Secure browser-to-proxy communication – again

I've previously blogged about a secure connection between browser and proxy. Unfortunately that doesn't work on Android yet, since except if you use Google for Work (an enterprise offering) you can't set Proxy Auto-Config.

This post shows you how to get that working for Android. Also it skips the stunnel hop since it doesn't add value and only makes Squid not know your real address. I'm here also using username and password to authenticate to the proxy instead of client certificates, to make it easier to set up.

Hopefully this feature will be added to Chrome for Android soon (bug here) but until then you'll have to use the Android app Drony.

First, why you would want to do this

  • You have machines behind NAT, and a proxy that can see the inside while still accessible form the outside

    This way you can port forward one port from the NAT box to the proxy, and not have to use different ports everywhere. I'll call this proxy corp-proxy.example.com.

  • You have servers that don't implement their own authentication, and you want the proxy to do it for you

    If you set up so that the only way to Continue reading

IP Subnetting Part 5: Subnetting Across the Octet Boundary

Throughout this series, we have examined several fundamental building blocks of subnetting. In IP Subnetting Part 4, we looked at what was required to subnet a Class C network. This article takes the fundamentals one step further and looks at subnetting a Class A address. We will also add the complexity of crossing octet the octet boundary for both the subnet and the host portions of the address.

A Class A IP address has the following characteristics–

  • I’s first octet begins with binary 0…….
  • The first Octet will be in the range of 1 to 63 (0 is invalid)
  • The first Octet (leftmost) represent the Network
  • The last three Octets (rightmost) represents a Host on a network

You will also recall that a single network can be subnetting into multiple, smaller networks.

Using a consistent syntax, we could represent a Class A network as follows.

10.0.0.0

In this example--

Green represents the Classful Network
Blue represents the Host address

10.0.0.0 is would be a Network based on the fact that the host portion is 0.0.0. This is literally zero. Had the address been 10.0.0.1, 10.0.1.0 or 10.1.0.0 Continue reading

Network Field Day 8 – #NFD8

TF

After watching the Tech Field Day (TFD) events for a while, I decided to fill out the form and apply to be a delegate. With the events being based in the USA, me being based in the UK and my status not being at the power blogger level of the likes of Ethan Banks, Greg Ferro or Ivan Pepelnjak, the perceived chances of actually being selected to go were negligible to none. So how surprised was I when I received an email with an invite? You could have blown me over with a feather, so much so, the whole side of the train carriage I was sitting in at the time all heard the “whoop whoop” I decided to share!

So for any new delegates or those that want to know how it plays out, your travel, accommodation and pretty much all arrangements are taken care of by Gestalt IT and the TFD team. You just have to worry about getting to and from your chosen airport to depart and return.

The week that the event takes place in is northing short of hectic and by my experience was superbly executed by Steve Foskett and Tom Hollingsworth. You can pretty Continue reading

ThousandEyes – NOC for the Internet?

ThousandEyes is a network monitoring company that provides application performance visibility across the Internet. They don’t just show how an application is performing, but can identify where across the Internet issues are occurring. Ethan Banks has written up some of the use cases. Recently I realised I could start thinking of them as a “NOC for the Internet.”

I was fortunate enough to attend Network Field Day 8, where ThousandEyes was one of the presenters. During their presentation Mohit Lad gave a demonstration of using ThousandEyes to investigate performance issues:

The problem with troubleshooting issues across the Internet is that it’s hard to get the complete visibility you need to track down where issues are happening. ThousandEyes helps, by giving you more viewpoints, but there’s still limits. Most of us can’t afford to run tests from hundreds of different public & private locations.

Interpreting data is also a challenge. ThousandEyes has done their best to make the data usable, but you might not have the networking resources to be able to fully understand what’s going on. You need both wider visibility, and the experience to fully interpret it.

That’s why I was very pleased to hear the exchange starting Continue reading

Prescriptive Topology Manager (PTM) support with NX-API on the Nexus 9000?

Cumulus Networks has been talking a lot about Prescriptive Topology Manager (PTM).  A great overview of PTM can be found here, but the high level is that PTM ensures “wiring rules are followed by doing a simple runtime verification of connectivity.”  This means that as a user, you can define what the physical topology, or wiring, is supposed to be and compate it against what it really is by leveraging LLDP.  The PTM daemon (PTMd) is what does this analysis on each switch running Cumulus Linux.  There is even integration with routing protocols such that if two switches are improperly cabled, no routing adjacencies will be permitted on that link.  You can check out the PTM code since it is available under the Eclipse Public License (EPL).
Cumulus is said to have a few, but very large customers --- these customers operate at the highest efficiency levels and it is customers like these (speculating here, just go with me) that probably drove Cumulus to develop a feature like this.  However, this is a real problem for networks of all sizes.  I’ve seen 100s to 1000s of pages of word docs and excel Continue reading

Plexxi Pulse—Adding Flexibility to the Cloud

It’s been a busy week here at Plexxi. On Tuesday, we announced our partnership with Cari.net, a high-performance, scalable and flexible hosting platform based on Microsoft Cloud OS. CARI.net’s newly released CARIcloud service is powered by Plexxi and uses software-defined networking to allow companies to automatically adjust to conditions on their networks and make sure that the most important applications are never starved for performance. The platform enables customers to manage organizations and scale their data centers without being restricted to a single cloud service provider.

In this week’s PlexxiTube of the week, Dan Backman explains how Plexxi’s datacenter fabric transport solution is different from a more traditional WAN gateway.

Hardware Customization in a Software-Driven Universe

Art Cole contributed an interesting piece to Enterprise Networking Planet this week on customizing IT hardware in a “software-driven” universe. In my opinion, we tend to think about the discrete layers within information technology hardware—the boxes that make up the network, the servers that make up compute, and the devices that make up storage. Having flexibility in each layer of hardware is crucial, but we also want the same flexibility in the interconnect that ties them all together. We want programmability Continue reading

Network Break 17

Take a stroll through the Intel IDF 2014 conference which was all about the Software Defined Network/Storage/Infrastructure/Architecture ......

Author information

Greg Ferro

Greg Ferro is a Network Engineer/Architect, mostly focussed on Data Centre, Security Infrastructure, and recently Virtualization. He has over 20 years in IT, in wide range of employers working as a freelance consultant including Finance, Service Providers and Online Companies. He is CCIE#6920 and has a few ideas about the world, but not enough to really count.

He is a host on the Packet Pushers Podcast, blogger at EtherealMind.com and on Twitter @etherealmind and Google Plus.

TwitterFacebookGoogle+

The post Network Break 17 appeared first on Packet Pushers Podcast and was written by Greg Ferro.

SolarWinds Thwack Ambassador for VoIP Management

I know I’ve been quiet of my blog this month, but that’s not because I’ve forgetting about this site! For the month of September I’m spending some extra time over at Thwack, this is SolarWinds community where everyone likes to get together and talk about network management. I’ve talked about Network Management quite a bit […]

IPv6 Networking Detection Case #141 – Part 1: The Facts and Clues

Part #1 – I give you the facts and the clues. Part #2 – I give you what the problem ended up being. Ready to play? This is the IPv6 troubleshooting blog that started off as something else entirely.   I was going to do a post on IPv6 Multicasting, so I grabbed 3 ASR1K and […]

Author information

Denise "Fish" Fishburne

Denise "Fish" Fishburne
CPOC Engineer at Cisco Systems

Denise "Fish" Fishburne, (CCIE #2639, CCDE #2009:0014, Cisco Champion) is a team lead with Cisco's Customer Proof of Concept Lab in Research Triangle Park, N.C. Fish loves playing in the lab, troubleshooting, learning, and passing it on.
Twitter

The post IPv6 Networking Detection Case #141 – Part 1: The Facts and Clues appeared first on Packet Pushers Podcast and was written by Denise "Fish" Fishburne.

Keyless SSL: The Nitty Gritty Technical Details

CloudFlare's Keyless SSL

We announced Keyless SSL yesterday to an overwhelmingly positive response. We read through the comments on this blog, Reddit, Hacker News, and people seem interested in knowing more and getting deeper into the technical details. In this blog post we go into extraordinary detail to answer questions about how Keyless SSL was designed, how it works, and why it’s secure. Before we do so, we need some background about how encryption works on the Internet. If you’re already familiar, feel free to skip ahead.

TLS

Transport Layer Security (TLS) is the workhorse of web security. It lets websites prove their identity to web browsers, and protects all information exchanged from prying eyes using encryption. The TLS protocol has been around for years, but it’s still mysterious to even hardcore tech enthusiasts. Understanding the fundamentals of TLS is the key to understanding Keyless SSL.

Dual goals

TLS has two main goals: confidentiality and authentication. Both are critically important to securely communicating on the Internet.

Communication is considered confidential when two parties are confident that nobody else can understand their conversation. Confidentiality can be achieved using symmetric encryption: use a key known only to the two parties involved to encrypt Continue reading

Virtual Networking in CloudStack

If you mention open-source cloud orchestration tools these days, everyone immediately thinks about OpenStack (including the people who spent months or years trying to make it ready for production use). In the meantime, there are at least two other comparable open-source products (CloudStack and Eucalyptus) that nobody talks about. Obviously having a working product is not as sexy as having 50+ vendors and analysts producing press releases.

Read more ...

Some New Old Books


The Lean Startup approach is for companies that want to be more capital efficient and that leverage human creativity more effectively.  It relies on “validated learning,” rapid scientific experimentation, as well as a number of counter-intuitive practices that shorten product development cycles, measure actual progress without resorting to vanity metrics, and learn what customers really want. It enables a company to shift directions with agility, altering plans inch by inch, minute by minute.

The products lean startup builds are really experiments: the learning about how to build a sustainable business is the outcome of those experiments. That information is much more important, because it can influence and reshape the next set of ideas. And it uses the Build-Measure-Learn feedback loop at the core of Lean Startup model.



In short: build Minimum Viable Product (MVP) or Minimum Viable Service (MVS), launch, collect data to learn in order to perfect the ideas. Or if it doesn't work, fail fast, and pivot to another ideas.

Rather than wasting time creating elaborate plans for new product, it's better to launch quickly and find a way to test the idea continuously, to adapt and adjust before it’s too late.

How to decide which ideas Continue reading

Colour calibration in Linux

This is just a quick note on how to create .icc colour profiles in Linux. You need a colour calibrator (piece of hardware) for this to be useful to you. 
#!/bin/sh
NAME=$1
COLOR=$2
DESC="Some random machine"
QUALITY=h   # or l for low, m for medium
set -e

dispcal -m -H -q $QUALITY -y l -F -t $COLOR -g 2.2 $NAME
targen -v -d 3 -G -e 4 -s 5 -g 17 -f 64 $NAME
dispread -v -H -N -y l -F -k $NAME.cal $NAME
colprof -v -D $DESC -q m -a G -Z p -n c $NAME
dispwin -I $NAME.icc

Using AppShape++ to change a request’s URL

Lab goal

  • When a clients asks for /cgi-bin/* change that to /alpha/a1.html, and serve it from SRV1 
  • Fix the 404 page not found.

Use VIP 10.136.6.13.

Setup


The loadbalancer is Radware's Alteon VA version 29.5.1.0

The initial Alteon VA configuration can be found here.

Notice the group and hosts are preconfigured:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
/c/slb/real 1
        ena
        ipver v4
        rip 10.136.85.1
/c/slb/real 2
        ena
        ipver v4
        rip 10.136.85.2
/c/slb/real 3
        ena
        ipver v4
        rip 10.136.85.3
/c/slb/group 10
        ipver v4
        add 1
        add 2
        add 3

Alteon configuration

Lets first create the VIP/virt and test it out.


1
2
3
4
5
 /c/slb/virt 6_13
        ena
        vip 10.136.6.13
 /c/slb/virt 6_13/service 80 http
        group 10

To fix the 404 at the bottom of the webpage, we need to change the request URL from /not_here to /here.html.

So lets write the AppShape++ script:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
attach group  Continue reading

Why Far-Flung Parts of the Internet Broke Today

VolumeDrive is a Pennsylvania-based hosting company that uses Cogent and (since late May of this year) Atrato for Internet transit. A routing leak this morning by VolumeDrive was passed on to the global Internet by Atrato causing disruptions to traffic in places as far-flung from the USA as Pakistan and Bulgaria.

Background

The way Internet transit is supposed to work in BGP is that a provider announces the global routing table to its customers (i.e., a large number of routes). Then, in turn, the customers announce local routes to their respective providers (generally a small number of routes). Each customer selects the routes it prefers from the options it receives. When a transit customer accidentally announces the global routing table to back one of its providers, things get messy. This is what happened earlier today and it had far-reaching consequences.

At 06:49 UTC this morning (18-September), VolumeDrive (AS46664) began announcing to Atrato (AS5580) nearly all the BGP routes it learned from Cogent (AS174). The resulting AS paths were of the following format:

    … 5580 46664 174 …

Normally, VolumeDrive announces 39 prefixes (networks) to Atrato: 27 it originates itself and 12 it transits for two of its downstream Continue reading

ThousandEyes Network Monitoring Use Cases

ThousandEyes is a network monitoring company who’s shining a light on the darkened portion of the network path you don’t own. Rather than the Internet appearing to an enterprise as a generic cloud where magic happens, ThousandEyes looks inside the cloud, revealing details about how your enterprise gets to remote services. For example, […]

CCIE SP — Experience

I have passed the CCIE SP Lab . I will share my experience here. I will only share things pertaining to the SP lab.

>Dont forget to take the config backup before starting the LAB
>Notepad is your  best friend in lab. Many configurations are repetitive. You will save time and reduce the chance of making a mistake by using it.
>Read the LAB end to end carefully before starting.
>Speed and Accuracy is imp ingrediant to pass the LAB.
>Proctator wont help you much after providing intial instruction.You need to listen carefully to protector.
>I lost access to all the device while labbing.I asked protector to help but he advised to check myself.I cleared power cycle and got the access back.
>IMP : Don’t forget to create the BGP_PASS RPL to allow eBGP routes to pass.

Questions are welcome.I would try my best to help you .

Smiles
Crazyrouter


Let’s Talk About NewPosThings

by Dennis Schwarz and Dave Loftus

NewPosThings is a point of sale (PoS) malware family that ASERT has been tracking for a few weeks. It operates similarly to other PoS malware by memory scraping processes looking for credit card track data and then exfiltrating the spoils to a command and control (C2) server. Based on compilation times, it has been in active development since at least October 20, 2013—with the latest timestamp being August 12, 2014. Since we haven’t come across any public details of this family, we’re releasing our malware analysis for posterity and to get ahead of the threat.

The analyzed sample has an MD5 of 4196c67648003a18f61573a77b6d3be6.

Naming

Its name comes from an embedded PDB pathname string from the analyzed sample:

C:UsersTomdocumentsvisual studio 2012ProjectsNewPosThingsReleaseNewPosThings.pdb

Initialization

The malware initializes itself as follows:

  • Sets some insecure file flags in the Registry:
    • “LowRiskFileTypes” in “HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesAssociations”
    • “1806” in “HKCUSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZones”
  • Copies itself to “%APPDATA%JavaJavaUpdate.exe”
  • Checks whether it is running as 64-bit and if so, exits with a MessageBox of “Use 64bit version.”
  • Kills any existing “JavaUpdate.exe” processes
  • Sets up Registry Run persistence (HKCUSoftwareMicrosoftWindowsCurrentVersionRun) under “Java Update Manager”
  • Executes copied executable passing the original executable’s pathname and “RM” as Continue reading
1 3,623 3,624 3,625 3,626 3,627 3,759