Quickly Adding an NMS to VIRL

I’ve spent the last few days experimenting with APIC-EM and the path trace capabilities. My lab environment is currently leveraging VIRL (Virtual Internet Routing LAB). Since it wasn’t obvious how to integrate APIC-EM with the lab platform, I wanted to share my configuration.

TL;DR–When building the topology, click the background and view the properties for the Topology. Change the Management Network to “Shared flat network”. This will put the all of the devices ‘Mgmt-intf’ vrf on the ‘flat’ (172.16.1.0/24 by default) network when the topology is built. 

When I started this process, I really didn’t realize how easy it could be. I actually tried to leverage a manual connection to L2 External (FLAT) to do the management in-band for the topology. This is certainly possible, but there is a much easier way. As most VIRL users have noticed, there is a management IP address that gets assigned to each device. There is a simple configuration change that will allow that address to be one from the ‘FLAT’ pool and connected externally to the ‘L2 External (FLAT)’ network.

flatmgmt

My configuration 

  1. APIC-EM built with IP address 172.16.1.2/24 (172.16.1.2-49 are unassigned and part of the Continue reading

Automating Your Job Away Isn’t Easy

programming

One of the most common complaints about SDN that comes from entry-level networking folks is that SDN is going to take their job away. People fear what SDN represents because it has the ability to replace their everyday tasks and put them out of a job. While this is nowhere close to reality, it’s a common enough argument that I hear it very often during Q&A sessions. How is it that SDN has the ability to ruin so many jobs? And how is it that we just now have found a way to do this?

Measure Twice

One of the biggest reasons that the automation portion of SDN has become so effective in today’s IT environment is that we can finally measure what it is that networks are supposed to be doing and how best to configure them. Think about the work that was done in the past to configure and troubleshoot networks. It’s often a very difficult task that involves a lot of intuition and guesswork. If you tried to explain to someone the best way to do things, you’d likely find yourself at a loss for words.

However, we’ve had boring, predictable standards for many years. Instead of Continue reading

2017 and the Internet: our predictions

An abbreviated version of this post originally appeared on TechCrunch

Looking back over 2016, we saw the good and bad that comes with widespread use and abuse of the Internet.

In both Gabon and Gambia, Internet connectivity was disrupted during elections. The contested election in Gambia started with an Internet blackout that lasted a short time. In Gabon, the Internet shutdown lasted for days. Even as we write this countries like DR Congo are discussing blocking specific Internet services, clearly forgetting the lessons learned in these other countries.

CC BY 2.0 image by Aniket Thakur

DDoS attacks continued throughout the year, hitting websites big and small. Back in March, we wrote about 400 Gbps attacks that were happening over the weekend, and then in December, it looked like attackers were treating attacks as a job to be performed from 9 to 5.

In addition to real DDoS, there were also empty threats from a group calling itself Armada Collective and demanding Bitcoin for sites and APIs to stay online. Another group popped up to copycat the same modus-operandi.

The Internet of Things became what many had warned it would become: an army of devices used for attacks. A botnet Continue reading

When IOS XR Licenses Don’t Activate, What Then?

I came across a small but irritating issue with ASR / IOS XR licensing today, and since I found a way to fix it, I’m sharing my results.

Cisco ASR9006/ IOS XR

Licensing IOS XR on the ASR9k

I have an ASR9006 with two A9K-MOD160-TR linecards on which I need to run VRFs, so I purchased two of the A9K-IVRF-LIC linecard-based VRF licenses. I got the PAK keys from my reseller, and went to Cisco’s licensing portal to fulfill both of them following the usual process with the PID and S/N information taken from admin show license udi. I downloaded the license file and transferred it to an accessible jump server, then from the regular privileged exec mode (rather than the admin exec mode), I used sftp to transfer the file to the router.

Why not use the admin exec to transfer the licenses?

Simple: to transfer the license file within the admin exec means using tftp or ftp:

RP/0/RSP0/CPU0:asr9006-1(admin)#copy ?
  /recurse        Recursively list subdirectories encountered
  WORD            Copy from file
  bootflash:      Copy from bootflash: file system
  disk0:          Copy from disk0: file system
  disk0a:         Copy from disk0a: file system
  disk1:          Copy from disk1: file system
  disk1a:         Copy from disk1a: file system
  disk2:          Copy from disk2: file system
 Continue reading

4 information security threats that will dominate 2017

As with previous years, 2016 saw no shortage of data breaches. Looking ahead to 2017, the Information Security Forum (ISF), a global, independent information security body that focuses on cyber security and information risk management, forecasts businesses will face four key global security threats in 2017."2016 certainly lived up to expectations," says Steve Durbin, managing director of the ISF. "We saw all sorts of breaches that just seemed to get bigger and bigger. We lurched from one to another. We always anticipate some level of it, but we never anticipate the full extent. I don't think anybody would have anticipated some of the stuff we've seen of late in terms of the Russians getting involved in the recent elections."To read this article in full or to leave a comment, please click here

4 information security threats that will dominate 2017

As with previous years, 2016 saw no shortage of data breaches. Looking ahead to 2017, the Information Security Forum (ISF), a global, independent information security body that focuses on cyber security and information risk management, forecasts businesses will face four key global security threats in 2017."2016 certainly lived up to expectations," says Steve Durbin, managing director of the ISF. "We saw all sorts of breaches that just seemed to get bigger and bigger. We lurched from one to another. We always anticipate some level of it, but we never anticipate the full extent. I don't think anybody would have anticipated some of the stuff we've seen of late in terms of the Russians getting involved in the recent elections."To read this article in full or to leave a comment, please click here

15 technologies that died in 2016

Gone but not forgottenImage by Dat7 via Creative Commons2016 was brutal year in the tech business. Ambitious projects sputtered out, beloved niche products became unsustainable, and there was at least one colossal corporate embarrassment. Take a look back at all the technology that died this year—then console yourself by imagining it’s still being enjoyed by David Bowie and Prince.To read this article in full or to leave a comment, please click here

2016 in review: The year in Android

Android is in a very different place than it was when 2016 began. While the last 12 months were filled with much of the usual pomp and circumstance surrounding the release of new handsets, connected gadgets, and OS refreshes, the state of Android has never been more promising or less predictable. Google stepped out from behind the curtain and into the spotlight. Headsets took over smartwatches as the trend of the moment. And Samsung’s phablet woes opened the door for smaller players to make big gains.Through it all, one thing was constant: Android’s dominance. Throughout 2016’s wild ride, the mighty platform continued its reign, extending its penetration to a near-90 percent of the global market, and all but ending the OS wars once and for all. And somehow it still seems like Android is still just getting its feet wet. So before we step into what’s shaping up to be an exciting 2017 for Android, let’s take a look at everything that made this year so memorable:To read this article in full or to leave a comment, please click here

Outsourcing trends to watch in 2017

This year, we saw outsourcing integration challenges multiply, production workloads and enterprise systems hit the cloud, and security hit the top of the agenda.So what’s ahead for 2017? Uncertainty for one thing. Industry watchers expect a number of shifts in the IT and business process services space — not least of which will be the initiation of more flexible outsourcing terms as the world watches and waits to see what happens once president elect Donald Trump takes office and Brexit takes hold.[ Related: Trump presidency could sound death knell for offshore outsourcing ]To read this article in full or to leave a comment, please click here

Tech outages of 2016 and how to prevent them in 2017

DowntimeImage by Thinkstock2016 has seen major downtime events lead to lost revenue for a number of highly-recognizable brands and caused a severe knock to their reputation and consumer confidence. One of the most common causes of outages is unplanned configuration changes to a system, often when an immediate fix for a bug or potential system vulnerability unintentionally creates a much larger problem.To read this article in full or to leave a comment, please click here

Tech outages of 2016 and how to prevent them in 2017

DowntimeImage by Thinkstock2016 has seen major downtime events lead to lost revenue for a number of highly-recognizable brands and caused a severe knock to their reputation and consumer confidence. One of the most common causes of outages is unplanned configuration changes to a system, often when an immediate fix for a bug or potential system vulnerability unintentionally creates a much larger problem.To read this article in full or to leave a comment, please click here

Enable Source-Specific Multicast in Iperf

How Does Internet Work - We know what is networking

I was preparing lab environment to test configuration of Source-Specific Multicast on Juniper SRX Equipment and needed a tool to generate and measure Source-Specific Multicast streams. I was aware that Iperf is a good enough tool to generate and measure multicast and unicast traffic but support for SSM was missing from current version. Fortunately there are always some developers which are interested in networking so one of them developed a special Iperf version 2.0.5 with SSM support. The idea here is to show how to make this version of Iperf work on your Cent OS or similar Linux machine. Here

Enable Source-Specific Multicast in Iperf

OpenBSD on the Sixth Generation Intel NUC

Sixth Generation Intel NUC
Sixth Generation Intel NUC

I recently decided it would be fun to upgrade the hardware on my main OpenBSD machine at home (because, you know, geek). These Intel NUC machines are pretty interesting. They are pretty powerful, support a decent amount of RAM, certain models support internal storage, and they are very low power and low noise. Perfect for a machine that is a shell/email/development box.

The model I chose is the NUC6i3SYH.

  • Core i3 processor (because my machine is not at all CPU bound)
  • Very low power consumption (15W)
  • Supports a 2.5″ SSD

OpenBSD 6.0 boots with the GENERIC kernel; no tuning or tweaking required. Full dmesg is at the end of this post. Hightlights of the hardware include:

  • Wired network: Intel I219-V using the em(4) driver
  • Wireless network: Intel Dual Band Wireless AC 8260 using the iwm(4) driver (no support for 802.11ac in OpenBSD at the time of this writing so it’s 802.11n only)
  • Dual-core CPU with hyperthreading (be sure to boot GENERIC.MP)

The kernel recognizes the Intel SpeedStep capabilities of the CPU and will adjust the CPU’s clock speed as needed (further keeping the power consumption of the machine at a very Continue reading

Some notes on IoCs

Obama "sanctioned" Russia today for those DNC/election hacks, kicking out 35 diplomats, closing diplomatic compounds, seizing assets of named individuals/groups. They also published "IoCs" of those attacks, fingerprints/signatures that point back to the attackers, like virus patterns, file hashes, and IP addresses.

These IoCs are of low quality. They are published as a political tool, to prove they have evidence pointing to Russia. They have limited utility to defenders, or those publicly analyzing attacks.

Consider the Yara rule included in US-CERT's "GRIZZLY STEPPE" announcement:


What is this? What does this mean? What do I do with this information?

It's a YARA rule. YARA is a tool ostensibly for malware researchers, to quickly classify files. It's not really an anti-virus product designed to prevent or detect an intrusion/infection, but to analyze an intrusion/infection afterward -- such as attributing the attack. Signatures like this will identify a well-known file found on infected/hacked systems.

What this YARA rule detects is, as the name suggests, the "PAS TOOL WEB KIT", a web shell tool that's popular among Russia/Ukraine hackers. If you google "PAS TOOL PHP WEB KIT", the second result points to the tool in question. You can download a copy here Continue reading

Technology Short Take #75

Welcome to Technology Short Take #75, the final Technology Short Take for 2016. Fortunately, it’s not the final Technology Short Take ever, as I’ll be back in 2017 with more content. Until then, here’s some data center-related articles and links for your enjoyment.

Networking

  • Ajay Chenampara has some observations about running Ansible at scale against network devices.
  • Andrey Khomyakov shares some information on automating the setup of whitebox switches running Cumulus Linux in part 2 of this series on learning network automation.
  • Russell Bryant has shared the results of some testing comparing ML2+OVS and OVN as backends for OpenStack networking. As Russell indicates in his post, some additional analysis is needed to truly understand what’s happening, but early looks at the results of his tests show performance improvements in OVN versus ML2+OVS when it comes to total time required to boot a VM.
  • Ivan Pepelnjak shares a Python script that creates Ansible inventory from Vagrant’s SSH configuration. Handy.

Servers/Hardware

Nothing this time around!

Security

A Broken Process Placing Consumers at Risk

Below is a chat session I had with Pearson Vue several months ago as I attempted to schedule a recertification exam. Apparently, I have two accounts with them and that prevents next day test scheduling. To put it mildly, I don’t think they adequately explain how they could possibly guarantee non-disclosure of data with email as a transport. Moreover, this seems to indicate a serious disconnect between security and business operations.

Screen Shot 2016-04-07 at 2.00.18 PM

Image Link – for FULL Size View

I’m not going to explain the problems with this, PacketU readers understand why email is not [in and of itself] a secure method for file transport. When I experience an exchange like this, I see how segregated business practices can be and what a negative impact it can have from an information security perspective. Its not a matter of if, but a matter of when, bad things will happen as a result of not taking security seriously.

 —

Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may does not reflect the position of past, present or future employers.

No related content found.

The post A Broken Process Placing Consumers at Risk appeared Continue reading

1 2,458 2,459 2,460 2,461 2,462 3,874