Disappointed With Check Point
I have recently started working with Check Point products again, after a 5-year break. This has given me a different perspective on how they are progressing. It has been disappointing to see that they’re still suffering from some of the same old bugs. Some of the core functionality is now showing its age, and is no longer appropriate for modern networks.
When you’re using a product or technology on a regular basis, it can be hard to accurately gauge progress. Maybe it feels like there are only incremental changes, with nothing major happening. But then you come across a 5-year old system, and you realise just how far we’ve come. If you don’t think iOS is changing much, find some videos of the first iPhones.
The opposite is when it feels like there are many regular enhancements…but when you step back you see that core product issues are not dealt with. It can be hard to see this when you’re working at the coal-face. You need to step away, work with other products and systems, then return.
That’s what I’ve done with Check Point recently. Through much of the 2000s, I did a huge amount of work with Check Point firewalls. Continue reading
Plexxi Pulse – This Week at Strata + Hadoop World
This week we joined thousands of thought leaders, analysts, vendors and end-users at the O’Reilly Strata + Hadoop World in New York. This event brings together the business and science of Big Data, allowing attendees to learn about emerging technologies through case studies and guest speakers. It’s been a busy week featuring excellent speakers from all over, including The New York Times and Cloudera. While we’re veterans of other industry events such as Interop and VMworld, we’re newbies here, so it’s exciting to experience this all for the first time. Judging by how things have gone so far, you can bet we’ll be back next year for more.
In this week’s PlexxiTube video of the week, Dan Backman highlights how Plexxi integrates with VMware.
Below are our best reads of the week – enjoy!
Data Center SDN growing 65% this year
In a recent article in Network World, Jim Duffy highlights the massive growth within the datacenter market – evidenced by a 65 percent growth in 2014 as reported by the Dell’Oro Group. Personally, I think it will be interesting to see if SDN survives as a separate feature out of the larger networking market. If the datacenter Continue reading
AnsibleFest San Francisco 2014 Recap
For those unable to attend AnsibleFest San Francisco, or those just looking for a copy of presentations, below you'll find links to most of them:
Continue readingMonospaced Fonts and Command Line
Recently I've been on a search for a 'better' font to use in terminals. In an unrelated coincidence, I learned about anti-aliasing, I still don't understand it but it makes a difference.
The post Monospaced Fonts and Command Line appeared first on EtherealMind.
Congratulations on the Birth of SocketPlane!
I wanted to take a quick moment to offer up my congratulations, and share the news about SocketPlane. Their press release announcing that they had received investment from LightSpeed Venture Partners says: SAN FRANCISCO, October 15, 2014 – Today SocketPlane, an … Continue reading
If you liked this post, please do click through to the source at Congratulations on the Birth of SocketPlane! and give me a share/like. Thank you!
The FBI’s statements are Orwellian
Recently, FBI Director James Comey gave a speech at the Brookings Institute decrying crypto. It was transparently Orwellian, arguing for a police-state. In this post, I'll demonstrate why, quoting bits of the speech."the FBI has a sworn duty to keep every American safe from crime and terrorism"
"The people of the FBI are sworn to protect both security and liberty"
"The people of the FBI are sworn to protect both security and liberty"
This is not true. The FBI's oath is to "defend the Constitution". Nowhere in the oath does it say "protect security" or "keep people safe".
This detail is important. Tyrants suppress civil liberties in the name of national security and public safety. This oath taken by FBI agents, military personnel, and the even the president, is designed to prevent such tyrannies.
Comey repeatedly claims that FBI agents both understand their duty and are committed to it. That Comey himself misunderstands his oath disproves both assertions. This reinforces our belief that FBI agents do not see their duty as protecting our rights, but instead see rights as an impediment in pursuit of some other duty.
Freedom is Danger
The book 1984 describes the concept of "doublethink", with political slogans as examples: "War is Peace", "Ignorance is Strength", and Continue reading
This detail is important. Tyrants suppress civil liberties in the name of national security and public safety. This oath taken by FBI agents, military personnel, and the even the president, is designed to prevent such tyrannies.
Comey repeatedly claims that FBI agents both understand their duty and are committed to it. That Comey himself misunderstands his oath disproves both assertions. This reinforces our belief that FBI agents do not see their duty as protecting our rights, but instead see rights as an impediment in pursuit of some other duty.
Freedom is Danger
The book 1984 describes the concept of "doublethink", with political slogans as examples: "War is Peace", "Ignorance is Strength", and Continue reading
Workload Mobility and Reality: Bandwidth Constraints
People talking about long-distance workload mobility and cloudbursting often forget the physical reality documented in the fallacies of distributed computing. Today we’ll focus on bandwidth, in a follow-up blog post we’ll deal with its ugly cousin latency.
TL&DR summary: If you plan to spread application components across the network without understanding their network requirements, you’ll get the results you deserve.
Read more ...Application Routes with onePK and the Need for Better Libraries
It’s been some time since I wrote about Cisco’s onePK. In this post, I’ll look at some of the good and the bad of onePK and also show an example of how to add a route to a device running onePK to help make a few points along the way.
The Bad
I’ve never heard anyone speak positively about onePK and I’m not sure I 100% agree, but I’ll save the positivity for the next section. onePK is a thick Software Development Kit (SDK). If you are a network engineer looking to learn to program from the ground up, it may NOT be the BEST place to start. That said, if you are looking to learn about object oriented programming, listener APIs, etc., and can spare some time, it’s a great place to start. If you’re already a developer, it probably won’t be much different compared to learning any other SDK.
Another thing to be weary of is that onePK was not intended to be a configuration API. I voiced my opinion on this already and I do think things are headed in the right direction, but it always helps knowing the history. Continue reading
I’ve never heard anyone speak positively about onePK and I’m not sure I 100% agree, but I’ll save the positivity for the next section. onePK is a thick Software Development Kit (SDK). If you are a network engineer looking to learn to program from the ground up, it may NOT be the BEST place to start. That said, if you are looking to learn about object oriented programming, listener APIs, etc., and can spare some time, it’s a great place to start. If you’re already a developer, it probably won’t be much different compared to learning any other SDK.
Another thing to be weary of is that onePK was not intended to be a configuration API. I voiced my opinion on this already and I do think things are headed in the right direction, but it always helps knowing the history. Continue reading
Automating the Cabbage Patch Network Today (2014)
“Sometimes my head is a bit of an idiot” is something my daughter might say and that happens to me too, if that time is today and this article, let me know. If you don’t get the Cabbage Patch reference and its juxtaposition to automation, see here. I’ve tried to avoid sarcasm (and arrogance) but have […]
Author information
The post Automating the Cabbage Patch Network Today (2014) appeared first on Packet Pushers Podcast and was written by Steven Iveson.
IOS: show tcp vty
On Cisco IOS, this is a very useful command "show tcp vty xx" to show TCP statistics of the VTY session. If you think your terminal is running slow because of packet loss or delay then this command will provide visibility. The other cause is the CPU/Memory running slow if you don't see any errors on the TCP (as you can see below).
The post IOS: show tcp vty appeared first on EtherealMind.
Cisco ACI Fabric Forwarding In A Nutshell
As I study software defined networking architectures, I’ve observed that none of them are exactly alike. There are common approaches, but once diving into the details of what’s being done and how, even the common approaches seem to have as many differences as similarities. One of the most interesting elements of SDN architectures […]Wrapping up the Debate
What do you want to be when you grow up? Can you picture it? Close your eyes. Now give your mental self a super-hero kind of outfit. What’s emblazoned on your shirt? What job roles do you think you’d like? What technology do you think you’d like to work with?
In the past, most networkers put some cert letters or logo on their mental super-hero selfie. However, I think that the changes in the networking industry mean that we need to pay a little more attention to building that future self-image through better professional development planning. Those plans help try and reach that ideal image of where we want to be in our careers – and how we go about planning our own development has to change along with the rapid changes in the networking industry.
Wrapping the Series
This really will be the last in this series, with posts related somehow to our Interop debate about traditional certs vs. SDN skills development. Here’s a list of the other posts in the series:
30 Blogs In 30 Days: Insanity?
So apparently, over at EtherealMind, that Greg Ferro chap is going slightly insane and has challenged himself and others to a “30 Blogs in 30 Days” challenge. Because I like Greg, I’m not going to make a big deal about … Continue reading
If you liked this post, please do click through to the source at 30 Blogs In 30 Days: Insanity? and give me a share/like. Thank you!
Drupal 7 SA-CORE-2014-005 SQL Injection Protection
Yesterday the Drupal Security Team released a critical security patch for Drupal 7 that fixes a very serious SQL injection vulnerability. At the same time we pushed an update to our Drupal WAF rules to mitigate this problem. Any customer using the WAF and with the Drupal ruleset enabled will have received automatic protection.
Rule D0002 provides protection against this vulnerability. If you do not have that ruleset enabled and are using Drupal clicking the ON button next to CloudFlare Drupal in the WAF Settings will enable protection immediately.
CloudFlare WAF protection can help mitigate vulnerabilities like this, but it is vital that Drupal 7 users upgrade to the safe version of Drupal immediately.
The network won’t fit in your head anymore
Triggered by a discussion with a customer yesterday, it occurred to me (again?) that network engineers are creatures of habit and control. We have strong beliefs of how networks should be architected, designed and build. We have done so for long times and understand it well. We have tweaked our methods, our tools, our configuration templates. We understand our networks inside out. We have a very clear mental view of how they behave and how packets get forwarded, how they should be forwarded. It’s comfort, it’s habit, we feel (mostly) in control of the network because we have a clear model in our head.
I don’t believe this is a network engineering trait per se. Software engineers want to understand algorithms inside out, they want to understand the data modeling, types structures and relationships.
Uncomfortable
Many of us know the feeling. Something new comes around and it’s hard to put your head around it. It challenges the status quo, it changes how we do things, it changes what we (think we) know. When we are giving responsibility of something new, there is a desire to understand “it” inside out, as a mechanism to be able to control “it”.
Border6 Non-Stop Internet: a Commercial BGP-Based SDN
Several SDN solutions that coexist with the traditional control- and data planes instead of ripping them out and replacing them with the new awesomesauce use BGP to modify the network’s forwarding behavior.
Border6 decided to turn that concept into a commercial product that we dissected in Episode 12 of Software Gone Wild podcast.
Enjoy the show (this time in video format).
Automation – Is the cart before the horse?
Over the last year I’ve had the opportunity to hear about lots of new and exciting products in the network and virtualization world. The one clear takeaway from all of these meetings has been that the vendors are putting a lot of their focus into ensuring their product can be automated. While I agree that any new product on the market needs to have a robust interface, I’m also sort of shocked at the way many vendors are approaching this. Before I go further, let me clarify two points. First, when I say ‘interface’ I’m purposefully being generic. An interface can be a user interface, it could be a REST interface, a Python interface, etc. Basically, its any means in which I, or something else, can interact with the product. Secondly, I’ll be the first person to tell you that any new product I look at should have a usable REST API interface. Why do I want REST? Simple, because I know that’s something that most automation tools or orchestrators can consume.
So what’s driving this? Why are we all of a sudden consumed with the need to automate Continue reading
IPv6 to IPv4 basic setup
Lab goal
Configure Alteon to serve IPv6 clients. The servers should use IPv4.
The IPv6 VIP should be fc00:85::10.
The IPv6 VIP should be fc00:85::10.
Setup
The loadbalancer is Radware's Alteon VA version 29.5.1.0
The initial Alteon VA configuration can be found here.
Below is the IPv4 real servers configuration which we will use as a base config.
Below is the IPv4 real servers configuration which we will use as a base config.
1 | /c/slb/real 1 |
Alteon configuration
All we need to do is create a new virt/VIP and assign it with IPv6 address.
Notice that we need the pip which is Proxy IP, a.k.a SNAT. Since we translating from IPv6 to IPv4 we need Alteon to act as a proxy and for that it needs IPv4 address to communicate with the real servers.
1 | /c/slb/virt v6_85_10 |
Notice that we need the pip which is Proxy IP, a.k.a SNAT. Since we translating from IPv6 to IPv4 we need Alteon to act as a proxy and for that it needs IPv4 address to communicate with the real servers.
Test
Summary
That was really simple, wasn't it? Just change the virt/VIP to be IPv6 and we have IPv6 to IPv6 gateway.
Killer Apps in the Gigabit Age | Pew Research Center’s Internet & American Life Project
Very, very funny quote in the Pew Research Report: How could people benefit from a gigabit network? One expert in this study, David Weinberger, a senior researcher at Harvard’s Berkman Center for Internet & Society, predicted, “There will be full, always-on, 360-degree environmental awareness, a semantic overlay on the real world, and full-presence massive open […]
The post Killer Apps in the Gigabit Age | Pew Research Center’s Internet & American Life Project appeared first on EtherealMind.