0

SElinux policy for icmp checks

Many issues reported with scanning subnets and updating host statuses are related to SElinux being enabled. So far the solution was to completely disable SElinux, but this was more workaround than anything else. Robert was kind enough to share SElinux policy that should be used with phpipam if SElinux is enabled on your server.

 

Basically it permits the opening of raw IP sockets for non-root users, that are required for executing ping command.

 

1) Create the file http_ping.tt and add the following to it:

module http_ping 1.0;

require {
type httpd_t;
class capability net_raw;
class rawip_socket { getopt create setopt write read };
}

#============= httpd_t ==============
allow httpd_t self:capability net_raw;
allow httpd_t self:rawip_socket { getopt create setopt write read };

 

2) Run the following commands (as root user):

checkmodule -M -m -o http_ping.mod http_ping.tt
semodule_package -o http_ping.pp -m http_ping.mod
semodule -i http_ping.pp

brm

0

You Must Understand the Fundamentals to Be Successful

I was speaking with a participant of an SDN event in Zurich after the presentations, and he made an interesting comment: whenever he experienced serious troubleshooting problems in his career, it was due to lack of understanding of networking fundamentals.

Let me give you a few examples: Do you know how ARP works? What is proxy ARP? How does TCP offload work and why is it useful? What is an Ethernet collision and when would you see one? Why do we need MLD in IPv6 neighbor discovery?

0

You must understand the fundamentals to be successful

I was speaking with a participant of the recent SDN event in Zurich after the presentations, and he made an interesting comment: whenever he experienced serious troubleshooting problems in his career, it was due to lack of understanding of networking fundamentals.

Read more ...

0

Netvisor Analytics: Secure the Network/Infrastructure

We recently heard President Obama declare cyber security as one of his top priorities and we saw in recent time major corporations suffer tremendously from breaches and attacks. The most notable one is the breach at Anthem. For those who are still unaware, Anthem is the umbrella company that runs Blue Shield and Blue Cross Insurance as well. The attackers had access to people details, social security, home addresses, and email address for a period of month. What was taken and extent of the damage is still guesswork because network is a black hole that needs extensive tools to figure out what is happening or what happened. This also means the my family is impacted and since we use Blue Shield at Pluribus Networks, every employee and their family is also impacted prompting me to write this blog and a open invitation to the Anthem people and the government to pay attention to the new architecture that makes network play a role similar to NSA in helping protect the infrastructure. It all starts with converting the network from a black hole to something we can measure and monitor. To make this meaningful, lets look at state of the art today Continue reading

0

Fake patient data could have been uploaded through SAP medical app

SAP has fixed two flaws in a mobile medical app, one of which could have allowed an attacker to upload fake patient data.The issues were found in SAP’s Electronic Medical Records (EMR) Unwired, which stores clinical data about patients including lab results and images, said Alexander Polyakov, CTO of ERPScan, a company based in Palo Alto, California, that specializes in enterprise application security.Researchers with ERPScan found a local SQL injection flaw that could allow other applications on a mobile device to get access to an EMR Unwired database. That’s not supposed to happen, as mobile applications are usually sandboxed to prevent other applications from accessing their data.To read this article in full or to leave a comment, please click here

0

Lab: iBGP and OSPF Traffic Engineering

Here's the scenario: An enterprise network with an MPLS core and two branch locations connected to their own Provider Edge (PE) router. In addition to the MPLS link, the PEs are also connected via a DMVPN tunnel. The PEs are peering via iBGP (of course) and are also OSPF neighbors on the DMVPN. Both Customer Edge (CE) routers at the branch are OSPF neighbors with their local PE.

Task: Use the high speed MPLS network as the primary path between the CE routers and only use the DMVPN network if the MPLS network becomes unavailable.

Question: Is the solution as simple as adjusting the Admin Distance (AD) so that the iBGP routes are more preferred?

0

SElinux policy for icmp checks

0

VMWare Player and VM Networking

VMWare Player is the Virtualization software/hypervisor provided free of charge by VMWare. Player is for personal use. Paid versions are available as VMWare Player Pro or VMWare Workstation. Following link covers the differences between different editions. I have used Virtualbox for most of my VM needs. There were few recent scenarios where I had to use … Continue reading VMWare Player and VM Networking →

0

DNSSEC – Moving the Needle

The New Zealand ISP market is dominated by Spark, Vodafone & CallPus/Orcon. A side effect of this is that if one player does the Right Thing™, it really moves the needle. Recently, Spark has done the Right Thing with DNSSEC.

DNSSEC takeup has been low with New Zealand ISPs. The APNIC stats indicated that around 5% of users were using DNS resolvers that had DNSSEC validation capabilities. But in December 2014, that number jumped to ~15%:

It turns out this is because Spark has enabled DNSSEC validation on some of their resolvers. NZRS have done some analysis, and found that Spark turned on 4 new resolvers that do DNSSEC validation:

They’re still running their old resolvers, so right now it’s hit & miss for their customers. But it’s a great start, and presumably they’ll upgrade the remaining systems soon.

So Vodafone, CallPlus, Snap, Trustpower…when are you going to take customer security seriously too? And Spark…how long until DNSSEC is enabled for all your resolvers?

And please, no arguments about “we’re not sure if it will work.” Google has been doing it since March 2013…who do you think processes more DNS requests per day? Google, or your ISP?

0

Raytracing Quake demos

I decided to combine these two problems into one solution:

• Modern CPUs are idle way too much of the time. Why have all this computational power if we don’t use it?
• I have these funny old Quake demos that there’s no good way to convert to something playable.

My solution is to convert Quake .dem files to .pov files and render them with POV-Ray.

Update: New better screenshot:

Quake scene rendered in POV-Ray. Two more here and here.

Quake is closing in on 20 years old now, and it’s starting to get annoying to make it even work. Yes, it’s opensource, and there are a couple of forks. But they’ve also always been annoying to get working. Hell, even GLQuake in Steam won’t start for me. (yes, I know this is a bad reason, but I’m doing this for fun)

Many of the tools and resources are hard to find. I couldn’t find ReMaic, and only found lmpc thanks to FreeBSD having made it a package. Converting demos to an ASCII format using lmpc helped in confirming that my file parsing was correct.

The steps needed to render a demo:

1. Extract .mdl files to .pov and .png (skin) files.
2. Extract . Continue reading

0

Raytracing Quake demos

I decided to combine these two problems into one solution:

• Modern CPUs are idle way too much of the time. Why have all this computational power if we don’t use it?
• I have these funny old Quake demos that there’s no good way to convert to something playable.

My solution is to convert Quake .dem files to .pov files and render them with POV-Ray.

Quake scene rendered in POV-Ray. Two more here and here.

Quake is closing in on 20 years old now, and it’s starting to get annoying to make it even work. Yes, it’s opensource, and there are a couple of forks. But they’ve also always been annoying to get working. Hell, even GLQuake in Steam won’t start for me. (yes, I know this is a bad reason, but I’m doing this for fun)

Many of the tools and resources are hard to find. I couldn’t find ReMaic, and only found lmpc thanks to FreeBSD having made it a package. Converting demos to an ASCII format using lmpc helped in confirming that my file parsing was correct.

The steps needed to render a demo:

1. Extract .mdl files to .pov and .png (skin) files.
2. Extract .bsp files to .pov Continue reading

0

A peek into the USM format

A peek into the USM format

A game that I really liked the visuals off, Crysis 3 uses a video file format called USM, This is a rather odd to me, since when I am used to pulling games apart for their assets, I am used to BINK video being used for th

0

OpenNSL – Thoughts

Recently, Broadcom has opensourced API for their network switching asic as part of OpenNSL project. I tried to dig little deep into what it really means and this blog is a result of that. What is really Opensourced? Following picture from Broadcom OpenNSL project clearly illustrates this: Following are some notes: OpenNSL is a layer … Continue reading OpenNSL – Thoughts →

0

Show 229 – Network Break 32 – Juniper Innovation Showcase & More

Over-opinionated analysis on data network and IT Infrastructure. And virtual doughnuts.

Author information

The post Show 229 – Network Break 32 – Juniper Innovation Showcase & More appeared first on Packet Pushers Podcast and was written by Ethan Banks.

0

My mechanical keyboard

You spend all your waking time at a keyboard. This blog post is about keyboards, and can be summarized as: Buy quality, cry once.

I spend a lot of time typing on a keyboard, yet I have never looked into what keyboard would be best for me. There are natural keyboards and kinesis keyboards that people speak well of, but I spend a lot of time typing on laptops and don’t want a completely different setup for laptop and desktop.

I had the same concern before switching to Dvorak back when I was a consultant (thus often using other peoples managed machines), but happily switched after verifying that even on a locked down Windows machine as a non-admin user I could select Dvorak. Also there are adapters from Dvorak to Qwerty that I could use in extremely locked down environments such as the CCIE lab (they required a doctors note though, long story).

So it would have to be a keyboard that looks like a normal one. Preferably with Dvorak on the keycaps. It seems that mechanical keyboards are all the rage, so I thought I’d give that a go.

I ended up buying a 88 key Cherry MX brown-based Continue reading

0

My mechanical keyboard

You spend all your waking time at a keyboard. This blog post is about keyboards, and can be summarized as: Buy quality, cry once.

I spend a lot of time typing on a keyboard, yet I have never looked into what keyboard would be best for me. There are natural keyboards and kinesis keyboards that people speak well of, but I spend a lot of time typing on laptops and don’t want a completely different setup for laptop and desktop.

I had the same concern before switching to Dvorak back when I was a consultant (thus often using other peoples managed machines), but happily switched after verifying that even on a locked down Windows machine as a non-admin user I could select Dvorak. Also there are adapters from Dvorak to Qwerty that I could use in extremely locked down environments such as the CCIE lab (they required a doctors note though, long story).

So it would have to be a keyboard that looks like a normal one. Preferably with Dvorak on the keycaps. It seems that mechanical keyboards are all the rage, so I thought I’d give that a go.

I ended up buying a 88 key Cherry MX brown-based Continue reading

0

Upcoming Apple TV will feature App Store and Siri

Amid reports that Apple is planning to roll out its own streaming TV service later this fall, we now have word regarding what Apple's fourth-gen Apple TV is going to look like.Reporting for Buzzfeed, John Paczkowski reports, that Apple plans to show off a completely revamped version of its Apple TV at WWDC sometime this June. And though previous Apple TV updates have been somewhat limited to internal upgrades, this one promises to be a doozy.First off, the next iteration of the Apple TV will reportedly include, at long last, an App Store. Just as the App Store significantly increased the value proposition of iOS devices, we can expect to see a similar transformation with respect to the Apple TV. Even more so when one considers the possibilities of using external controllers, or even one's iOS device, as a controller while playing games on a big screen HDTV.To read this article in full or to leave a comment, please click here

0

Android’s smart lock now detects when you carry your phone

Google is adding a feature to Android’s smart lock that could significantly cut down on the number of times users need to enter a passcode to unlock their phones while they are out and about.On-body detection uses the accelerometer in the phone to detect when it’s being held or carried by a person. If enabled, the feature requires a passcode the first time the phone is accessed but then keeps the device unlocked until it is placed down.That means, for example, that someone walking down the street won’t have to unlock their phone every time they take it out of their pocket.The feature doesn’t appear to have been announced by Google, but it began appearing in some phones on Friday.To read this article in full or to leave a comment, please click here

0

Could Facebook be your next phone company?

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

Could Facebook or LinkedIn become the nexus for your voice calls and other communications? Not yet, but thanks to a technology known as WebRTC you can’t rule out the possibility.

WebRTC — the initials stand for Real Time Communications — is an open-source project that aims to transform the ordinary Web browser into a full-featured unified communications portal. With WebRTC, users establish real-time communication sessions from their browser, search, find and point to the servers of people they want to communicate with, and establish connections — all without needing to know the recipient’s phone number or email address.

To read this article in full or to leave a comment, please click here

0

Bare-metal switches poised to take off in data centers

Bare-metal switches that can be programmed like Linux servers aren’t just for big Web companies anymore. They may show up in a lot more average enterprises in the next few years.Cloud-based service providers like Facebook and Google have been building data-center networks out of generic hardware and homegrown software for years. Now vendors including HP and Dell are beginning to sell switches much like they do bare-metal servers. They may pre-load an operating system and provide ongoing support, but that OS is open and their customers will have much more freedom with this new kind of gear than they do with traditional switches from vendors like Cisco Systems.To read this article in full or to leave a comment, please click here