Category Archives: General

Magic Quadrant for Enterprise Network Firewalls 2018

Security landscape is evolving fast, so fast detection and mitigation is important for customers.   Many enterprises are looking to firewall vendors to provide cloud-based malware detection instances to aid them in their advanced threat detection efforts, as a cost-effective alternative to stand-alone sandboxing appliances.
SSL Decryption is one of the key topics, since TLS 1.2 to the TLS 1.3 standard will undoubtedly force changes in how enterprise firewall vendors process the traffic.
Policy Orchestration and Automation Become Critical on SDN deployments, some vendors haven’t provide much attention om this topic. Firewall Services Within IaaS Environments Become an Area of Differentiation.

Magic Quadrant for Enterprise Network Firewalls

Full Report on Report Magic Quadrant for Enterprise Network Firewalls 2018

Google BBR Algorithm

Google’s BBR algorithm for handling TCP traffic congestion could announce a new Era on the trasnport Control Protocol (TCP). Google announced integration with Google Cloud, a cloud hosting platform offered by Google to thousands of companies and which serves millions of websites on a daily basis.

BBR stands for “Bottleneck Bandwidth and RTT (Round-Trip Time),” and is an algorithm for optimizing how network packets travel through servers in order to avoid jamming certain routes.

If you want test this on your linux box, you can follow this guide here https://patchwork.ozlabs.org/patch/671069/

An draft IETF proposal as been made, you check see it here https://tools.ietf.org/html/draft-cheng-iccrg-delivery-rate-estimation-00

Magic Quadrant for Enterprise Network Firewalls 2017

Cisco is climbing fast, Fortinet faster, PaloAlto still leading and filling their gaps in portfolio and Check Point released finally the R80 for gateways. I predict 4 Leaders next year, it will be a nice race to watch!

Full Report on Report Magic Quadrant for Enterprise Network Firewalls 2017

Spot Bad Traffic without decrypting it

How can we detect and mitigate a kill chain in encrypted traffic without breaking users privacy and same time  with minimal false positives? Cisco Catalyst 9k is the newest platform with this capability which is called Encrypted Traffic Analysis (ETS). Machine Learning & metadata seems to be the right ingredients to make the wheel work.

Read here for more detail.

 

 

 

Wishes of Cisco Champion

I’ve thinking on this, a really cool thing could be Cisco providing extended trial licenses for those who live and breathe Cisco (true DNA of a Cisco Champion). Also part of the bundle could a Cisco VIRL license be included and/or a voucher for a Cisco Press ebook.

Maybe we can see some of these next year 2018.

Fingers crossed.

ALG breaking a Transfer Zone

This came when i tried to do a DNS Transfer Zone through a Cisco SOHO (877), which when triggered i received a RST packet from the router. Initially i was thinking that came from the server, but looking to the packet capture i observed the TTL was 254, which was the from router it self. Why? Answer ALG.

Because ALG can handle until a certain message size, the only way to fix this is DISABLE the ALG.

INTERNET#sh ver | i Vers
Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.2(4)M6, RELEASE SOFTWARE (fc2)

[[email protected] ~]# dig -y @104.28.16.27 cocheno.com -t axfr;; communications error to 104.28.16.27#53: connection reset

Looking at the NAT Debug…..

Jan 11 23:15:10.146: NAT-FRAG: tcpmss value :0
Jan 11 23:15:10.150:  NAT-L4F:setting ALG_NEEDED flag in subblock
Jan 11 23:15:10.150: NAT-FRAG: tcpmss value :0
Jan 11 23:15:10.150:  NAT-L4F: Policy check successful
Jan 11 23:15:10.150:  NAT-L4F: received fd1: 1073742971 and
tcp flags = 0x2, payload_len = 0
Jan 11 23:15:10.294:  NAT-L4F:setting ALG_NEEDED flag in subblock
Jan 11 23:15:10.294: NAT-FRAG: tcpmss value :0
Jan 11 23:15:10.294:  NAT-L4F: received fd2: 1073742972 and
tcp flags = 0x12,payload_len = 0
Jan 11 23:15:10.298:  NAT-L4F:setting ALG_NEEDED flag in subblock
Jan 11 23:15:10.298: NAT-FRAG: tcpmss value :0
Jan 11 23:15:10.298:  NAT-L4F: Received final ACK from fd1 : 1073742971 and
tcp flags = 0x10
Jan 11 23:15:10.298:  NAT-L4F:Transistioning to proxy: rc 0 error 0
Jan 11 23:15:10.298:  NAT-L4F: Successfully proxied this flow
Jan 11 23:15:10.298:  NAT-L4F:setting ALG_NEEDED flag in subblock
Jan 11 23:15:10.298: NAT-FRAG: tcpmss value :0
Jan 11 23:15:10.298: NAT-ALG: lookup=0 l7_bytes_recd=125 appl_type=12
Jan 11 23:15:10.298: NAT-ALG: DNS l7_msg_size = 125
Jan 11 23:15:10.298: NAT-ALG: after state machine:
Jan 11 23:15:10.298: NAT-ALG: remaining_hdr_sz=0
Jan 11 23:15:10.298: NAT-ALG: remaining_payl_sz=0
Jan 11 23:15:10.298: NAT-ALG: tcp_alg_state=0
Jan 11 23:15:10.298: NAT-ALG: complete_msg_len=125
Jan 11 23:15:10.298:  l4f_send returns 125 bytes
Jan 11 23:15:10.298:  Complete buffer written to proxy
Jan 11 23:15:10.298:  NAT-L4F:NO DATA to read
Jan 11 23:15:10.446:  NAT-L4F:setting ALG_NEEDED flag in subblock
Jan 11 23:15:10.446: NAT-FRAG: tcpmss value :0
Jan 11 23:15:10.454:  NAT-L4F:setting ALG_NEEDED flag in subblock
Jan 11 23:15:10.454: NAT-FRAG: tcpmss value :0
Jan 11 23:15:10.454: NAT-ALG: lookup=1 l7_bytes_recd=1452 appl_type=12
Jan 11 23:15:10.454: NAT-ALG: DNS l7_msg_size = 31751
Jan 11 23:15:10.454: NAT-ALG: Unsupported l7_msg_size = 31751
Jan 11 23:15:10.454: NAT-L4F:CSM isn’t able to accept the pkt
Jan 11 23:15:10.458:  NAT-L4F:read RST, aborting
Jan 11 23:15:10.458:  NAT-L4F:setting ALG_NEEDED flag in subblock

 

How to disable DNS ALG?

INTERNET-RTR(config)#no ip nat service alg tcp dns

New Year Resolutions for 2017

This is the right time on the year where we need to think what we want to do and define our goals to upcoming year, i consider this an important step to make you focus in your career and step away from the darkness (dead times). Comparing what i achieved this year it’s embarassing but i’m looking for a great 2017. This year i have to renew some of my Certs (2 years gone…) like Juniper and Checkpoint. This year i’m expecting to enhance my knowledge about Azure/AWS Platforms, Web Application Firewall, CyberSecurity, DNS RPZ , DDoS, SSL Decryption and maybe others a long run. Network Design and Automation stil my priority, but maybe my employer will challenge me next year, so i will add it later to my list :)

Likely maybe i will do some exams:

VMware Certified Professional 6 – Network Virtualization (VCP6-NV)

Cisco CCIE Service Provider Written+Lab(?)

Cisco CCDE Written+Lab(?)

JNCIE-ENT

JNCIP-SP

JNCIS-SEC

Palo Alto Networks Certified Network Security Engineer (PCNSE)

F5 Certified BIG-IP Administrator

F5 Certified Technology Specialists ASM

Beta versions?

Books

There are some books i’m still reading:

Art of Network Architecture, The: Business-Driven Design

MPLS Fundamentals – Cisco Press

CCDE Study Guide – Cisco Press

Lets the journey begins!

happy_2017

Cisco DNA Learning Track

On this new track you can learn about about the building blocks of the Cisco Digital Network Architecture (DNA), including an introduction to REST APIs, how to code in Python, and how to use programmability in the context of controllers and device-level interface. You have 10 module and 32 learning Labs, free, free, free!

devnet_dna

Labs Available

devnet_dna_modules

References:

DevNet Express for DNA

Renew your Expired Juniper Certification until March 2017

The JNCP is offering a recertification grace period to candidates whose certifications expired in 2016. Expired certifications may be renewed between January 1, 2017 and March 31, 2017 by taking the same or higher level exam or using the Continuing Education option. This means candidates with Specialist through Expert-level certifications that have expired do not have to start at the JNCIA-level.

To renew an expired certification, candidates must pass the appropriate exam or attend an appropriate course by March 31, 2017. See the Recent News section of the Certification Website for instructions on how to take advantage of this offer

VMware vSphere 6 Masterclass

ITMasters is offering a new course (VMware vSphere 6) , developed in partnership with ITPA, this short course is for administrators who are already comfortable setting up individual ESXi hosts, and configuring and maintaining VMs within.

Enroll here

Note: Course free of Charge! We love a bargain!

Starts in October 2016, scheduled time below.

  1. Wed, Oct 26, 2016 8:00 PM – 9:00 PM AEDT
  2. Wed, Nov 2, 2016 8:00 PM – 9:00 PM AEDT
  3. Wed, Nov 9, 2016 8:00 PM – 9:00 PM AEDT

References:

Free University Short Courses

My Recap from Cisco Vegas 2016

Let’s make it clear, i wish to be there! I read really some cool stuff this year in www.ciscolive.com, and i want to share with you my favourite topics:

  • Cisco HyperFlex Systems
  • Cisco Tetration Analytics
  • Cisco Spark
  • Cisco DNA
  • Security Related (Ransomware,etc)

References:

IO Visor Project

BRKCOM-1125 – Hyper-converged Computing

 PSODCN-2375 – Introduction to Cisco HyperFlex Systems )

Cisco Tetration Analytics Data Sheet – Cisco

PSOACI-2100 – Cisco Tetration Analytics: Real-time application visibility and policy management

BRKCOL-2235_Spark Call Extending Spark with Business-Class Communications

BRKSEC-2002 – It’s Cats vs Rats in the Attack Kill Chain!

BRKSEC-2010 – Emerging Threats – The State of Cyber Security

BRKDCT-3001 Leveraging Micro Segmentation to Build Comprehensive Data Center Security Architecture