Welcome to Cisco Patch Tuesday…

23 05 2008

For some time, we network people have been quietly (ok, sometimes not so quietly!) snickering at our system administrator counterparts. Why? Patches. Every “patch tuesday,” that nefarious day when Microsoft pushes its Windows Updates, across the globe we would walk past the Windows Admin’s cube with just a little bit (ok, sometimes a lot) of smugness and maybe, in some cases, a well-timed remark about the stability and security of our beloved IOS. Then we got to walk past the Linux Admin’s cube as well (ok, it’s the same Admin in the same cube for some of us) and try to console them as their own OS began the endless parade of patches. It seemed like life was pretty good for a network person. Even when Cisco began releasing regular IOS patches for certain vulnerabilities, we (ok, me) were able to shrug it off and tell ourselves that these must be pretty isolated, low-risk vulnerabilities. No reason at all for us to fix what wasn’t broken and risk bringing our quietly humming routers and switches to a screeching halt…or reboot anyhow.

Then the unthinkable happened.

Some Security Guy who obviously hates Cisco Admins (well, ok, maybe he just wants to stop the bad guys from doing it first), came up with the first ever rootkit for IOS and plans on spilling the beans soon. Then, as if that weren’t enough, Cisco announces a patch for a DoS vulnerability in SSH, which I’m planning on moving all our network devices to soon since it’s more secure than telnet. Gulp…ok, you have my attention.

Trust me, I want to believe the older network people who say you really shouldn’t touch your IOS unless it’s causing you problems or you need additional features an update can provide. It certainly makes life easier since the process for upgrading an IOS image is tedious at best and nerve-wracking at worst. Still, there are more and more vulnerabilities being found for IOS versions every day and any company has to be concerned about something like an SSH Denial of Service vulnerability. The way I see it, if it’s a vulnerability that would force me to push a patch or an update to a server, why wouldn’t I update my IOS for it?

Oh the conundrum…fall into the dark pit of despair of continuous patching or endlessly worry that we’re leaving a gaping security hole open…





Do You Know the Way to Use Ebay? Yes, I do…

16 05 2008

Well, I probably blew too much of my last paycheck on hardware, but my CCNP lab is finally beginning to start to take shape!!! So far, here’s the list:

1 – 2950 (I want at least another one of these, probably more for BCMSN)
1 – 1710 (I hope this will help with ONT and ISCW and plan on getting another)
2 – 2501s (For the price, I just couldn’t pass them up!)

I know…not much there…yet, but you’ve got to start somewhere! As soon as I get them all set up I will be taking pictures to post.





US Cyber-Security “Manhattan Project” – Should We Be Afraid?

14 05 2008

Apparently, the US government has decided that it’s not enough to secure their own systems and networks and allow corporations to do the same. Department of Homeland Security Chief, Michael Chertoff is afraid enough of a major attack against US financial institutions that he has called for a US Cyber-Security “Manhattan Project.” I can’t help but wonder if I’m the only one made nervous by a project involving the government, the internet, and that it’s all named after a project to create the first atomic bomb.

Basically, most of the details of this proposed project are classified, but from what can be read, it involves the NSA monitoring America’s internet traffic and Google searches for signs of a cyber attack.  I can’t help but have mixed feelings.  Of course, like most people, I’ve already accepted that very little of what we do online is private and I would hope that a major attack, such as a distributed attack against financial institutions, would be thwarted.  Still, I can’t say I feel much safer with even more of the government’s eyes on my searches and online activities.  Who is to say that down the line simply doing research about vulnerabilities, something I do every day in the course of doing my job, might not bring me squarely onto the government’s radar as a potential threat?  Would they wait and see if I used anything I was researching for good or ill, or simply decide to act preemptively to protect the nation from what I might do?

I don’t even pretend to have the knowledge or skills to be a threat to anyone, nor would I want to harm anyone’s interests, but that doesn’t mean a large net cast widely wouldn’t scoop up even someone as mundane as me.  It’s a Brave New World, Mr. Orwell.





New Net Neutrality Bill Proposed to Congress

13 05 2008

I just read that a new net neutrality bill has been proposed in Congress.  This is interesting as it comes not long after I had an interesting conversation with someone about my QoS studies for ONT and the applications such technologies might have to do away with net neutrality.

I’m a huge believer in net neutrality, the premise that ISPs should not be able to pick and choose what content has priority and give faster speeds to websites or servers that can pay higher fees, beyond just their uplink speed.  This would mean that if I wanted my site to be seen by the most people or have a faster download time, I’d not only have to get a fast connection to my server, but pay for my traffic to get priority through the networks of the ISPs.  In effect, smaller companies and individuals would be drowned out by those with more money, reducing those without the money or power to the internet version of a public access cable channel while the fat cats would be HDTV premium cable channels.  To those of us who began using the internet back when it was mainly the home of university students, intellectuals, and the geek fringe and full of horizontal rules and new ideas, this idea is repulsive.  It would be the barbed wire fences destroying our open frontier and leaving so many of us to tell stories of the “good old days” like so many antiquated cowboys.

On the other hand…there is a need for businesses to be able to prioritize traffic, both within their own private networks and over the WAN links that connect their sites.  Essentially, QoS (Quality of Service) technologies arose out of the need to give small VoIP (Voice over IP) packets priority so that calls could be made over networks sharing bandwidth with data and not have jitter or difficult to understand conversations.  If I have a network like this and limited bandwidth over my connections between sites, I want to be able to set priorities on the types of traffic I send over those links and then have those priorities followed by any devices owned by the ISP between my sites.

As I was trying to explain in my conversation about this earlier, QoS is simply a set of technologies, neither good nor bad.  Yes, this could be used to destroy net neutrality, but it can also be used to let a poor startup make the most out of the bandwidth they can afford and continue to compete.  Like any technology, it is how it is used and what the intention is that determines whether it is good or evil.





Great New Link…To Links!

12 05 2008

I found this today on Network World – http://www.networkworld.com/community/node/27681 . I don’t know if it’s just me, but it’s tough to navigate the huge amount of information on Cisco’s website, let alone find what you need elsewhere. This blog entry on Network World shows exactly what one experienced Cisco Engineer keeps in his bookmarks and I’m planning on adding many of these to my own.

Among the highlights, a link to a page detailing how to copy IOS files from a tftp server using SNMP, a list of end-of-life, end-of-sale products, error pages, BGP, MPLS, and even submarine cabling systems! There is probably more information in these links than I could ever digest, but I definitely plan on hitting his QoS section hard in the next few weeks!





Growing My Own Little ONT Lab

9 05 2008

The ONT exam for CCNP is all about QoS with some wireless and VoIP thrown into the mix. Since we don’t use VoIP where I work (yet!) and we pretty much leave our wireless confined to its own vlan with its own cable modems, I’m thinking that this exam will be the least applicable to everyday work of them all, so I’ve decided to tackle it first rather than leave it looming at the end. So far, I’ve been pleasantly surprised at how much I’ve enjoyed learning about QoS…it’s basically like writing rules for network bouncers…certain packets get special treatment, like a pretty girl in line for the club who only has to stand in line 5 minutes before the bouncer picks her out and lets her in. Other packets like VoIP get the red carpet treatment and never even touch the queue, like Paris Hilton hopping out of her Hummer and strutting right into the club. Other poor packets are like the rest of us, stuck in the line. Some of us get through in decent time if we show up at the right time and others of us are just plain told no and dropped.

In order to practice some of this, I’m building a virtual lab with dynamips. I’m using four 2811 routers, three with Advanced-IP images and one with a Security-Plus image. I’m hoping that plus a real wireless AP and some sort of traffic generator ought to do the trick. As soon as I get everything set up, I’ll post a Visio of my topology here.
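As an added example (not the author’s lab configuration or anything from the posts above), here is the kind of IOS MQC policy the bouncer analogy describes, and the sort of thing that can be dropped onto a dynamips 2811: voice media gets a strict priority queue (LLQ) that bypasses the regular queue, call signalling and business data get a guaranteed share (CBWFQ), and everything else shares what is left and gets dropped early under congestion (WRED). The interface names, VLAN numbers, percentages, ports and DSCP values are assumptions chosen for a T1 between two sites.

```cisco
! Added example, not the author's own config.
! Assumptions: 2811, T1 on Serial0/0/0, phones on voice VLAN 100
! (they mark media EF and signalling CS3), PCs on data VLAN 20.
!
! ---- Classification ----
class-map match-any VOICE-RTP
 match ip dscp ef
class-map match-any VOICE-SIGNALING
 match ip dscp cs3
 match ip dscp af31
class-map match-all CRITICAL-DATA
 match access-group name CRITICAL-APPS
class-map match-any BUSINESS-DATA
 match ip dscp af21
!
ip access-list extended CRITICAL-APPS
 permit tcp any any eq 1433
 permit tcp any any eq 443
!
! ---- Mark at the LAN edge ----
! The WAN policy trusts DSCP, so only the router gets to hand out
! markings: the data VLAN is re-marked, the voice VLAN is trusted.
policy-map DATA-VLAN-IN
 class CRITICAL-DATA
  set ip dscp af21
 class class-default
  set ip dscp default
!
interface FastEthernet0/0.20
 description Data VLAN
 encapsulation dot1Q 20
 service-policy input DATA-VLAN-IN
!
interface FastEthernet0/0.100
 description Voice VLAN (phone markings trusted, no re-marking)
 encapsulation dot1Q 100
!
! ---- Queue on the WAN link ----
policy-map WAN-EDGE
 class VOICE-RTP
  priority percent 33
 class VOICE-SIGNALING
  bandwidth percent 5
 class BUSINESS-DATA
  bandwidth percent 25
  random-detect dscp-based
 class class-default
  fair-queue
  random-detect
!
interface Serial0/0/0
 description T1 to remote site
 bandwidth 1544
 service-policy output WAN-EDGE
```

Two practitioner caveats. First, the priority queue is the VIP line, and it trusts whatever arrives carrying DSCP EF; if you don’t re-mark at the LAN edge, any host that sets EF on its own packets walks straight past the bouncer and can starve everyone else (the `priority` class is policed to its percentage only once the link is congested, which limits the damage but doesn’t stop the queue-jumping). Second, the markings are only honored inside your own routers unless the provider’s contract says it carries DSCP end to end; otherwise the ISP edge ignores or re-marks them, which is exactly the point made above about wanting the ISP’s devices between your sites to follow your priorities. Once traffic is flowing, `show policy-map interface Serial0/0/0` shows per-class matches, queue depth and drops.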

Mainly, though, I’m glad to be back on the learning track again. I was starting to get cobwebs growing in my brain!





Back in the Cisco Saddle Again!

6 05 2008

My employer has decided to help me along in my quest to become a real network engineer. To that end, they have agreed to pay for my books and exams for the CCNP. I couldn’t be more excited to get back into study-mode and learn some cool new tricks.

Unfortunately, despite my employer’s generosity, I still do not have the money for a home lab. I’m planning on going the sim route, either using dynamips or the Boson CCNP netsim. I’m leaning more towards dynamips because it’s free and I already have access to IOS images for it through my employer. I did like the Boson netsim, though, for CCNA. It comes already loaded with many labs, making it easier to concentrate on just studying the subject areas and saving you from needing to buy separate labs to set up yourself. The equivalent Boson product for CCNP is about $400 and really won’t help you much for other exams like the CCSP exams. Like everything else, it’s a trade off.

This does mean another busy summer of studying, but as hot as it is where I live, what else is summer good for?!