It's easy on modern hardware to strip tagging -- in fact, if you're going to use QoS techniques you want to be sure you only listen to appropriate tags.
Else everyone sets the DSCP value (or TOS) to as high as possible and the whole system becomes useless.
No, it won't. You just de-prioritise ANY traffic other than your VoIP traffic.
And without some form of prioritisation across a public network, VoIP becomes a flaky proposition at best. You have a 250ms round trip latency budget, and encryption adds to the serialisation delay on both ends and impacts this. Plus any out of order packet delivery or jitter will further impact voice quality, along with compression.
And people expect their phone to work. All the time. Early adopters will tolerate the impact, but the money is in the commoditisation of the service and deploying it to everyone -- and everyone will not be willing to deal with a flaky phone.
Well... VoIP technology is inherently extremely sensitive to both latency and jitter; this is why Cisco is trying to work with ISPs (their 'V3PN program', which always sounds like a Star Wars droid every time I talk about it) to get them to listen to QoS/DSCP values as set by the customer in their network. (Or to route DSCP tagged traffic into the appropriate MPLS TE 'VPN', or whatever you choose as a methodology)
This, of course, raises huge issues for the general consumer, since those willing to pay what's probably a premium to NOT have their DSCP values stripped off at the edge of the network get further stomped, even without any form of 'anti-competitive' prioritisation -- the end users get squished first as they don't have a 'business class' service and the only real way for a backbone provider to make money is to over-subscribe their backbone and rely on the bursty nature of IP traffic to handle it. (At least, that was the plan when I was working with VERIO engineering a few years back; now I'm just a consultant on the Cisco side... )
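The "only listen to appropriate tags" point above is usually implemented as a DSCP trust boundary: markings are reset on untrusted ingress before any queueing honours them, so a host that tags everything as Expedited Forwarding gains nothing. The following is an added example written for this page, not code from the original comments or from any vendor; it works on raw IPv4 header bytes with the Python standard library, and the packets, addresses and the `DSCP_EF` allow-list are constructed assumptions for the demonstration.

```python
"""
Added example: a DSCP trust boundary for IPv4 packets.

Packets arriving on an untrusted interface have their DSCP reset to best
effort (0) before any QoS logic looks at it. Packets from a trusted
interface keep their marking only if it is on an allow-list. The header
checksum is recomputed so the re-marked packet stays valid.
All packet bytes are constructed test data.
"""
import struct

DSCP_BE = 0     # best effort (RFC 2474 default)
DSCP_EF = 46    # Expedited Forwarding (RFC 3246), commonly used for voice
DSCP_AF11 = 10  # Assured Forwarding class 1 (RFC 2597)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071 style)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(dscp: int, src: str, dst: str, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4 packet (20-byte header, no options) carrying
    the given DSCP. Constructed test helper, not a full IP stack."""
    tos = (dscp << 2) & 0xFC                      # ECN bits left as 0
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload),
                      0, 0, 64, 17, 0, src_b, dst_b)
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def get_dscp(packet: bytes) -> int:
    """Upper six bits of the TOS/DiffServ byte."""
    return packet[1] >> 2


def remark_dscp(packet: bytes, trusted_ingress: bool,
                allowed=frozenset({DSCP_EF})):
    """
    Apply the trust-boundary policy to one IPv4 packet.

    Returns (packet, remarked). `remarked` is True when the DSCP was reset
    to best effort; counting those per ingress port is the detection
    signal for a source that marks all of its traffic as high priority.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    dscp = get_dscp(packet)
    if dscp == DSCP_BE or (trusted_ingress and dscp in allowed):
        return packet, False
    hdr = bytearray(packet[:ihl])
    hdr[1] = (hdr[1] & 0x03) | (DSCP_BE << 2)     # keep ECN bits, clear DSCP
    hdr[10:12] = b"\x00\x00"                      # zero checksum before recomputing
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:], True


def remark_stream(packets, trusted_ingress: bool):
    """Run the policy over a batch; returns (packets, number re-marked)."""
    out, count = [], 0
    for p in packets:
        q, remarked = remark_dscp(p, trusted_ingress)
        out.append(q)
        count += remarked
    return out, count


if __name__ == "__main__":
    # Constructed sample: a host on an untrusted port marking everything EF.
    flood = [build_ipv4_packet(DSCP_EF, "192.0.2.10", "198.51.100.5", b"x" * 8)
             for _ in range(5)]
    _, n = remark_stream(flood, trusted_ingress=False)
    print("re-marked %d of %d packets from the untrusted port" % (n, len(flood)))
```

The allow-list matters on the trusted side too: a trusted port is normally trusted for the code points the service actually uses (EF for voice here), not for every possible value, which is why an AF11 marking from a trusted port is also reset in this policy.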
I run a hybrid testing/unstable on my desktop. On servers I have to run the same thing in some cases; especially on mail gateways for spam/virus filtering -- the two year old version of spamassassin in Stable is... inefficient.
However, it's not the instability of the testing/unstable releases that worries me. It's the fact that they are explicitly not supported by the Debian security team. So running that on Internet facing servers worries me. A lot.
I don't care about the naming convention. I'm smart enough to go read the docs and figure out what they mean. But when I either have to run two year old versions OR accept a lack of security coverage I become unhappy.
Why not a laptop? I think it boils down to 'what do you actually want/need/use'.
I use a laptop and a PDA for very different things. Any PDA has to have a few relatively vital features, the largest one of which is form factor (I want something that, with a hard case, I can carry in a pocket all the time) and the second is battery life. Lastly, I want to be able to get to the data fast -- no long bootup time.
There's a crossover between the PDA and the laptop in a lot of places, and if I want something with a large screen, etc, then sure -- I'll use a laptop. But I also want something that will be there wherever I am for general stuff -- note taking, calendar and address book (I actually like keeping the address book separate from the phone, since then I dial the phone numbers and eventually remember them). And some basic timewaster games for airport lounges and so on. So it has to fit in a pocket, easily.
And the FBI is making fairly concerted efforts to hire people who are computer security aware; it's up there with 'middle eastern languages' at the current time.
Yes, it sucks; but I, for one, don't care if the FBI knows which tools I've downloaded -- they're used for legal, business purposes.
(Today. My paranoia streak wonders. But today...)
While this is somewhat offtopic, I actually used 2500's to study for all the Cisco certs, plus a little time with an ISDN simulator when it came time for the sissy.
I had one larger router as a frame switch, and was working enough ATM to get away without it, mind.
And, today, Cisco basically announced the replacement for the 1700, 2600 and the 3745.
From http://newsroom.cisco.com/dlls/2004/prod_091404.html?CMP=ILC-001: ...The Cisco 1800 Series, 2800 Series and 3800 Series integrated services router will begin at list prices of $1395, $1995 and $9500, respectively. The new Cisco 1800 and 2800 Series routers will be available in September 2004 and the Cisco 3800 Series routers will be available in October 2004...
New features appear to include a higher and easier integration of VoIP/IPT and security and a new WIC interface with higher speeds (1000FX WIC, for instance).
... is Packetyzer, available from Network Chemistry http://www.networkchemistry.com/products/packetyzer/.
Has some neat additional features, such as conversation tracking and I believe it has a few more decodes. Only for Windoze, however, thus encouraging the VMWare machines.
It's a difficult challenge, for sure, especially with anonymous access. OTOH, most/many municipalities have accepted some level of this risk already with open access library PCs and may have addressed this with some form of security policy (for what that's worth). This also seems -- to me -- to be a valid place for an IDS (looking primarily at traffic outbound from this wireless segment and triggered to shun the user originating these attacks). Not perfect, by any stretch of the imagination, but it's security and thus, by definition, not perfect. And I don't care too much if I accidentally DoS one of those wireless users.
Not addressed here are things like users accidentally/deliberately attacking other users across the wireless, let alone the privacy issues others have talked about, etc.
There are other technical issues with securing this; segregation of client and data network, etc, etc -- the classic wireless issues.
Here in NM, Rio Rancho did this in certain areas -- Albuquerque, not to be upstaged by their western neighbour, deployed it at the airport and in the centre of downtown. There is no user authentication, so tracking of activities is very hard unless you catch them in real time (see above on IDS), but I believe there is some level of firewalling between this and the City network. (I haven't poked at it too terribly hard, mind you.)
Verizon actually has a BT phone; the V710. They came out from Radio shack early this month and are now available via VZW stores.
I have one; as many people mentioned, the tech is /great/ with a headset. Sadly, the current version of the phone appears to be pretty crippled, limited to DUN and headset -- my Palm T2 doesn't talk to it yet, though there are rumours of an upgraded f/w for the V710. The phone is also, compared to the GSM BT, a touch bulky, but not enough that it's an issue for me. YMMV. There's a HUGE discussion on this thing over at Phonescoop.
However, living in NM AND with a job that requires me to be outside of Abq/SF/Las Cruces enough, I can't effectively use a GSM carrier. Combined with corporate choice of VZW as a carrier and the cheap in-network stuff, I'm just happy to get SOMETHING with BT.
And, as mentioned earlier, it's great just for the headset. At least, to an admitted gadget freak like wot I am.
Forgot the URL of the NIST overview: NIST overview
From what I can read on the NIST 802.11 overview it's still not designed to protect identity.
Thus it will still not encrypt ESSID (used as a clue for what encryption credentials you need, NOT as a security measure) or the MAC address of the systems using it. (Page 29 of the above referenced article).
It's designed to address two of the three CIA principles, those being confidentiality and integrity of your data. Not to hide who is on the wireless network.
It's not designed to replace a/b/g. It's an add on to secure a/b/g.
We saw relatively rapid deployment of WPA into firmware upgrades. The real question will be if the AES encryption can be off-loaded to the processor (as suggested by the article referenced) or if it has to be in hardware.
The latter will be a massive slow-down in deployment. Even the former requires re-writing drivers and software, and it looks like it won't even be really in testing until September.
Re:Now we can start waiting for a total break of A (on "IEEE Approves 802.11i", Score: 3, Informative)
AES, like DES and 3DES is a public algorithm and was subject to extensive peer review prior to adoption by the US government. (It's not a US algorithm; the original name was Rijndael). It was chosen for key length, security and efficiency of the algorithm and memory footprint among other things.
While this doesn't guarantee the security, it certainly improves the chances of it being as secure as possible. AFAIK, DES/3DES, a 20+ year old algorithm, is still only vulnerable to brute force attacks.
The real fear here -- as in any encryption system -- is the security of the key handling protocol. It's TKIP, not AES, that'll be the key to the security of 802.11i.
I think it's because many (most) people are not geeks and would prefer the ease of use, help, and support of one of the 'standard' clients.
This is why I continue to use GAIM -- my sister, back in the UK, is on AIM. Several of my cow-orkers use Y!, as do a couple of our vendors. Etc.
And while my sisters and brother are bright, I don't want to make trans-atlantic phone calls to help them get a different client set up.
Convenience rules, and sometimes the LCD /is/ the best option.
I'll second the support comment. I am biased -- I work for a Cisco gold partner based in New Mexico, but you know; you can and will get support when you need it.
(Off topic, I totally believe that not all TACs are created equal, even within Cisco -- give me Sydney any time for a problem. Many people even delay calling until then).
But Cisco is pretty good about releasing vulnerability and other statements. No-one is perfect, and some of their issues (the ex-Strataccom ATM switches with passwords you need a TAC engineer to change) suck from a security standpoint. Overall, though... I'd rate them as good, responsive when there is an issue, and good at updating, releasing and dealing with advisories.
Mmm. I'm not a big believer in certs, except to get past the HR people. All the CCNA/CCDA/CCNP/CCDP/CCSP show is that you can take the test. (Qualifier: I do have many of these, primarily since it was a promotion requirement)
I agree with the experience thing, though I don't think the actual hardware is important; my lab when I was studying for my CCIE was 5 2500s and a 4000 used as a frame switch. And that was Feb 2000. I leased some time to learn ISDN and I got it, but I didn't have the expensive toys to study on. (I was working in the field; I was doing ATM at the time. Both of these helped ENORMOUSLY. I was lucky in that the company I'm with hired me with a CS degree and no certs and I made the time around the work hours to study.)
More important, however, is understanding the theory. And that is what I look for when I'm interviewing; not if you know the command on whatever piece of hardware, but if you know what you're trying to do and can show me that you know where to find it in a reasonable timeframe. I don't care if you can rote memorize commands, or know every IEEE protocol by heart.
It's in this theory and understanding area that, in truth, is where I see the college degree coming in useful. Mine (Manchester, UK) I've never used. But I do networking and security, and neither of those was a focus for that. It also took me 10 years in the field to realise that the theory was the important part.
The degree also opens a lot of doors from HR people again, though I don't think I'd specialise early either. You could look for somewhere with a Cisco Academy and hopefully get the best of both worlds; the 'cisco cert' and a degree that hopefully shows that you know theory.
My first car was my grandmother's Morris Marina. It was, in many ways, amazingly scary. It had that 1970's Leyland body that would just if you looked at it hard. In England. Moving it up to Manchester from London didn't help that, and half the body was wire mesh and epoxy after a year or more. And the rest was built out of, basically, spare parts from other Leyland vehicles that were around at the time (like the Maxi and the Allegro and the MG)
But what was truly scary was the cartleaf rear suspension. My wonderful example had a blown cylinder - on a 4Cyl 1.7l engine - and would fishtail on a dry road under acceleration.
I see Haystack and I think of one of the old, old IDS systems/companies. Stalker, right?
On the other hand, it's a damn fine name for both types of product, and I haven't seen anything on the Haystack IDS in a long while...
Yes, Cisco already does this. But they do it in the pre-standard fashion. (I believe this is in the resistive vs. capacitative methods of sensing the presence of a powered device, such as a phone or an access point).
The newer powered systems (3750 switches etc) are being held until the draft is finalized so that we'll get real inter-operability.
You know...
This whole discussion centers on what you use the laptop for. In a desktop replacement that gets moved around occasionally -- sure 7-8lbs is fine. But my T23 is in for repair and I'm back to an Inspiron 7500 and I've noticed the difference. On the other hand, I haul it around a lot, move from office to office on customer sites etc, and one of my primary reasons for the IBM was weight.
As to the military? Last time I was packing that sort of load and gear, the webbing was MUCH better designed to distribute it than the average laptop bag. And. Well. Why should I suffer if I don't have to?
I tend to agree with this; however I think that anyone who depends on single-factor authentication on a 'core' router is probably in that 'bad' category. Further up the list someone mentioned RSA or some other one-time-password solution, which is certainly the way I'd recommend. At very least a username/password system along the RADIUS/TACACS+ path.
Secondly, as has been repeatedly pointed out, Tier 1 ISPs implement either automatic (RADB) or manual filters to control the advertisements that they'll receive. While this is far from optimal, it certainly limits the scope of the issue.
Thirdly, I don't think authentication/encryption is as tough as it could be. It's present (on Cisco hardware) in IGPs. The issue, of course, is scaling that deployment across critical devices and the huge danger bulk code upgrades cause on these devices.
Hm. Interesting list. The issue is that, at least on the Cisco gear, it's not very accurate.
Routers by default come with no password (and without one set, you can't telnet into them). Admittedly, the classes teach 'cisco' for telnet and sanfran for enable, and it's /amazingly/ common to see routers that people have set up with these passwords in production networks. (Terrifyingly common, in point of fact). :)
MGX is not superuser, superuser.
But I like the list.
As with many of the other posters, I'll add an 'I do', or at least an 'I did'. I'm using Phoenix these days, but mainly because some MS patch I had to apply to my machines broke O6 at some point, and I haven't gone and upgraded to O7 to fix it.
I think the key edges are:
1) Tabbed browsing. Not for everyone, but I love it.
2) Mouse gestures. Another control method is great.
3) Speed, and it's not an M$ product.