A couple of months ago, Google announced that it had started using HTTPS (SSL/TLS) as a ranking signal in search results. Since the search giant is the referrer for most website traffic, this is the type of announcement that gets the attention of website owners.
Cloudflare, a popular and easy-to-implement content delivery network, seems to be stepping up to this challenge. Even its free offering has an option to provide forward-facing SSL services. As discussed on Packet Pushers Priority Queue show 34, Cloudflare is also modifying the SSL handshake in ways that let it serve organizations without obtaining the site owner’s private key: the key stays on a server the customer controls, and only the private-key operation in the handshake is sent there. Note that Cloudflare still terminates the session and sees the plaintext; what this protects is the key, not the traffic. The likely result is that many existing and new Cloudflare customers will take advantage of these SSL services.
Earlier today, I was listening to Risky Business show #341. In that show Matt Solnik discussed vulnerabilities that he attempted to present at Black Hat. I say attempted, because it sounds like they had audio/video problems during critical parts of the presentation. Nonetheless, it seems there are many vulnerable implementations of Open Mobile Alliance Device Management (OMA-DM), the over-the-air provisioning protocol carriers use to manage handsets. I took a minute to dig up some of the videos published by Accuvant that make this stuff real.
Over the Air Code Execution and Jailbreak
NIA-Based Lock Screen Bypass
Earlier this week I had breakfast with a very interesting group. One of those present had an extensive history with Cisco Systems. We talked about his tenure and several of the projects he had been involved in. For some reason, one that caught my attention was the sweep option found in the extended ping utility. Although it is hard to believe, there was a point in time when this gem didn’t exist.
I’ve written a few articles about the challenges of path MTU discovery and the issues that arise when it misbehaves. Today’s article looks specifically at using a ping sweep to quickly identify the path MTU ceiling. The topology used for testing is simple and shown below. Notice that the two top routers are connected by a link with a lowered MTU (1492).
Let’s step through the process an administrator might go through when a networked application isn’t working correctly. He or she would likely determine the endpoints and confirm reachability. For this example, I am testing a connection between 192.168.1.1 and 192.168.4.4. The ping command is the tool of choice for confirming reachability.
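The sweep logic itself, as an added example rather than code from the article: the IOS extended ping "sweep range of sizes" option sends one DF-bit probe per size and the operator reads off the last size that got a reply. The code below does the same thing with a pluggable probe function, adds a binary search that reaches the same ceiling in far fewer round trips, and converts between IOS-style total packet sizes and the ICMP payload size Linux `ping -s` expects. The network is simulated (a constructed path whose smallest link is 1492 bytes, matching the topology above) so it runs offline; `real_probe` is the adapter you would swap in on a real host and is an assumption about iputils `ping` being on the PATH.

```python
"""Added example, not code from the PacketU article: find the path MTU ceiling
with a DF-bit ping sweep, the way the IOS extended ping "sweep range of sizes"
option does, plus a binary search that needs far fewer probes.

The network is simulated (a constructed path whose smallest link MTU is 1492,
matching the article's topology) so the code runs offline; `real_probe` shows
how to wire the same logic to a Linux `ping` instead.
"""
import subprocess
from typing import Callable, Optional

IP_HEADER = 20    # IPv4 header with no options
ICMP_HEADER = 8   # ICMP echo request/reply header

Probe = Callable[[int], bool]  # size in total IPv4 bytes -> reply received?


def simulated_path(min_link_mtu: int) -> Probe:
    """Constructed stand-in for the network: a DF-bit probe of `size` total
    IP bytes gets a reply only if every link on the path can carry it."""
    return lambda size: size <= min_link_mtu


def real_probe(host: str, timeout_s: int = 1) -> Probe:
    """Adapter for a real Linux host (assumption: iputils ping on PATH).
    `ping -M do` sets the DF bit; `-s` takes ICMP payload bytes, so convert
    from the IOS-style total size. Not exercised offline."""
    def probe(size: int) -> bool:
        payload = size - IP_HEADER - ICMP_HEADER
        result = subprocess.run(
            ["ping", "-M", "do", "-c", "1", "-W", str(timeout_s),
             "-s", str(payload), host],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return result.returncode == 0
    return probe


def counting(probe: Probe):
    """Wrap a probe so the number of round trips a method costs is visible."""
    calls = [0]

    def wrapped(size: int) -> bool:
        calls[0] += 1
        return probe(size)
    return wrapped, calls


def linear_sweep(probe: Probe, start: int, end: int, step: int = 1) -> Optional[int]:
    """IOS-style sweep: probe sizes in order and keep the last one that got a
    reply. Path MTU is monotonic, so the first failure ends the sweep."""
    ceiling = None
    for size in range(start, end + 1, step):
        if not probe(size):
            break
        ceiling = size
    return ceiling


def binary_search_mtu(probe: Probe, low: int, high: int) -> Optional[int]:
    """Same answer in O(log n) probes. Returns None if even `low` fails,
    which on a real path usually means DF-bit pings are blocked outright."""
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low


def linux_ping_payload(total_ip_len: int) -> int:
    """IOS sizes are total IPv4 length; Linux `ping -s` wants ICMP data bytes."""
    return total_ip_len - IP_HEADER - ICMP_HEADER


if __name__ == "__main__":
    path = simulated_path(1492)
    sweep, sweep_calls = counting(path)
    search, search_calls = counting(path)
    print("sweep  :", linear_sweep(sweep, 1400, 1600), "probes:", sweep_calls[0])
    print("bsearch:", binary_search_mtu(search, 1400, 1600), "probes:", search_calls[0])
    print("ping -M do -s", linux_ping_payload(1492), "<host>   # probes a 1492-byte packet")
```

Against the simulated path both methods report 1492, but the linear sweep from 1400 spends over ninety probes getting there while the binary search needs nine. On a real network, a ceiling of None from `binary_search_mtu` with a small `low` value is itself diagnostic: something on the path is dropping DF-bit ICMP entirely, which is a different problem from a small link.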
There is an occasional need for a DNS server where no dedicated host is available. This may occur in the following situations–
- Behind PAT, public DNS returns the public (non-RFC 1918) address for an internal server, which inside hosts cannot use to reach it directly
- Lab or demo environments
- Other name-resolution challenges in SOHO, SMB or branch-office networks
When these corner cases present themselves, an IOS router can provide basic DNS functions. Assuming the router already has Internet connectivity, the configuration is straightforward. One caveat: the router answers DNS queries on every interface, so filter UDP and TCP port 53 on the Internet-facing interface or it becomes an open resolver–
! enable the DNS server functionality
IOS-DNS(config)#ip dns server
! if public names should be resolved too, point the router at one or more
! upstream resolvers and make sure domain lookups are enabled
IOS-DNS(config)#ip name-server 22.214.171.124 126.96.36.199
IOS-DNS(config)#ip domain-lookup
Throughout this series, we have examined several fundamental building blocks of subnetting. In IP Subnetting Part 4, we looked at what was required to subnet a Class C network. This article takes the fundamentals one step further and looks at subnetting a Class A address. We will also add the complexity of crossing the octet boundary for both the subnet and the host portions of the address.
A Class A IP address has the following characteristics–
- Its first octet begins with binary 0
- The first octet will be in the range 1 to 126 (0 is invalid and 127 is reserved for loopback)
- The first (leftmost) octet represents the network
- The last three (rightmost) octets represent a host on that network
You will also recall that a single network can be subnetted into multiple, smaller networks.
Using a consistent syntax, we could represent a Class A network as follows.
IP NAT is a very common configuration. One challenge that sometimes surfaces is the need for internal hosts to connect to the public address of a locally hosted server (often called NAT hairpinning). Anyone who has tried to configure something like the following has likely faced this issue.
In this example, the top of the diagram represents the outside (Internet, ISP, or external server), the left represents the DMZ, and the bottom represents the inside. The goal is to enable dynamic port address translation for internal hosts and static port address translation for the host or hosts in the DMZ.
This configuration is fairly straightforward and typically covered in the CCNA curriculum. It consists of identifying each interface as inside or outside and configuring the appropriate NAT statements.
The Sourcefire NGIPS/NGFW solution is a way to quickly get some interesting information about traffic on a network. One of the things I like about the solution is that actionable information is available almost immediately after deployment.
There are five deployment modes for a Sourcefire Firepower appliance:
Passive and inline are the two deployment options for the virtual versions of the Firepower appliances. Inline mode provides significant advantages over simple passive monitoring: it allows the appliance to block offending traffic or communications that violate the configured policy, whereas a passive deployment can only alert. Following the installation guide is straightforward and should allow a security engineer to get this solution up and running quickly.
At this point in the PacketU subnetting series, we have worked through the following–
This article takes the concept of subnetting to the next step. Today we are going to look at the concepts required to subnet a Class C network. As we reflect on the Classful IP rules, we recall that a Class C network has the following characteristics–
- Its first octet begins with binary 110
- The first octet will be in the range 192 to 223
- The first three (leftmost) octets represent a network
- The last (rightmost) octet represents a host on that network
We also know that this single IP network can be further subdivided into multiple, but smaller, networks. This process is known as subnetting.
Continuing with the syntax used in previous articles, we might represent a Class C network as follows–
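The classful arithmetic behind both the Class C article above and the Class A article earlier on this page, as an added example that is not part of the PacketU series: the class is read from the leading bits of the first octet, the mask is built by shifting, and the network and broadcast addresses fall out of AND/OR with that mask, with no need to think in octets at all. The two addresses (10.5.200.77/20 and 192.168.10.77/27) are constructed for illustration; the /20 case is the one where both the subnet and host portions cross an octet boundary. Python's `ipaddress` module is used only to cross-check the hand arithmetic.

```python
"""Added example, not code from the PacketU series: the classful subnetting
arithmetic from the Class C and Class A articles done with explicit bit
operations, then cross-checked against Python's `ipaddress` module.

The addresses (10.5.200.77/20 and 192.168.10.77/27) are constructed; the /20
case crosses the octet boundary in both the subnet and host portions, which is
the complication the Class A article introduces.
"""
import ipaddress

DEFAULT_PREFIX = {"A": 8, "B": 16, "C": 24}  # classful network lengths


def to_int(dotted: str) -> int:
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def classful_class(dotted: str) -> str:
    """Class from the leading bits of the first octet: 0 -> A, 10 -> B, 110 -> C."""
    first = to_int(dotted) >> 24
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    return "D/E"  # multicast / reserved; not subnetted the classful way


def subnet_details(dotted: str, prefix: int) -> dict:
    """Network, broadcast, usable range, and the classful subnet/host counts."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    cls = classful_class(dotted)
    if cls not in DEFAULT_PREFIX or prefix < DEFAULT_PREFIX[cls]:
        raise ValueError(f"/{prefix} does not subnet a class {cls} network")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # prefix ones, then zeros
    network = to_int(dotted) & mask                     # keep the network bits
    broadcast = network | (~mask & 0xFFFFFFFF)          # set every host bit
    subnet_bits = prefix - DEFAULT_PREFIX[cls]          # borrowed from host portion
    host_bits = 32 - prefix
    return {
        "class": cls,
        "mask": to_dotted(mask),
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "first_host": to_dotted(network + 1) if host_bits >= 2 else None,
        "last_host": to_dotted(broadcast - 1) if host_bits >= 2 else None,
        "subnets": 2 ** subnet_bits,
        "hosts_per_subnet": 2 ** host_bits - 2 if host_bits >= 2 else 0,
    }


def cross_check(dotted: str, prefix: int) -> bool:
    """Agree with the standard library on network, mask and broadcast."""
    mine = subnet_details(dotted, prefix)
    ref = ipaddress.ip_network(f"{dotted}/{prefix}", strict=False)
    return (mine["network"] == str(ref.network_address)
            and mine["mask"] == str(ref.netmask)
            and mine["broadcast"] == str(ref.broadcast_address))


if __name__ == "__main__":
    for addr, pfx in (("10.5.200.77", 20), ("192.168.10.77", 27)):
        d = subnet_details(addr, pfx)
        print(f"{addr}/{pfx}: class {d['class']}, mask {d['mask']}, "
              f"net {d['network']}, bcast {d['broadcast']}, "
              f"{d['subnets']} subnets x {d['hosts_per_subnet']} hosts",
              "(ok)" if cross_check(addr, pfx) else "(MISMATCH)")
```

For 10.5.200.77/20 the mask is 255.255.240.0, the network is 10.5.192.0 and the broadcast is 10.5.207.255: twelve bits were borrowed from the 24-bit host field, giving 4096 subnets of 4094 hosts, and both the subnet and host boundaries land in the middle of the third octet. For 192.168.10.77/27 the same code yields 192.168.10.64 through 192.168.10.95, eight subnets of 30 hosts.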
I just wanted to take a quick moment to share a site Dan DeBusschere has created. This site is a list of very useful config snippets, information and links. Most of the content is focused on Datacenter and UCS. If you support this type of environment, check it out.
Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may not reflect the position of past, present or future employers.
Today was a bittersweet day for me. It was my final day working with a great group of people at a prominent community bank. I have nothing but good things to say about the people, the organization, and the interesting projects I’ve been involved in. I’ll miss everyone a lot and plan to stay in touch.
Tomorrow I begin a new role as a Systems Engineer at Cisco Systems. I will be working with the SLED (public sector) sales team in Kentucky and West Virginia. In this role I hope to broaden my knowledge of networking components and spend time helping customers better position their technology infrastructures.
What this means for me–
I will be aggressively learning the Cisco Product lines, including areas that I previously had less exposure to. I will take advantage of the resources I have and marry my vision of the changing network industry to the components Cisco positions into higher education environments. My intentions include better understanding the roadmap and technical details as they pertain to the integration path from traditional networking to software defined approaches.
But what about…
Today’s podcast spotlight goes to Software Gone Wild. This is a newer podcast hosted by our friend Ivan Pepelnjak. The topics are focused on the growing pains the networking industry is experiencing and various forms of automation that are attempting to solve them. This includes various aspects of SDN, NFV and how others are using technology to deliver bigger/better/faster solutions.
Recent episodes include Network Automation @ Spotify and The F-Script with my good friend John Herbert.
Disclaimer: I have no affiliation with the Software Gone Wild podcast or any organization linked to, represented in or derived from content found in this article. This article represents my own opinions and may not be that of my employer.
At some point, network engineers will likely face some type of issue with MTU, the maximum transmission unit. Their first experience with this may be an eye-opening and time-consuming effort. After resolving the issue, those with a thirst for knowledge will take the time to understand it.
MTU problems are most often seen when Path MTU Discovery, or PMTUD, fails to function. PMTUD is the process by which a sending host determines the largest packet size that can reach another station without fragmentation: it sends packets with the DF bit set and relies on ICMP Fragmentation Needed messages from routers along the path to learn of smaller links. It fails most often when those ICMP messages are filtered somewhere on the path. Symptoms of this type of issue include two devices having proven reachability while applications fail in a way that suggests a network problem. Some applications may even crash or hang the system.
Symptoms of PMTUD Failure
- Hosts may be able to ping one another
- Service/Port may prove accessible using telnet
- Severe and persistent application issues
- Partial page loads
- Either host appearing to hang
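The message PMTUD depends on, as an added example that is not from the article: the ICMPv4 Destination Unreachable / Fragmentation Needed and DF Set packet (type 3, code 4) that the router in front of a small link sends back to the source. If a firewall or ACL drops it, the sender never learns the smaller MTU and keeps sending full-size DF packets into a black hole, which is exactly the symptom list above. The code builds the message a router would emit for a constructed 1500-byte DF packet from 192.168.1.1 to 192.168.4.4 hitting a 1492-byte link, parses it the way a sending host must, and applies the sanity checks a host should make before trusting the advertised MTU.

```python
"""Added example, not code from the PacketU article: build and parse the ICMPv4
"Destination Unreachable / Fragmentation Needed and DF Set" message (type 3,
code 4, RFC 1191) that Path MTU Discovery depends on.

The packet bytes are constructed: a 1500-byte DF packet from 192.168.1.1 to
192.168.4.4 hitting a 1492-byte link.
"""
import struct

DF_FLAG = 0x4000  # "Don't Fragment" bit in the IPv4 flags/fragment-offset field


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def inet_aton(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def inet_ntoa(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ipv4_header(src: str, dst: str, total_len: int, df: bool = True,
                proto: int = 1, ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident,
                      DF_FLAG if df else 0, ttl, proto, 0,
                      inet_aton(src), inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def frag_needed(dropped_packet: bytes, next_hop_mtu: int) -> bytes:
    """What the router at the small link sends back: type 3, code 4, next-hop
    MTU, plus the dropped packet's IP header and first 8 bytes of payload."""
    if len(dropped_packet) < 28:
        raise ValueError("need the IP header plus 8 bytes of payload")
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + dropped_packet[:28]
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def parse_frag_needed(icmp: bytes) -> dict:
    """Validate the message and pull out what a PMTUD sender acts on."""
    if len(icmp) < 36:
        raise ValueError("truncated ICMP message")
    icmp_type, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        raise ValueError(f"not fragmentation-needed: type {icmp_type} code {code}")
    if checksum(icmp) != 0:  # a correct checksum field makes the sum verify to 0
        raise ValueError("bad ICMP checksum")
    (_, _, orig_len, _, flags_frag, _, proto, _,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", icmp[8:28])
    return {"next_hop_mtu": mtu, "orig_len": orig_len,
            "df": bool(flags_frag & DF_FLAG), "proto": proto,
            "src": inet_ntoa(src), "dst": inet_ntoa(dst)}


def new_packet_size(current: int, icmp: bytes) -> int:
    """Sender side of PMTUD: shrink to the advertised MTU. A zero MTU comes
    from a pre-RFC 1191 router (a real stack would then fall back to the RFC
    1191 plateau table), and an MTU at or above the current size, or below the
    IPv4 minimum of 68, is bogus; in those cases keep the current size."""
    info = parse_frag_needed(icmp)
    mtu = info["next_hop_mtu"]
    if mtu == 0 or mtu >= current or mtu < 68:
        return current
    return mtu


def example_exchange() -> bytes:
    """The constructed scenario: a 1500-byte DF echo request meets a 1492 link."""
    echo = struct.pack("!BBHHH", 8, 0, 0, 1, 1)  # ICMP echo request header
    dropped = ipv4_header("192.168.1.1", "192.168.4.4", 1500) + echo
    return frag_needed(dropped, 1492)


if __name__ == "__main__":
    msg = example_exchange()
    print(parse_frag_needed(msg))
    print("next packet size:", new_packet_size(1500, msg))
```

The embedded copy of the dropped packet's header is what lets the host match the message to the connection that sent it; a filter that permits ICMP "echo" but drops "unreachable" breaks this path silently. When writing firewall rules, permit inbound ICMP type 3 code 4 (and the IPv6 equivalent, Packet Too Big) even when everything else ICMP is denied.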