
31 October 2016

Benefits of Layer 7 Load Balancing

Some time ago I was working with load balancer appliances, for which I had to obtain the Radware Certified Application Specialist on Alteon (RCAS-AL) and the F5 Certified BIG-IP Administrator (F5-CA) certifications. Meanwhile, I have written some posts about Global Server Load Balancing and DNS Load Balancing, and I have also had to explain the benefits of layer 7 load balancing over traditional layer 4 load balancing. Therefore, in this post I want to highlight some advantages of this kind of load balancer.

First of all, it is important to know that if we want to deploy a layer 7 load balancer successfully we need knowledge of both networking and development, because it is an appliance that sits between two worlds: networking (routing, NAT, tagging, etc.) and development (load balancing applications). As a result, two teams should take part in the installation and management of this kind of device: the networking team and the development team.

A traditional layer 4 load balancer can only balance applications based on TCP/UDP ports, whereas a layer 7 load balancer is much more intelligent because it can make decisions based on the requests and responses of the applications themselves. For example, it can read HTTP headers to balance on the User-Agent field, which is useful for delivering a mobile web page to smartphones and the regular web page to computers, or it can read the Accept-Language field to deliver the English web page to English speakers and the Spanish version to Spanish speakers. It can also read the URL/URI, allowing us to have a single public IP with many applications behind it, and it can even read the SSL session ID or any data inside HTML files, all of which can be used to make decisions, modify information, redirect, show messages, etc.
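The header-based decisions described above, as an added example that is not code from the original post nor from any vendor product: a small routing function that parses a raw HTTP request and picks a backend pool from the URI prefix, the User-Agent and the Accept-Language q-values. The pool names, the "/api/" prefix and the mobile markers are assumptions for illustration.

```python
# Added example, not code from the original post: a minimal layer 7 routing
# decision based on the header checks described above. The pool names, the
# "/api/" prefix and the mobile markers are assumptions for illustration.
from typing import Dict, Tuple

MOBILE_MARKERS = ("mobile", "android", "iphone", "ipad")

def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request into (method, path, headers); header names lowercased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers

def preferred_language(accept_language: str) -> str:
    """Primary language tag with the highest q-value, e.g. 'es' for 'en;q=0.5, es-ES;q=0.9'."""
    best, best_q = "", -1.0
    for part in accept_language.split(","):
        fields = [f.strip() for f in part.split(";")]
        tag = fields[0].lower().split("-")[0]
        q = 1.0                       # q defaults to 1 when absent
        for field in fields[1:]:
            if field.startswith("q="):
                try:
                    q = float(field[2:])
                except ValueError:
                    q = 0.0
        if tag and q > best_q:
            best, best_q = tag, q
    return best

def choose_pool(raw_request: str) -> str:
    """Pick a backend pool from URI prefix, User-Agent and Accept-Language."""
    _method, path, headers = parse_request(raw_request)
    if path.startswith("/api/"):      # many applications behind one public IP
        return "api-pool"
    user_agent = headers.get("user-agent", "").lower()
    if any(marker in user_agent for marker in MOBILE_MARKERS):
        return "mobile-pool"          # mobile web page for smartphones
    if preferred_language(headers.get("accept-language", "")) == "es":
        return "web-es-pool"          # Spanish version
    return "web-en-pool"              # English version for everyone else
```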

HTTP Headers

Other advantages of layer 7 load balancing are the caching, compression and encryption features which, if they are implemented properly and with hardware ASICs, can significantly increase application performance. For example, we can manage all SSL certificates in a single centralized store inside the load balancer appliance, and we can also configure SSL offloading to reduce CPU load on the real servers.

SSL Offloading

A layer 7 load balancer is a full proxy, which delivers better security, performance and adaptability than a traditional load balancer. For instance, it is able to block DDoS, SQLi and XSS attacks by analysing TCP sessions and HTML and XML content. Better performance comes from the modification and tuning of the TCP stack, like F5 Networks' TCP Express, and better adaptability comes from scripting and APIs, like F5 Networks' iRules.

Full Proxy Security

Last, but not least, this kind of appliance can accelerate applications through new protocols and standards like Multipath TCP and HTTP/2. In addition, we can even deliver our services worldwide in high availability through GSLB. As always, everything depends on our needs.

Global Server Load Balancing

Regards my friends, drop me a line with the first thing you are thinking and balance your load!!

24 October 2016

Inverter Circuit with a 74HC04 Chip

Lately, you will have noticed that I am writing about electronics, like the UART connections of an Orange router or how to see the booting process of broadband routers. Therefore, I have used words like multimeter, oscilloscope, ground, volts, etc. in previous posts. However, this time I want to go further, so I have bought a couple of inverters with some LEDs and a breadboard to make some experimental circuits. First, in this post, we will see how the 74HC04 inverter works and how to test it.

An inverter is a chip that changes the logic state of an input to the opposite state. For example, if the input is a HIGH logic signal, the output is a LOW logic signal, and if the input is a LOW logic signal, the output is a HIGH logic signal. This is a basic and necessary chip whenever we need the opposite of an input state.

The 74HC04 hex inverter chip has 6 gates, and the logic signal output by an inverter gate is the opposite of the logic signal fed into the gate. In addition, we can see in the 74HC04 datasheet that the A pins of each gate are the inputs and the Y pins of each gate are the outputs, meaning Y is the opposite logic signal of A.

Once we know how it works, it is time to test it. I have built a small circuit with an inverter chip and two LEDs. One LED is connected to the input (A) and the second LED is connected to the output (Y), with the goal of testing the first gate. Therefore, one LED is connected between the first pin (A) and the seventh pin (GND), and the other LED is connected between the second pin (Y) and the seventh pin (GND). I have also powered the inverter chip with 5 volts through pin 14, and connected it to ground through the seventh pin. What should the result be? LED number 1 stays off because it is not being fed, and LED number 2 turns on because the opposite of a LOW logic signal on the first pin is a HIGH logic signal on the second pin, where LED number 2 is connected. It is represented in the next diagram:

Led 1 turned off and Led 2 turned on

On the other hand, if the first pin (A) has a HIGH logic signal with 5V, we will see that LED number 1 is on while LED number 2 is off. Why? Because LED number 1 is being fed and LED number 2 gets the opposite, so it is not fed and stays off. It is represented in the next diagram:

Led 1 turned on and Led 2 turned off

This is an easy way to test each gate of our inverter chips and, above all, to understand how it works. Next, we have a video I recorded.

Regards my friends, drop me a line with the first thing you are thinking.

17 October 2016

Booting process of broadband routers

Last week we talked about how to find out the UART connections of an Orange router with a multimeter in order to get root access to the device. We identified the pinout (GND, RX and TX pins) last week, but today we are going to see how to connect the USB-to-UART converter and how to find out the baud rate easily, so we can watch the booting process and access the root console. However, this time I have another broadband router to have fun with, a Huawei EchoLife HG556a, which is an interesting device for my lab.

The best way to get the pinout is with an oscilloscope; if we don't have one, we can use a multimeter as we saw in the last post, and if we don't have either of these tools we can use another trick to identify unused pins and the ground pin. This trick is not as reliable as an oscilloscope or a multimeter, but it is helpful. The first thing we have to do is shine a bright light from the back side of the PCB and look at it from directly above. This is what it looks like:

Identifying unused pins and the ground pin in a Huawei router

We can see that some of the pins have lines, meaning they make contact with the PCB. For instance, it is easy to see that the fourth pin does not have lines, meaning it is unused. What's more, the second one has four lines, meaning it is a power pin, either GND or Vcc. Finally, all the other pins have a single line, meaning they are TX, RX or Vcc. This trick is a little risky because we can break our device, but if we don't have the right tools we can use it, connecting each pin in turn to find out the pinout.

Once we know the pinout, we have to connect the USB-to-UART converter to the router. First, we should connect the GND pins to each other. Second, I would connect the TX pin of the router to the RX pin of the converter; at this point we should be able to see the booting process, but not stop it or send or write anything. Finally, I would connect the RX pin of the router to the TX pin of the converter; at this point we should be able to send information to the router, for instance a username and password to get root access.

Connecting converter to the router

We already know the pinout and how to connect the converter to the router but, maybe, we still don't see any information through our miniterm/minicom application. This is because we have to configure the baud rate properly, but first we need to know which baud rate to set. The best way to find out the baud rate of an unknown serial device is with the Baudrate tool developed by Craig Heffner. Next, we can see that the tool allows us to change the baud rate of our host system's serial port on the fly, and at 115200 baud we can read the output (letters) properly.

Baudrate tool

Once we have the right baud rate, we will be able to see the booting process, and even stop the autoboot process, and finally we will see the console prompt with root access.
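The baud rate search described above, as an added example that is neither code from the original post nor Craig Heffner's Baudrate tool: read a chunk at each candidate rate and keep the rate whose bytes look most like console text. The `read_at` callable stands in for the serial port, and the FAKE_PORT data is constructed, not captured from a router.

```python
# Added example, not code from the original post and not Craig Heffner's tool:
# the idea behind an automatic baud rate search. Read a chunk at each candidate
# rate and keep the rate whose bytes look most like console text. `read_at`
# stands in for the serial port; the FAKE_PORT data below is constructed.
from typing import Callable, Dict, List, Tuple

CANDIDATE_RATES = [9600, 19200, 38400, 57600, 115200]

def text_score(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/CR/LF (0.0 to 1.0)."""
    if not data:
        return 0.0
    readable = sum(1 for b in data if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return readable / len(data)

def find_baud_rate(read_at: Callable[[int], bytes], rates: List[int] = CANDIDATE_RATES,
                   threshold: float = 0.9) -> Tuple[int, float]:
    """Try every rate and return (best_rate, score); fail if nothing is readable."""
    best_rate, best_score = 0, 0.0
    for rate in rates:
        score = text_score(read_at(rate))
        if score > best_score:
            best_rate, best_score = rate, score
    if best_score < threshold:
        raise RuntimeError("no candidate rate gave readable output (best %.2f)" % best_score)
    return best_rate, best_score

# Constructed stand-in for a router console: framing garbage at the wrong rates,
# readable boot messages only at 115200 (the rate found in the post).
FAKE_PORT: Dict[int, bytes] = {
    9600: b"\xff\xfe\x00\x80\xfc\xf0\x00\xff\xe0\x00\xfe\x80",
    19200: b"\xf8\x00\xfe\xff\x00\x0e\xfc\x80\xf0\x00\xff\x00",
    38400: b"\x00\xff\x80\x00\xe0\xfe\x00\xf0\x00\xfc\xff\x00",
    57600: b"\xfe\x00\x80\xf8\x00\xff\x00\xe0\xfc\x00\xff\x80",
    115200: b"Boot loader starting...\r\nPress any key to stop autoboot: 3\r\n",
}

def read_fake(rate: int) -> bytes:
    """Stand-in reader; with pyserial it would be serial.Serial(PORT, rate, timeout=1).read(64)."""
    return FAKE_PORT.get(rate, b"")

if __name__ == "__main__":
    print(find_baud_rate(read_fake))   # (115200, 1.0)
```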

Regards my friends, are you ready for doing whatever you want in your router?

10 October 2016

UART connections of an Orange router

This summer I was cross-compiling apps for commercial broadband routers. It is not an easy task for me, but after hours and hours of work I managed to install and run a “Hello world” application on my router. However, the apps and remote access services did not survive a reboot, so I wanted to go further, because my goal is to have root access to do whatever I want. For this reason, this time I wanted to get access through the serial port connector to see the booting process. Let's try with an Orange broadband router.

First, surfing the Internet, I found that most routers have a serial port connector called UART and/or JTAG, which are used for programming and for console access. It is like the RS232 connector of a computer, but not exactly the same: instead, it is a TTL serial port, where a logic high ('1') is represented by Vcc, often 5V or 3.3V, and a logic low ('0') is 0V. Therefore, I disassembled the router to look for these connectors and searched for a way to connect my laptop to the router. I found two options, a USB-to-UART converter and the BusPirate device, which is more professional and also more expensive, so I bought the cheapest one, the converter.

USB-to-UART converter

The next step was to identify the pinout, to know which pin is ground (GND), which pin transmits information (TX) and which pin receives information (RX). This is important if we don't want to break or burn the mainboard (PCB) by connecting the pins the wrong way. Let's begin with the easiest one, the ground pin.

The first pin we have to identify is the ground (GND) pin. What tools do we need? A multimeter. What else do we need to know? We have to identify a ground point on the mainboard as well, which is easy because most mainboards have empty pads ready for capacitors, where we can see the minus symbol meaning ground. Next, measuring between that ground point and each pin in turn with the multimeter, we look for 0V.

Identifying the ground pin

Once we know which pin is ground (GND), the next step is to identify the TX pin. This is a little more difficult because this pin fluctuates between the Vcc value (3.3 volts) and ground (0 volts). Why? Because when it is transmitting bits of data we will see 3.3V, and when it is transmitting “spaces” we will see 0V. Therefore, we need a good multimeter; otherwise the multimeter will average the signal and it will be difficult to identify the TX pin. Another way to measure it is with an oscilloscope, which is more expensive than a multimeter, or you can even make your own oscilloscope with your computer's sound card.
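The TX behaviour described above, as an added example that is not code from the original post: a model of the TTL-level serial line showing the start, data and stop bits that make TX switch between Vcc and 0V, the averaged voltage a slow multimeter would read, and the framing error you get when the bits are sampled at the wrong rate. 8N1 framing and the 3.3V Vcc are assumptions (8N1 is the usual router console setting; 3.3V is the value measured in the post).

```python
# Added example, not code from the original post: a model of the TTL-level
# UART line described above, to show why TX keeps switching between Vcc and 0V.
# Assumed framing is 8N1 (start bit, 8 data bits LSB first, stop bit), the usual
# router console setting; Vcc is assumed to be the 3.3V measured in the post.
from typing import List

VCC = 3.3   # logic '1' (mark)
GND = 0.0   # logic '0' (space)

def frame_byte(value: int) -> List[int]:
    """Bits put on the line for one byte: start (0), data LSB first, stop (1)."""
    if not 0 <= value <= 0xFF:
        raise ValueError("one byte expected")
    return [0] + [(value >> i) & 1 for i in range(8)] + [1]

def tx_waveform(payload: bytes) -> List[float]:
    """Voltage level for each bit time on TX; the line idles at Vcc before the first frame."""
    levels = [VCC]
    for byte in payload:
        levels.extend(VCC if bit else GND for bit in frame_byte(byte))
    return levels

def decode_bits(bits: List[int]) -> bytes:
    """Reverse of frame_byte on a stream sampled once per bit time (same baud rate)."""
    out = bytearray()
    i = 0
    while i + 10 <= len(bits):
        if bits[i] == 1:              # still idle, wait for a start bit
            i += 1
            continue
        frame = bits[i:i + 10]
        if frame[9] != 1:             # missing stop bit: framing error, typical of a wrong baud rate
            raise ValueError("framing error at bit %d" % i)
        out.append(sum(bit << k for k, bit in enumerate(frame[1:9])))
        i += 10
    return bytes(out)

def average_voltage(payload: bytes) -> float:
    """What a slow multimeter shows on TX: the mean level, somewhere between 0V and Vcc."""
    wave = tx_waveform(payload)
    return sum(wave) / len(wave)
```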

Identifying the TX pin

Finally, we have to identify the RX pin, which is the most difficult one. Why? Because there is no pattern. Therefore, the best way is by process of elimination: connecting the serial converter to each possible receive pin individually, pressing a few keys in our terminal emulator and seeing what happens, until we find out which one is the RX pin.

Arcadyan ARV7519RW22-A-LT pinout

This time I had fun with an Arcadyan ARV7519RW22-A-LT router; in the next posts we will see how to connect the USB-to-UART converter to watch the booting process and get root access on another router as well.

Regards my friends and remember, test your thought and test whatever you are thinking.

3 October 2016

FortiXpert 2016

One more year, I have been at the FortiXpert summit learning about security trends, new Fortinet products and features, and new risk factors in the cybersecurity world. Again, it has been a rewarding experience because we have shared IT knowledge to improve our security deployments and to better maintain our security infrastructure for protecting the most important thing, the data. Next, I am going to highlight some of the important things that are still in my head.

The Systems Engineer Manager, Jose Luis Laguna, spoke about a new concept called Fortinet Security Fabric, which is an evolution to integrate every security device into a single ecosystem. Today we have lots of security devices, servers, network devices, software, etc. increasing the complexity of our IT environment, and when a new threat is discovered or someone is attacking us we are lost and don't know where to look. Fortinet, with its Security Fabric, is integrating every device so they can talk to each other to discover and block attacks and, along with FortiSIEM, provides a single dashboard where we can see the health of our IT infrastructure.

Fortinet Security Fabric

The Systems Engineer, Paco García, spoke about hardware acceleration and the new FortiASICs, the Content Processor 9 (CP9) and the Network Processor 6 (NP6), which are the new generation of processors installed in the FortiGate E-Series. FortiGate firewalls with CP9 and NP6 have lower latency and higher performance, reaching more than 1 Tbps of throughput thanks to 100 Gbps interfaces and FortiASICs. The new FortiGate 7040E is perhaps the most powerful firewall on the market today.

Hardware Update

The CCI Manager, José Valiente, spoke about cybersecurity in the Smart Factory or, as he called it, Industry 4.0, where he compared industry with the evolution of cars and highlighted the increasing integration between OT and IT. Today everything is smart, even factories, because devices and sensors have to interconnect to exchange and share data, and like most software, the Smart Factory has vulnerabilities we should take care of, because we are not only talking about stealing information but about disasters that can kill people as well.

CyberSecurity in Smart Factory

Pablo García from Fortinet and Francisco José Verdugo from VMware spoke about SDN, or how we can take advantage of virtual networks for better segmentation, scalability and security. We get better segmentation by isolating applications and workloads, which is easy with NSX and FortiGate-VM, where we can deny communication even between virtual machines in the same subnet. In addition, we get scalability with dynamic elasticity when we use orchestration platforms that implement auto-provisioning to deploy security devices automatically as we grow.

Fortinet SDN

The Systems Engineer, Rubén Javier Pérez, spoke about an interesting technology, increasingly demanded by companies, to monitor all assets from a single dashboard. This technology is called SIEM and, with the recent acquisition of AccelOps, they have a new product called FortiSIEM, which is perfectly aligned with the Fortinet Security Fabric and can be integrated with all the FortiStuff and lots of other devices to know the health of our IT infrastructure.


Thanks and congratulations to all the FortiPeople who participated in and organized this interesting summit.