GETVPN Example

A couple of weeks ago I had the good fortune of attending Jeremy Filliben’s CCDE Bootcamp.
It was a great experience, which I will elaborate on in another post. But one of the technology areas I had a bit of difficult with, was GETVPN.

So in this post a I am going to setup a scenario in which a customer has 3 sites, 2 “normal” sites and a Datacenter site. The customer wants to encrypt traffic from Site 1 to Site 2.

Currently the customer has a regular L3VPN service from a provider (which is beyond the scope of this post). There is full connectivity between the 3 sites through this service.

The topology is as follows:

Topology

GETVPN consists of a few components, namely the Key Server (KS) and Group Members (GM’s), which is where it derives its name: Group Encrypted Transport. A single SA (Security Association) is used for the encryption. The Key Server distributes the information to the Group Members through a secure transport, where the Group Members then use this information (basically an ACL) to encrypt/decrypt the data packets.

The routing for the topology is fairly simple. (See Routing Diagram) Each client as well as the KeyServer Continue reading

Cisco ASA packet capture showing bidirectional traffic flow

Recently I had to troubleshoot some communication issues via a Cisco ASA device and the packet capture on the IOS comes in handy for this task.

When you have a lot of traffic over ASA and you’re interested in a particular IP address, the basic packet capture lesson says that you should configure an access-list to limit the captured packets for the interesting traffic only.

Let’s assume that I have a particular interest for the traffic to and from the IP address 10.0.0.10.

I created a standard ACL to match only the traffic related to 10.0.0.10:

access-list TS standard permit host 10.0.0.10

Afterward I attached the created ACL to a packet capture on a particular interface (let’s call it “lan”).

capture TSHOOT access-list TS interface lan

You can find the above lines in almost any how-to regarding packet capture on Cisco ASA.

Checking the capture I noticed that traffic is unidirectional captured:

FW# show capture TSHOOT

4 packets captured

   1: 20:15:32.757010       802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
   2: 20:15:33.759283       802.1Q vlan#10 P0 192.168.0.10 > 10. Continue reading

The Micro M3D, affordable 3D printing for the masses

Back in 2013 I read a paper titled Life-Cycle Economic Analysis of Distributed Manufacturing with Open-Source 3-D Printers. The study, which focused on the legendary RepRap 3D printer, was conducted by Joshua Pearce at Michigan Technological University and concluded: The results show that even making the extremely conservative assumption that [a] household would only use the printer to make the selected twenty products a year the avoided purchase cost savings would range from about $300 to $2000/year. Assuming the 25 hours of necessary printing for the selected products is evenly distributed throughout the year these savings provide a simple payback time for the RepRap in 4 months to 2 years and provide an ROI between>200% and >40%.To read this article in full or to leave a comment, please click here

MLAG – An Implementation for Everyone!

I typically don’t to get up on a soapbox and preach the awesomeness of Linux networking, but I think I’m going to make an exception for this one topic: MLAG.

Yes, MLAG, that wonderful non-standard Multi-chassis Link Aggregation protocol that enables layer 2 multipathing from the host to gain either additional bandwidth or link resiliency. Every vendor that supports MLAG does so by using their own custom rolled implementation of it, which means Vendor A’s version of MLAG cannot interoperate with Vendor B’s version of MLAG. So I can’t have one switch be an “X” box and another be a “Y” box and expect the two to be part of the same MLAG configuration with a Dell server.

That ends today (arguably I could have said, that ended January 2015 when Cumulus Networks shipped with MLAG support in Cumulus Linux 2.5, but I’ll get to that in a bit).  Several weeks ago I was with my colleagues Shrijeet Mukherjee and Tuyen Quoc giving a talk about how “Linux Networking Is Awesome” at the 2016 OCP Summit. During our standing room only talk, we explained how Linux networking has become the de-facto networking stack in the data center (and Continue reading

How startups can attract and retain cloud talent

Although vendor-written, this contributed piece does not promote a product or service and has been edited and approved by Network World editors.

Today, it’s rare to encounter a company that doesn’t use the cloud. According to a recent RightScale report, 93% of organizations surveyed are running applications in the cloud or experimenting with infrastructure-as-a-service, and 82% of enterprises have a hybrid cloud strategy, up from 74% in 2015.

As cloud adoption rises, employees skilled in cloud development and management are finding themselves a hot commodity in the job market. In fact, many organizations are fighting for highly-coveted cloud computing experts to optimize cloud performance and help them better compete in their respective markets.

To read this article in full or to leave a comment, please click here

Microservices Network Architecture 101

A new god is rising in the world of application development – Microservices

The new god promises if not happiness in the next life, scalability, agility and fault tolerance in this life. At the heart of all this, is a simple, age-old axiom that is a key design goal of Unix: do one thing, and do it well. In the evolution of application architectures, single monolithic applications made way for client-server applications, which in turn made the way for microservices. The upending of the old world continues in data centers.

Communication is at the heart of this new religion (one popular theory of the etymology of the word religion is the word “religio” which means “to reconnect”). Every religion and every new technology introduces its own new vocabulary.

Microservices are no different!

In the domain of communications, the new lingo involves things such as MacVlan, IPVlan, Weave, Flannel and Swarm, to just name a few. What are they ? How are they connected ? Is IPVlan a new encapsulation format ? If it’s not a new encapsulation format, what is it ? If it is a new encapsulation format, how is it related to VxLAN ? Why were they invented ? Which one should I use ? What Continue reading

Worth Reading: Consumer Watchdog Took Millions From Google

An influential tech industry watchdog group that has received millions of dollars from Google has been silent on the internet giant’s recent fight to circumvent Federal Communications Commission restrictions on data collection. The Center for Democracy and Technology, a consumer watchdog group with outsized influence in Washington, took in $2.5 million from Google between 2010 and 2014, according to tax records. The donations amounted to more than double the amount contributed by any other company during the same period. -via Free Beacon

LinkedInTwitterGoogle+FacebookPinterest

The post Worth Reading: Consumer Watchdog Took Millions From Google appeared first on 'net work.

AnsibleFest Call For Speakers Now Open

ansible-fest-sf16-blogheader-2x.png

AnsibleFest is heading back to San Francisco on Thursday, July 28. You can expect all the usual highlights, like product roadmaps and Ask an Expert sessions. Plus, this year we're planning distinct tracks to give you exactly the type of information you need for wherever you are in your Ansible journey. Track themes will include use cases, best practices, and technical deep-dives into trending topics. 

Do you have a story to share about how you're using Ansible?
Submit your abstract during our Call for Speakers - open until June 1. We'll select speakers and notify all participants by June 13.

To see examples of talks that have been accepted in the past, check out the recordings from our last two AnsibleFest events in London and San Francisco

Then buy your tickets now during Super Early Bird pricing. This exclusive $299 pricing ends on May 31 and you won't find a better deal. If you're selected as a speaker, we'll refund your ticket amount. 

See you in San Francisco! 

AnsibleFest 2016

WANT A TASTE OF ANSIBLEFEST?

Watch presentations from AnsibleFest London 2016.

 

Replacement Verizon worker charged with running over striker, hitting officer

Yesterday we noted the light sentence given a Westborough, Mass., man who entombed a Verizon worker in an underground utility shed in 2013. Today comes news that another Verizon worker picketing in that same small town was struck by a pickup truck operated by a replacement worker who police say was driving on a suspended Florida license … allegedly while intoxicated … at just past 8 o’clock Thursday morning.From an entry on the Westborough Police Department’s Facebook page:To read this article in full or to leave a comment, please click here

VMware NSX Fundamentals Live is Coming to a City Near You

Sometimes a webcast isn’t enough – that’s why when VMware brings an NSX seminar to your hometown, you say “yes.” VMware is kicking off the NSX Fundamentals Live U.S. tour, so register now to secure your spot in one of these seminars when it gets to your town.

VMware experts will start off with a business overview of NSX use cases and IT outcomes. Want to know about the future of the software-defined data center and what role network virtualization will play in helping you face new business challenges? Here’s your chance. Want to discover how to bring the operational model of a virtual machine to your data center network, so you can transform the economics of network and security operations? Again, now’s your chance.

Following this business overview, experts will walk you through an in-depth technical overview of NSX architecture and key components. After this session, you’ll fully understand how networking functions and services are implemented within the NSX platform, and how to analyze key workflows for configuring virtual network & security services.

Digital business transformation is creating new opportunities and risks for businesses across every industry. VMware NSX helps you overcome challenges, such as increased risk Continue reading

Securing BGP: A Case Study

What would it take to secure BGP? Let’s begin where any engineering problem should begin: what problem are we trying to solve? This series of posts walks through a wide range of technical and business problems to create a solid set of requirements against which to measure proposed solutions for securing BGP in the global Internet, and then works through several proposed solutions to see how they stack up.

Post 1: An introduction to the problem space
Post 2: What can I prove in a routing system?
Post 3: What I can prove in a routing system?
Post 4: Centralized or decentralized?
Post 5: Centralized or decentralized?
Post 6: Business issues with centralization
Post 7: Technical issues with centralization
Post 8: A full requirements list
Post 9: BGPSEC (S-BGP) compared to the requirements
Post 10: RPKI compared to the requirements

I will continue updating this post as I work through the remaining segments of this series.

LinkedInTwitterGoogle+FacebookPinterest

The post Securing BGP: A Case Study appeared first on 'net work.

Senators will introduce a bill to limit government hacking warrants

A U.S. senator will introduce legislation to roll back new court rules that allow judges to give law enforcement agencies the authority to remotely hack computers.Senator Ron Wyden, an Oregon Democrat, will introduce a bill that would reverse a court procedure rules change, approved by the U.S. Supreme Court last month, that would allow lower judges to issue remote hacking warrants.The rules change, requested by the Department of Justice, expands the geographical reach of police hacking powers beyond local court jurisdictions now allowed through court-ordered warrants. Previously, the Federal Rules of Criminal Procedure prohibited a federal judge from issuing a search warrant outside his or her district.To read this article in full or to leave a comment, please click here

Petya ransomware is now double the trouble

The Petya ransomware now bundles a second file-encrypting program for cases where it cannot replace a computer's master boot record to encrypt its file table.Petya is an unusual ransomware threat that first popped up on security researchers' radar in March. Instead of encrypting a user's files directly, it encrypts the master file table (MFT) used by NTFS disk partitions to hold information about file names, sizes and location on the physical disk.Before encrypting the MFT, Petya replaces the computer's master boot record (MBR), which contains code that initiates the operating system's bootloader. Petya replaces it with its own malicious code that displays the ransom note and leaves computers unable to boot.To read this article in full or to leave a comment, please click here

Malware attacks on two banks have links with 2014 Sony Pictures hack

Bangladesh Bank, a commercial bank in Vietnam and ... Sony Pictures are the unlikely bedfellows in a tale of cyber intrigue uncovered by security researchers at BAE Systems.Researchers Sergei Shevchenko and Adrian Nish have found some links between malware involved in the 2014 attack on Sony Pictures and attacks on two banks involving the theft of credentials for the SWIFT financial transfer network.The U.S. Federal Bureau of Investigation said North Korea was to blame for the Sony attack (although security experts are divided on the matter).To read this article in full or to leave a comment, please click here

Worth Reading: Breaches at eMail Providers

Hundreds of millions of hacked user names and passwords for email accounts and other websites are being traded in Russia’s criminal underworld, a security expert told Reuters. The discovery of 272.3 million stolen accounts included a majority of users of Mail.ru (MAILRq.L), Russia’s most popular email service, and smaller fractions of Google (GOOGL.O), Yahoo (YHOO.O) and Microsoft (MSFT.O) email users, said Alex Holden, founder and chief information security officer of Hold Security. -via Reuters

LinkedInTwitterGoogle+FacebookPinterest

The post Worth Reading: Breaches at eMail Providers appeared first on 'net work.

1 2,943 2,944 2,945 2,946 2,947 3,819