Masscan does STARTTLS

Just a quick note: I've updated my port-scanner masscan to support STARTTLS, including Heartbleed checks. Thus, if you scan:

masscan 192.168.0.0/16 -p0-65535 --banners --heartbleed

...then it'll find not only all vulnerable SSL servers, but also vulnerable SMTP/POP3/IMAP4/FTP servers using STARTTLS.

The issue is that there are two ways unencrypted protocols can support SSL. One is to assign a new port number (like 443 instead of 80), establish the SSL connection first, then the normal protocol second within the encrypted tunnel. The second way is the method SMTP uses: it starts the normal unencrypted SMTP session, then issues the "STARTTLS" command to convert the connection to SSL, then continue with SMTP encrypted.

Here's what a scan will look like:

Banner on port 143/tcp on 198.51.100.42: [ssl] cipher:0x39 , imap.example.com  
Banner on port 143/tcp on 198.51.100.42: [vuln] SSL[heartbeat] SSL[HEARTBLEED] 
Banner on port 143/tcp on 198.51.100.42: [imap] * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5] Dovecot ready.x0a* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5x0aa001 OK Capability completed.x0aa002

Because of the --banners option, we see the normal Continue reading

Docker & VMware: 1 + 1 = 3

BLOG-POST-VMWARE Today at VMworld we’re excited to announce a broad partnership with VMware.  The objective is to provide enterprise IT customers with joint solutions that combine the application lifecycle speed and environment interoperability of the Docker platform with the security, reliability, and management of VMware infrastructure.  To deliver this “better together” solution to customers, Docker and VMware are collaborating on a wide range of product, sales, and marketing initiatives. Why join forces now?  In its first 12 months Docker usage rapidly spread among startups and early adopters who valued the platform’s ability to separate the concerns of application development management from those of infrastructure provisioning, configuration, and operations.  Docker gave these early users a new, faster way to build distributed apps as well as a “write once, run anywhere” choice of deployment from laptops to bare metal to VMs to private and public clouds.  These benefits have been widely welcomed and embraced, as reflected in some of our adoption metrics:

  • 13 million downloads of the Docker Engine
  • 30,000 “Dockerized” applications on Docker Hub
  • 14,000 stars on GitHub
  • 570 contributors

In its second year, Docker usage continues to spread and is now experiencing mass adoption by enterprise IT organizations.  These organizations span Continue reading

Why I gave up Networking for Software

It's now been 3 months since I transitioned from Networking to Software. This is a retrospective piece on my reasons for giving up on Networking.

Introduction

You might be reading this thinking:

"another networking guy moving to software... network engineering is doomed".

If you are, stop thinking right now. There is one important thing about my story that is very different. I've been writing software for longer than I have been doing networking albeit not in a professional capacity. Software Engineering is where my passion lies right now and let me explain why...

My Reasons

1. DevOps

DevOps for Networking is still, very slowly, becoming reality. Elsewhere DevOps is very much in full swing. Tools like:

Vagrant, Packer, Puppet, Chef, SaltStack, Ansible, Fig, Docker, Jenkins/TravisCI, Dokku, Heroku, OpenShift (the list goes on)...

have redefined how I work and being in an environment where I can build things with them day to day is a dream come true for me.

I get gersburms just thinking about building Continous Integration/Continous Delivery Pipelines, Automated creation of Dev/Test environments and Configuration as Code.

2. SDN

Software-Defined Networking was the turning point in my career. It enabled me to make the switch in career paths Continue reading

Is SDN API directionality absurd?

I was finally catching up on a number of posts I'd saved to read later and noticed the prevalent use of "Northbound" and "Southbound". I'm now starting to question whether these terms are necessary or accurate.

Dictionary definition

Let's start with the Oxford English Dictionary definition of these terms.

northbound | ˈnɔːθbaʊnd | adjective travelling or leading towards the north: northbound traffic.

southbound | ˈsaʊθbaʊnd | adjective travelling or leading towards the south: southbound traffic | the southbound carriageway of the A1.

As our interfaces are static and can't travel one can assume the intent of these adjectives in our context is to indicate that the interfaces are leading in the specified direction.

On Directionality as a descriptor

Categorizing an API by directionality is rather perplexing IMHO.

Specify directionality without a reference point is misleading For example, OVSDB is a northbound API for Open vSwitch but southbound API for an SDN controller.

For SDN controllers, there are two types of interfaces:

User-Facing or Application-Facing (formerly Northbound) This API is designed to expose higher-order functions in such a way that they can easily be consumed by humans and programmers. By this logic, we can include any " API's" or language bindings Continue reading

Community Show – CCNA Data Center Part1 with Anthony Sequeira and Orhan Ergun

[player] In this first part of CCNA Datacenter sessions , Anthony Sequeira and Orhan Ergun are talking about the topics in the blueprint. They identify all the technologies which you should know for the CCNA Datacenter exam. Topics include : DCICN exam which is the first exam. DCICT exam which is the second exam. Datacenter […]

The post Community Show – CCNA Data Center Part1 with Anthony Sequeira and Orhan Ergun appeared first on Packet Pushers.

Community Show – CCNA Data Center Part1 with Anthony Sequeira and Orhan Ergun

In this first part of CCNA Datacenter sessions , Anthony Sequeira and Orhan Ergun are talking about the topics in the blueprint. They identify all the technologies which you should know for the CCNA Datacenter exam. Topics include : DCICN exam which is the first exam. DCICT exam which is the second exam. Datacenter Fundamentals, […]

Author information

Orhan Ergun

Orhan Ergun, CCIE, CCDE, is a network architect mostly focused on service providers, data centers, virtualization and security.

He has more than 10 years in IT, and has worked on many network design and deployment projects.

In addition, Orhan is a:

Blogger at Network Computing.
Blogger and podcaster at Packet Pushers.
Manager of Google CCDE Group.
On Twitter @OrhanErgunCCDE

The post Community Show – CCNA Data Center Part1 with Anthony Sequeira and Orhan Ergun appeared first on Packet Pushers Podcast and was written by Orhan Ergun.

A Quick Look at MPLS-TE

Introduction

I’m currently designing and implementing a large network which will run MPLS.
This network will replace an old network that was mainly L2 based and did not
run MPLS, only VRF lite. There are a few customers that need to have diverse
paths in the network and quick convergence when a failure occurs.
This led me to consider MPLS-TE for those customers and to have plain MPLS
through LDP for other customers buying VPNs. What is the usage for MPLS-TE?

Weaknesses of IGP

When using normal IP forwarding a least cost path is calculated through an IGP,
such as OSPF or ISIS. The problem though is that only the least cost path will
be utilized, any links not on the best path will sit idle, which is a waste of
bandwidth. IGP metrics can be manipulated but that only moves the problem to
other links, it does not solve the root cause. Manipulating metrics is cumbersome
and prone to error. It’s difficult to think of all the traffic flows in the network
and get all the metrics correct. IGPs also lack the granularity in metrics to
utilize all the bandwidth in the network.

RSVP-TE

RSVP in the past was Continue reading

Finally: a Virtual Switch Supports BPDU Guard

Nexus 1000V release 5.2(1)SV3(1.1) was published on August 22nd (I’m positive that has nothing to do with VMworld starting tomorrow) and I found this gem in the release notes:

Enabling BPDU guard causes the Cisco Nexus 1000V to detect these spurious BPDUs and shut down the virtual machine adapters (the origination BPDUs), thereby avoiding loops.

It took them almost three years, but we finally have BPDU guard on a layer-2 virtual switch (why does it matter). Nice!

Response – Do We Need To Redefine Open?

Tom Hollingsworth wrote a great post on whether or not we need to redefine "Open". My response was too long for a comment, so here it is!

Open Source vs Free Software

The first item is just a point of clarification. While the terms "Open Source" and "Free Software" are often used interchangeably there is a difference.

The two terms describe almost the same category of software, but they stand for views based on fundamentally different values. Open source is a development methodology; free software is a social movement. - Richard Stallman

You can read the full article here but the TL;DR version is that while a high percentage of Open Source software is Free Software, the definition of Open Source is less strict about guaranteeing freedoms.

...with that out of the way, let's move to "open"

On "open" and "openness"

I like the Wikipedia description of "openness":

Openness is an overarching concept or philosophy that is characterized by an emphasis on transparency and free unrestricted access to knowledge and information as well as collaborative or cooperative management and decision making rather than a central authority. - Wikipedia

It highlights some key terms which our "open" things should be adhering Continue reading

Fun with Fig (and Docker)

I first heard of Fig when I read about Docker acquiring Orchard, a container hosting service, back in July. Last week I finally got to read a little more about it and it just so happens it is the missing piece of the puzzle in a couple of projects that I am working on right now!

What does Fig do?

The best way I would describe Fig is like Vagrant for Docker containers. If you don't know what Vagrant is, or aren't using it then you are missing out!

Fig lets you bring up and tear down docker containers (single or multiple) with a simple command. To do this, you express the desired configuration in a YAML file, fig.yml.

Getting started

On OSX, you'll need to have an accessible Docker environment. The easiest way to do this is with Homebrew and boot2docker

brew install docker
brew install boot2docker
boot2docker init
boot2docker start
export DOCKER_HOST=tcp://$(boot2docker ip 2>/dev/null):2375
# Install Fig
pip install fig

If you don't have Python and/or pip installed you may want to install the fig binary

Writing a Fig file for Open vSwitch

Let's say you are doing some integration Continue reading

1 3,714 3,715 3,716 3,717 3,718 3,842