Good read: Do you block ICMP at all places in Network?

If your answer is Yes, or you believe that blocking ICMP increases security, then please give some second thoughts for the poor support guy who gets called at 2 A.M. and needs to ping some hosts to ensure reachability….

The Problem

Many network administrators feel that ICMP is a security risk, and should therefore always be blocked at the firewall. It is true that ICMP does have some security issues associated with it, and that a lot of ICMP should be blocked. But this is no reason to block all ICMP traffic!

ICMP has many important features; some are useful for troubleshooting, while some are essential for a network to function correctly. Here are details of some of the important ICMP traffic that you should know about, and consider allowing through your network.

Read the full article at http://shouldiblockicmp.com/

Share this!

Good read: Money well spent??

A Short Story for Engineers
You don’t have to be an engineer to appreciate this story.

A toothpaste factory had a problem: Due to the way the production line was set up, sometimes empty boxes were shipped without the tube inside. People with experience in designing production lines will tell you how difficult it is to have everything happen with timings so precise that every single unit coming off of it is perfect 100% of the time. Small variations in the environment (which cannot be controlled in a cost-effective fashion) mean quality assurance checks must be smartly distributed across the production line so that customers all the way down to the supermarket won’t get frustrated and purchase another product instead.

Understanding how important that was, the CEO of the toothpaste factory gathered the top people in the company together. Since their own engineering department was already stretched too thin, they decided to hire an external engineering company to solve their empty boxes problem. Continue reading “Good read: Money well spent??”

Share this!

Why SSL Inspection matters?

Having SSL Inspection has been always a matter of IT and Organisation fight.
In an architecture project, the only objection to my design was SSL Inspection and I had to bring some convincing reasons for that.

First of all, without SSL Inspection, basically there is zero visibility into what’s happening inside an encrypted traffic like HTTPS, SMTPS, POP3S, etc. Just imagine an attacker popping a machine, tunneling command and control via a HTTPS tunnel. Or an unfortunate employee, exposing confidential data by uploading them to some random cloud service… 0 visibility!

Second business driver I can think of is related to Data Loss Prevention; If a breach is detected tomorrow, there’s hardly any ways to detect what has been lost.

Benefits aside, a noteworthy drawback to SSL Inspection would be administrative overhead; you should distribute the CA cert to all nodes. That being said, in case of a Directory environment like Microsoft AD, it’s not a big deal, although Linux machines or some browsers need special configuration; beside, some web applications have to be excluded from inspection, mainly the ones utilizing Java.

Not really a drawback, but the administrators should be liable and trusted as they can easily intercept the traffic, unencrypted. This not only applies to the Proxy admins, but to a Mail admin, System admin, etc; which makes it an HR matter.
Note that any product which does MITM has the opportunity to expose data, and so its admins.

Here, you have to see the tradeoff; I believe the gained visibility worths it!

Sometimes CxOs might say that SSL is sacred! Yes, it is, but they have to decide how sacred they want SSL to be versus how interested they are in what information might be leaving the environment without authorization; or how much malware command and control (C&C) they might want quietly going out via SSL without being torn open for inspection.

Note that you have to design a way that all egress web traffic (both users and servers) must be enforced to go through the proxy, otherwise the whole proxy plan is pointless. Besides, you have to follow some practices:

  • Know the business and business processes and demands. Every sector has its own limitations or requirements where might be against SSL inspection.
  • Plan some whitelisting policies to disable inspection in specific cases where needed.
  • Know your traffic and the percentage of encrypted requests.
  • Make sure that your appliance supports the amount of traffic; SSL Inspection means decrypting the connection, inspecting it and then re-encrypting it.

P.S. Yes, my drawing skills are awful! 🙂

Share this!

Do you need an IT Certification?

A couple of times in recent days I had the discussion of Certifications with two friends, once with Shawn Zandi, who is the Principal Network Architect at LinkedIn and another time with Hosein Khosravi who is a successful instructor and engineer!
I thought that it might be a good idea to blog on this topic with my own words and the conclusion of my own experience till now.

Disclaimer: I’m neither against nor with certifications. I’m not telling you to be certified or not; I’m not devaluing people who have made legit efforts to get certified and totally respect them and their achievement.
I’m just looking at it from my own perspective.

You can find lots of posts on this topic in the Internet from all the experts. Usually you’ll find two types of answers; the “marketing” and the honest ones!

You can detect the marketing persuasion by phrases like:

  • You have to be certified to be hired!
  • You have to be certified as an indication of your knowledge and expertise!
  • This certification guarantees your job!
  • This is the most valuable certification on the market!
  • Your earnings will boom!
  • Holders of this certification get paid the most!

Well, they could be true, but only to some extent; but I believe less than 10% of the time! I’m not saying neither certification is bad nor it is good. Let me dig deeper into it.

Basically, achieving a certification means that you have put enough efforts and dedication to pass an exam. That’s great, congratulations!
Similarly, earning a University mainly means that you have been a good learner.

First, I’ve to admit that sticking to a plan for a certification could bring dedication into your studies. Personally, I’ve also many times started to gain knowledge about a concept by following a certification path;  but that should never be an end and boundary to grasp a technology!

Have in mind that the reality is usually different from exams.

Exams usually teach you the techniques but not the tactics. You’ve to be prepared for the complexities and harsh situations; you’ve to be able to manage your time, keep pace with new technologies, use them to make your work more efficient and play a part in connecting people and services!
Besides, You should be able to network with people and learn how to discuss your ideas and present yourself.

Be curious and find the original idea behind a thing; i.e. was there a problem out there that made engineers to create that protocol? Did it solve their issue?

Imagine yourself in different situations and scenarios; then challenge your creativity to propose something. This is a best practice!

Read the standards and scrutinize the concepts in detail; google and read what others say about the concept; think out of the box and try to figure out other possibilities; dig the RFCs deep and even maybe you can contribute to one!

Again, studying and learning is always good, whatever the reason is. Just you should be cautious of not getting bound to a vendor. Get to know what’s going on around, know the market and today’s business need; read, read and read and make some educated guesses for the future! Have in mind that the half-life of IT skills is less than 2 years. You should be fast otherwise you’ll be left behind.

So, I believe the honest and truthful answer is that, you have to earn the knowledge by dedication, hard work, experience, curiosity and creativity. A vendor’s certification can’t be a good measure of someone’s knowledge in the IT era today; you’re not bound to vendors anymore; at the end of the day we’re going to live in the IoT and SDN world. (Yeah, they’re the new fancy words)

You should add value to the certificate; not the certificate to you!

If you’re confident of having the knowledge, and you’re able to discuss and demonstrate your skills, then you’re at it! Don’t panic and let your expertise talk for itself.

A good approach could be to become certified when it’s needed; yes, sometimes vendor partners need certified people for specific projects to get discounts and support contracts; I call it a practical approach. This brings a win-win result. You get the knowledge, certification, and money.

It’s not a vendor to approve If you’re an engineer, architect, consultant, etc.; it’s you and your knowledge!

From all the articles out there, Russ White has done a great job writing on this and related topics; I totally recommend reading the posts below:

Share this!

Enterprise Core Routing Design Models with BGP

Reading through the well-written CCDE Study Guide book by Marwan Al-shawi, came to a section about having BGP as the Enterprise Core Routing Protocol and its possible Design models.

To make it a little bit brighter to myself, I’m gonna explain them in a different way with different diagrams and matrix based on my own design experience with these models.

Disclaimer: Please have in mind that the number of routers drawn, doesn’t reflect the reality of the design, and is just been this way for the sake of simplicity; obviously there would be redundant routers in real World, and also the Core could span different PoPs.
Besides, the bigger border routers could reflect two separate ones, one on Core, and one on Branch side.

Design Model 1

BGP-as-Enterprise-Core-Routing-Design-Model-1

This model is suitable when least Administrative Domain Control is required; though it still overcomes an end-to-end IGP design, providing better management between remote campuses.

Core IGP is mainly used to provide Next-hop reachability for iBGP speakers. Please note that this is applicable to all models where iBGP is used in the Core.

The downside to this design is moderate operation complexity; which could arise i.e. by IGP-into-BGP Redistribution and iBGP full-mesh/RR/Confederation management in the Core. Continue reading “Enterprise Core Routing Design Models with BGP”

Share this!