SDN Terminology from Layered Models

Even though we don’t build networks with OSI products, we still use terms from the OSI model. What terms will we end up using for SDN, once the dust settles?

The previous post introduced one document that attempts to define terms and architecture, and today’s post introduces another: the ITU-T Y.3300 document. But how do these documents fit in with our fast-changing networking landscape – and what words should we use? Today’s post looks at the Y.3300 doc, and explores a few of the terms.

Other posts in this series:

 

Big Picture First: ITU-T Y-Series

Most of us don’t have a reason to read docs from standards bodies unless we’re looking for a particular standard or fact. But as long as we’re talking about one doc from the ITU-T Y-series, it’s worth a minute to set the context of what these documents are.

First off, the topic area for the Y-series is broad, but it’s all networking! The title for the ITU-T’s Y-series of documents spells out the big items:

Global information infrastructure, Internet protocol aspects and next-generation networks

Great, so the topic is global network, IP, including next-generation networks. It’s networking! Continue reading

Diving into the DNS

The turning of the DNS from a distributed database query tool into a malicious weapon in the cyber warfare arena has had profound impacts on the thinking about the DNS. I remember hearing the rallying cry some years back: “Lets all work together to find all these open resolvers and shut them down!” These days I don't hear that any more. It seems that, like SPAM in email, we’ve quietly given up on eradication, and are now focusing on how to preserve service in a toxic world. I suppose that this is yet another clear case of markets in action – there is no money in eradication, but there is money in meeting a customer’s requirement to allow their service to work under any circumstances. We’ve changed our self-perception from being the public DNS police to private mercenaries who work diligently to protect the interests of our paying customers. We are being paid to care about the victim, not to catch the attacker or even to prevent the attack.

Fujitsu pushes wearable IoT tags that detect falls, heat stress

Fujitsu has developed stamp-sized wearable sensor tags that can detect whether users have changed their location or posture, fallen down or are experiencing high heat.The tags transmit data via Bluetooth Low Energy and can be worn as wristbands or location badges on lapels or breast pockets. They could be used by people including hospital patients and infrastructure workers to relay data to supervisors.The tags can also be attached to objects such as shopping carts or walkers for the elderly. They’re part of a cloud-based Internet of Things (IoT) platform from Fujitsu called Ubiquitousware that’s aimed at making IoT applications easier for businesses.To read this article in full or to leave a comment, please click here

Starbucks still grappling with fraud in online accounts, gift cards

Starbucks is still grappling with fraud involving its customers’ online accounts and gift cards, with some victims seeing hundreds of dollars stolen.Gift-card related fraud with Starbucks cards is not new, but recent victims were highlighted earlier this week in an article by journalist and author Bob Sullivan.Starbucks officials could not be immediately reached for comment, although Sullivan wrote the company told him that customers would not be liable for charges and transfers they didn’t make.To read this article in full or to leave a comment, please click here

Free tool reveals mobile apps sending unencrypted data

A surprising amount of mobile data still crosses the Internet unencrypted, and a new free app is designed to show users what isn’t protected.The program, called Datapp, comes from the University of New Haven’s Cyber Forensics Research and Education Group (UNHcFREG), which last year showed popular Android applications such as Instagram, Grindr and OkCupid failed to safely store or transmit data.To read this article in full or to leave a comment, please click here

SDN: Integration over Manipulation

I’d like to briefly express a sentiment that I pondered after listening to another one of Ivan’s great podcasts, specifically regarding the true value of a software-defined network approach. The statement was made that ACLs are terrible representations of business policy. This is not inaccurate, but the fact remains that ACLs are currently the de facto representation of business policy on a network device. The “network team” gets a request from an application team to “fix the firewall”, and the policy that is applied to enable that application typically results in an ACL change.

SDN: Integration over Manipulation

I’d like to briefly express a sentiment that I pondered after listening to another one of Ivan’s great podcasts, specifically regarding the true value of a software-defined network approach. The statement was made that ACLs are terrible representations of business policy. This is not inaccurate, but the fact remains that ACLs are currently the de facto representation of business policy on a network device. The “network team” gets a request from an application team to “fix the firewall”, and the policy that is applied to enable that application typically results in an ACL change.

ONUG Spring 2015

I’ll continue to update this throughout the next two days. Feel free to issue a pull request if you’re also here at the conference and want to add to this post.

onug-logo

General

Location: Open Networking User Group (ONUG) at Columbia University

ONUG currently has 6 working groups:

  • NSV
  • SD-WAN
  • Virtual Network Overlays
  • Common Management tools across network, compute, and storage
  • Network State Collection, correlation, and analytics
  • Traffic Monitoring and Visibility

It is interesting and awesome to see that half of the working groups are all about Day 2 operations and management of networks. This is exactly what’s needed in the industry.

Sessions

Creating Business Value with Cloud Infrastructure

Speaker: Adrian Cockcroft

  • Developers don’t need any of that referring to NSV/NFV.
  • 2009 developed the Cloudicorn, took knowledge gained to Battery
  • Docker wasn’t on anyone’s roadmap for 2014. It’s on everyone’s roadmap for 2015
  • 2014 was the year that Enterpises finally embraced cloud and DevOps
  • Optimizing from IT cost to delivery and speed - Nordstrom - ended up yielding lower costs
  • Product IT reports into the business
  • Director is the highest Corp IT title
  • Immutable microservice deployments scales
  • If your QA team is saying there are too many bugs in a release, Continue reading

Greenpeace fingers YouTube, Netflix as threat to greener Internet

The next time you watch “House of Cards” on Netflix, think about the impact you might be having on the environment.As the Internet powers ever more services, from digital video to on-demand food delivery, energy use in data centers will rise. To reduce their impact on the environment, companies like Apple, Google and Facebook have taken big steps to power their operations with renewable energy sources like hydro, geothermal and solar.But despite those efforts, the growth of streaming video from the likes of Netflix, Hulu and Google’s YouTube presents a pesky challenge to the companies’ efforts to go green, according to a report Tuesday from Greenpeace.To read this article in full or to leave a comment, please click here

Salesforce teams with Sage, spawns new cloud platform for SMBs

There’s been a flurry of speculation that Salesforce.com could be up for sale, but an alternative line of thinking points to a deal with Sage Group as the explanation for the team of lawyers Salesforce recently hired.On Tuesday, Sage and Salesforce revealed the proof in the proverbial pudding. The two companies have announced a broad global partnership along with a new service from Sage that’s built on the Salesforce1 platform-as-a-service designed to help small businesses move to the cloud.To read this article in full or to leave a comment, please click here

Ansible Tower Now Available with Vagrant

Screenshot_2015-05-12_11.05.53

Ansible is about simple, yet powerful automation. We want to make automation easy for everyone to learn, use, and deploy, for developers, system administrators, and operators of every skill level.

Every day we hear the success stories of people who have been able to take Ansible’s powerful automation and use it to cut their IT costs, stabilize their deployments, and allow them to get back to their focus of their job rather than continually grinding through manual tasks.

On top of that, we’ve built Ansible Tower, a web interface and API that brings those same simple principles to applying command, control, and delegation to an Ansible deployment. Customers like Nike, Splunk, Grainger, and others use Tower to centralize their Ansible deployment, delegate credentials and tasks to users in a controlled manner, and allow easy self-service access to users without them knowing the specifics of those automation.

We’re always interested in making things simpler for our users, and this extends to deploying and trying Tower as well. That’s why we’ve decided to make Tower available for use with Vagrant - what’s simpler than that?

You can try out Ansible Tower in Vagrant with just a few commands.

$ vagrant init tower

F5 APM, SRX and DTLS NAT Timeout

I have been having issues using the F5 APM client behind a Juniper SRX-110 using hide NAT. I believe I’ve tracked it down to the default timeout settings used for UDP services. Here’s what I did to resolve it.

Constant Connection Timeouts

The laptop client was behind the SRX-110, using hide NAT. The initial client connection would work, and things would look good for a while. The the client would stop receiving packets. Traffic graphs would show a little bit of outbound traffic, and nothing inbound. Eventually, the client might decide it needed to reconnect. But usually, it would sit there for a few minutes doing nothing. Then I would force a disconnect, which would take a while, and then reconnect. Exceedingly frustrating.

Connecting the client to a different network – e.g. using a phone hotspot – worked fine. No dropouts. Using a wired connection behind the SRX had the same issue. So clearly the problem was related to the SRX.

TLS & DTLS

I dug into the traffic flows to better understand what was going on. This SSL VPN solution makes an initial TLS connection using TCP 443. It then switches over to DTLS using UDP 4433 for ongoing encrypted Continue reading

Digging Deeper into the Cisco ASA Firewall REST API

Security orchestration methods, and of course SDN, are driving the need for programmable interfaces in  security products. The Cisco ASA Firewall added a REST API back in December with the 9.3(2) code release. I've asked Mason Harris from Cisco to write up a quick how-to primer on the ASA API capabilities. Thank you Mason for the great information.Author: Mason Harris CCIE #5916, Solutions Architect, Global EnterpriseOver the years I've seen many different custom methods used to manage ASA firewalls. Most of them involve some version of command line interface (CLI) scripting since nearly all ASA features and functions are available in this manner. Perl and Expect scripts are the common scripting languages in use today for managing ASAs.To read this article in full or to leave a comment, please click here

Digging Deeper into the Cisco ASA Firewall REST API

Security orchestration methods and of course SDN is driving the need for programmable interfaces in  security products.  The Cisco ASA Firewall added a REST API back in December with the 9.3(2) code release.  I've asked Mason Harris, from Cisco, to write up a quick how-to primer on the ASA API capabilities.  Thank you Mason for the great information.Author: Mason Harris CCIE #5916Solutions Architect, Global EnterpriseOver the years I’ve seen many different custom methods used to manage ASA firewalls. Most of them involve some version of command line interface (CLI) scripting since nearly all ASA features and functions are available in this manner. Perl and Expect scripts are the common scripting languages in use today for managing ASAs.To read this article in full or to leave a comment, please click here

Broadcom hardware platform gains support for Apple’s HomeKit

Apple’s efforts to allow people to control household appliances from their iPhones through the company’s HomeKit framework are gaining momentum.Chip maker Broadcom announced Tuesday that the SDK for its WICED hardware platform, which allows manufacturers to build so-called smart devices that can connect to the Internet, is fully compliant with HomeKit. The HomeKit protocols from Apple allow manufacturers to create products that can be controlled from an iOS device.For example, if a smart lock was integrated with HomeKit, people could use an app on their iPhones or speak a command to Siri, Apple’s voice-controlled virtual assistant, to unlock a door. Using Siri to handle voice commands when a person isn’t in his house requires an Apple TV, which works as a gateway to a home network.To read this article in full or to leave a comment, please click here

Intel looking to boost horsepower on server chips with ASIC integration

Intel is expanding its custom server chip program by integrating a special processing unit that could speed up specific applications in cloud computing environments.The chip maker said it will integrate ASICs (application-specific integrated circuits) in future Xeon chips, which will speed up cloud, security and big data applications. The ASIC designs will be provided by eASIC, a fabless semiconductor company based in Santa Clara, California.Intel declined to comment on the type of ASICs being integrated, or when they will be integrated in Xeon chips. But the integrated ASICs will be reprogrammable, and customers will be able to add more flexibility to their servers to handle specific types of tasks.To read this article in full or to leave a comment, please click here

1 3,458 3,459 3,460 3,461 3,462 3,808