The Network Architect Part 2

I got some great comments from my readers on the first part of this post. I love engaging with readers! So I thought I would write a part two to explain some of my thinking which I described in some of the comments.

Does a network architect need to be technical?

Yes, he/she needs to be technical but what does that mean? Let’s say that two datacenters need to be connected. Layer two needs to be stretched between the two DCs. The architect should be able to know different solutions to the problem such as using fibres between the two DCs, clustering technologies, TRILL, OTV and so on. Does the architect need to be able to configure OTV off the bat? Nope. Does the architect need to know what different timers OTV uses? Nope. Those are not things that need to be considered at that point in time. Now, often the architect is involved in the actual design as well and in that case the architect is involved in creating the design and documenting what commands are needed and so on. So the architect needs to be technical but not super technical.

Does the network architect need operational experience?

Preferably Continue reading

Help Five Projects Connect the World

At Bilkent University in Ankara, students sit at desks littered with bookbags and bottles of water. It looks like a typical classroom, except for the makeup of the students – school-age girls – and when the instructor asks a question, the room comes alive. “Who wants to code again after today?”

The hands shoot up.

The students are participating in Coding Sisters, a program that teaches coding to girls. Soon they are grinning as they raise their certificates of completion into the air. They yell in unison, “Hello world!”

The project was funded by the Internet Society’s Digital schools!” Chapterthon 2017, in partnership with Wikimedia Foundation. From October to November 2017, 30 projects from around the world came together to bring educational opportunities to children, especially girls. Chapterthon has been nominated for a series of prizes to be given out at the World Summit on the Information Society (WSIS), an annual United Nations-sponsored summit focused on the role information and communication plays in our world. TheWSIS Prizes recognize individuals and organizations that advance the Sustainable Development Goals: 17 global goals dedicated to building a better world by 2030.

Four other innovative, Internet Society-funded projects Continue reading

Gimmicky IoT devices detract from IoT’s real potential

Making fun of silly implementations of the Internet of Things (IoT) is easier than shooting fish in a barrel. No matter how ridiculous the last IoT device may seem, there’s always something even more outré in the works.That’s fine — up to a point. It doesn’t necessarily hurt for IoT to enter people’s lives in friendly, non-threatening, non-mission-critical applications. Ideally, that can make IoT seem approachable instead of creepy, mildly useful instead of invasive.Also on Network World: Forget the CES hype, IoT is all about industry But there’s a limit to this approach. The endless parade of pointless IoT gimmicks threatens to trivialize the technology, leading consumers (and business people) to dismiss the IoT as the realm of smart toothbrushes and smart hairbrushes and smart refrigerators — and internet-connected toilets.To read this article in full, please click here

Explain Cisco ETA to Me in a Way That Even My Neighbor Can Understand It

Cisco Encrypted Traffic Analytics (ETA) sounds just a little bit like magic the first time you hear about it. Cisco is basically proposing that when you turn on ETA, your network can (magically!) detect malicious traffic (ie, malware, trojans, ransomware, etc) inside encrypted flows. Further, Cisco proposes that ETA can differentiate legitimate encrypted traffic from malicious encrypted traffic.

Uhmm, how?

The immediate mental model that springs to mind is that of a web proxy that intercepts HTTP traffic. In order to intercept TLS-encrypted HTTPS traffic, there’s a complicated dance that has to happen around building a Certificate Authority, distributing the CA’s public certificate to every device that will connect through the proxy and then actually configuring the endpoints and/or network to push the HTTPS traffic to the proxy. This is often referred to as “man-in-the-middle” (MiTM) because the proxy actually breaks into the encrypted session between the client and the server. In the end, the proxy has access to the clear-text communication.

Is ETA using a similar method and breaking into the encrypted session?

In this article, I’m going to use an analogy to describe how ETA does what it does. Afterwards, you should feel more comfortable about how Continue reading

Automation Win: Cleanup Checkpoint Configuration

Gabriel Sulbaran decided to tackle a pretty challenging problem after watching my Ansible for Networking Engineers webinar: configuring older Checkpoint firewalls.

I had no idea what Ansible was when I started your webinar, and now I already did a really simple but helpful playbook to automate changing the timezone and adding and deleting admin users in a Checkpoint firewall using the command and raw modules. Had to use those modules because there are no official Checkpoint module for the version I'm working on (R77.30).

Did you automate something in your network? Let me know!

Explain Cisco ETA to Me in a Way That Even My Neighbor Can Understand It

Cisco Encrypted Traffic Analytics (ETA) sounds just a little bit like magic the first time you hear about it. Cisco is basically proposing that when you turn on ETA, your network can (magically!) detect malicious traffic (ie, malware, trojans, ransomware, etc) inside encrypted flows. Further, Cisco proposes that ETA can differentiate legitimate encrypted traffic from malicious encrypted traffic.

Uhmm, how?

The immediate mental model that springs to mind is that of a web proxy that intercepts HTTP traffic. In order to intercept TLS-encrypted HTTPS traffic, there's a complicated dance that has to happen around building a Certificate Authority, distributing the CA's public certificate to every device that will connect through the proxy and then actually configuring the endpoints and/or network to push the HTTPS traffic to the proxy. This is often referred to as “man-in-the-middle” (MiTM) because the proxy actually breaks into the encrypted session between the client and the server. In the end, the proxy has access to the clear-text communication.

Is ETA using a similar method and breaking into the encrypted session?

In this article, I'm going to use an analogy to describe how ETA does what it does. Afterwards, you should feel more comfortable about how Continue reading

It’s Hard To Change The Keys To The Internet And It Involves Destroying HSM’s

It’s Hard To Change The Keys To The Internet And It Involves Destroying HSM’s

It’s Hard To Change The Keys To The Internet And It Involves Destroying HSM’sPhoto by Niko Soikkeli / Unsplash

The root of the DNS tree has been using DNSSEC to protect the zone content since 2010. DNSSEC is simply a mechanism to provide cryptographic signatures alongside DNS records that can be validated, i.e. prove the answer is correct and has not been tampered with. To learn more about why DNSSEC is important, you can read our earlier blog post.

Today, the root zone is signed with a 2048 bit RSA “Trust Anchor” key. This key is used to sign further keys and is used to establish the Chain of trust that exists in the public DNS at the moment.

With access to this root Trust Anchor, it would be possible to re-sign the DNS tree and tamper with the content of DNS records on any domain, implementing a man-in-the-middle DNS attack… without causing recursors and resolvers to consider the data invalid.

As explained in this blog the key is very well protected with eye scanners and fingerprint readers and fire-breathing dragons patrolling the gate (okay, maybe not dragons). Operationally though, the root zone uses two different keys, the mentioned Trust Anchor key (that is called the Key Signing Key or KSK for Continue reading

IBM’s 2018 Rollout Plan For Power9 Systems

In a way, the processor market started moving in slow motion through 2017 as server makers and their customers were awaiting a veritable cornucopia of processor options, something the industry has not seen in many a year. We have been predicting that there would be a Cambrian Explosion of compute, first in 2017, but it has taken a bit longer for many of these processors to come to market and it looks like 2018 might be the year.

This might be, in fact, the year when IBM’s Power RISC processors see a long-awaited resurgence, and frankly, if it doesn’t happen

IBM’s 2018 Rollout Plan For Power9 Systems was written by Timothy Prickett Morgan at The Next Platform.

The Network Architect

What’s the difference between a network architect and a network designer? What is network architecture and what is network design? These are questions I asked myself a couple of years ago and that I get asked frequently from others. The reason I wanted to write this post is to help people that want to be network architects understand what it is about. I also wanted to help people that are studying for the CCDE to get into the right mindset. If you go in to the practical with the mindset of a designer, you will fail. You need to think like an architect.

This post is not about if an architect is more advanced than a designer. They are both needed and often they are the same person. I work as both but my title is network architect. Some people use the title to indicate it’s a senior role although the role might not be heavily geared towards design.

So what does a network architect do? And how is that different from the network designer?

The network architect is the one that is fronting the business. What does this mean? The network architect is the one that is meeting stakeholders Continue reading

New Memory Challenges Legacy Approaches to HPC Code

From DRAM to NUMA to memory non-volatile, stacked, remote, or even phase change, the coming years will bring big changes to code developers on the world’s largest parallel supercomputers.

While these memory advancements can translate to major performance leaps, the code complexity these devices will create pose big challenges in terms of performance portability for legacy and newer codes alike.

While the programming side of the emerging memory story may not be as widely appealing as the hardware, work that people like Ron Brightwell, R&D manager at Sandia National Lab and head of numerous exascale programming efforts do to expose

New Memory Challenges Legacy Approaches to HPC Code was written by Nicole Hemsoth at The Next Platform.

Top 5 From The Last 3 Months

 

In today’s day and age, content is king. It’s nearly impossible to keep up with the deluge of information, especially in the tech space where change is constant. We’re aware that the struggle is real. To keep you up-to-date on the latest and greatest in networking, we’ve compiled a round-up blog of the top posts from the past few months.

 

VMware Closes Acquisition of VeloCloud Networks

 In December, VMware NSX completed its acquisition of VeloCloud Networks, bringing their industry-leading, cloud-delivered SD-WAN solution to our own growing software-based networking portfolio. The acquisition of VeloCloud significantly advances our strategy of enabling customers to run, manage, connect and secure any application on any cloud to any device. Learn all about the acquisition from SVP and GM, Networking and Security Business Unit Jeff Jennings.

VMware SDDC with NSX Expands to AWS

With VMware Cloud on AWS, customers can now leverage the best of both worlds – the leading compute, storage and network virtualization stack enabling enterprises for SDDC can now all be enabled with a click of a button on dedicated, elastic, bare-metal and highly available AWS infrastructure. Bonus: because it’s a managed service by VMware, customers can focus on the Continue reading

What is NFV and what are its cost, performance and scaling benefits?

Network functions virtualization (NFV) enables IT pros to modernize their networks with modular software running on standard server platforms.Over time, NFV will deliver high-performance networks with greater scalability, elasticity, and adaptability at reduced costs compared to networks built from traditional networking equipment.  NFV covers a wide range of network applications, but is driven primarily by new network requirements, including video, SD-WAN, Internet of Things and 5G.To read this article in full, please click here

What is NFV and what are its cost, performance and scaling benefits?

Network functions virtualization (NFV) enables IT pros to modernize their networks with modular software running on standard server platforms.Over time, NFV will deliver high-performance networks with greater scalability, elasticity, and adaptability at reduced costs compared to networks built from traditional networking equipment.  NFV covers a wide range of network applications, but is driven primarily by new network requirements, including video, SD-WAN, Internet of Things and 5G.To read this article in full, please click here

1 1,687 1,688 1,689 1,690 1,691 3,794