A glance into host routes: Tenant networking & routing using Neutron (Openstack)


Software Defined Networks (SDN) and solutions have been making a lot of noise for a few years now. Rather slowly the networking industry has begun to notice this and affect change. Not only this but SDN has also become a pioneer - a big brother - a guide persona to other complementary technologies. We now have Software Defined - Storage, Data Center, Infrastructure and so on. It's Software Defined "everything" and Software Defined "anything". Software is slowly invading the big hardware only players and the sole reason being ease of customization and lower both; capex and opex. Networking in particular is very volatile and extremely configurable.

The neutron project of openstack is also fairly customizable bringing complexity with it. I recently ran into a requirement of having isolated networks talk to each other as well as some specific networks though isolated having access to the outside world (be it outside the cloud or the company WAN). This is what's giving rise to this particular blog post. I will lay out the premise of the discussion and then explain the solution. For networking experts out there, this might seem fairly obvious. I would suggest you stop right here and jump over Continue reading

With new startup, Check Point Software co-founder bets on perimeter-less security

The launch of cloud security startup Cato Networks by cybersecurity expert Shlomo Kramer reminded me of the episode of USA's Mr. Robot when Elliot Alderson explains why he chose his healthcare provider – limited security budget and limited security staff let him break through the perimeter defenses and change his medical records to cover up his lifestyle. In the real world, though, cyber threats are scaling faster than enterprises can respond. Like Elliot, Kramer is counting on enterprises with limited security staff and budgets turning to his new venture for end-to-end, perimeter-less security.According to a report by Reuters, Cato Networks is different because it asks customers to move all their traffic to its encrypted network. In other words, Cato is the opposite of Check Point Software Technologies, the company Kramer co-founded in 1998 that invented a perimeter defense used by almost all enterprises. The mobile internet has changed how the enterprise works. Large numbers of employees operate outside of the traditional security perimeter, necessitating a new way of looking at cyber defenses.To read this article in full or to leave a comment, please click here

Puppet and Powershell DSC

TL;DR: Your servers are no longer servers, they’re now just containers for functionality. Powershell DSC represented a huge step forward for configuration management on Windows, and Puppet’s DSC module compounds that step for both configuration management on Windows and the usefulness of Puppet.  This Puppet module means that you can now effectively control both Windows […]

The post Puppet and Powershell DSC appeared first on Packet Pushers.

Puppet and Powershell DSC

TL;DR: Your servers are no longer servers, they’re now just containers for functionality. Powershell DSC represented a huge step forward for configuration management on Windows, and Puppet’s DSC module compounds that step for both configuration management on Windows and the usefulness of Puppet.  This Puppet module means that you can now effectively control both Windows […]

The post Puppet and Powershell DSC appeared first on Packet Pushers.

Worth Reading: Net Ring Buffers

The problem with things like netmap is that it means the network hardware no longer is a shareable resource, but instead must be reserved for a single application. This violates many principles of a “general purpose operating system”. In addition, it ultimately means that the application is going to have to implement it’s own TCP/IP stack. That means it’s going to repeat all the same mistakes of the past, such as “ping of death” when a packet reassembles to more then 65536 bytes. This introduces a security problem. But these criticisms are nonsense. -via errata security

The post Worth Reading: Net Ring Buffers appeared first on 'net work.

Bringing Fast, Reliable and Secure Wi-Fi to the MDU

By: Wendy Stanton, Marketing Communications Manager In the multi-dwelling housing market, amenities are king! This message is consistent across the board within condos, student housing and assisted living management organizations where everyone understands that potential tenants want one thing: amenities....

Schneier: terrorists will switch to more secure alternatives to avoid encryption backdoors

A study shows that if the U.S. mandates backdoors to decrypt secret messages in order to help law enforcement, there would still be hundreds of alternative encryption products made outside the reach of U.S. law that terrorists and criminals could get their hands on. “Smart criminals and terrorists will easily be able to switch to more secure alternatives,” is the conclusion drawn by the study “A Worldwide Survey of Encryption Products”. The authors were Internet security authority Bruce Schneier of Harvard’s Berkman Center for Internet and Society, independent security researcher Kathleen Seidel, and Saranya Vijayakumar, a Harvard student.To read this article in full or to leave a comment, please click here

Stock-market jitters have rocked network spending, Cisco says

The world's financial markets got off to such a rough start this year that some enterprises froze plans to upgrade their campus networks.After oil prices and stock markets around the globe plunged during the first trading days of the year, there was a slowdown in spending that hurt Cisco Systems results and colored its forecast for the current quarter, CEO Chuck Robbins said Wednesday."You see customers say, 'I want to just wait, see what's going on,'" Robbins said on a conference call about Cisco's fiscal second quarter, which ended Jan. 23.The report was a reminder that what happens in financial markets can echo in IT departments if business management fears shrinking sales or a falling stock price ahead. Cisco has a different financial calendar than most other IT companies and is one of the first to report on a quarter that spilled over into this calendar year. It's the world's dominant supplier of networks.To read this article in full or to leave a comment, please click here

Which security products do enterprises expect too much from?

Enterprises rely on some security products too much while counting on others too little. One product category that companies place too much faith in is encryption, which has vulnerabilities. The OpenSSL web encryption technology’s infamous Heartbleed vulnerability is one example.Enterprises should assess their information security stance in light of the vulnerabilities that have actually given attackers a foothold and lead to costly breaches, whether for their organization or for their peers. Where an off-kilter reliance on some security products is the crack in these defenses, look at a more effective combination of tools. Don’t ignore tools that are effective yet limit some usability. Security products that enable a lot of usability while masking danger are among those that we do and will continue to count on too much.To read this article in full or to leave a comment, please click here

How to conquer the SQL Server 2005 migration challenge

If you still have SQL Server 2005 anywhere in your firm, you now have four months to get a migration program going before Microsoft pulls the plug on support for the aging database. April 12 will be the last day any patches or fixes will be issued. The product will still work, it just won't be fixed if a new flaw or exploit is found. As we discussed when we outlined the challenges of migration, it's believed most enterprises have long since moved off the old database in favor of something newer, either on-premises or possible in the cloud. At best, SQL Server 2005 has been relegated to simple report generation on noncritical data. To read this article in full or to leave a comment, please click here

Indegy finds out when industrial controls go bad (think Stuxnet)

Israeli startup Indegy monitors devices on industrial control networks to detect when their configurations have changed as a way to know when the machines are compromised, an attack vector exploited by the Stuxnet worm that took down Iranian nuclear centrifuges.The company makes an appliance that attaches to span ports on the switches that industrial control devices are connected to. It monitors the control layers of the devices and traffic they send over the network in order to discover changes.+ ALSO: Stuxnet reached its target via the networks of trusted business partners+To read this article in full or to leave a comment, please click here

Research ‘net 0x1339ED3: Traffic engineering versus network complexity

Since spending quality time with complexity theory when writing Navigating Network Complexity, I’ve started seeing the three sided complexity problem crop up all over the place. Remember this? Fast, high quality, cheap: choose two. We face this problem in a number of ways in network design. A recent (last year) paper by researchers from University of Louvain, ETH Zürich and Princeton have figured out how to engineer traffic in a straight IP network (no MPLS) by injecting false nodes into the shortest path tree. You can read the paper here, and listen to Ivan’s podcast with one of the authors here.research-net

What’s interesting to me is the direct tradeoff this paper represents between the amount of state in the control plane and optimal traffic flow through the network. Adding state does, in fact, allow you to optimize traffic flow—at the cost of calculating the state and injecting it into your control plane (in this case OSPF). This state must be carried through the network, increasing the amount of state in the network, and it must change as traffic flows change, increasing the speed at which the state changes in the network. Finally, this idea opens up a new interaction surface Continue reading

Critical VPN key exchange flaw exposes Cisco security appliances to remote hacking

Cisco Systems patched a critical vulnerability that could allow remote attackers to take over Cisco Adaptive Security Appliance (ASA) firewalls configured as virtual private network servers by simply sending malformed network packets to them.For devices that are designed to protect private networks from Internet attacks, this is as bad as it gets. That's why Cisco rated the vulnerability with the maximum score of 10 in the Common Vulnerability Scoring System.The flaw is located in the Cisco ASA code that handles the Internet Key Exchange version 1 (IKEv1) and IKE version 2 (IKEv2) protocols. More precisely, it stems from a buffer overflow condition in the function that processes fragmented IKE payloads.To read this article in full or to leave a comment, please click here

Critical VPN key exchange flaw exposes Cisco security appliances to remote hacking

Cisco Systems patched a critical vulnerability that could allow remote attackers to take over Cisco Adaptive Security Appliance (ASA) firewalls configured as virtual private network servers by simply sending malformed network packets to them.For devices that are designed to protect private networks from Internet attacks, this is as bad as it gets. That's why Cisco rated the vulnerability with the maximum score of 10 in the Common Vulnerability Scoring System.The flaw is located in the Cisco ASA code that handles the Internet Key Exchange version 1 (IKEv1) and IKE version 2 (IKEv2) protocols. More precisely, it stems from a buffer overflow condition in the function that processes fragmented IKE payloads.To read this article in full or to leave a comment, please click here

Saving a Cloonix network topology

The Cloonix network simulator has been updated to version 29, which adds the ability to save network simulation topologies and node configurations to a directory.

Users may save a network topology and all node configurations to a directory of their choice. They may also load saved topologies into Cloonix so they can restore a network scenario they previously created. The save function of Cloonix v29 supports copy-on-write filesystems and also allows users to save the full filesystems of nodes, if they wish.

This post will work through a detailed tutorial showing how to save, load, and re-save topologies and node configurations using the Cloonix GUI or command-line interface.

Different methods to save a Cloonix project

In this tutorial we will show three ways Cloonix may be used to save filesystems and network topologies:

  1. Create a new base filesystem by starting a VM in Cloonix, loading software and configurations, then saving either a full VM disk image or a derived VM disk image.
    • This simple case is useful when upgrading or modifying disk images that will be used in simulation scenarios.
       
  2. Start the Cloonix graph, set up the VMs, load software, and configure them. Then save the topology and filesystems.
1 3,090 3,091 3,092 3,093 3,094 3,787