Basic Trustsec – Implementing Manual SGTs and SGACLs

Trustsec is a mature and interesting policy mechanism available in most Cisco gear. The features and capabilities vary depending on device type and class. One of the frustrations I have is that almost every Trustsec reference I find focuses on the use of ISE. While I consider ISE a key component, I think a manual configuration is a better way to understand the components of the solution.

This post is the first in a series that will go through the configuration of Trustsec in various places in the network. I hope to examine classification and tag assignment, propagation techniques and enforcement. Ultimately, I will introduce ISE but it will be the tool that makes this technology dynamic and robust. The goal is to build a better foundation by taking a step by step approach into the world of Trustsec.

In this article, I will simply build a network with a Catalyst 9300 and two devices. One device will be assigned an SGT of 2 and the other will receive an SGT of 3. I understand that many are concerned about the fact that they don’t have this class of switch at the access layer. Future articles will address how Trustsec Continue reading

Basic Trustsec – Implementing Manual SGTs and SGACLs

Trustsec is a mature and interesting policy mechanism available in most Cisco gear. The features and capabilities vary depending on device type and class. One of the frustrations I have is that almost every Trustsec reference I find focuses on the use of ISE. While I consider ISE a key component, I think a manual configuration is a better way to understand the components of the solution.

This post is the first in a series that will go through the configuration of Trustsec in various places in the network. I hope to examine classification and tag assignment, propagation techniques and enforcement. Ultimately, I will introduce ISE but it will be the tool that makes this technology dynamic and robust. The goal is to build a better foundation by taking a step by step approach into the world of Trustsec.

In this article, I will simply build a network with a Catalyst 9300 and two devices. One device will be assigned an SGT of 2 and the other will receive an SGT of 3. I understand that many are concerned about the fact that they don’t have this class of switch at the access layer. Future articles will address how Trustsec Continue reading

Basic Trustsec – Implementing Manual SGTs and SGACLs

Trustsec is a mature and interesting policy mechanism available in most Cisco gear. The features and capabilities vary depending on device type and class. One of the frustrations I have is that almost every Trustsec reference I find focuses on the use of ISE. While I consider ISE a key component, I think a manual configuration is a better way to understand the components of the solution.

This post is the first in a series that will go through the configuration of Trustsec in various places in the network. I hope to examine classification and tag assignment, propagation techniques and enforcement. Ultimately, I will introduce ISE but it will be the tool that makes this technology dynamic and robust. The goal is to build a better foundation by taking a step by step approach into the world of Trustsec.

In this article, I will simply build a network with a Catalyst 9300 and two devices. One device will be assigned an SGT of 2 and the other will receive an SGT of 3. I understand that many are concerned about the fact that they don’t have this class of switch at the access layer. Future articles will address how Trustsec Continue reading

IETF 101, Day 1: Would you IPv6 it?

It’s another packed week at IETF 101 in London, and we’re bringing you daily blog posts highlighting the topics of interest to us in the ISOC Internet Technology Team. Monday is a very full day with two important IPv6 working groups, one on IoT, a couple on routing, and another couple related to crypto.

The week begins bright and early at 09.00 GMT/UTC with V6OPS, although it has a relatively light agenda with a discussion on implementing IPv6-preferred data centres to start the meeting, and 7 drafts on which comments are being requested.
The couple of new drafts are Requirements for IPv6 Routers that defines a set of recommendations for routers, switches, and middleboxes deployed in IPv6 networks; and Using Conditional Router Advertisements for Enterprise Multihoming that proposes a solution to the problem of enterprise multihoming without address translation by using Router Advertisements to influence the host source address.

NOTE: If you are unable Continue reading

Route-based VPN on Linux with WireGuard

In a previous article, I described an implementation of redundant site-to-site VPNs using IPsec (with strongSwan as an IKE daemon) and BGP (with BIRD) to achieve this: ?

Redundant VPNs between 3 sites

The two strengths of such a setup are:

  1. Routing daemons distribute routes to be protected by the VPNs. They provide high availability and decrease the administrative burden when many subnets are present on each side.
  2. Encapsulation and decapsulation are executed in a different network namespace. This enables a clean separation between a private routing instance (where VPN users are) and a public routing instance (where VPN endpoints are).

As an alternative to IPsec, WireGuard is an extremely simple (less than 5,000 lines of code) yet fast and modern VPN that utilizes state-of-the-art and opinionated cryptography (Curve25519, ChaCha20, Poly1305) and whose protocol, based on Noise, has been formally verified. It is currently available as an out-of-tree module for Linux but is likely to be merged when the protocol is not subject to change anymore. Compared to IPsec, its major weakness is its lack of interoperability.

It can easily replace strongSwan in our site-to-site setup. On Linux, it already acts as a route-based VPN. As a first Continue reading

Worth Reading: Magical Thinking in Internet Security

Someone pointed me to this article by dr. Paul Vixie (of the DNS fame). The best part (as I’m not a security person):

The TCO of new technology products and services, including security-related products and services, should be fudge-factored by at least 3X to account for the cost of reduced understanding. That extra 2X is a source of new spending: on training, on auditing, on staff growth and retention, on in-house integration.

In case you didn’t get it: figure out how much you think the magic unicorn-based software-defined solution will cost, then multiply it by three. Of course nobody wants to admit that.

Let’s Reform the IGF to Ensure Its Healthy Future

It seems like yesterday we were in Tunis at the 2005 World Summit on the Information Society (WSIS), where I was involved in the negotiations that led to the formation of the Internet Governance Forum (IGF). When I look back at the evolution of Internet governance since then, it is amazing!

But the decisions we have made before are in constant scrutiny of the reality check. Geopolitical forces around the world have been changing and increased challenges with rapid Internet evolution have impacted global society as never before. Nevertheless, the IGF community is showing signs of fatigue – less government and high level attendance, difficulties to confirm the host country in advance, fewer contributions for the intersessional work – while there are heated debates on the Internet front regarding cybersecurity, the digital economy, and the future of jobs and education with IoT and AI.

Thus, it is urgent that the community takes the responsibility of introducing the reform the IGF needs to continue its brilliant journey. The IGF has an amazing opportunity ahead to adapt and inspire people to work effectively in support of people-centered development.

The world is much better with the IGF than without it!

The IGF Continue reading

MPLS explained

The thing about MPLS is that it’s a technique, not a service — so it can deliver anything from IP VPNs to metro Ethernet. It's expensive, so with the advent of SD-WAN enterprises are trying to figure how to optimize its use vs. less expensive connections like the internet.Did you ever order something online from a distant retailer and then track the package as it makes strange and seemingly illogical stops all over the country.That’s similar to the way IP routing on the Internet works. When an internet router receives an IP packet, that packet carries no information beyond a destination IP address. There is no instruction on how that packet should get to its destination or how it should be treated along the way.To read this article in full, please click here

MPLS explained

The thing about MPLS is that it’s a technique, not a service — so it can deliver anything from IP VPNs to metro Ethernet. It's expensive, so with the advent of SD-WAN enterprises are trying to figure how to optimize its use vs. less expensive connections like the internet.Did you ever order something online from a distant retailer and then track the package as it makes strange and seemingly illogical stops all over the country.That’s similar to the way IP routing on the Internet works. When an internet router receives an IP packet, that packet carries no information beyond a destination IP address. There is no instruction on how that packet should get to its destination or how it should be treated along the way.To read this article in full, please click here

We’ve Added a New CCIE Security Course to Our Video Library!

This course is part of INE’s CCIE Security v5 Technology Series. This series consists of several modules focused on many different aspects of the Group Encrypted Transport VPN (GETVPN) technology, such as operations, configuration, and redundancy. The course covers all important and exam-relevant topics and technologies, including GETVPN Data & Control Plane Components, Registration, IPv6 support, COOP KS, G-IKEv2, implementation, verification, and more, such as design considerations.


 

This course is taught by Poitr Kaluzny and is 2 hours and 38 minutes long. For those who are INE All Access Pass members, you can watch this course on the streaming site. This course is also available for purchase at ine.com.

About The Instructor

Piotr Kaluzny started his networking career during his studies. He was able to get his first job in production right after graduating in 2007 (Piotr holds MSc in Computer Science). He progressed his career by working in different routing & switching and security roles, with responsibilities ranging from operations and engineering to consulting and management. Since the beginning, Piotr has focused heavily on the security track. He passed the CCIE Security certification exam (#25565) in 2009 on his first attempt.



Piotr already has an extensive Continue reading

Link Propagation 110

Welcome to Link Propagation, a Packet Pushers newsletter. Link Propagation is included in your free membership. Each week we scour the InterWebs to find the most relevant practitioner blog posts, tech news, and product announcements. We drink from the fire hose so you can sip from a coffee cup. A note from Greg Why Link […]

How Spectre And Meltdown Mitigation Hits Xeon Performance

It has been more than two months since Google revealed its research on the Spectre and Meltdown speculative execution security vulnerabilities in modern processors, and caused the whole IT industry to slam on the brakes and brace for the impact. The initial microbenchmark results on the mitigations for these security holes, put out by Red Hat, showed the impact could be quite dramatic. But according to recent tests done by Intel, the impact is not as bad as one might think in many cases. In other cases, the impact is quite severe.

The Next Platform has gotten its hands on

How Spectre And Meltdown Mitigation Hits Xeon Performance was written by Timothy Prickett Morgan at The Next Platform.

Rough Guide to IETF 101: DNSSEC, DANE, DNS Security and Privacy

It’s going to be a crazy busy week in London next week in the world of DNS security and privacy! As part of our Rough Guide to IETF 101, here’s a quick view on what’s happening in the world of DNS.  (See the full agenda online for everything else.)

IETF 101 Hackathon

As usual, there will be a good-sized “DNS team” at the IETF 101 Hackathon starting tomorrow. The IETF 101 Hackathon wiki outlines the work (scroll down to see it). Major security/privacy projects include:

  • Implementing some of the initial ideas for DNS privacy communication between DNS resolvers and authoritative servers.
  • Implementation and testing of the drafts related to DNS-over-HTTPS (from the new DOH working group).
  • Work on DANE authentication within systems using the DNS Privacy (DPRIVE) mechanisms.

Anyone is welcome to join us for part or all of that event.

Thursday Sponsor Lunch about DNSSEC Root Key Rollover

On Thursday, March 22, at 12:30 UTC, ICANN CTO David Conrad will speak on “Rolling the DNS Root Key Based on Input from Many ICANN Communities“. As the abstract notes, he’ll be talking about how ICANN got to where it is today with the Continue reading

Is NRE The Evolution Of A Network Architect?

While the various concepts behind automation and programmability have trickled into the network space at an exponential rate, enterprises have been left scratching their heads regarding the most effective way to incorporate these ideas into their teams.  Do you send your entire team on a week long Python retreat and assume everyone can immediately start […]

Short-term Internet Shutdown in Bali Tied to Holiday

The Indonesian province of Bali has asked mobile providers to shut down customers’ access to the Internet during Nyepi, a Hindu holiday known as the Day of Silence.

Mobile Internet access will be cut off at 6 a.m. local time Saturday, March 17, and the island’s airport will also close for 24 hours during the New Year celebration. Other Internet access will be available during the holiday, the Bali government said.

Internet advocates oppose shutdowns, saying they can hurt local economies and endanger users who depend on connections to contact emergency and health services. Internet shutdowns cost countries $2.4 billion in 2015, according to a Brookings Institute study.

“In a globally connected world, social and economic freedoms depend on reliable access to the Internet,” Sally Shipman Wentworth, the Internet Society’s vice president of global policy development, wrote in Quartz recently. “The internet is the lifeline to the global economy and each shutdown contributes to a more divided world.”

Without Internet access, many business activities are also disrupted, she said. Digital payments can’t be made, contracts can’t be signed, and data in the cloud can’t be accessed.

Although the Internet outage in Bali is limited, it can Continue reading

1 1,676 1,677 1,678 1,679 1,680 3,832