Keep out ahead of shadow IT

It's time to face a cold, hard fact: The "shadow IT" parade is passing you by, and if you don't get out in front of it and lead it where you want it to go, you might get run over. Gartner projected in 2012 that marketing department spending on IT will surpass IT department spending on IT in the near future. True, that has yet to happen, but the scales keep tipping. Take a hard look at that future: You may not be in it. Shadow IT has been presented as a new threat to IT departments because of the cloud. Not true -- the cloud has simply made it easier for non-IT personnel to acquire and create their own solutions without waiting for IT's permission. Moreover, the cloud has made this means of technical problem-solving more visible, bringing shadow IT into the light. In fact, Continue reading

New products of the week 09.28.2015

New products of the week. Our roundup of intriguing new products. Read how to submit an entry to Network World's products of the week slideshow. Bitbucket. Key features: Bitbucket Server (formerly named Stash) is a Git solution for professional teams. New capabilities include Git Mirroring for distributed team members, Large File Storage support and help in organizing complex repository structures. More info.

NIST joins fight against cybercrime

The Department of Commerce's National Institute of Standards and Technology (NIST) is awarding roughly $3.7 million for three pilot projects designed to make online transactions more private and secure. This fourth round of recipients of the National Strategy for Trusted Identities in Cyberspace (NSTIC) grants will, respectively, pilot technologies designed to safeguard tax returns, secure medical information and protect online storage. The NSTIC, which unites the public and private sectors, launched in 2011. The new grantees are: MorphoTrust USA (Billerica, Mass., $1,005,168). MorphoTrust’s second NSTIC pilot grant will focus on preventing the theft of personal state tax refunds in multiple states. MorphoTrust will leverage trust created during the online driver licensing process, which includes biometrics and more, to build trustworthy electronic IDs.

Learn SDN with Virtual Routers and Switches

Bryan would love to get hands-on SDN experience and sent me this question:

I was recently playing around with Arista vEOS to learn some Arista CLI as well as how it operates with an SDN controller. I was wondering if you know of other free products that are available to help people learn.

Let’s try to do another what-is-out-there survey.

Read more ...

Happy 5th Birthday, CloudFlare!

CloudFlare customers recorded videos to celebrate our first five years

Today is September 27, 2015. It's a rare Super Blood Moon. And it's also CloudFlare's birthday. CloudFlare launched 5 years ago today. It was a Monday. While Michelle, Lee, and I had high expectations, we would never have imagined what's happened since then.

In the last five years we've stopped 7 trillion cyber attacks, saved more than 94,116 years worth of time, and served 99.4 trillion requests — nearly half of those in the last 6 months. You can learn more from this timeline of the last five years.

Celebrating by doing the impossible

CloudFlare's Network in China

Every year we like to celebrate our birthday by giving something seemingly impossible back to our users. Two years ago we enabled our Automatic IPv6 Gateway, allowing our users to support IPv6 without having to update their own servers. Last year we made Universal SSL support available to all our customers, even those on our free plan. And this year, we announced the expansion across Mainland China, building the first truly global performance and security platform.

Internet Summit & Party

We celebrated in San Francisco last week with CloudFlare's first Internet Summit Continue reading

Could VW scandal lead to open-source software for better automobile cybersecurity?

Volkswagen's use of software that manipulated exhaust values and defeated emissions tests has affected 11 million VW diesel cars built since 2008. A 2007 letter from VW parts supplier Bosch warned Volkswagen not to use the software for regular operations; in 2011, a Volkswagen technician raised concerns about the illegal practices in connection with the emissions levels. “We should be allowed to know how the things we buy work,” Eben Moglen, a Columbia University law professor and technologist, told the New York Times. “Let’s say everybody who bought a Volkswagen were guaranteed the right to read the source code of everything in the car. 99% of the buyers would never read anything, but out of the 11 million people whose car was cheating, one of them would have found it. And Volkswagen would have been caught in 2009, not 2015.”

Closing out Projects

We put a lot of energy into new projects. We argue about the design, we plan the cutover, we execute it…and then we move on. But decommissioning the old system is a critical part of any project. It’s not over until you’ve switched off the old system.

Years ago I was involved in the buildout of a new network. The new network was a thing of beauty. A clear design, the best equipment, redundant everything. It was replacing a legacy network, one that had grown organically.

The new network was built out. Late one night the key services were cut over, and things were looking good. Everyone was happy, and we had a big party to celebrate. The project group disbanded, and everyone moved on to other things. Since the project was closed out, funding & resources stopped. Success, right?

Except…the old equipment was still running. A handful of applications were left on the old network. Some annoying services used undocumented links between the networks. Even worse, disused WAN links were still in place, and still being billed for.

The problem was that the project was officially ‘over.’ Who’s responsible for finishing off that last bit of cleanup?

I’ve seen similar things in Continue reading

Geek Joke of the Week

When encryption is outlawed, bayl bhgynjf jvyy unir rapelcgvba *. If you don't get it or you have a better joke, drop me a note ... * (mouse over, don't click)

U.S.-China agreement on cyber espionage is a first step at best

Presidents Obama and Xi agree that the U.S. and China won’t steal corporate secrets from each other, but the wording is so full of loopholes that CISOs shouldn’t take too much comfort in the pact for quite a while. The agreement sets up high-level talks twice a year to deal with complaints the U.S. and China have about whether the other is responding quickly and thoroughly to claims by the other side about malicious cyber activity. It also takes a run at corporate spying in particular: “[N]either country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”

Cisco DHCP client bummer

It looks to me like the Cisco IOS DHCP client mis-handles the DNS server option when it's working in a VRF.

I'm working on an IOS 15.4 router with an empty startup-config and only the following configuration applied:
interface FastEthernet4
 ip address dhcp
 no shutdown

debug dhcp detail produces the following when the DHCP lease is claimed:
 Sep 25 19:48:23.316: DHCP: Received a BOOTREP pkt  
Sep 25 19:48:23.316: DHCP: Scan: Message type: DHCP Offer
...
Sep 25 19:48:23.316: DHCP: Scan: DNS Name Server Option: 192.168.100.4

Indeed, we can resolve DNS. We can also see that the DNS server learned from DHCP has been configured (is there a better way to see this?):
 lab-C881#ping google.com  
Translating "google.com"...domain server (192.168.100.4) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 205.158.11.53, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
lab-C881#show hosts summary
Default domain is fragmentationneeded.net
Name/address lookup uses domain service
Name servers are 192.168.100.4
Cache entries: 5
Cache prune timeout: 50
lab-C881#

If I put the interface into a VRF, Continue reading

Nasty Multicast VSS bug on Catalyst 4500-X

I ran into an “exciting” bug yesterday. It was seen in a 4500-X VSS pair running 3.7.0 code. When there has been a switchover, meaning that the secondary switch became active, there’s a risk that information is not properly synced between the switches. What we were seeing was that this VSS pair was “eating” the packets, essentially black-holing them. Any multicast that came into the VSS pair would not be properly forwarded even though the Outgoing Interface List (OIL) had been properly built. Everything else looked normal: PIM neighbors were active, OILs were good (except no S,G), routing was there, the RPF check was passing and so on.

It turns out that there is a bug called CSCus13479, which requires a CCO login to view. The bug is active when port-channels are used and PIM is run over them. To see if an interface is misbehaving, use the following command and compare the output for the active and standby members:

hrn3-4500x-vss-01#sh platfo hardware rxvlan-map-table vl 200 <<< Ingress port

Executing the command on VSS member switch role = VSS Active, id = 1


Vlan 200:
l2LookupId: 200
srcMissIgnored: 0
ipv4UnicastEn: 1
ipv4MulticastEn: 1 <<<<<
ipv6UnicastEn: 0
ipv6MulticastEn: 0
mplsUnicastEn: 0
mplsMulticastEn: 0
privateVlanMode: Normal
ipv4UcastRpfMode: None
ipv6UcastRpfMode: None
routingTableId: 1
rpSet: 0
flcIpLookupKeyType: IpForUcastAndMcast
flcOtherL3LookupKeyTypeIndex: 0
vlanFlcKeyCtrlTableIndex: 0
vlanFlcCtrl: 0


Executing the command on VSS member switch role = VSS Standby, id = 2


Vlan 200:
l2LookupId: 200
srcMissIgnored: 0
ipv4UnicastEn: 1
ipv4MulticastEn: 0 <<<<<
ipv6UnicastEn: 0
ipv6MulticastEn: 0
mplsUnicastEn: 0
mplsMulticastEn: 0
privateVlanMode: Normal
ipv4UcastRpfMode: None
ipv6UcastRpfMode: None
routingTableId: 1
rpSet: 0
flcIpLookupKeyType: IpForUcastAndMcast
flcOtherL3LookupKeyTypeIndex: 0
vlanFlcKeyCtrlTableIndex: 0
vlanFlcCtrl: 0

From the output you can see that "ipv4MulticastEn" is set to 1 on one switch and 0 on the other. The state has not been properly synced, or has somehow been misprogrammed, which leads to this issue with black-holing multicast. It was not an easy one to catch, so I hope this post might help someone.
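Comparing the two member blocks by eye works for one VLAN, but the mismatch is easy to miss across many VLANs. The following script is an added example, not part of the original post or of Cisco's tooling: it parses the output of the `show platform hardware rxvlan-map-table` command as printed above (both VSS member blocks in one capture) and reports every field whose value differs between the active and standby members. The sample text embedded below is a constructed, abbreviated copy of the post's output; the field names and the "role = VSS Active, id = 1" header format are taken from that output, and the script assumes the real output keeps that layout.

```python
import re
from typing import Dict

# Constructed sample: an abbreviated copy of the rxvlan-map-table output
# shown in the post, with both VSS member blocks in one capture.
SAMPLE_OUTPUT = """\
Executing the command on VSS member switch role = VSS Active, id = 1


Vlan 200:
l2LookupId: 200
srcMissIgnored: 0
ipv4UnicastEn: 1
ipv4MulticastEn: 1
ipv6UnicastEn: 0
routingTableId: 1


Executing the command on VSS member switch role = VSS Standby, id = 2


Vlan 200:
l2LookupId: 200
srcMissIgnored: 0
ipv4UnicastEn: 1
ipv4MulticastEn: 0
ipv6UnicastEn: 0
routingTableId: 1
"""

# Header line that starts each member's block (format taken from the post).
MEMBER_RE = re.compile(r"role = (VSS \w+), id = (\d+)")
# "name: value" lines; only the first token after the colon is kept, so
# trailing annotations such as "<<<<<" in a pasted capture are ignored.
FIELD_RE = re.compile(r"^\s*(\w+):\s*(\S+)")


def parse_rxvlan_map(text: str) -> Dict[str, Dict[str, str]]:
    """Return {member_role: {field: value}} for each VSS member block."""
    members: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        header = MEMBER_RE.search(line)
        if header:
            current = header.group(1)
            members[current] = {}
            continue
        if current is None:
            continue  # text before the first member header
        field = FIELD_RE.match(line)
        if field:
            members[current][field.group(1)] = field.group(2)
    return members


def find_mismatches(members: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Return {field: {role: value}} for every field whose value is not
    identical across all members (a missing field counts as a mismatch)."""
    roles = list(members)
    all_fields = set().union(*(members[r].keys() for r in roles))
    mismatches = {}
    for name in sorted(all_fields):
        values = {r: members[r].get(name) for r in roles}
        if len(set(values.values())) > 1:
            mismatches[name] = values
    return mismatches


def check_capture(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a capture and return the mismatched fields; an empty dict means
    the active and standby members are programmed consistently."""
    return find_mismatches(parse_rxvlan_map(text))


if __name__ == "__main__":
    result = check_capture(SAMPLE_OUTPUT)
    if not result:
        print("OK: VSS members are programmed consistently")
    for name, values in result.items():
        print(f"MISMATCH {name}: " + ", ".join(f"{r}={v}" for r, v in values.items()))
```

Run it against a saved capture instead of the sample by reading the file into `check_capture`; a non-empty result for `ipv4MulticastEn` is exactly the symptom described above, and any other mismatched field is worth a second look for the same reason.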

This also shows that there are always drawbacks to clustering, so weigh the risk of running systems in clusters, where one bug can affect both devices, against running them stand-alone. There's always a tradeoff between complexity, topologies and how a network can be designed depending on your choice.