Saturday, February 20, 2010
Let’s get physical!
Cisco networking devices have been the de-facto standard from small business to enterprise networks. They are the kind of device where all you need to do is set it up securely the first time, and it will keep working as long as no one attacks it, physically or virtually.
It has been a habit of mine to implement security in layers when building networks from the ground up. My signature, I guess, is a Master Lock, and it comes in a set of four. This is the first line of defense before you can access my rack or server cabinet. I usually rotate the four Master Locks randomly every two weeks, sometimes weekly. The randomness adds salt to the hash, like in cryptography. The cables are usually wrapped and run inside EMI- and RFI-shielded conduit. No loose wires here, man, and I make sure the contractors we hire to do our wiring sign an NDA covering the client infrastructure materials used during the build-out. Oh yes, we do have a couple of shielded walls as well, especially the ones around the server rack itself. This is for emission and transmission security against those nasty sniffers out there, like me.
Traditional CCTVs are all over the place, of course. Most of the guys are already migrating to IP-based CCTV, but I find it inherently flawed when it comes to security simply because of one factor: it runs on IP.
(To be continued in the next post. Need to go to San Francisco, Market Street; Old Navy is on sale, you can't miss that.)
Sunday, January 24, 2010
Wednesday, January 13, 2010
Some tips on getting the career that you want (Part 1)
Look for a volunteer gig if you can afford to do it. If you're currently working in a non-IT department, or in an IT department that is not in the network pyramid, then ask for more responsibilities at the bottom level of the network pyramid. There are companies out there that need an extra body but do not have the resources to hire someone. Also, just because you work in a different department does not mean you're stuck doing only what your duties and responsibilities are. If, for whatever reason, you are not allowed to take on more responsibilities during your work week, then ask if you can volunteer your time outside your work week. Do not be afraid to ask questions. This is especially true if you're trying to add value to yourself in the company you work for and not be just a headcount. Remember, everybody is expendable in every company. Adding value to yourself will make it less likely that you'll be let go by your employer.
Sometimes, it pays to be loyal to the company you work for. I've been working in this particular company, which I am not comfortable naming but will give you a clue: it is in the top 50 of the Fortune 500, for several years. I have held three positions (the first position wasn't IT and was the very bottom position in the pyramid of the company's organization chart) and I am currently in the fourth one temporarily, but it can turn into a permanent position after the company is done restructuring, which basically means laying people off. Though, I am pretty sure that I am doing a great job because I've been in this department since January; I was working part time and was asked to become full time. I wouldn't be asked to become full time if I wasn't doing a good job, right? Besides, I've already had a talk with my immediate manager and was told that he wants to keep me and the other guys that came after me from the same department that I was in. Though, out of the three that came after me, they've been in the industry for more than five years, so I still feel pretty good. c",)
That goes back to my first point. I asked for a volunteer gig and they gave it to me. I could have asked them a lot sooner, but I was in school and studying for more certs. I think it turned out to be a good thing because every week that I was with my teammate running around the campus for the project we were doing, he was able to find out what I am capable of, my potential, and had a lot of good things to say about me compared to some of my old and new teammates. He also gave a lot of good press to my new manager, but I am pretty sure that he heard some good press from other people as well, since I try to be known as much as possible in the company I work for. Obviously, I like the positive things to get to his ears and not the bad things. But, you know what they say, bad news travels fast. I've made mistakes (only human) and it is possible that he has heard about them. But, one thing I have never done in our network, and hopefully never will, is cause an unexpected outage. That is a big NO-NO.
I like what Randy Pausch said in his video The Last Lecture (definitely worth watching, and probably worth reading the book too. Once I finish all the Cisco certs that I want to get, I'll probably read the book): "We cannot change the cards we are dealt, just how we play the hand." While I hadn't watched the video when I was thinking about my decision to volunteer my time, I guess I did pretty well, because Randy Pausch was giving this lecture to people and I was able to come up with a solution to my "problem".
I've said this several times, but I'll say it again. Expand your human network (sounds like a Cisco advertisement, right?). I've seen it and heard stories that sometimes it is not what you know but who you know that matters. Keep in touch with the people you know. They may have a position open in the company they work for that you may be qualified for. Even if you are not qualified, a referral is often the preferred way for many companies to hire someone. Why? Because a lot of the time employees won't refer someone they know will damage their reputation. Would you refer someone who won't be effective in the job? I do not know about you, but I won't refer someone who will eventually ruin my name.
"The day you stop learning is the day you start becoming obsolete." - Unknown
Saturday, November 28, 2009
New technology should simplify things, not complicate them
Rookie netadmins and sysadmins tend to get too excited when new technologies hit the market. Under the impression that it will make their jobs and responsibilities easier, they jump on the bandwagon. First they sign up for a trial, then they extend the trial, and eventually they purchase the product. "Hey boss, this software/product will cut the costs and man-hours of working on _______ manually, blah, blah."
In other words, please buy this software for me. But sometimes we fail to consider that introducing a new technology on our network, more often than not, complicates things, especially troubleshooting once problems start to surface.
There's this company based on the East Coast. They have a corporate-size network, with a couple of WAN connections to their regional offices and remote employees. Things were going well until they implemented redundancy across all routers and Layer 3 devices on their network. How ironic that they started experiencing major issues when they tried to implement a technology that addresses the availability of their network.
These guys implemented a technology that they failed to test first on even half of the nodes/workstations on their network. They fell prey to the "herd mentality": hey, customers ABC and XYZ are doing it, we should too, that type of herd mentality in IT. And hearing this directly from their "seasoned" IT Director saddens me.
Again, I am a big fan of keeping things simple. A simple network consumes fewer resources in every aspect of your business or organization, from technical to administrative. If you want redundancy in your network, study the technology first before implementing it. Try to look beyond brochures, case studies and white papers. Not all networks are the same, despite what those "Best Practices" guides say.
Tuesday, July 7, 2009
Configuring ACLs on Huawei
Saturday, June 13, 2009
IPv6 address types
One of the topics to focus on in IPv6 is the addressing, largely because it is a totally new addressing scheme. Compared to IPv4, which has 32 bits, an IPv6 address is 128 bits long and is written in hexadecimal (0-9, A-F), four bits per digit, as eight 16-bit groups separated by colons:
0000:0000:0000:0000:0000:0000:0000:0000
NOTE: In IPv6, because of the length of the address itself, two rules were made to shorten the address into a more human-readable format. These two rules are zero compression and leading zero compression.
zero compression - where there is a run of consecutive all-zero 16-bit groups, you may replace the whole run with a double colon (::). However, you can only do this once within an address: if there were more than one ::, the device would have no way of determining how many zero groups each one stands for. For example, 2001:0005:0000:0000:0201:50FF:FE68:AF50 can be compressed as 2001:0005::0201:50FF:FE68:AF50. The two zero groups in between were omitted and replaced by ::.
leading zero compression - for any leading zeros within a group, you can drop them to make the address a bit shorter. However, if a group is all zeros, you must leave at least one zero so that the group is still present. Using our previous example, our address would look like 2001:5:0:0:201:50FF:FE68:AF50.
We can use these two rules together, and our fully compressed IPv6 address would be 2001:5::201:50FF:FE68:AF50. (RFC 5952, the canonical text representation, adds two conventions worth knowing when you compare addresses in logs or ACLs: use :: for the longest run of zero groups, never for a single zero group, and write the hex digits in lowercase.)
One major difference is that there is no 'class' system here (class A, B, C, D). In IPv6, we refer to them instead as address types. Now let's go through them one by one.
Unicast Address – used for sending to one host or interface. The two types of IPv6 unicast address you will meet most often are:
Global Unicast – formerly known as the Global Aggregatable Unicast address, but 'Aggregatable' has been dropped in the latest RFC. Global Unicast is the equivalent of an IPv4 public or Internet address, so this is the address type we use to communicate with the Internet. These addresses are composed of the global routing prefix (as of today IANA is allocating from 2000::/3), a subnet ID, and the 64-bit Interface Identifier (EUI-64 format), which we will discuss later.
Link-Local Unicast – the addresses our devices use to communicate with other nodes on the same link even without a global unicast address. They are still layer 3 addresses, but, like a data-link layer address, they are only meaningful on the local link and are never forwarded by a router. Note that these addresses are autoconfigured on the interface using the FE80::/10 prefix plus the EUI-64 format Interface Identifier, which again will be discussed later.
Anycast Address – an anycast address is a global unicast address assigned to two or more devices. Packets from nodes that want to reach this address are routed to the closest active device holding the anycast address, where "closest" is decided by the routing protocol metric: the router that receives the packet forwards it to whichever instance is nearest to it.
Multicast Address – a multicast address identifies a group of interfaces. Traffic sent to such an address is delivered to all of the interfaces in that group. Multicast in IPv6 is not that different from IPv4; it is just that in IPv6 only multicast exists. There is no broadcast in IPv6 at all: what used to be a broadcast is done with a link-scoped multicast group, such as the all-nodes address FF02::1, which reaches every interface on the segment or layer 2 domain. An interface may belong to many multicast groups simultaneously. Multicast addresses are the addresses that start with FF00::/8. All IPv6 multicast addresses are within this prefix, so when you see an address that starts with FF you know it is an IPv6 multicast address.
Now let's get to the Interface Identifier as promised. Knowing how this part of the address is built is important, because you don't really configure it: it is autoconfigured on the IPv6-enabled interface.
Interface Identifiers (IDs) – identify a unique interface on a link and are sometimes referred to as the 'host portion' of the IPv6 address. They are 64 bits long and can be created dynamically from the data-link layer address of the interface, so how an Interface ID is derived depends on the specific data-link layer type. In this topic we will discuss Ethernet Interface IDs, as this is what we commonly use almost everywhere (even on non-Ethernet media). For Ethernet the ID is derived from the MAC address using a format called the Extended Unique Identifier 64-bit (EUI-64). The EUI-64 format Interface ID is derived from the 48-bit MAC address by inserting the hexadecimal digits FFFE between the Organizationally Unique Identifier (OUI), which is the upper three bytes, and the NIC-specific part, which is the lower three bytes of the MAC address. I hope you guys can still remember your MAC addressing fundamentals from back in the day, because yes, it is back and used a lot in the IPv6 world. In addition, the 7th bit of the first byte of the resulting Interface ID, the Universal/Local (U/L) bit, is inverted (flipped). The U/L bit indicates whether the Interface ID is locally unique on the link or universally (globally) unique. IDs derived from universally unique MAC addresses are assumed to be globally unique, so no worries if you are already using the burned-in address of your interfaces. The 8th bit of the first byte is the Individual/Group (I/G) bit, used for multicast addressing, and it is not altered.
Putting it together, it is pretty easy to understand how an IPv6 Interface ID is composed. You just have to remember two steps. First, insert FFFE in the middle of the 48-bit MAC address (between the two sets of three bytes, or 24 bits), and then flip the 7th bit of the first byte. MAC addresses almost always start with 00 as of yet (I haven't seen one which doesn't, or at least not that I can remember at this time), so with a 00 first byte you will see it become '02' (0000 0010).
Now going back to the Global Unicast and Link-Local Unicast addresses where we use these Interface IDs. For Global Unicast, say we have an IPv6 public allocation from APNIC of 2001:1F14::/32 (/32s are assigned to ISPs). We then assign subnet 1 to our main PoP and give a Network Access Server located there an IPv6 address. The server happens to have the MAC address 00:53:07:2B:AE:09. Knowing this, we can now determine the globally unique IPv6 address of this server: the public prefix assigned to us with subnet 1, 2001:1F14:0:1::/64, plus the EUI-64 format Interface Identifier derived from the MAC address of the device, 0253:07FF:FE2B:AE09. The Global Unicast address of our server would be 2001:1F14::1:0253:07FF:FE2B:AE09/64, or in RFC 5952 canonical form 2001:1F14:0:1:253:7FF:FE2B:AE09/64. For our Link-Local address we only have to use the FE80:: prefix along with our Interface ID, which gives us FE80::0253:07FF:FE2B:AE09. Please note again that this is autogenerated (you will see it once you start assigning IPv6 addresses on a router) and that you have to get used to these addresses, because link-local addresses are the ones the IPv6 routing protocols (e.g. OSPFv3, RIPng and MP-BGP) use for neighbor adjacencies and next hops.
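The two compression rules and the EUI-64 derivation above are easy to get subtly wrong by hand (a "::" that swallows one group, a U/L bit forced to 1 instead of flipped). As an added example, not code from the original post, here is a small Python implementation of both, written out step by step and cross-checked against the standard library's ipaddress module. The prefix 2001:1F14:0:1::/64 and the MAC 00:53:07:2B:AE:09 are the post's own illustrative values; everything here runs offline.

```python
"""Added example (not from the original post): IPv6 text compression and
EUI-64 interface-ID derivation by hand, verified against ipaddress."""
from __future__ import annotations

import ipaddress
import re

HEX_GROUP = re.compile(r"[0-9A-Fa-f]{1,4}")


def expand(addr: str) -> list[int]:
    """Parse textual IPv6 into eight 16-bit groups. Enforces the post's rule:
    '::' at most once, otherwise the number of omitted zero groups is ambiguous."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear at most once in an IPv6 address")
    if "::" in addr:
        left, right = addr.split("::")
        if left.endswith(":") or right.startswith(":"):
            raise ValueError(f"malformed IPv6 address: {addr}")
        lgroups = [g for g in left.split(":") if g]
        rgroups = [g for g in right.split(":") if g]
        missing = 8 - len(lgroups) - len(rgroups)
        if missing < 1:
            raise ValueError("'::' must stand in for at least one zero group")
        groups = lgroups + ["0"] * missing + rgroups
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(HEX_GROUP.fullmatch(g) for g in groups):
        raise ValueError(f"malformed IPv6 address: {addr}")
    return [int(g, 16) for g in groups]


def compress(groups: list[int]) -> str:
    """RFC 5952 form: drop leading zeros per group (keep one digit), replace the
    longest run of two or more zero groups (first on a tie) with '::', lowercase."""
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexs = [f"{g:x}" for g in groups]          # leading-zero compression
    if best_len < 2:                            # a single zero group stays '0'
        return ":".join(hexs)
    left = ":".join(hexs[:best_start])
    right = ":".join(hexs[best_start + best_len:])
    return f"{left}::{right}"                   # zero compression


def canonical(addr: str) -> str:
    """Round-trip through expand()/compress() and require the stdlib to agree."""
    ours = compress(expand(addr))
    theirs = ipaddress.IPv6Address(addr).compressed
    if ours != theirs:
        raise AssertionError(f"{addr}: ours={ours} stdlib={theirs}")
    return ours


def is_valid(addr: str) -> bool:
    """True when expand() accepts the address text."""
    try:
        expand(addr)
        return True
    except ValueError:
        return False


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: insert FF FE between the OUI and the
    NIC-specific bytes, then INVERT the U/L bit (0x02 of byte 0). Flipping, not
    setting, means a locally administered MAC (U/L already 1) ends up with 0.
    The I/G bit (0x01) is left untouched."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    return bytes([eui[0] ^ 0x02]) + eui[1:]


def address_from_prefix(prefix64: str, iid: bytes) -> str:
    """Join a /64 prefix written as an address (e.g. 'fe80::') with an interface ID."""
    net_groups = expand(prefix64)[:4]
    iid_groups = [int.from_bytes(iid[k:k + 2], "big") for k in range(0, 8, 2)]
    return compress(net_groups + iid_groups)


def link_local(mac: str) -> str:
    """Autoconfigured link-local address: FE80::/10 plus the EUI-64 interface ID."""
    return address_from_prefix("fe80::", eui64_interface_id(mac))


if __name__ == "__main__":
    mac = "00:53:07:2B:AE:09"                   # the post's sample server
    print(canonical("2001:0005:0000:0000:0201:50FF:FE68:AF50"))
    print(eui64_interface_id(mac).hex())
    print(address_from_prefix("2001:1F14:0:1::", eui64_interface_id(mac)))
    print(link_local(mac))
```

Note that canonical() turns the post's 2001:1F14::1:0253:07FF:FE2B:AE09 into 2001:1f14:0:1:253:7ff:fe2b:ae09: the input is legal, but the single zero group is not shortened with :: on output. That matters in practice when you grep logs or diff ACLs, since the same address can arrive in several spellings and only the canonical form compares as a string.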
I hope you guys learned something new, and I'll probably post more topics about IPv6 if I find the time. Yes, it's been busy these days, so it feels good to be able to post a topic again. If you have any questions about this topic, just post them in the forum.
Tuesday, May 26, 2009
VoIP Application Layer 1: The Packet Infrastructure
Layer 1: The Packet Infrastructure