0

DDoS flood protection

Denial of Service attacks represents a significant impact to on-going operations of many businesses. When most revenue is derived from on-line operation, a DDoS attack can put a company out of business. There are many flavors of DDoS attacks, but the objective is always the same: to saturate a resource, such as a router, switch, firewall or web server, with multiple simultaneous and bogus requests, from many different sources. These attacks generate large volumes of traffic, 100Gbit/s attacks are now common, making mitigation a challenge.

The 3 minute video demonstrates Flood Protect - a DDoS mitigation solution that leverages industry standard sFlow instrumentation in commodity data center switches to provide real-time detection and mitigation of DDoS attacks. Flood Protect is an application running on InMon's Switch Fabric Accelerator SDN controller. Other applications provide visibility and accelerate fabric performance applying controls reduce latency and increase throughput.

An early version of Flood Protect won the 2014 SDN Idol competition in a joint demonstration with Brocade Networks.

Visit sFlow.com to learn more, evaluate pre-release versions of these products, or discuss requirements.

0

Mikrotik IPsec VPN

If you did not hear yet about Mikrotik I can’t say I blame you. Not exactly something you’ll find in SOHO network shops next to brand like TP-Link, Linksys or Netgear. Mikrotik is a company
in Latvia that produce network hardware under the name of RouterBOARD. The devices are excellent and the RouterOS support an amazing amount of feature for a SOHO product.

Read more on Mikrotik IPsec VPN…

0

Ansible Named a Top 10 Open Source Project by OpenSource.com

We are pleased to announce that Ansible has been named a Top 10 Open Source Project for 2014 by Opensource.com. Be sure to watch Michael DeHaan's presentation on why your IT infrastructure should be boring, read his interview with Opensource.com's Jen Krieger and learn about one of his favorite Star Trek quotes.

View the full list here.

 

 

0

Business Drivers Talk at Interop 2015

This talk is a case study around some of the issues and solutions for TelePost Greenland. I’ll have to give credit to Denise Donohue and the folks there as I go along through the slides, but it’s a unique network with some extreme requirements — and therefore some interesting solutions.

0

Cisco Just Killed The CLI

Gallons of virtual ink have been committed to virtual paper in the last few days with regards to Cisco’s lawsuit against Arista Networks.  Some of it is speculating on the posturing by both companies.  Other writers talk about the old market vs. the new market.  Still others look at SDN as a driver.

I didn’t just want to talk about the lawsuit.  Given that Arista has marketed EOS as a “better IOS than IOS” for a while now, I figured Cisco finally decided to bite back.  They are fiercely protective of IOS and they have to be because of the way the trademark laws in the US work.  If you don’t go after people that infringe you lose your standing to do so and invite others to do it as well.  Is Cisco’s timing suspect? One does have to wonder.  Is this about knocking out a competitor? It’s tough to say.  But one thing is sure to me.  Cisco has effectively killed the command line interface (CLI).

“Industry Standards”

EOS is certainly IOS-like.  While it does introduce some unique features (see the NFD3 video here), the command syntax is very much IOS.  That is purposeful.  There are two Continue reading

0

Open Networking Has Arrived

“My servers run on Linux. My team knows how to manage Linux servers and networks. It just makes sense for my switches to run on Linux too.” 

What most people don’t know is that many high-end network switches already run on Linux.

Switches from Cisco^®, Extreme Networks^® and Arista^® use Linux to run their switch hardware (the operating system is hidden behind abstractions and APIs). As well, most of these share the same switching silicon products from Broadcom^® and Intel^®.

We are in the midst of a major transformation in networking. Innovation from companies like Cumulus Networks^® and Edge-Core^® are leading the way, disrupting the way new networks are deployed and old networks are upgraded.

In my role as head of product engineering at Tuangru, almost every small-to-mid size hosting service provider I talk to is considering open networking. Why? Because it just makes sense.

Open network hardware is more affordable and easy to acquire. The Linux software is familiar and, in most cases, admins prefer it over the next CLI and syntax versions available.

The rise of DevOps and cloud technologies like OpenStack are driving higher levels of automation and uniformity. Continue reading

0

Compliance and Automation Using Ansible

Compliance is a big deal in many industries, from e-commerce and PCI, to healthcare and HIPAA, to federal government and FedRAMP. At the core, compliance is all about making sure that IT systems are secure. The controls for the various industries will inevitably have some overlap; there are fundamental security controls that (should) apply to all IT systems. However, as technology advances, even the fundamental controls need to be refreshed in order to address the ever increasing advancements in security threats. 

When the need comes for your IT environment to be both compliant and automated, Ansible makes the most sense.

Why? For simple but very powerful reasons; readability, encryption, architecture and transport.

Architecture:
For starters, Ansible requires the smallest architecture. In it’s simplest form, none whatsoever, just its installation on your laptop (presuming linux or OSX). Even in our enterprise offering it is a single server. With Ansible there is no notion of Masters, Slaves, Masters of Masters, etc.

Secondly, you don’t/shouldn’t need to change anything. If you run a linux shop, SSH over port 22 is probably already in place for all servers and if you’ve been doing any sort of Windows automation, you likely already have remote Continue reading

0

Unreliable Multicast means Unreliable VMware VSAN

Howard Marks from Deep Storage and long-term curmudgeon sent Ethan & I the following email: As I continue to tilt at the VMware windmill I’m facing fanbois telling me that all you have to do is plug the EVO:RAIL in and turn it on.  This of course leaves out the fact that the little sucker still […]

The post Unreliable Multicast means Unreliable VMware VSAN appeared first on EtherealMind.

0

Great Wi-Fi Starts with Proper Design

I’m sure that we have all experienced poorly designed Wi-Fi networks. When a technology is so ubiquitous, so easily accessible, and is increasingly the most relied upon method of Internet access for mobile devices and cloud computing, then there are bound to be some issues. Unfortunately, the prevalence of underperforming Wi-Fi networks is still much too common for my liking.

Great Wi-Fi starts with proper design. There are various approaches to WLAN design that have evolved over time, ranging from providing basic coverage to maximum capacity and situations in-between. 

At one end of the spectrum, we have a basic coverage oriented design. This was the historical way of designing a WLAN that simply involved ensuring adequate signal strength from access points was present in desired locations. At the other end of the spectrum is a design focusing on maximum capacity. This involves careful RF planning in order to integrate the most Wi-Fi cells as possible into a physical area. 

The problem with both of these approaches is that they are the extremes and aren't applicable for many wireless networks. Basic coverage designs may still work for warehouses and some retailers and maximum capacity designs are great for stadiums and Continue reading

0

Comware5: Send test SNMP traps and syslog messages

When configuring a network device to be managed by an NMS such as HP IMC, you may want to send some test syslog or snmp traps to verify the correct operation of your settings. You can generate traps/logs by triggering … Continue reading →

0

HP 6125XLG FCoE NPV mode white paper

The HP 6125XLG is a Comware 7 based blade interconnect switch which has full support for FCoE. I found this technical whitepaper with a sample FCoE NPV mode configuration, it is shown with uplinks to an existing Nexus 5500/6000 FCoE … Continue reading →

0

HP Unified Wireless: Whitepapers published by HP

The HP Unified Wireless manuals are quite extensive, but it can be challenging to get a complete picture of a certain feature. HP has now published a series of whitepapers covering specific use cases and technologies, they can be found … Continue reading →

0

Just Published: Scaling Overlay Virtual Networking Videos

The edited videos for Scaling Overlay Virtual Networking webinar are available on ipSpace.net Content site. Nuage Networks sponsored the webinar; the videos are thus publicly available (without registration).

0

Network Access Broker Conceptual Demo

The Network Access Broker Conceptual Demo

---

by Kris Olander, Sr. Technical Marketing Engineer - December 16, 2014

Talk is cheap when it comes to SDN, but at Packet Design we’ve created a working SDN analytics and orchestration prototype that will enable network engineers to effectively manage hybrid networks. In this new demo, we outline how our Network Access Broker (NAB) – based on our core Route Explorer™ System – analyzes application requests for network resources, assesses their impact on services, and provisions them optimally using a combination of the following (if you’re already familiar with SDN and its management challenges, you can skip the intro and head straight to the demo at the 2:47 mark): 

1. A layer 3 network topology model maintained in real time (IGP, BGP, and SDN controller-provided topologies like OpenFlow),
2. A traffic demand matrix,
3. Predicted network loads from historical baselines, and
4. Analytics algorithms that compute efficient paths based on link utilizations/end-to-end delays, model new demand, and predict the impact of link/node failures on routing and traffic. Once the optimal paths have been computed, the NAB configures the network to provision them using the SDN controller (OpenDaylight in this example).

In the NAB demo, we use Continue reading

0

Notes on the CIA light-torture report

I'm reading through the Senate report on the CIA's light-torture program, and I came across this giggly bit:

#10: The CIA coordinated the release of classified information to the media, including inaccurate information concerning the effectiveness of the CIA's enhanced interrogation techniques. The CIA's Office of Public Affairs and senior CIA officials coordinated to share classified information on the CIA's Detention and Interrogation Program to select members of the media to counter public criticism, shape public opinion

Of course they did, but then so did the Senate committee itself. They've been selectively leaking bits of the report for over a year. Their description of the "CIA hacking" scandal was completely inaccurate.

Moreover, this Executive Summary wasn't simply published, but given to select people in the media beforehand in order to shape the message.

There's no doubt that the CIA's brutal treatment of prisoners is evil, a stain on the nation's honor, and something that should be prosecuted. But Senator Feinstein and her colleagues are as guilty of this as anybody else. This report is political garbage designed to shield Feinstein from the blame she shares.

0

GNS3 Holiday Mission: Free GNS3 T-Shirt

We want to hear your feedback on the networking products that made the top of your list in 2014.  We are excited to launch our GNS3

0

IPv6

Recently, I’ve heard several people suggest that the advent of IPv6 changes the requirements for data-center virtual network solutions. For instance, making the claim that network overlays are no longer necessary. The assumption made is that once an instance has a globally unique IP address that all requirements are met.

In my view, this analysis fails in two dimensions:

• In the assumption that it is desirable to give instances direct internet access (via a globally routed address);
• In the assumption that overlay solutions are deployed to solve address translation related problems;

Neither of these assumptions hold when examined in detail.

While there are IaaS use cases of users that just want to be able to fire up a single virtual-machine and use it as a personal server, the most interesting use case for IaaS or PaaS platforms is to deploy applications.

These applications, serve content for a specific virtual IP address registered in the DNS and/or global load-balancers; that doesn’t mean that this virtual IP should be associated with any specific instance. There is layer of load-balancing that maps the virtual IP into the specific instance(s) service the content. Typically this is done with a load-balancer in proxy mode.

As an aside, enabling IPv6 in the load-balancer Continue reading

0

Stop thief!

The Host-sFlow project recently added added CPU steal to the set of CPU metrics exported.

steal (since Linux 2.6.11)
       (8) Stolen time, which is the time spent in other operating systems
       when running in a virtualized environment

Keeping close track of the stolen time metric is particularly import when running managing virtual machines in a public cloud. For example, Netflix and Stolen Time includes the discussion:

So how does Netflix handle this problem when using Amazon’s Cloud? Adrian admits that they tracked this statistic so closely that when an instance crossed a stolen time threshold the standard operating procedure at Netflix was to kill the VM and start it up on a different hypervisor. What Netflix realized over time was that once a VM was performing poorly because another VM was crashing the party, usually due to a poorly written or compute intensive application hogging the machine, it never really got any better and their best learned approach was to get off that machine.

The following articles describe how to monitor public cloud instances using Host sFlow agents:

• Amazon Elastic Compute Cloud (EC2)
• Rackspace cloudservers

The CPU steal metric is particularly relevant to Network Function Virtualization (NFV). Virtual Continue reading

0

All malware defeats 90% of defenses

When the FBI speaks, you can tell they don't know anything about hacking. An example of this quote by Joseph Demarest, the assistant director of the FBI’s cyberdivision:

0

Using bird to pull global BGP route counts

For an electronics project I’m working on I wanted a way to check the current global routing table every five minutes for both IPv4 and IPv6. I did not want to log into anyone else’s router or looking glass as checking every 5 minutes may be considered abuse. So I thought to spin up a […]