Nortel continues the enterprise fight

Even though it filed Chapter 11 and is reportedly looking to sell off huge chunks of its business, Nortel is not giving up the enterprise fight.

The company this week will unveil its next generation large enterprise core/data center aggregation switch. The Virtual Service Platform 9000 is Nortel’s entry into the increasingly crowded core data center switch field, which has seen numerous announcements of late from Nortel’s competitors: Force10, Extreme, Juniper and even 3Com, which is re-entering the battle to provide a lower cost alternative to Cisco during these trying economic times.

Nortel says the VSP 9000 will go up against Cisco’s Nexus 7000, Force10’s ExaScale, Extreme’s BlackDiamond 8900, Brocade’s BigIron RX, Juniper’s EX8216, 3Com’s S12500 and any other switch approaching or exceeding 100Gbps per slot capacity and designed to aggregate hundreds of 10Gbps Ethernet ports.

Nortel’s challenges are significant, however. The company is restructuring under Chapter 11 bankruptcy protection from creditors so its future is uncertain. Also, the VSP 9000 won’t ship for another year, while most competitor offerings are already on the market.

Read the full article on NetworkWorld.com

Cisco: DoS protection using TCP Intercept

Every now and then, every network engineer has to deal with some kind of network attack. Usually the attack does not target the network devices but the machines that provide services (e.g. www, database hosting…), because it is far easier to find a script on the Internet that probes port 80, which any script kiddie can use, than to corrupt BGP in order to act as a man-in-the-middle. Anyway, in front of the machine being attacked there is a network device, and even if that network component is not the target it can still be affected (e.g. by the high traffic volume during a denial-of-service attack). So, besides having to protect the network components, we have the duty (at least a moral one) to help the team that manages the servers to mitigate the attack.

For those of you who are not familiar with it, I will explain shortly what a Denial-of-Service (DoS) attack is. A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, web hosting and so on. One common method of attack involves saturating the target machine with external communication requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. This flood of external requests can be achieved using an ICMP flood, a peer-to-peer attack, a teardrop attack, a nuke, an application-level flood and many other (too many…) methods. The purpose is either to consume resources on the target machine so that it can no longer provide its intended service, or to obstruct the communication media between the intended users and the victim so that they can no longer communicate adequately.

One method to mitigate DoS attacks is to limit, on the network device (the router), the number of connections allowed to pass to a server by using TCP Intercept. The TCP intercept feature helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP intercept software intercepts TCP synchronization (SYN) packets from clients to servers that match an extended access list. The software establishes a connection with the client on behalf of the destination server and, if successful, establishes the connection with the server on behalf of the client and knits the two half-connections together transparently. Thus, connection attempts from unreachable (e.g. spoofed) hosts never reach the server. The software continues to intercept and forward packets throughout the duration of the connection.

The main steps to enable TCP Intercept are:

1. Define an IP extended access list
2. Enable TCP intercept
3. Fine tune the TCP intercept parameters

TCP intercept can operate in either active intercept mode or passive watch mode. The default is intercept mode.

In intercept mode, the software actively intercepts each incoming connection request (SYN) and responds on behalf of the server with a SYN-ACK, then waits for the client's ACK of that SYN. When that ACK is received, the original SYN is sent to the server and the software performs a three-way handshake with the server. When this is complete, the two half-connections are joined.

In watch mode, connection requests are allowed to pass through the router to the server but are watched until they become established. If they fail to become established within a definite interval, the software sends a Reset to the server to clear up its state.

In the following topology we have the Server (10.10.10.100) and the possible Attacker (10.10.20.100). In the middle we have the router called R1, which is responsible for mitigating the attack against port 80 on the Server. For this I would choose to apply the following configuration:

access-list 101 permit tcp any host 10.10.10.100 eq 80

ip tcp intercept mode intercept
ip tcp intercept list 101
ip tcp intercept max-incomplete high 150
ip tcp intercept max-incomplete low 100
ip tcp intercept drop-mode oldest

Some explanation for the lines above. We create an access-list matching TCP traffic from anywhere to port 80 on the Server. We set the TCP intercept mode to intercept (this is not actually needed, because it is the default mode; I put it here just for the sanity of the example). When the number of incomplete (half-open) connections exceeds 150 (…max-incomplete high 150), the router will start to drop half-open connections, beginning with the oldest ones (…drop-mode oldest). As soon as the count falls under 100 (…max-incomplete low 100), the router will cease dropping connections. These are just values used for this example.
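To make the high/low watermark behaviour concrete, here is an added toy model (example code written for this post, not Cisco IOS code) of what the router does with half-open connections when the thresholds above are crossed. It tracks half-open entries in arrival order, enters an "aggressive" state once the count exceeds max-incomplete high, evicts one old entry per new SYN while in that state, and leaves it once the count drops below max-incomplete low. The client addresses, ports and timestamps are constructed for the scenario; the real feature also shortens retransmission timers in aggressive mode and has a separate per-minute rate threshold, neither of which is modelled here.

```python
from collections import OrderedDict
import random


class TcpInterceptModel:
    """Toy model of the max-incomplete high/low watermarks and drop-mode behaviour.

    Simplified illustration of the router behaviour described above (not IOS code):
    real IOS also shortens retransmission timers in aggressive mode and enforces a
    per-minute connection-rate threshold; neither is modelled here.
    """

    def __init__(self, high=150, low=100, drop_mode="oldest", seed=0):
        self.high = high
        self.low = low
        self.drop_mode = drop_mode          # "oldest" or "random", as in the IOS command
        self.incomplete = OrderedDict()     # (client, sport) -> arrival time; insertion order = age
        self.established = 0
        self.dropped = 0
        self.aggressive = False             # True while the router is shedding half-open entries
        self._rng = random.Random(seed)

    def syn(self, client, sport, now):
        """A client SYN that matches the intercept access list reaches the router."""
        if self.aggressive:
            self._drop_one()                # aggressive mode: each new SYN evicts one half-open entry
        self.incomplete[(client, sport)] = now
        if len(self.incomplete) > self.high:
            self.aggressive = True          # crossed 'max-incomplete high'

    def ack(self, client, sport):
        """The client answered the router's SYN-ACK: the half-open entry becomes established."""
        if self.incomplete.pop((client, sport), None) is not None:
            self.established += 1
            self._check_low()

    def expire(self, now, timeout):
        """Discard half-open entries whose client never completed the handshake."""
        stale = [key for key, t in self.incomplete.items() if now - t > timeout]
        for key in stale:
            del self.incomplete[key]
            self.dropped += 1
        self._check_low()

    def _drop_one(self):
        if not self.incomplete:
            return
        if self.drop_mode == "oldest":
            key = next(iter(self.incomplete))   # OrderedDict keeps arrival order
        else:
            key = self._rng.choice(list(self.incomplete))
        del self.incomplete[key]
        self.dropped += 1
        self._check_low()

    def _check_low(self):
        # Leave aggressive mode only once the count falls below 'max-incomplete low'
        if self.aggressive and len(self.incomplete) < self.low:
            self.aggressive = False


def simulate_syn_flood(high=150, low=100, flood_syns=160):
    """Constructed scenario: a spoofed SYN flood against the server, then a legitimate client."""
    router = TcpInterceptModel(high=high, low=low, drop_mode="oldest")
    # Constructed attack traffic: one SYN per source port from the attacker address, none ever ACKs.
    for i in range(flood_syns):
        router.syn(client="10.10.20.100", sport=40000 + i, now=i)
    after_flood = (len(router.incomplete), router.aggressive, router.dropped)
    # A legitimate client (constructed address) completes its handshake during aggressive mode.
    router.syn(client="10.10.20.50", sport=51000, now=flood_syns)
    router.ack(client="10.10.20.50", sport=51000)
    # Stale half-open entries time out; the count falls under the low watermark.
    router.expire(now=flood_syns + 15, timeout=60)
    after_expire = (len(router.incomplete), router.aggressive, router.dropped, router.established)
    return after_flood, after_expire


if __name__ == "__main__":
    print(simulate_syn_flood())
```

With the defaults from the configuration above, the flood pushes the half-open count to 151, after which every further SYN evicts the oldest entry, so the table never grows beyond the high watermark plus one; the legitimate client still gets through because it answers the SYN-ACK and is moved out of the half-open table.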

To check the TCP intercept you can use the following commands on the Cisco router:

show tcp intercept connections
show tcp intercept statistics

To check a live example of what you should see if your TCP Intercept configuration is working properly please click on the image below. The test is done in Dynamips environment with 2 VMware machines (client and server) using Ubuntu and a Cisco 3640 series router.

Cisco TCP Intercept

Two CCIE R&S Certification Webinars

Source: https://cisco.hosted.jivesoftware.com/docs/DOC-4862

Cisco will conduct two webinar events on Wednesday, May 20, 2009 to describe recent enhancements to CCIE R&S certification and Cisco 360 Learning Program for CCIE R&S.
Attendees can choose from calls at 8:00 am and 7:00 pm PST.
Participants need only attend one event as content will be identical.

Registration information is as follows:

MEETING DETAILS

Meeting Name: CCIE R&S Refresh
Date/Time: 5/20/2009 @ 8:00 AM and 7:00PM US/Pacific Time
Length: 90 minutes
Frequency: Once
Meeting ID: 222333

Register for each event:

Please visit https://cisco.hosted.jivesoftware.com/docs/DOC-4862 to register for this event.

Join the Voice Conference

1. Call MeetingPlace:

Toll-free (US only): 1-800-370-2618

Toll-free (Canada only): 1-800-370-2618

International Direct Dial: 1-650-599-0315

2. Press 1 to attend a meeting.

3. Enter Meeting ID (222333) followed by the # key.

4. Follow the prompts to record your name and enter the meeting.

Join the Web Conference

1. Disable any pop-up blocker software.

2. Go to http://gc46gw1.meetingplace.net.

3. Enter meeting ID (222333) and click Attend Meeting.

4. Enter your first and last name in the My name is box and click Attend Meeting.

5. Answer Yes to any security warnings you receive and wait for the Meeting Room to initialize.

Please read more on: https://cisco.hosted.jivesoftware.com/docs/DOC-4862

Encryption and decryption half century ago

I know that it is not the latest discovery in the cryptography area, but still this device amazed me with its ingenious construction and way of utilization.

An Enigma machine is any of a family of related electro-mechanical rotor machines used for the encryption and decryption of secret messages. The first Enigma was invented by German engineer Arthur Scherbius at the end of World War I. This model and its variants were used commercially from the early 1920s, and adopted by military and government services of several countries — most notably by Nazi Germany before and during World War II. A range of Enigma models was produced, but the German military model, the Wehrmacht Enigma, is the version most commonly discussed.

The machine has become notorious because Polish mathematicians-cryptographers and then Allied cryptographers were able to cryptanalyze, and thus decrypt, a vast number of messages which had been enciphered using the Enigma. The intelligence gleaned from this source, codenamed ULTRA by the British, was a substantial aid to the Allied war effort. The exact influence of ULTRA is debated, but an oft-repeated assessment is that decryption of German ciphers hastened the end of the European war by two years.

Though the Enigma cipher had cryptographic weaknesses, in practice it was only in combination with other factors (procedural flaws, operator mistakes, occasional captured hardware and key tables, etc.) that those weaknesses allowed Allied cryptographers to cryptanalyze so many messages.
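To show the rotor mechanism and one of the structural weaknesses mentioned above, here is an added Python simulator of a three-rotor Wehrmacht Enigma (example code written for this post, not taken from the page or from any historical source code). It uses the published wirings of rotors I, II and III and reflector B, implements ring settings, the plugboard and the double-stepping of the middle rotor, and checks two properties: the machine is reciprocal (the same settings decrypt what they encrypted, which is why operators needed no separate decrypt mode), and because of the reflector no letter can ever encrypt to itself. The message text and plugboard pairs in the usage section are constructed.

```python
# Rotor wirings and turnover notches of the Wehrmacht Enigma I (public historical values)
ROTORS = {
    "I":   ("EKMFLGDQVZNTOWYHXUSPAIBRCJ", "Q"),
    "II":  ("AJDKSIRUXBLHWTMCQGZNPYFVOE", "E"),
    "III": ("BDFHJLCPRTXVZNYEIWGAKMUSQO", "V"),
}
REFLECTOR_B = "YRUHQSLDPXNGOKMIEBFZCWVJAT"
A = ord("A")


class Rotor:
    def __init__(self, wiring, notch, ring=0, pos=0):
        self.fwd = [ord(c) - A for c in wiring]       # right-to-left path (towards the reflector)
        self.bwd = [0] * 26                           # left-to-right path (back from the reflector)
        for i, o in enumerate(self.fwd):
            self.bwd[o] = i
        self.notch = ord(notch) - A
        self.ring = ring                              # Ringstellung, 0 = 'A'
        self.pos = pos                                # letter visible in the window, 0 = 'A'

    def at_notch(self):
        return self.pos == self.notch

    def step(self):
        self.pos = (self.pos + 1) % 26

    def forward(self, c):
        shift = self.pos - self.ring
        return (self.fwd[(c + shift) % 26] - shift) % 26

    def backward(self, c):
        shift = self.pos - self.ring
        return (self.bwd[(c + shift) % 26] - shift) % 26


class Enigma:
    def __init__(self, rotor_names=("I", "II", "III"), positions="AAA", rings="AAA", plugboard=""):
        # rotors listed left to right, as seen by the operator
        self.rotors = [Rotor(*ROTORS[n], ring=ord(r) - A, pos=ord(p) - A)
                       for n, r, p in zip(rotor_names, rings, positions)]
        self.reflector = [ord(c) - A for c in REFLECTOR_B]
        self.plug = list(range(26))
        for pair in plugboard.split():                # e.g. "AB CD" swaps A<->B and C<->D
            a, b = ord(pair[0]) - A, ord(pair[1]) - A
            self.plug[a], self.plug[b] = b, a

    def _step(self):
        left, mid, right = self.rotors
        # Double stepping: the middle rotor steps when it is on its own notch
        # (carrying the left rotor with it) or when the right rotor is on its notch.
        if mid.at_notch():
            mid.step()
            left.step()
        elif right.at_notch():
            mid.step()
        right.step()                                  # the right rotor steps on every key press

    def _encrypt_char(self, ch):
        self._step()                                  # rotors move before the current flows
        c = self.plug[ord(ch) - A]
        for rotor in reversed(self.rotors):           # right -> middle -> left
            c = rotor.forward(c)
        c = self.reflector[c]
        for rotor in self.rotors:                     # left -> middle -> right
            c = rotor.backward(c)
        return chr(self.plug[c] + A)

    def process(self, text):
        """Encrypt or decrypt (the machine is reciprocal); non-letters are dropped."""
        return "".join(self._encrypt_char(ch) for ch in text.upper() if "A" <= ch <= "Z")


def never_self_encrypts(plaintext, ciphertext):
    """The reflector guarantees this; Allied cryptanalysts used it to rule out crib positions."""
    return all(p != c for p, c in zip(plaintext, ciphertext))


if __name__ == "__main__":
    # Constructed message and key settings for illustration
    settings = dict(positions="MCK", rings="BBB", plugboard="AB CD EF")
    ct = Enigma(**settings).process("ATTACK AT DAWN")
    print(ct, Enigma(**settings).process(ct), never_self_encrypts("ATTACKATDAWN", ct))
```

With rotors I-II-III, reflector B and everything at A, typing AAAAA produces BDZGO, a commonly quoted check value for this machine; feeding BDZGO back in with the same settings returns AAAAA.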

Enigma cryptanalysis contributed greatly to the success of Allied war efforts—in the Battle of Matapan in March 1941; in course of the Battle of the Atlantic, beginning in the latter part of 1941; in Rommel’s efforts to capture Cairo in 1942; in the invasion of Sicily (1943) and mainland Italy (1943–44); in the planning and execution of Operation Overlord (the Allied invasion of France, 1944); and in the subsequent drive to and through Germany. Evidence suggests that Soviet strategy and tactics against Nazi Germany likewise benefited from Ultra intelligence, conveyed to the Soviets by a variety of conduits.

Below you can see a demonstration of how Enigma was used to encrypt and decrypt messages thanks to NetworkWorld.com:

For more detailed presentation please read:
http://en.wikipedia.org/wiki/Enigma_machine
http://en.wikipedia.org/wiki/Cryptanalysis_of_the_Enigma

Brought to you by NetworkWorld.tv and FirstDigest

Category 6 UTP

Category 6 cable, usually Cat-6, is a cable standard for Gigabit Ethernet and other network protocols that is backward compatible with the Category 5/5e and Category 3 cable standards. The main difference between Cat-6 and its previous versions is that Cat-6 fully utilizes all four pairs. Cat-6 features more stringent specifications for crosstalk and system noise. The cable standard provides performance of up to 250 MHz and is suitable for 10BASE-T / 100BASE-TX and 1000BASE-T / 1000BASE-TX (Gigabit Ethernet). It is expected to suit the 10GBASE-T (10 Gigabit Ethernet) standard, although with limitations on length if unshielded Cat 6 cable is used.

The cable contains four twisted copper wire pairs, just like earlier copper cable standards and when used as a patch cable, Cat-6 is normally terminated in 8P8C modular connectors. Some Cat-6 cables are too large and may be difficult to attach to 8P8C connectors without a special modular piece and are technically not standard compliant. If components of the various cable standards are intermixed, the performance of the signal path will be limited to that of the lowest category. The maximum allowed length of a Cat-6 cable is 100 meters.

The cable is terminated in either the T568A scheme or the T568B scheme. It doesn’t make any difference which is used, as they are both straight through:

(Diagrams: T568B and T568A wiring schemes)

Crossover is used for hub to hub, computer to computer, wherever two-way communication is necessary. All gigabit ethernet equipment, and most new 10/100Mb equipment, supports automatic crossover, meaning that either a straight-through or crossover cable may be used for any connection. However, older equipment requires the use of a straight-through cable to connect a switch to a client device, and a crossover cable to connect a switch to a switch or a client to a client. Crossover cables can be constructed by wiring one end to the T568A scheme and the other end with the T568B scheme. This will ensure that the Transmit (TX) pins on both ends are wired through to the Receive (RX) pins on the other end.
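The claim that wiring one end T568A and the other T568B produces a crossover can be checked mechanically. The following is an added example written for this post (not code from the page or from the resources it cites): it encodes the pin-to-colour assignment of both schemes, follows each physical wire from one end to the other, and reports whether the TX pair (pins 1-2) lands on the RX pair (pins 3-6) at the far end. The colour tables are the standard T568A/T568B assignments; the "non-standard" sample cable in the usage is constructed.

```python
# Pin 1..8 wire colours for the two TIA/EIA-568 termination schemes
T568A = ["white/green", "green", "white/orange", "blue",
         "white/blue", "orange", "white/brown", "brown"]
T568B = ["white/orange", "orange", "white/green", "blue",
         "white/blue", "green", "white/brown", "brown"]

# 10BASE-T / 100BASE-TX use only two pairs: TX on pins 1-2, RX on pins 3-6
TX_PINS = (1, 2)
RX_PINS = (3, 6)


def pin_map(end_a, end_b):
    """Map each pin at end A to the pin the same physical wire lands on at end B."""
    if len(set(end_a)) != 8 or sorted(end_a) != sorted(end_b):
        raise ValueError("both ends must use the same eight distinct wire colours")
    return {pin: end_b.index(colour) + 1 for pin, colour in enumerate(end_a, start=1)}


def cable_type(end_a, end_b):
    """Classify the cable as straight-through, 10/100 crossover, or non-standard."""
    m = pin_map(end_a, end_b)
    if all(m[p] == p for p in m):
        return "straight-through"
    crossed = {1: 3, 2: 6, 3: 1, 6: 2}          # pair 2 and pair 3 swapped, pins 4,5,7,8 untouched
    if all(m[p] == crossed.get(p, p) for p in m):
        return "crossover"
    return "non-standard"


def tx_reaches_rx(end_a, end_b):
    """True when the TX pair at end A arrives on the RX pair at end B (what a crossover must do)."""
    m = pin_map(end_a, end_b)
    return {m[p] for p in TX_PINS} == set(RX_PINS)


if __name__ == "__main__":
    # Constructed faulty cable: pins 4 and 5 swapped at one end
    faulty = list(T568B)
    faulty[3], faulty[4] = faulty[4], faulty[3]
    for label, ends in [("A-A", (T568A, T568A)), ("A-B", (T568A, T568B)), ("B-faulty", (T568B, faulty))]:
        print(label, cable_type(*ends), tx_reaches_rx(*ends))
```

Note that this A-to-B cable only swaps pairs 2 and 3, which is all that 10/100 Ethernet needs; a full 1000BASE-T crossover cable additionally swaps pins 4-5 with 7-8. In practice the auto-crossover support on gigabit equipment mentioned above makes this distinction moot for most links.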

If you are starting to build a LAN now, it is recommended to use Cat-6 already, as it can accommodate most of the usual traffic in a network, given that NICs are already built for 1Gbps. Some useful tips regarding the use of Cat-6 and any Ethernet cable are:

– Do run cables over distances of up to 100 meters at their rated speed
– If you know how to handle some cabling tools, do make your own cables if you need lots of varying lengths
– Don't order anything less than Cat. 5e cable
– Don't crimp or staple cable; this can easily cause breaks in the cable which are sometimes hard to track down
– Ethernet cables are not directional in any way; you cannot install one backwards
– Lighter colored cables are usually a better choice for two reasons: they are easier to see in the dark, and it is easier to read the cable category stamped on the side
– Use a patch cable when connecting a computer to a router or hub; use a crossover cable when connecting two computers directly together
– If it is possible, and you know that you need a speed higher than 100Mbps, do not mix different types of cable on the same network segment
– Even if all the specifications say that Cat-6 is protected against external factors, do not mount these cables close to power cables or any other cable that can influence the performance of an Ethernet cable.

Below you can find a presentation of CAT-6 “how-to” thanks to Giganet:

(Video: Category6UTPTermination.flv, https://ipnet.xyz/vid/hardware/archive/2009/04/Category6UTPTermination.flv)

Resources used:
http://donutey.com/ethernet.php
http://en.wikipedia.org/wiki/Category_6_cable
http://en.wikipedia.org/wiki/TIA/EIA-568-B