On a day to day basis I work with Cisco, and with their product lines. While they don't open source their own code, they do showcase how relevant Linux is as a platform to deploy critical network systems on.
They are moving everything, from routers, to firewalls, to voice system on Linux kernels (as well as providing the proper credit). From this foundation they run their own proprietary code. Their is nothing ignorant or hostile with using and crediting open source software, while still retaining intellectual property rights to your own software.
As Cisco's CTO Padmasree Warrior has led many changes inside of Cisco.
1. Green DataCenter initiatives - She has led the charge in lowering power consumption of existing DataCenters by utilizing new technologies, as well as consolidating sites. This has a direct financial impact, as well as being good for the environment.
2. Focus on collaborative tools and teams - she has really pushed to break down the silo's between teams by providing the tools and technologies to seamlessly share information between teams.
Most importantly, she is a forward thinking technologist, not a bureaucrat. If I am going to trust anybody to drive the technical vision of the federal government, I am going to trust Padmasree.
It is like Rsync on steroids. Cisco's Wan optimization and Application Acceleration product allows you to "seed" your remote locations with files. It also utilizes some advanced technology called Dynamic Redundancy Elimination that replaces large data segments that would be sent over your WAN with small signatures.
What this means in a functional sense is that you would push that 4 Gig file over the WAN one time. Any subsequent pushes you would only sync the bit level changes. Effectively transferring only the 10 megabytes that actually changed.
While it is nice to get the propeller spinning, there is no sense reinventing the wheel.
From the referenced article -
"The passwords are so-called "phase one" passwords, and must be combined with a second password to access the network, the source said. "
99% chance they are using some form of Cisco device as their VPN concentrator (most like a VPN3030, ASA or 7200 series router). If they are these passwords (one per group) are in what is called a pcf file in every employees computer that is allowed to connect. Heck, if you use a Cisco vpn it is on your computer in the following location -
C:\Program Files\Cisco Systems\VPN Client\Profiles .
The group pass is encrypted with weak encryption that is commonly cracked to allow linux laptops to connect using vpnc. You can do it on the web here - http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode
The thing is, this group password's primary use is to segregate users into different buckets. E.G contractors may have on password, with different authentication methods, while permanent employees are in a different bucket, with their own authentication methods. The key thing, is that once this first password is provided, the end user still has to provide a unique username and password to gain access. So in effect, having the group password alone is meaningless.
On top of that, I frankly would not be surprised or peeved if a network engineer had possession of PCF files for the network he is responsible for. What is next? Is the DA going to try to prosecute him for having diagrams and configs of the network he is managing on his laptop?
If only 5% of DNS servers hadn't updated their root servers list, and this server is listed as 1 of the 13 root servers, then these people will have.38% of the entire internet's DNS requests coming through them.
With "control" of a root server (or at least what a DNS client believed was a root server. They would be free to insert whatever records for anything they want. Think banking, finance, email, etc.
So really, the title of this article should have been if you were in organized crime, what would you do if you could transparent MITM (man in the middle) attack.38% of all web traffic on the internet.
This is not a new idea. VMware is making a killing around this same concept of consolidating load from many servers onto fewer servers.
People tend to forget that an idle server still uses 50% of its peak power utilization.
There is a good write up here on Green Data Center
One thing that is important to point out, is that Cisco is treating Rick Frenkel extremely well. They aren't firing him, restricting him from blogging, or taking other knee jerk reactions. What they are doing is requiring that a Cisco employee put boiler plate on their sites.
Cisco itself has been trying to embrace web2.0 collaboration for a couple years now. In some instances like http://blogs.cisco.com/home/ they do really well, providing a conduit for actual engineers to comment on technology and the companies products. In other instances like second life, they have gone completely off target and missed the whole point (my personal rant, second life is NOT web2.0). The important thing to focus on, is that Cisco is consistently trying to encourage open communications of its employees with the general public, and should be apploauded for their attempts.
Disclaimer -
I am NOT a Cisco employee, and these are my OPINIONS.
You must be one of those fanboy's
my 15" widescreen with a dual core intel cpu and 2 gigs of ram. Is effectively the same as the 15" widescreen with a dual core intel cpu and 2 gigs of ram.
You are right, it doesn't come in white, but performance wise it is neck and neck.
I run Ubuntu 7.10 on a dual core HP laptop. My hardware is effectively a clone of the Mac Book Pro at 1/3 of the price.
I however have complete control over my operating system, and get to use Compiz for all the fancy visual effects.
While I respect the fact that Mac users are running BSD, I feel for most users it is just jewellery with a power button.
Its called dense wave division multiplexing, or DWDM. You take independent links (in this case 100Gig links), and transmit each of them on a slightly different wavelength of light called a Lambda. Since optic is looking for a specific wavelength, you can now run many "virtual links" per physical fibre. This is the standard technology for most Telcos. The innovation here is that they are doing this with 100Gig transceivers, and they have chipsets fast enough to combine the different lambda's back together into on high speed link.
And yes, you can now let the Lambda Lambda Lambda jokes fly
Of course companies that have large compute clusters are migrating to areas that offer steady low cost power and cooling. It is simple business. Power and Cooling account for the majority of the expense of running a DataCenter. The draw is a lot of extremely cheap electricity combined with cold outside air (allowing bypass cooling) is something that is to important to pass up if you have thousands of servers.
One other thing to keep in mind is that in many places the power infrastructure is strained to its limit. For example I heard that to get 1 megawatt of power in downtown San Francisco it will take upwards of Three years for PG&E to deliver. Putting DataCenters in locations that aren't constrained is just good business sense.
Botnets are easy to detect and control. The problem is that the majority of organizations have not taken the steps to stop both their communication and control channels, and their ability to launch attacks.
What should everybody do ?
1. Deny IRC traffic at your firewalls. If there is a business need for IRC then setup a IRC proxy, or inline authentication. This simple step will stop many of the bots out there from phoning home.
2. Enable reverse path detection on your network devices. This forces your internal routers to check whether the source ip address that the bot is sending, is available out the interface that your comprimised host exists on.
3. Enable DHCP snooping on your edge switches. By configuring this feature the switchport that your host plugs into passively observes what IP address was given to your computer. If traffic is spoofed (a common occurrence for botnets) the switchport effectively shuts your host down.
4. Monitor your network. There many free and commercial products that will make it clear that your traffic profiles have changed.
Some good free tools for this are Cacti - http://www.cacti.net/, Nagios - http://www.nagios.org/ and NTOP - http://www.ntop.org/
5. Utilize update antivirus technology, hopefully one that reports to a central console.
These are simple steps, that frankly most people do not use in their networks. If they would the botnet issue would be greatly minimized.
You have a great point about overall network sizing and capacity issues. Though, if you look at Comcast's current setup, they are only enforcing at the peering points on their network. Traffic that is not exiting their network is not being squelched. Until the technology needed to classify the torrent traffic is available at the edge of the network, it will always be cost prohibitive to apply controls internally.
Comcast is trying to spin their actions as promoting fair use of the their networks. The truth is that ISP's profit from having data dumped INTO their network and have to pay hard cash for data LEAVING their network. By injecting RST's into the peers seeding traffic, they promote an asymmetric data flow that brings more data (and therefore money) into their network, while minimizing the money they have to pay other ISP's for data going out.
This proposal provides protection against the throttling of their upstream Bittorrent traffic only if the ISP is not aware of the info_hash of the torrent. Once this data is known it is possible to apply common data tagging and congestion control techniques to squelch this traffic. All the service provider (or application developers like SandVine) has to do is monitor the common torrent sites, and dynamically update this hashes into the network filters. This is sure to deny a majority of the torrent traffic out there (movies, linux distro's, etc).
Colin McNamara
CCIE #18233
This is a prime example of the need for a multi layered security model for authentication and authorization of your systems.
There are many vendors that supply two factor authentication methods (RSA being the most well known) that provide for one time passwords.
Techniques like this effectively mitigate the risk of a user account compromised by use of a hash table like this.
BTW, this is nothing new. Rainbow tables have been out for ages.
--Colin
Slashdot Mirror
On a day to day basis I work with Cisco, and with their product lines. While they don't open source their own code, they do showcase how relevant Linux is as a platform to deploy critical network systems on.
They are moving everything, from routers, to firewalls, to voice system on Linux kernels (as well as providing the proper credit). From this foundation they run their own proprietary code. Their is nothing ignorant or hostile with using and crediting open source software, while still retaining intellectual property rights to your own software.
As Cisco's CTO Padmasree Warrior has led many changes inside of Cisco.
1. Green DataCenter initiatives - She has led the charge in lowering power consumption of existing DataCenters by utilizing new technologies, as well as consolidating sites. This has a direct financial impact, as well as being good for the environment.
2. Focus on collaborative tools and teams - she has really pushed to break down the silo's between teams by providing the tools and technologies to seamlessly share information between teams.
Most importantly, she is a forward thinking technologist, not a bureaucrat. If I am going to trust anybody to drive the technical vision of the federal government, I am going to trust Padmasree.
Seriously though, does anybody actually work only 40 hours a week?
It is like Rsync on steroids. Cisco's Wan optimization and Application Acceleration product allows you to "seed" your remote locations with files. It also utilizes some advanced technology called Dynamic Redundancy Elimination that replaces large data segments that would be sent over your WAN with small signatures.
What this means in a functional sense is that you would push that 4 Gig file over the WAN one time. Any subsequent pushes you would only sync the bit level changes. Effectively transferring only the 10 megabytes that actually changed.
While it is nice to get the propeller spinning, there is no sense reinventing the wheel.
Cisco WAAS - http://www.cisco.com/en/US/products/ps5680/Products_Sub_Category_Home.html
In all seriousness, there may be interesting tax implications if these datacenters are put outside of US waters.
From the referenced article - "The passwords are so-called "phase one" passwords, and must be combined with a second password to access the network, the source said. " 99% chance they are using some form of Cisco device as their VPN concentrator (most like a VPN3030, ASA or 7200 series router). If they are these passwords (one per group) are in what is called a pcf file in every employees computer that is allowed to connect. Heck, if you use a Cisco vpn it is on your computer in the following location - C:\Program Files\Cisco Systems\VPN Client\Profiles . The group pass is encrypted with weak encryption that is commonly cracked to allow linux laptops to connect using vpnc. You can do it on the web here - http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode
The thing is, this group password's primary use is to segregate users into different buckets. E.G contractors may have on password, with different authentication methods, while permanent employees are in a different bucket, with their own authentication methods. The key thing, is that once this first password is provided, the end user still has to provide a unique username and password to gain access. So in effect, having the group password alone is meaningless.
On top of that, I frankly would not be surprised or peeved if a network engineer had possession of PCF files for the network he is responsible for. What is next? Is the DA going to try to prosecute him for having diagrams and configs of the network he is managing on his laptop?
If only 5% of DNS servers hadn't updated their root servers list, and this server is listed as 1 of the 13 root servers, then these people will have .38% of the entire internet's DNS requests coming through them.
With "control" of a root server (or at least what a DNS client believed was a root server. They would be free to insert whatever records for anything they want. Think banking, finance, email, etc.
So really, the title of this article should have been if you were in organized crime, what would you do if you could transparent MITM (man in the middle) attack .38% of all web traffic on the internet.
My guess is all your accounts belong to us.....
This is not a new idea. VMware is making a killing around this same concept of consolidating load from many servers onto fewer servers. People tend to forget that an idle server still uses 50% of its peak power utilization. There is a good write up here on Green Data Center
One thing that is important to point out, is that Cisco is treating Rick Frenkel extremely well. They aren't firing him, restricting him from blogging, or taking other knee jerk reactions. What they are doing is requiring that a Cisco employee put boiler plate on their sites.
Cisco itself has been trying to embrace web2.0 collaboration for a couple years now. In some instances like http://blogs.cisco.com/home/ they do really well, providing a conduit for actual engineers to comment on technology and the companies products. In other instances like second life, they have gone completely off target and missed the whole point (my personal rant, second life is NOT web2.0). The important thing to focus on, is that Cisco is consistently trying to encourage open communications of its employees with the general public, and should be apploauded for their attempts.
Disclaimer - I am NOT a Cisco employee, and these are my OPINIONS.
You must be one of those fanboy's my 15" widescreen with a dual core intel cpu and 2 gigs of ram. Is effectively the same as the 15" widescreen with a dual core intel cpu and 2 gigs of ram. You are right, it doesn't come in white, but performance wise it is neck and neck.
I run Ubuntu 7.10 on a dual core HP laptop. My hardware is effectively a clone of the Mac Book Pro at 1/3 of the price. I however have complete control over my operating system, and get to use Compiz for all the fancy visual effects. While I respect the fact that Mac users are running BSD, I feel for most users it is just jewellery with a power button.
Its called dense wave division multiplexing, or DWDM. You take independent links (in this case 100Gig links), and transmit each of them on a slightly different wavelength of light called a Lambda. Since optic is looking for a specific wavelength, you can now run many "virtual links" per physical fibre. This is the standard technology for most Telcos. The innovation here is that they are doing this with 100Gig transceivers, and they have chipsets fast enough to combine the different lambda's back together into on high speed link. And yes, you can now let the Lambda Lambda Lambda jokes fly
Of course companies that have large compute clusters are migrating to areas that offer steady low cost power and cooling. It is simple business. Power and Cooling account for the majority of the expense of running a DataCenter. The draw is a lot of extremely cheap electricity combined with cold outside air (allowing bypass cooling) is something that is to important to pass up if you have thousands of servers.
One other thing to keep in mind is that in many places the power infrastructure is strained to its limit. For example I heard that to get 1 megawatt of power in downtown San Francisco it will take upwards of Three years for PG&E to deliver. Putting DataCenters in locations that aren't constrained is just good business sense.
1. Deny IRC traffic at your firewalls. If there is a business need for IRC then setup a IRC proxy, or inline authentication. This simple step will stop many of the bots out there from phoning home.
2. Enable reverse path detection on your network devices. This forces your internal routers to check whether the source ip address that the bot is sending, is available out the interface that your comprimised host exists on.
3. Enable DHCP snooping on your edge switches. By configuring this feature the switchport that your host plugs into passively observes what IP address was given to your computer. If traffic is spoofed (a common occurrence for botnets) the switchport effectively shuts your host down.
4. Monitor your network. There many free and commercial products that will make it clear that your traffic profiles have changed. Some good free tools for this are Cacti - http://www.cacti.net/, Nagios - http://www.nagios.org/ and NTOP - http://www.ntop.org/
5. Utilize update antivirus technology, hopefully one that reports to a central console. These are simple steps, that frankly most people do not use in their networks. If they would the botnet issue would be greatly minimized.
You have a great point about overall network sizing and capacity issues. Though, if you look at Comcast's current setup, they are only enforcing at the peering points on their network. Traffic that is not exiting their network is not being squelched. Until the technology needed to classify the torrent traffic is available at the edge of the network, it will always be cost prohibitive to apply controls internally.
Every journey starts with a single step. (and all us CCIE's started as CCNA's). You are sooo worthy :)
Comcast is trying to spin their actions as promoting fair use of the their networks. The truth is that ISP's profit from having data dumped INTO their network and have to pay hard cash for data LEAVING their network. By injecting RST's into the peers seeding traffic, they promote an asymmetric data flow that brings more data (and therefore money) into their network, while minimizing the money they have to pay other ISP's for data going out. This proposal provides protection against the throttling of their upstream Bittorrent traffic only if the ISP is not aware of the info_hash of the torrent. Once this data is known it is possible to apply common data tagging and congestion control techniques to squelch this traffic. All the service provider (or application developers like SandVine) has to do is monitor the common torrent sites, and dynamically update this hashes into the network filters. This is sure to deny a majority of the torrent traffic out there (movies, linux distro's, etc). Colin McNamara CCIE #18233
This is a prime example of the need for a multi layered security model for authentication and authorization of your systems. There are many vendors that supply two factor authentication methods (RSA being the most well known) that provide for one time passwords. Techniques like this effectively mitigate the risk of a user account compromised by use of a hash table like this. BTW, this is nothing new. Rainbow tables have been out for ages. --Colin