OMG: VTP Is Insecure

One of my readers sent me an interesting pointer:

I just watched a YouTube video by a security researcher showing how a five line python script can be used to unilaterally configure a Cisco switch port connected to a host computer into a trunk port. It does this by forging a single virtual trunk protocol (VTP) packet. The host can then eavesdrop on broadcast traffic on all VLANs on the network, as well as prosecute man-in-the-middle of attacks.

I’d say that’s a “startling revelation” along the lines of “OMG, VXLAN is insecure” – a wonderful way for a security researcher to gain instant visibility. From a more pragmatic perspective, if you enable an insecure protocol on a user-facing port, you get the results you deserve1.

While I could end this blog post with the above flippant remark, it’s more fun considering two fundamental questions.

Read more …

OMG: VTP Is Insecure

One of my readers sent me an interesting pointer:

I just watched a YouTube video by a security researcher showing how a five line python script can be used to unilaterally configure a Cisco switch port connected to a host computer into a trunk port. It does this by forging a single virtual trunk protocol (VTP) packet. The host can then eavesdrop on broadcast traffic on all VLANs on the network, as well as prosecute man-in-the-middle of attacks.

I’d say that’s a “startling revelation” along the lines of “OMG, VXLAN is insecure” – a wonderful way for a security researcher to gain instant visibility. From a more pragmatic perspective, if you enable an insecure protocol on a user-facing port, you get the results you deserve1.

While I could end this blog post with the above flippant remark, it’s more fun considering two fundamental questions.

Read more …

Gratuitous ARP – GARP

GARP (Gratuitous ARP): Is an ARP message sent without request. Mainly used to notify other hosts in the network of a MAC address assignment change. When a host receives a GARP it either adds a new entry to the cache table or modifies an existing one. I will expand more about GARP in the next section, as it’s the one that concerns us most from a security point of view.

Gratuitous ARP

GARP messages

GARP Request: A regular ARP request that contains the source IP address as sender and target address, source MAC address as sender, and broadcast MAC address (ff:ff:ff:ff:ff:ff) as a target. There will be no reply to this request

GARP Reply: The source/destination IP addresses AND MAC addresses are set to the sender addresses. This message is sent to no request.

GARP Probe: When an interface goes up with a configured IP address, it sends a probe to make sure no other host is using the same IP; hence, preventing IP conflicts. A probe has the sender IP set to zeros (0.0.0.0), the target IP is the IP being probed, the sender MAC is the source MAC, and the target MAC address Continue reading

Major security vulnerability found in top servers

Security firm Binarly has discovered more than 20 vulnerabilities hiding in BIOS/UEFI software from a wide range of system vendors, including Intel, Microsoft, Lenovo, Dell, Fujitsu, HP, HPE, Siemens, and Bull Atos.Binarly found the issues were associated with the use of InsydeH20, a framework code used to build motherboard unified extensible firmware interfaces (UEFI), the interface between a computer’s operating system and firmware.[Get regularly scheduled insights by signing up for Network World newsletters.] All of the aforementioned vendors used Insyde’s firmware SDK for motherboard development. It is expected that similar types of vulnerabilities exist in other in-house and third-party BIOS-vendor products as well.To read this article in full, please click here

Major security vulnerability found in top servers

Security firm Binarly has discovered more than 20 vulnerabilities hiding in BIOS/UEFI software from a wide range of system vendors, including Intel, Microsoft, Lenovo, Dell, Fujitsu, HP, HPE, Siemens, and Bull Atos.Binarly found the issues were associated with the use of InsydeH20, a framework code used to build motherboard unified extensible firmware interfaces (UEFI), the interface between a computer’s operating system and firmware.[Get regularly scheduled insights by signing up for Network World newsletters.] All of the aforementioned vendors used Insyde’s firmware SDK for motherboard development. It is expected that similar types of vulnerabilities exist in other in-house and third-party BIOS-vendor products as well.To read this article in full, please click here

Major security vulnerability found in top servers

Security firm Binarly has discovered more than 20 vulnerabilities hiding in BIOS/UEFI software from a wide range of system vendors, including Intel, Microsoft, Lenovo, Dell, Fujitsu, HP, HPE, Siemens, and Bull Atos.Binarly found the issues were associated with the use of InsydeH20, a framework code used to build motherboard unified extensible firmware interfaces (UEFI), the interface between a computer’s operating system and firmware.[Get regularly scheduled insights by signing up for Network World newsletters.] All of the aforementioned vendors used Insyde’s firmware SDK for motherboard development. It is expected that similar types of vulnerabilities exist in other in-house and third-party BIOS-vendor products as well.To read this article in full, please click here

Pluribus named a Futuriom 40 Cloud Infrastructure and Communications Company

Scott Raynovich and the team at Futuriom have compiled their list of private companies that are making waves in cloud infrastructure. Futuriom knows this landscape and the customer trends thoroughly and recognizes companies that are innovating to stay ahead of the market, and delivering what customers need to achieve an agile cloud operating model across all of their distributed cloud locations.

2022 Futuriom 40 - Pluribus Networks is a Cloud Market LeaderPluribus is humbled and grateful to be named to the 2022 Futuriom 40, joining a group of companies that are all doing remarkable things in the cloud. As Scott points out in the report and in this Forbes article, the market for cloud technology innovation will remain strong, as “…in many cases, traditional enterprise networking architectures aren’t useful for connecting to the cloud applications and platforms.” Pluribus is dedicated to simplifying cloud networking as organizations grapple with the new realities of the distributed cloud.

Of the top trends in the report, one of them is focused on networking across distributed clouds. Futuriom describes it as follows:

Distributed Cloud Infrastructure: Networking and connectivity platforms need to be engineered to connect cloud resources ranging from the edge to the public cloud. This has computer, networking, and storage elements, Continue reading

Cost of banning Chinese 5G gear soars to $5.6B

Network providers have asked for $5.6 billion to cover the cost of replacing deployed wireless equipment made by Huawei and ZTE, whose gear has been banned from US carrier networks.Congress had set aside $1.9 billion for the program, but a preliminary total of applications for reimbursement revealed a shortfall of $3.7 billion. FCC Chairperson Jessica Rosenworcel seeks Congress to make up whatever the actual amount turns out to be.Wireless equipment manufactured by Huawei and ZTE have been placed on a restricted list by the Commerce Department over concern that they could be a security threat to the US.To read this article in full, please click here

Cisco tightens its SD-WAN ties with Microsoft

Cisco has released a new version of it SD-WAN software that adds the ability to reinforce links between remote users and Microsoft Office 365 applications and better support voice and video networks.The new features are part of the latest release of Cisco’s core SD-WAN software that  can control the connectivity, management, and services between data centers and remote branches or cloud instances.  SD-WAN deployments typically include routers and switches or virtualized customer-premises equipment (vCPE) all running some version of software that handles policy, security, networking functions, and other management tools.To read this article in full, please click here

Cisco tightens it SD-WAN ties with Microsoft

Cisco has released a new version of it SD-WAN software that adds the ability to reinforce links between remote users and Microsoft Office 365 applications and better support voice and video networks.The new features are part of the latest release of Cisco’s core SD-WAN software that  can control the connectivity, management, and services between data centers and remote branches or cloud instances.  SD-WAN deployments typically include routers and switches or virtualized customer-premises equipment (vCPE) all running some version of software that handles policy, security, networking functions, and other management tools.To read this article in full, please click here

Network Engineer Salary

Network Engineer Salary, Average Network Engineer Salary, and Senior Network Engineer Salary

Many people have been searching these words on OrhanErgun.Net for some time.

Many people also have been asking me, how much they can earn monthly if they start their Network Engineering career or if they change the country, as an experienced Senior Network Engineer how much they can get.

Check these courses on  CCNP Course and   CCIE course content for becoming a better Network Engineer and definitely getting a higher salary as well. 

I think the answer depends on many criterias. Since this post will be read by people all around the world, it is important to share some insights on the topic.

Before talking about dependencies, you should know some facts about the CCNA, CCNP, and CCIE certification. These are some of the most popular certifications which help you to get or change jobs. Of course, as of 2022, Cloud Computing and Network Automation jobs are getting very popular and there are some certifications for those technologies as well.

But I will use Cisco examples in this post.

Unlike CCDE, Cisco CCNP and Cisco CCIE Certification is known by the recruiters very Continue reading

is CCIE still worth it in 2022? CCIE vs Network Automation or something else?

Is CCIE still worth it in 2022?

I have been seeing this discussion on social media, especially Linkedin and Twitter for some time. In this post, I will be sharing my opinions on it and hope it can help the decision of some Network Engineers who follow our blog.

As of 2022, you may realize that many Evolving Technologies getting a lot of attention and I think, most of them deserve the attention.

These are SD-WAN, SDA, Cloud Computing, Network Automation and Programmability, SDN, IOT we can say. Of course, there are many other technologies if you are dealing with Security, Wireless, Service Provider, Datacenter or many other domains of IT.

But, as a certification, if we remember the subject of this post: Is CCIE still worth it in 2022?.

CCIE is not just a technology but as a certificate, deals with many technologies and products.

 

orhan ccie

 

And, there are many different CCIE Tracks. CCIE Enterprise is the most popular one and I will give my examples by using CCIE Enterprise Infrastructure Exam as it is the by far most popular and most well-known by the Network Engineering community.

CCIE Enterprise Infrastructure exam doesn’t only cover Continue reading

What Nvidia Can’t Buy, It Can Still Get Through An Arm Partnership

While a $1.25 billion hit to the Nvidia books after the company terminated its $40 billion deal to acquire chip designer Arm Holdings from Japanese conglomerate SoftBank Group this week is a big deal, the fact that Nvidia and SoftBank were going to see a lot of regulatory scrutiny and IT market resistance is no surprise.

What Nvidia Can’t Buy, It Can Still Get Through An Arm Partnership was written by Timothy Prickett Morgan at The Next Platform.

Chiplets: The First Step To Integrated Silicon Photonics For Faster Interconnects At Lower Cost

Merchant silicon applies Moore’s Law to Ethernet switching with astounding results, well documented by tech luminary Andy Bechtolsheim almost four years ago. Since then, switch chips have doubled their throughput to 25.6 Tbps, powering products with up to 64 400GbE interfaces. The problem arises when trying to transmit electrical signals off chip because the power […]

The post Chiplets: The First Step To Integrated Silicon Photonics For Faster Interconnects At Lower Cost appeared first on Packet Pushers.

Microsoft Brings eBPF to Windows

If  you want to run code to provide observability, security or network functionality, running it in the kernel of your operating system gives you a lot of power because that kernel can see and control everything on the system. That’s powerful, but potentially intrusive or dangerous if you get it wrong, whether that’s introducing a vulnerability or just slowing the system down. If you’re looking for a way to take advantage of that kind of privileged context without the potential danger, eBPF is emerging as an alternative — and now it’s coming to Windows. Not Just Networking Originally eBPF stood for “extended Berkeley Packet Filter”, updating the open source networking tool that puts a packet filter in the Linux kernel for higher performance packet tracing (now often called cBPF for classic BPF). But it’s now a generic mechanism for running many kinds of code safely in a privileged context by using a sandbox, with application monitoring, profiling and security workloads as well as networking, so it’s not really an acronym anymore. That privileged context doesn’t even have to be an OS kernel, although it still tends to be, with eBPF being a more stable and secure alternative to kernel modules Continue reading

Cisco NCS 5500 Series Routers

Cisco already supports industry standard sFlow telemetry across a range of products and the recent IOS-XR Release 7.5.1 extends support to Cisco NCS 5500 series routers.

Note: The NCS 5500 series routers also support Cisco Netflow. Rapidly detecting large flows, sFlow vs. NetFlow/IPFIX describes why you should choose sFlow if you are interested in real-time monitoring and control applications.
The following commands configure an NCS 5500 series router to sample packets at 1-in-20,000 and stream telemetry to an sFlow analyzer (192.127.0.1) on UDP port 6343.
flow exporter-map SF-EXP-MAP-1
 version sflow v5
 !
 packet-length 1468
 transport udp 6343
 source GigabitEthernet0/0/0/1
 destination 192.127.0.1
 dfbit set
!

Configure the sFlow analyzer address in an exporter-map.

flow monitor-map SF-MON-MAP
 record sflow
 sflow options
  extended-router
  extended-gateway
  if-counters polling-interval 300
  input ifindex physical
  output ifindex physical
 !
 exporter SF-EXP-MAP-1
!

Configure sFlow options in a monitor-map.

sampler-map SF-SAMP-MAP
 random 1 out-of 20000
!

Define the sampling rate in a sampler-map.

interface GigabitEthernet0/0/0/3
 flow datalinkframesection monitor-map SF-MON-MAP sampler SF-SAMP-MAP ingress

Enable sFlow on each interface for complete visibilty into network traffic.

The diagram shows the general architecture of an sFlow monitoring deployment. All the switches stream sFlow telemetry to a central sFlow analyzer Continue reading

Email Routing is now in open beta, available to everyone

Email Routing is now in open beta, available to everyone
Email Routing is now in open beta, available to everyone

I won’t beat around the bush: we’ve moved Cloudflare Email Routing from closed beta to open beta 🎉

What does this mean? It means that there’s no waitlist anymore; every zone* in every Cloudflare account has Email Routing available to them.

To get started just open one of the zones in your Cloudflare Dashboard and click on Email in the navigation pane.

Email Routing is now in open beta, available to everyone

Our journey so far

Back in September 2021, during Cloudflare’s Birthday Week, we introduced Email Routing as the simplest solution for creating custom email addresses for your domains without the hassle of managing multiple mailboxes.

Many of us at Cloudflare saw a need for this type of product, and we’ve been using it since before it had a UI. After Birthday Week, we started gradually opening it to Cloudflare customers that requested access through the wait list; starting with just a few users per week and gradually ramping up access as we found and fixed edge cases.

Most recently, with users wanting to set up Email Routing for more of their domains and with some of G Suite legacy users looking for an alternative to starting a subscription, we have been onboarding tens of thousands of new zones Continue reading

1 576 577 578 579 580 3,841