cheaper. Design Models Will Change. appeared first on EtherealMind.
Show 192 – Logging Design & Best Practices
Jay Swan, Lennart Koopman, and Wes Kennedy join the Packet Pushers co-hosts Ethan Banks and Greg Ferro in this discussion of effectively managing event logging. Why discuss logging on a show about networking? Because networking has a huge volume of logs coming from routers, switches, and firewalls that need to be managed. And frankly, it’s […]
Author information
The post Show 192 – Logging Design & Best Practices appeared first on Packet Pushers Podcast and was written by Ethan Banks.
Not So Random Thoughts on Privacy and Positioning
Earlier this month at the Apple’s Worldwide Developer’s Conference (WWDC) it was uncovered by Frederic Jacobs that with the upcoming Apple iOS8 operating system, Apple devices will be able to, as a privacy mechanism, hide or mask their MAC address...The Disconnect. Good Enough Is Good Enough.
A Meeting room. Discussing the possible options for product and vendor strategy. Company urgently needs to avoid capital expenditure and reduce maintenance costs. The engineer across the table is wearing a vendor t-shirt, a few years old and looks a bit tatty. The table and chairs are tired and a bit worn. I took a […]
Author information
The post The Disconnect. Good Enough Is Good Enough. appeared first on Packet Pushers Podcast and was written by Greg Ferro.
6125XLG console/aux port access for IRF renumber
For HP Blade enclosures, the 6125XLG can be used as a non-blocking 10G blade server access switch with 4x40G uplink ports. Since it is based on Comware 7 (very similar to the 5900AF model, but in a blade switch form … Continue reading
Getting Started with Docker
It can’t be helped. There’s just too much cool stuff out there and not enough time to spend dedicating myself to one piece of technology. That being said, I fully intend on continuing the Chef posts, but Im going to be mixing in some docker posts as well. Im hoping that there’s some cross-connect as well where we can talk about using docker in conjunction with Chef as well.
Docker is something that I haven’t seen before. From what I have seen so far, it appears to be an incredibly easy way to containerize applications and software on a linux system. The docker website summarizes docker as..
“An open platform for distributed applications for developers and sysadmins.”
That summarizes things nicely, but again, why is a network guy interested in this? First off, I’m a little tired of VMware. Don’t confuse me being tired with a general dislike of the product. I’ve been using VMware for years and for the most part, it works well and provides the functions I need. On the flip side, Im not convinced there’s anything particularly special about VMware.
I’ve been using ProxMox at home for some time and it does everything that I Continue reading
What’s in a Name?
Most home users select their wireless network name without much thought to the actual name except to make it easy for them to see and connect to. So many people never think that the networks name also known as the Service Set Identifier or SSID could be a security risk. Okay, a security risk may be a reach, but let’s just say some SSIDs are more secure than others, and I will list some dos and don’ts when selecting an SSID.
Before the list lets discuss what makes the SSID important. Hackers need to gather several pieces of information including the SSID to crack a networks WPA/WPA2 password. Hackers have pre-configured tables with this information including common or default SSID names and if you’re using one of these common names you have made their job easier and your network more of a target.
- Do change the SSID from the factory set default wireless network name.
- Don’t select a name in top 1000 most common SSIDs. Now this list is very long and at first glance you will notice a lot of factory given default names (dlink, Linksys, 2wire, Netgear, etc…), so as mentioned above change the default name.
- Don’t use your Continue reading
Internets of Interest for 12th June 2014
Collection of useful, relevant or just fun places on the Internets for 12th June 2014 and a bit commentary about what I’ve found interesting about them: Will Network Engineers Become Programmers? « ipSpace.net by @ioshints – Ivan explains his view on the ways that network folks will work with programmers. I think he describes […]
The post Internets of Interest for 12th June 2014 appeared first on EtherealMind.
Amid raging violence, Iraq orders Internet shutdowns
Update (10:00ET, 14-Jun-2014): See below for a copy of Friday’s Iraqi MoC order to disconnect social media.
Iraq is descending into further violence, as militant group ISIL takes control of Mosul and beyond. Renesys has observed two large Internet outages this week (here and here) that our sources confirmed to be government-directed outages. These interruptions appear to coincide with military operations, amid concerns that ISIL forces are using Internet websites to coordinate their attacks.
2nd massive outage this week in Iraq at 14:27UTC lasted over 3hrs. ISPs Earthlink, IQNetworks impacted pic.twitter.com/pR8ab7jFAa
— Renesys Corporation (@renesys) June 12, 2014
#iraq-i government to shutdown internet in #Nenwah #Kirkuk #salah_al_deen #alanbar #leaked -no prove- #email #ISIS pic.twitter.com/eM3OqkVzyo
— Jassey (@eng_mohamedarif) June 12, 2014
The screencapture image in this tweet shows an email message announcing the latest shutdown. It reads:
Dear Valued customers
Due to the current security situation in iraq and as per the MOC instruction sent by the PM Mr Nori Kamel Al-Maliki ,the internet service will be suspended for the below provinces until further notice starting from today Thursday 12/6/2014 , Continue reading
Musing: Cisco Playing the Underdog
Couple of quotes from John Chambers keynote during Cisco Live that I seemed to leap out at me: “You are going to see a brutal, brutal consolidation of the IT industry where out of the top five players, only two or three of us will be meaningful in as quick as five years.” “When we […]
The post Musing: Cisco Playing the Underdog appeared first on EtherealMind.
Coffee Break Show 9
This is “The Coffee Break”. A podcast on state of the networking business where we discuss vendors moves and news, analysis on product and positioning, and look at the business of networking. In the time it takes to have coffee break. Show Links Cisco’s 3 Commandments – Drew’s take on Chambers’ CLUS keynote Cisco Faces […]
Author information
The post Coffee Break Show 9 appeared first on Packet Pushers Podcast and was written by Greg Ferro.