NetworkingNexus.net

IDP – FN, TN, TP, FP

I have talked with a few security administrators that seem to struggle with the understanding of FN, TN, FP, TP. I have decided to try to create a simple method to remember.

True/False = This either CORRECTLY or INCORRECTLY identifies an attack
Positive/Negative = This performs and event that takes an ACTION or is ACTION-LESS

True Positive (TP) - A legitimate attack (CORRECTLY) which triggers an IDP to produce and alarm/alert or mitigate the risk (ACTION)

False Positive (FP) - An IDP believes there is an attack taking place (INCORRECTLY) and produces an alarm/alert or mitigates the risk (ACTION).This can cause disrupt legitimate traffic and flood your IDP with alerts drowning real alerts that may be taking place. Some traffic that may cause false positives include:

Legitimate applications that do not follow RFC's
Legitimate traffic in one part of an organization that may not follow normal behaviors in another part of the organization causing alerts.
Signatures that we written poorly and identify both legitimate and illegitimate traffic.

False Negative (FN) - There is an attack that has NOT been identified (INCORRECTLY) and no alarm/alert/mitigation was raised (ACTION-LESS). This causes a false sense of security. This can be caused for a variety Continue reading

When Am I Going to Use This?

I imagine that prior to the industrial revolution, people didn’t struggle with niche skillsets that didn’t transfer. They didn’t need to wonder if they were spending countless hours learning something with no particular use outside their current job, listen to well-meaning friends and spouses assure them they’re worrying about nothing, only to face a layoff […]

Author information

Keith Tokash

Keith Tokash, CCIE (R&S) #21236, began his career in 1999, and has spent the last decade running around large content and small ISP networks. He spends his spare time with his newborn son, on the mat at the local Jiu-Jitsu gym, and trying to keep his fat yap shut.

The post When Am I Going to Use This? appeared first on Packet Pushers Podcast and was written by Keith Tokash.

Show 141 – The Pace of Change Is Picking Up – #NFD5 Discussion

Greg Ferro and Ethan Banks of PacketPushers.net host a discussion with Dr. Peter Welcher, Brent Salisbury, and Stephen Foskett about many of the presentations from the Network Field Day 5 event held March 6-8, 2013 in San Jose, California. The leading podcast topic was software defined networking, as that was the vendor focus during the […]

Author information

Ethan Banks

Co-host at Packet Pushers

Ethan Banks, CCIE #20655, has been managing networks for higher ed, government, financials and high tech since 1995. Ethan co-hosts the Packet Pushers Podcast, which has seen over 3M downloads and reaches over 10K listeners. With whatever time is left, Ethan writes for fun & profit, studies for certifications, and enjoys science fiction. @ecbanks

The post Show 141 – The Pace of Change Is Picking Up – #NFD5 Discussion appeared first on Packet Pushers Podcast and was written by Ethan Banks.

Testing AAA Authentication with ACS – Part 1

Confirming that local authentication on the switch and ACS is working after you finished your configuration perform the following:

Run the "test" command on the switch

sw1#test aaa group tacacs+ ro PASSWORD legacy

Attempting authentication test to server-group tacacs+ using tacacs+

User was successfully authenticated.

sw1#test aaa group tacacs+ admin99 PASSWORD legacy

Attempting authentication test to server-group tacacs+ using tacacs+

User authentication request was rejected by server.

Even though the second attempt was rejected it still confirms that ACS rejected the request and is fully operational.

Step 1. Lets have a look at the ACS server. Once logged in navigate to "Monitoring and Reports" and click "Launch Monitoring and Report Viewer"

Step 2. A new window pops up. Navigate to "Reports", "Catalog", and click "AAA Protocols".

Step 3. On the right pain under reports click "TACACS Authentication. As you can see the first 2 entries correlate to what was seen on the switch. A pass and a fail.

Step 4. Lets look at some more details by clicking the magnifying glass under details. Lets look at the authentication that passed. As you can see there is alot of details. The big thing here is the "Status"

Step 5. Lets look Continue reading

MPLS LDP-IGP Synchronization

This post represents the solution and explanation for quiz-8. Adding a new link into the MPLS cloud created an outage for the customer. Read to understand how LDP-IGP Synchronization might help.

Firewalls: Expensive, Broken Routers

In a previous post on IPS, I made a fairly negative comment on the value that you get from enterprise firewalls in the modern environment. At the time, I said that I was just going leave that comment hanging and see what happened. Well, precisely no one challenged me on it, which means either everybody […]

Author information

Neil Anderson

Neil is a freelance network security architect and contractor working with a number of clients in Scotland and Europe. He is CCIE #18705 and also holds a CISSP. He can often be found sampling beer in remote locations and ranting about tech to anyone too stupid to run away. If you're very unlucky, he may talk to you in Gaelic.

Neil can be occasionally be found on Twitter.

The post Firewalls: Expensive, Broken Routers appeared first on Packet Pushers Podcast and was written by Neil Anderson.

Using IP SLA Delay Feature to Safely Monitor Lossy Links

IP SLA is a great feature if you want to add some automation and intelligence into the network. SLA is no SDN/OpenFlow, but it can be very useful. It can also take down a network. Let’s say you are using DMVPN for a number of spoke locations in your network. You have a primary Internet […]

Author information

Charles Galler

Charles is a network and UC engineer for an integrator. He has worked in the networking industry for about 15 years. He started as a network administrator for a small CLEC (carrier) where he did it all in internal IT and worked on the carrier network. After the CLEC, Charles went to work for a large healthcare organization in the Houston area and stayed with them for about three and a half years. Now he works for a reseller in the professional services part of the organization. He is currently studying for his CCIE in Routing and Switching and plans on passing it sometime. You can find him on the Twitter @twidfeki.

The post Using IP SLA Delay Feature to Safely Monitor Lossy Links appeared first on Packet Pushers Podcast and was written by Charles Galler.

Compiling Firmware for Opengear ACM5000

Opengear gave me two ACM5000 units as a part of my attendance at Network Field Day 4 in October of last year. The gift has not influenced my opinion of the company nor their product: I continue to think they're a bunch of amazingly clever people, and that they make the best out-of-band access equipment on the market. I recommend them without hesitation nor reservation.

I've been waiting anxiously for the release of the Custom Development Kit (CDK) based on release 3.6 code, and it's finally out. The README that comes with the CDK is a bit dated, and not super easy to follow, so I'm sharing my notes on rolling custom firmware here.

I started with Ubuntu 12.04.2 Server i386 installed inside VMware Fusion on my MacBook. I pretty much took the defaults, allowing VMware to manage the install for me (how cool is this feature?)

Remote Access
Pretty soon I was looking at an Ubuntu login prompt in the VMware console, I logged in and then did:

sudo apt-get -y update
sudo apt-get -y upgrade
sudo apt-get -y install openssh-server
ifconfig eth0

Downloads

Now I could log in via SSH, so I was done Continue reading

Weird NX-OS stuff

Some weird NX-OS stuff!

For enabling 'FEX' feature on the Nexus 7K switches, following steps are required:

config t

vdc Production

install feature-set fex

feature-set fex

Wonder why FEX cannot be enabled by entering feature fex or feature-set fex on the switch.

When you do a 'show feature', FEX shows up as disabled. On a 'show feature-set', FEX shows up as enabled.

After configuring an interface as a fex-fabric mode,

Cisco developed two commands on NX-OS to do the same thing. Define a hostname for the switch. 'switchname' and 'hostname'.

No feedback really required here. Boring post. I could just delete it. Naah I'll keep it. Peace m/.

Nexus 7000 vPC configuration

vPC configuration on a pair of NX7K switches

For a pair of Nexus 7009 switches running NX-OS 6.0(4), configuring vPC (virtual Port Channel) was an easy breezy task. In a few minutes and less than 15 commands, the two switches stood up as a vPC pair. There are 3 non default VDCs and each VDC has its own vPC domain, vpc peer-links and vpc peer-keepalive links. Cisco recommends each VDC has its own unique vPC domain ID. The port-channel ID need not be unique across the VDCs. Also, vPC will not work if port-channel members are interfaces allocated to separate VDCs.

On the CLI, switch to the non default VDC.

Each feature needs to be enabled on individual VDCs. Simply enabling it on the admin VDC does not propagate the features to the non default VDCs. For vPC, we need link aggregation control protocol for port-channel load-balancing (LACP) and the vPC feature.

feature lacp

feature vpc

The two switches need to exchange heartbeats to maintain a vPC role over the vPC keep alive links. Cisco recommends this traffic must be isolated to a VRF. If we do not specify a VRF for the keep alive link, by default Continue reading

VPN-IPSEC

Its been a while but I am going to try to post weekly.

Here is a sample configuration for IPSEC VPN between in 2 routers.
Note: 172.16.1.X/32 are loopback interfaces.

R1
Define IKE Phase 1 Policy (ISAKMP)
(config)#crytpo isakmp policy 10
(config-isakmp)#encryption aes 256
(config-isakmp)#authentication pre-share
(config-isakmp)#hash sha
(config-isakmp)#group 2

Define pre-shared key
(config)#crypto isakmp key 0 $pass@word$ address 192.168.1.2

Define IKE Phase 2 Policy (IPSEC)
(config)#crypto ipsec transform-set TRANS-R1-R2 esp-aes 256 esp-sha-hmac

Create ACL to match interesting traffic
(config)#access-list 150 permit ip 172.16.1.1 0.0.0.0 172.16.1.2 0.0.0.0

Create Crypto Map
(config)#crypto map VPN-MAP-R1-R2 10 ipsec-isakmp
(config-crypto-map)#set peer 192.168.1.2
(config-crypto-map)#set transform-set TRANS-R1-R2
(config-crypto-map)#match address 150

Apply Cypto Map to Interface
(config)#interface fas0
(config-if)#crypto map VPN-MAP-R1-R2

Create a route
(config)#ip route 172.16.1.2 255.255.255.255 fas0

R2
Define IKE Phase 1 Policy (ISAKMP)
(config)#crytpo isakmp policy 10
(config-isakmp)#encryption aes 256
(config-isakmp)#authentication pre-share
(config-isakmp)#hash sha
(config-isakmp)#group 2

Define pre-shared key
(config)#crypto isakmp kep 0 $pass@word$ address 192.168.1.1

Define IKE Phase 2 Policy (IPSEC)
(config)#crypto ipsec transform-set TRANS-R1-R2 esp-aes 256 esp-sha-hmac

Create ACL to match interesting Continue reading

IPv6 Next-Hop Best Practices

The concept of a link-local address is new to some, seeing as the term is not widely talked about in IPv4 circles, despite the fact that some folks see them daily. In IPv4, the range 169.254.1.0 through 169.254.254.255 has been reserved for this purpose. You may see this in the “ipconfig” output of a windows host that failed to pull a DHCP address. In IPv6, fe80::/10 is reserved for this purpose, though link-local addresses are always configured with a fe80::/64 prefix.

IPv6 Next-Hop Best Practices

Surprised by Spam

I attended my first in person meeting of the ISOC Advisory Council this last week — I’m a newly minted co-chair, and already haven’t been participating as much as I should (just like I don’t blog here as much as I should, a situation I’m undertaking to resolve!). We had a long discussion on the […]

Author information

Russ White

Principal Engineer at Ericsson

Russ White has scribbled a basket of books, penned a plethora of patents, written a raft of RFCs, taught a trencher of classes, nibbled and noodled at a lot of networks, and done a lot of other stuff you either already know about — or don't really care about. You can find Russ at 'net Work, the Internet Protocol Journal, and his author page on Amazon.

The post Surprised by Spam appeared first on Packet Pushers Podcast and was written by Russ White.

IPv6 Host Networking and Insomnia

I’ve been running IPv6 on my home network for a while. The solution in place has evolved over time, from terminating tunnels to a linux VM using gogo6 all the way to front-ending with a Cisco ISR using Hurricane Electric, the goal has always been the same - to practice what I preach. Running IPv6 at home and REFUSING to turn it off when problems arise is one of the best ways to learn the protocol.

IPv6 Host Networking and Insomnia

Juniper PTX3000 – thin is in…

Juniper just launched the PTX3000, which has some nice features – such as being small enough to be installed by one technician, and pushing 0.5Gbps per cubic inch. The thing is, we still can’t work out who is going to buy these things…

Anywhoo, here’s the info on the Juniper website, with a nice side-view so you can marvel at its 10 inches:

http://www.juniper.net/us/en/dm/ptx-3000/?utm_source=promo&utm_medium=home_page&utm_content=carousel&utm_campaign=ptx3000

Six Things About F5 BIGIP v11 iApps

F5 Networks’ Local Traffic Manager (LTM) is my load balancer – okay, Application Delivery Controller, if you insist – of choice. The LTM platform is as feature-rich and well-supported as they come, with all sorts of customizability as well as the iRule scripting language (a superset of TCL) that lets you do fancy transaction manipulation. […]

Author information

Ethan Banks

Co-host at Packet Pushers

The post Six Things About F5 BIGIP v11 iApps appeared first on Packet Pushers Podcast and was written by Ethan Banks.

Administrative Distance, prefix length, metric… Who is the winner?

The Concept Procedural tasks Result table Conclusion The concept The idea of the lab is to test the RIB best route election criteria of a border router. To do so, four overlapping subnets are configured in different parts of the network and available to a border router through different routing protocols. One of them is […]

Packet Design Acquired by Private Equity Firm; Appoints New CEO

Leader in IP Network Route Analytics Receives Cash Infusion to Accelerate Growth

SANTA CLARA, CA — March 19, 2013 — Packet Design, the leading provider of IP network route analytics software announced today that it has been acquired by Lone Rock Technology Group, an Austin-based private equity firm specializing in enterprise software. S3 Ventures, an early stage venture firm with a focus on information technology and also based in Austin, joins Lone Rock as a major investor in the company. With the deal, Packet Design announced it has appointed Scott Sherwood, a network and systems management industry veteran, as its new CEO.

Since it was founded in 2003, Packet Design has pioneered the complex science of route analytics. Its patented technology provides unique visibility into routing and traffic behavior across the entire cloud. Network managers at hundreds of the largest service providers, mobile operators, cable and broadband providers, enterprises and government agencies spanning five continents rely on the intelligence Packet Design provides to optimize the performance and control of their networks.

“We believe Packet Design’s technology, world-class talent, and marquee customers position it extremely well in a market growing over 12% CAGR, and we are excited by the Continue reading

« Previous 1 … 3,794 3,795 3,796 3,797 3,798 … 3,832 Next »