
20 May 2019

F5 BIG-IP APM – SSO for Terminal Services

F5 BIG-IP APM is a good alternative to the deprecated Juniper SSL VPN, which has been sold to Pulse Secure, because APM unifies SSL VPN services with the management of authentication and user access, integrating SSO authentication and identity federation services into the same solution. Therefore, F5 BIG-IP APM can be used for telecommuting as well as for Virtual Desktop Infrastructures (VDI), since APM supports native VDIs such as Microsoft, VMware and Citrix and also supports most authentication mechanisms (NTLM, Kerberos, SAML, digital certificates, tokens, OTPs, etc.).

I made a video last week about Portal Access & Webtops and I would like to share a new video this week about Single Sign-On for Terminal Services. As you will see, it’s easy to configure SSO for Terminal Services, and it’s a useful feature in most organizations for employees and partners who work from home, an airport or wherever.

I think it’s important to highlight that some extensions are needed when creating the SSL certificate for the client SSL profile, because the VDI profile generates a cryptographic signature based on the attached client SSL profile. If the SSL certificate doesn’t have these extensions, there will be an error message when we connect to the Remote Desktop:

"The digital signature of this RDP File cannot be verified. The remote connection cannot be started".

APM - User Defined RDP in version 13 - digital signature issue

I hope this video is useful for you. Regards my friends! Keep learning!

13 May 2019

F5 BIG-IP APM - Portal Access & Webtops

The last two weeks have been a little bit stressful but at the same time very rewarding. Firstly, I’ve had to prepare lots of F5 labs and slides because I’ve been the teacher of an F5 training course. Secondly, it’s very rewarding because I’ve also learnt a lot thanks to the students’ questions. Actually, the first course week was about F5 BIG-IP LTM Fundamentals, while the second week was three days of F5 BIG-IP LTM Advanced and two days of F5 BIG-IP APM.

We’ve talked about new technologies such as HTTP/2 and HSTS, which could be interesting for new application deployments. We’ve also been speaking about advanced TCP options such as Multipath TCP, SACK, Long Fat Networks and Nagle’s Algorithm. All of these concepts were new for the students; they didn’t know anything about them. However, F5 BIG-IP is able to deliver applications with these TCP options. What’s more, F5 BIG-IP APM is able to deliver Access Portals with Single Sign-On (SSO), which is very useful for organizations that want a single web portal to access all internal applications with the same credentials. An access portal with SSO for applications is like what Google does with all its applications.

Google Single Sign-On for Gmail Applications

I wrote about throwing away your firewalls two summers ago, when I read that Google has an Access Portal with SSO for employees where they can work from the Internet as if they were inside the Google building. Therefore, we can watch in the next video how to configure an Access Portal, which can be configured along with SSO Authentication, where there are Webtops to access internal applications. F5 BIG-IP APM allows organizations to have a single Access Portal with SSO Authentication to access all internal and external applications.

I hope this video is useful for you. I've learnt a lot!! Keep learning my friends!

6 May 2019

F5 BIG-IP APM – SSO Authentication

It’s really beautiful and rewarding to learn how to configure new services and technologies, but it’s also really hard to test a configuration again and again until it works, because it takes a lot of time. This weekend I’ve spent more than 6 hours learning how to configure the Single Sign-On functionality with an application server that uses forms-based authentication. Finally, I’m happy because I’ve learnt how to configure SSO in BIG-IP APM.

The most difficult part is the SSO Method Configuration, because we have to know exactly how the application validates the username and password. I mean, we have to know what the login page is and what the credential parameters are. On the other hand, the Visual Policy Editor is really powerful: there we can configure the logon page, the authentication database, SSO mapping, etc. We can configure almost everything.
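Finding out the login page and the credential parameters is the part that takes the time. As an added example (not F5 code, and not the blog's own), the following script parses a login page's HTML and pulls out exactly the values a forms-based SSO object needs: the form action (the URL the credentials are posted to), the HTTP method, the username and password parameter names, and any hidden parameters such as CSRF tokens that must be forwarded as well. The sample login page and its field names are constructed for the example.

```python
"""Discover the login form details a forms-based SSO configuration needs.

Added example (not F5's code): forms-based SSO must be told the page the
credentials are posted to, the HTTP method and the parameter names that carry
the username and password. This script extracts those from a login page's
HTML. The sample HTML below is constructed; the field names are hypothetical.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample login page, as an application server might serve it.
SAMPLE_LOGIN_PAGE = """
<html><body>
<form id="loginForm" method="POST" action="/app/j_security_check">
  <input type="text" name="j_username" />
  <input type="password" name="j_password" />
  <input type="hidden" name="csrf_token" value="abc123" />
  <input type="submit" value="Sign in" />
</form>
</body></html>
"""


class LoginFormParser(HTMLParser):
    """Collects every <form> with its inputs; the one holding a password field is the login form."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": (a.get("method") or "GET").upper(),
                             "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                {"type": (a.get("type") or "text").lower(),
                 "name": a.get("name"),
                 "value": a.get("value", "")})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def discover_sso_parameters(html, page_url):
    """Return the values needed for the SSO configuration, or None if no login form exists."""
    parser = LoginFormParser()
    parser.feed(html)
    for form in parser.forms:
        password = [i for i in form["inputs"] if i["type"] == "password"]
        if not password:
            continue  # a form without a password field is not the login form
        # Username is the first text-like input that has a name.
        username = next((i for i in form["inputs"]
                         if i["type"] in ("text", "email") and i["name"]), None)
        # Hidden inputs (e.g. CSRF tokens) must be forwarded too, otherwise the
        # application rejects the replayed credentials.
        hidden = {i["name"]: i["value"] for i in form["inputs"]
                  if i["type"] == "hidden" and i["name"]}
        return {
            "start_uri": page_url,
            "form_action": urljoin(page_url, form["action"]),
            "form_method": form["method"],
            "username_param": username["name"] if username else None,
            "password_param": password[0]["name"],
            "hidden_params": hidden,
        }
    return None


if __name__ == "__main__":
    print(discover_sso_parameters(SAMPLE_LOGIN_PAGE, "https://app.example.com/app/login"))
```

Run it against the HTML of the real login page (fetched with the browser's "view source", not through the proxy) and copy the returned values into the SSO object; if `username_param` comes back as `None`, the page builds the form with JavaScript and has to be inspected in the browser's developer tools instead.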

Visual Policy Editor

I hope this video is useful for you. I've learnt a lot!! Keep learning my friends!

29 April 2019

What’s new in BIG-IP version 14.0

From my point of view, BIG-IP version 13.1 is ready for production. In fact, BIG-IP version 13.1 is the best version for production right now. However, BIG-IP version 14.0 is already out and it’s time to get to know the new features and enhancements. I like reading and writing about new versions, such as What’s new in BIG-IP version 13.1, What’s new in FortiOS 5.6 or What’s new in FortiOS 6.0. Today, I’m going to highlight the new features included in BIG-IP 14.0 which are useful and cool.

BIG-IP LTM v14.0 has new features such as Default Password Expiry, Password Policy Enforcement, a new HTML-based Dashboard and support for full dual-stack IPv4 and IPv6 addresses on the management port. The new HTML-based Dashboard is the best feature by far, because Flash software is no longer needed to show the system dashboard. On the other hand, security has improved because default passwords have to be changed and we can also configure a password policy to enforce strong administrator passwords.

HTML-Based Dashboard

BIG-IP Advanced WAF v14.0 has lots of interesting security features such as Enforcing Use of Parent Policies, Threat Campaigns Subscription and Secure Client-Side Transactions with DataSafe, to name a few. Enforcing use of Parent Policies is useful to eliminate repetitive configuration and management of the same settings across individual policies. In addition, the Threat Campaigns Subscription is interesting to detect specific threat actors, web attacks and vulnerabilities; it can complement any existing security policy and DoS profile already deployed. Finally, Secure Client-Side Transactions with DataSafe is able to obfuscate user data, encrypt user data and protect against keyloggers using a new DataSafe profile assigned to the virtual server.

Enforcing Use of Parent Policies

BIG-IP APM v14.0 has also included new features and enhancements such as Access Guided Configuration, OpenID Connect Authorization Server, VMware Blast Extreme and Multi-Factor Authentication for Native Microsoft Clients. Guided Configuration uses iApps and is designed to make complicated configurations much simpler for BIG-IP administrators. What’s more, BIG-IP APM v14 supports OpenID Connect authentication, which is similar to SAML, and it also supports VMware Blast for Virtual Desktop Infrastructures (VDI).

Access Guided Configuration

BIG-IP DNS v14.0 has also been improved with new features such as EDNS0 Client Subnet support, and it’s also able to add DNS devices via iControl REST. For instance, BIG-IP DNS v14 places the client IP address into the EDNS0 client subnet field, if it is empty, and determines the topology proximity of the client. This new feature improves Global Server Load Balancing.
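To make the "place the client IP into the EDNS0 field if empty" step concrete, here is an added example (not F5 code, and not from the blog) that builds and parses the EDNS Client Subnet option as defined in RFC 7871 (option code 8) and performs that fill-in step on an OPT record's option list. The client addresses are constructed; the /24 and /56 prefix lengths are the RFC's recommended defaults, used here as assumptions about what a resolver front-end would truncate to.

```python
"""EDNS0 Client Subnet (ECS, RFC 7871) option: build, parse, and the
"fill in if empty" step a GSLB resolver front-end performs.

Added example, not F5 code: it shows conceptually what BIG-IP DNS does when
it places the client address into the EDNS0 field if the query carries none.
The option code (8) and layout come from RFC 7871; the prefix lengths used
here (/24 and /56) are the RFC's recommended defaults (an assumption).
"""
import ipaddress
import struct

ECS_OPTION_CODE = 8
FAMILY_IPV4, FAMILY_IPV6 = 1, 2


def build_ecs_option(client_ip, source_prefix=None):
    """Return one ECS option (code, length, data) as bytes for a client address."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        family, prefix = FAMILY_IPV4, 24 if source_prefix is None else source_prefix
    else:
        family, prefix = FAMILY_IPV6, 56 if source_prefix is None else source_prefix
    # Truncate the address to the prefix: zero the host bits, keep ceil(prefix/8) bytes,
    # so the resolver never leaks the full client address upstream.
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    addr_bytes = network.network_address.packed[: (prefix + 7) // 8]
    # SCOPE PREFIX-LENGTH is 0 in queries; the authoritative server sets it in answers.
    data = struct.pack("!HBB", family, prefix, 0) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def parse_edns_options(rdata):
    """Split OPT RR RDATA into a list of (code, data) tuples."""
    options, pos = [], 0
    while pos + 4 <= len(rdata):
        code, length = struct.unpack("!HH", rdata[pos:pos + 4])
        pos += 4
        if pos + length > len(rdata):
            raise ValueError("truncated EDNS option")
        options.append((code, rdata[pos:pos + length]))
        pos += length
    return options


def parse_ecs(data):
    """Decode ECS option data into (network, scope_prefix); reject malformed lengths."""
    family, source, scope = struct.unpack("!HBB", data[:4])
    addr = data[4:]
    size = 4 if family == FAMILY_IPV4 else 16
    if len(addr) != (source + 7) // 8 or len(addr) > size:
        raise ValueError("ECS address length does not match prefix")
    full = addr + b"\x00" * (size - len(addr))
    # strict=True doubles as a check that the sender really zeroed the host bits.
    network = ipaddress.ip_network(f"{ipaddress.ip_address(full)}/{source}", strict=True)
    return network, scope


def ensure_client_subnet(rdata, client_ip):
    """If no ECS option is present, append one derived from client_ip.

    Conceptual behaviour of a resolver front-end that fills in the subnet so
    topology-based GSLB can pick the closest data centre.
    """
    if any(code == ECS_OPTION_CODE for code, _ in parse_edns_options(rdata)):
        return rdata  # honour the subnet the upstream resolver already supplied
    return rdata + build_ecs_option(client_ip)


def build_opt_rr(rdata, udp_payload_size=4096):
    """Wrap EDNS options in an OPT pseudo-RR (RFC 6891): root name, type 41."""
    return b"\x00" + struct.pack("!HHIH", 41, udp_payload_size, 0, len(rdata)) + rdata


if __name__ == "__main__":
    opt = ensure_client_subnet(b"", "203.0.113.77")      # constructed client address
    for code, data in parse_edns_options(opt):
        if code == ECS_OPTION_CODE:
            print(parse_ecs(data))
    print(build_opt_rr(opt).hex())
```

The truncation matters from a privacy standpoint: a GSLB only needs the client's subnet to pick a nearby data centre, so a front-end should forward the /24 or /56, never the full address, and should keep an ECS option it already received rather than overwrite it with the recursive resolver's own address.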

With EDNS0 Client Subnet Support

There are lots of new features and enhancements in BIG-IP v14.0. It’s up to you to test these new features and read about them. Regards my friends! Be happy!

22 April 2019

Security on the Internet for teenagers

From time to time I have to give a speech about security, networking or technology. This week, my colleague Marco has scheduled a talk about “Security on the Internet for teenagers”, where I’m going to speak about best practices and the risks there are on the net. Actually, there are lots of things I can tell about security on the Internet: social networks, privacy, sexting, cyberbullying, grooming, etc.


Social networks are well known by most teenagers. Most of them know WhatsApp, Snapchat, Pinterest or even TikTok. They know the benefits of using these kinds of applications: we can be in touch with friends, we can share pictures, we can meet people with the same hobbies. There are lots of benefits. However, it’s important to highlight that there are also risks we have to take into account, and their severity can range from a fight to a suicide. For this reason, social networks must be used carefully.

Privacy seems boring. Most teenagers don’t care about privacy: there are lots of letters to read and lots of sentences to understand, and nobody reads them. However, privacy is not like belongings, which we can recover if someone else picks them up. I mean, if someone steals your bike, you can recover it, but if someone steals your identity, your pictures or your information, you’ll never recover them.

Social networks and privacy are just two of the topics I’m going to speak about in the talk, but I will also speak about sexting, bullying, grooming, etc., where I’m going to play videos and ask the teenagers lots of questions. We’ll see the feedback from the audience. I hope this talk will be rewarding for the future of teenagers on the net.

We will see on the stage!! ;-)

15 April 2019

ISA-95 levels for Industrial Systems

One of the first certification exams I took was the ITIL Foundation, 8 years ago, where I learnt about IT Service Management (ITSM). Afterwards, I worked for Ariadnex to get ISO 20000, where I learnt more about IT Service Management. I also worked for Ariadnex to get ISO 27001, where I learnt a lot about information security. These last two years I’ve also been working with PCI-DSS and ISO 22301. I mean, I think reading standards and applying best practices is important, and much of the time mandatory, to do a good job.

Today, I want to write about a new standard I’ve been reading lately: the ISA99 standard. I didn’t know this standard until four or five months ago, when I started working on a new project. If you know the ISA99 standard, you’ll know I’m talking about an industrial project. Actually, the ISA99 committee has developed the ISA/IEC 62443 series of standards and, since then, the ISA99 standard is no longer developed by the committee. What I would like to highlight today are the levels defined by the ISA95 and ISA88 standards.

ISA-95 levels

The first two levels of process control, level 0 and level 1, are focused on the control of the equipment which executes the production processes. On the one hand, level 0 is the equipment and human resources required for the industrial process; level 0 is the set of physical assets within the enterprise. On the other hand, automation systems such as PLCs, DCSs or RTUs are at level 1. These automation systems work with the physical assets at level 0. The level 1 devices are electrical and control devices.

PLC - Programmable Logic Controller

The next level, level 2, is very well defined by the ISA88 standard. HMI and SCADA systems are at this level. HMIs are operation monitors to control specific processes, while SCADA systems are applications to control and monitor the whole industrial system. As a rule, a PLC is controlled by an HMI, while lots of PLCs are monitored with a SCADA system. Therefore, the first interaction between the human being and the hardware is at level 2.

SCADA - Supervisory Control And Data Acquisition

The next two levels, level 3 and level 4, are well defined by the ISA95 standard. We have the Batch, Historian and MES at the third level. The Batch is like a SCADA with databases for batch production. The Historian is a database where industrial data is stored. The MES is the interface between level 2 and level 4. Level 4 is where the business intelligence is located; for instance, ERPs and CRMs are at level 4.

MES - Manufacturing Execution System

Once all levels are defined, how can we protect an industrial enterprise? The bottom levels can be secured with an Intrusion Prevention System (IPS) with industrial signatures which block attacks against communication protocols (e.g. Modbus, PROFIBUS, Conitel, etc.), while the upper levels can be secured with Application Control and Web Filtering. In addition, I would like to highlight the importance of segmenting the network into zones.
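The two ideas in the last paragraph, protocol-aware inspection at the bottom levels and segmentation into zones, can be shown together. The following is an added example (not FortiGate code and not part of the ISA standards): it parses the Modbus/TCP MBAP header and function code from the public Modbus specification, maps source and destination addresses to ISA-95 level zones, and applies a policy that lets the HMI zone read and write, the historian zone only read, and the business zone never speak Modbus to controllers. The zones, subnets, policy and sample requests are all constructed for the example.

```python
"""Zone-aware Modbus/TCP inspection, as an added example of what an
industrial IPS rule does at the boundary between ISA-95 levels.

Not a FortiGate or ISA artefact: the zones, addresses and policy below are
constructed for the example. Modbus/TCP framing (7-byte MBAP header + PDU)
follows the public Modbus specification; function codes 1-4 are reads and
5, 6, 15, 16 are writes.
"""
import ipaddress
import struct

READ_CODES = {1, 2, 3, 4}
WRITE_CODES = {5, 6, 15, 16}

# Constructed zone model: which ISA-95 level each subnet belongs to.
ZONES = {
    "L1-controllers": ipaddress.ip_network("10.1.0.0/24"),   # PLCs / RTUs
    "L2-hmi":         ipaddress.ip_network("10.2.0.0/24"),   # HMI / SCADA
    "L3-historian":   ipaddress.ip_network("10.3.0.0/24"),   # MES / Historian
    "L4-business":    ipaddress.ip_network("10.4.0.0/16"),   # ERP / CRM
}

# Constructed policy: which zones may issue which Modbus operations to L1 devices.
POLICY = {
    "L2-hmi":       READ_CODES | WRITE_CODES,  # operators may read and write
    "L3-historian": READ_CODES,                # historian collects only
    "L4-business":  set(),                     # business network never talks Modbus to PLCs
}


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_modbus_tcp(payload):
    """Parse the MBAP header and the function code; raise on malformed input."""
    if len(payload) < 8:
        raise ValueError("short Modbus/TCP frame")
    tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0:
        raise ValueError("not Modbus protocol (protocol id %d)" % proto)
    # LENGTH counts unit id + PDU; it must match the bytes actually present.
    if length != len(payload) - 6:
        raise ValueError("MBAP length %d does not match frame" % length)
    return {"transaction": tid, "unit": unit, "function": payload[7], "data": payload[8:]}


def inspect_request(src_ip, dst_ip, payload):
    """Return (verdict, reason) for one Modbus/TCP request crossing a zone boundary."""
    try:
        frame = parse_modbus_tcp(payload)
    except ValueError as exc:
        return "block", "malformed: %s" % exc
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if dst_zone != "L1-controllers":
        return "allow", "not a controller target"
    fc = frame["function"]
    if fc in POLICY.get(src_zone, set()):
        return "allow", "%s may use function %d" % (src_zone, fc)
    kind = "write" if fc in WRITE_CODES else "read" if fc in READ_CODES else "other"
    return "block", "%s -> %s: function %d (%s) not permitted" % (src_zone, dst_zone, fc, kind)


def build_request(tid, unit, function, data):
    """Helper to construct sample frames: MBAP header + PDU."""
    pdu = bytes([function]) + data
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


if __name__ == "__main__":
    # Constructed traffic: HMI reading holding registers, historian trying to write a coil.
    read_hr = build_request(1, 1, 3, struct.pack("!HH", 0, 10))
    write_coil = build_request(2, 1, 5, struct.pack("!HH", 0, 0xFF00))
    print(inspect_request("10.2.0.5", "10.1.0.10", read_hr))
    print(inspect_request("10.3.0.7", "10.1.0.10", write_coil))
    print(inspect_request("10.4.1.9", "10.1.0.10", read_hr))
```

The point of the zone lookup is that the same Modbus write is legitimate from an HMI and an incident from the historian or the business network; a signature alone cannot tell the two apart, the segmentation gives the IPS the context to decide.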

FortiGate Rugged

Keep learning and keep studying my friends!! All comments are welcome.

8 April 2019

A Forensic Challenge

I finished the training on Networks, Systems, Hacking and Forensics last week, where students have learned a lot about security, or at least I think they have! This last course about Forensics has been fun because students have had to solve three challenges. The first one was interesting for reinforcing the importance of looking at metadata. The second one was a little bit more difficult, since it used steganography techniques. I have to admit the third one is difficult for a newbie because it contains a mix of steganography and obfuscation techniques.

The last challenge is about steganography and obfuscation, where students have checked the image metadata, hex dumped the file contents and extracted a hidden zip archive. They have also had to look at the start of the file, the end of the file and the middle of the file to extract another file. Finally, students have had to read about an esoteric programming language to find the final flag.

There are lots of CTF (Capture The Flag) challenges on the Internet which are useful for learning about hacking and forensics. You just have to keep studying, reading books and learning what you want!
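The "hex dump the file and extract a hidden zip archive" step is worth seeing as code. The following is an added example, not the course's challenge file and not from the blog: it scans a carrier file for the ZIP local-file-header signature, finds the End Of Central Directory record that closes the archive, carves the bytes in between and validates them with `zipfile`. The carrier (a JPEG-like blob with a tiny archive appended in the middle) is constructed in memory, and the SHA-256 of the carrier is recorded before anything is extracted, as a forensic workflow would.

```python
"""Carve a ZIP archive hidden inside another file, as an added example of
the extraction step described above. Not the course's own challenge file:
the carrier bytes and the archive are constructed in memory here.

Technique: scan for the ZIP local-file-header signature 'PK\\x03\\x04',
locate the End Of Central Directory record 'PK\\x05\\x06' that follows it,
cut out everything in between (plus the EOCD and its comment), then
validate the result with zipfile.
"""
import hashlib
import io
import zipfile

LOCAL_HEADER = b"PK\x03\x04"
EOCD = b"PK\x05\x06"


def build_carrier():
    """Constructed sample: a fake JPEG-like blob with a ZIP embedded in the middle."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("flag.txt", "this is a constructed sample flag\n")
    archive = buf.getvalue()
    head = b"\xff\xd8\xff\xe0" + b"JFIF\x00" + b"\x00" * 64   # JPEG SOI + APP0 marker bytes
    tail = b"\xff\xd9" + b"trailing junk" * 4                 # JPEG EOI then filler
    return head + archive + tail


def sha256_hex(data):
    """Hash the evidence before touching it, so later findings can be tied to it."""
    return hashlib.sha256(data).hexdigest()


def carve_zips(data):
    """Return every candidate ZIP archive embedded in data (as bytes)."""
    found, pos = [], 0
    while True:
        start = data.find(LOCAL_HEADER, pos)
        if start < 0:
            break
        end = data.find(EOCD, start)
        if end < 0:
            break  # a local header with no end record: truncated or not a zip
        # EOCD is 22 bytes plus an optional comment whose length sits at offset 20.
        comment_len = int.from_bytes(data[end + 20:end + 22], "little")
        stop = end + 22 + comment_len
        found.append(data[start:stop])
        pos = stop
    return found


def list_archive(blob):
    """Validate a carved blob and return its member names, or None if it is not a sound ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            if zf.testzip() is not None:
                return None
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def read_member(blob, name):
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(name)


if __name__ == "__main__":
    carrier = build_carrier()
    print("carrier sha256:", sha256_hex(carrier))
    for blob in carve_zips(carrier):
        print("carved", len(blob), "bytes ->", list_archive(blob))
```

On a real challenge file the same scan is what `binwalk` or a hex editor search for `PK` gives you; the value of writing it out is seeing that the archive boundary is defined by the EOCD record and its comment length, not by the end of the carrier.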

1 April 2019

MLAG vs vPC vs Stacking

I’m working these days with Mellanox switches, which I think are awesome because, thanks to the Spectrum ASIC, these switches provide low latency, zero packet loss and non-blocking traffic. In fact, Mellanox is one of the first manufacturers I know of with 400 GbE interfaces. I mean, one network interface at 400 Gbps. It’s amazing. In addition, Mellanox switches support the RDMA over Converged Ethernet (RoCE) technology, which is a great benefit for Hyperconverged Infrastructures (HCI).

Mellanox SN3510 with 6 QSFP-DD 400GbE

Once they are installed, it’s time for the network configuration. Right now I’m thinking about clustering and I’m also looking for the best technology to deliver high throughput. I’ve already written about Multi-Chassis Link Aggregation (MLAG), and I think this will be the best technology to configure a cluster of switches with high throughput. MLAG is a non-standard protocol which is useful to create port groups between switches of the same vendor: we can create LAGs to servers from different switches. Therefore, the MLAG technology is recommended for high availability and high throughput.

Multi-Chassis Link Aggregation

Maybe, if you know Cisco, you are thinking about Cisco Nexus vPC. This is also a great technology for clustering switches, where we can create Link Aggregations (LAG) between two switches. In addition, the switches keep separate control planes, so better performance is delivered. However, Cisco Nexus vPC is a Cisco-specific protocol which can’t be configured on other kinds of switches.

Cisco Nexus vPC

At first glance, MLAG and vPC look the same. Both are able to create Link Aggregations (LAG) between two switches, and both are managed and configured independently, but they are not really the same. For instance, MLAG is easier to configure than vPC because MLAG concepts are the same on all platforms, while vPC is a vendor technology with its own concepts. In addition, MLAG mainly enables Layer 2 multipathing, while vPC enables Layer 2 and Layer 3 multipathing. However, if we want to enable Layer 3 multipathing, we could also use the Multi-Active Gateway Protocol (MAGP).

On the other hand, stacking is a well-known technology which is useful for easy configuration of switches, because all switches can be configured from a single management interface; thus, there is only one management plane. In addition, stacking is able to create Link Aggregations (LAG) between switches, like MLAG and vPC do. However, there are many more limitations in stacking than in MLAG or vPC. For instance, there is always a limited number of switches that can be added to the stack. What’s more, it isn’t possible to stack remote switches which are geographically separated. Therefore, stacking makes sense for the edge of smaller sites, while MLAG or vPC make sense for the core or distribution layer.

To sum up, there are three kinds of technologies to create Link Aggregations (LAG) from switches to servers: MLAG, vPC and stacking. Which one to choose? It’s up to you.

Keep learning and keep studying my friends!! Any comments are welcome.

25 March 2019

Fileless malware forensics

This weekend I’ve been watching videos about forensics, looking for labs for the students of my Digital Forensics course. I would like to highlight one of them: a fileless malware forensics talk that I will use for the training course. What’s really interesting in this talk is the fileless malware analysis, because this kind of malware doesn’t store any file on the operating system but is able to execute instructions through the command line while operating in memory. Therefore, it’s really difficult to acquire evidence to know how the malware works.

How a Fileless Attack works

Actually, there are three talks I would like to highlight. The first one is about acquisition in complex incidents. The second one is about acquisition in the cloud, which is also really interesting because we can learn how to acquire digital evidence from AWS. The third one is about fileless malware forensics, which shows, step by step, how to analyse the Windows Prefetch folder, web history, event logs, memory, etc. from the memory acquisition and triage. It’s an interesting talk to learn how to analyse fileless malware.
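Because fileless malware leaves no file to hash, the command line recorded in process-creation events is often the only artefact that survives a reboot. The following is an added example (not from the talk or the blog) of the event-log part of that analysis: it runs over constructed process-creation records exported as JSON lines (field names modelled on Windows event 4688 and Sysmon event 1, an assumption about the export format), decodes a PowerShell `-EncodedCommand` payload and flags the indicators a fileless stage typically shows, such as in-memory execution, hidden windows and script hosts spawned by Office applications. The sample records and the encoded payload are constructed from harmless strings.

```python
"""Hunt for fileless execution in process-creation events, as an added
example of the command-line analysis described above. The log lines are
constructed for this example in a JSON-per-line export format (field names
modelled on Windows event 4688 / Sysmon event 1); they are not from any
real incident.
"""
import base64
import json
import re

# Indicators a fileless stage typically shows on the command line: the
# interpreter is asked to run code that never exists as a script file on disk.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})")
SUSPICIOUS = [
    (re.compile(r"(?i)\b(iex|invoke-expression)\b"), "in-memory code execution (IEX)"),
    (re.compile(r"(?i)downloadstring|invoke-webrequest|net\.webclient"), "remote content fetched into memory"),
    (re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"), "hidden window"),
    (re.compile(r"(?i)-nop\b|-noprofile\b"), "profile bypass"),
    (re.compile(r"(?i)frombase64string"), "inline base64 decoding"),
]
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
OFFICE = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_event(event):
    """Return the reasons this process-creation event looks fileless; empty if clean."""
    reasons = []
    image = event.get("NewProcessName", "").lower().rsplit("\\", 1)[-1]
    parent = event.get("ParentProcessName", "").lower().rsplit("\\", 1)[-1]
    cmdline = event.get("CommandLine", "")
    text = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded command decoded: %r" % decoded.strip())
        text = cmdline + " " + decoded   # match indicators inside the decoded payload too
    for pattern, why in SUSPICIOUS:
        if pattern.search(text):
            reasons.append(why)
    if image in SCRIPT_HOSTS and parent in OFFICE:
        reasons.append("script host spawned by an Office application")
    return reasons


def hunt(lines):
    """Run analyse_event over JSON lines; return [(record_id, reasons)] for hits only."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("EventID") not in (4688, 1):
            continue
        reasons = analyse_event(event)
        if reasons:
            hits.append((event.get("RecordId"), reasons))
    return hits


def _enc(powershell_text):
    """Encode a PowerShell string the way -EncodedCommand expects (for the sample only)."""
    return base64.b64encode(powershell_text.encode("utf-16-le")).decode()


# Constructed sample export; the encoded payload is built from a harmless string.
SAMPLE_LOG = [
    json.dumps({"RecordId": 1, "EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe",
                "ParentProcessName": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe notes.txt"}),
    json.dumps({"RecordId": 2, "EventID": 4688,
                "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "ParentProcessName": r"C:\Windows\System32\wscript.exe",
                "CommandLine": "powershell.exe -nop -w hidden -enc " + _enc("IEX (Get-Content .\\stage1.ps1 -Raw)")}),
    json.dumps({"RecordId": 3, "EventID": 1, "NewProcessName": r"C:\Windows\System32\mshta.exe",
                "ParentProcessName": r"C:\Program Files\Microsoft Office\winword.exe",
                "CommandLine": "mshta.exe about:blank"}),
]

if __name__ == "__main__":
    for record, reasons in hunt(SAMPLE_LOG):
        print(record, reasons)
```

Command-line logging is not on by default for event 4688 (the "Include command line in process creation events" policy has to be enabled), so before the incident is the time to check that the field is populated; without it the second record above would show only `powershell.exe` and nothing to decode.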

Keep learning and keep studying my friends!!

18 March 2019

A basic computer forensics

There are people who think forensics is a small part of security. That’s right, but this small part is very big. Usually, there are two kinds of computer forensic investigators: the one who acquires the digital evidence and manages the laboratory, and the specialist who analyses the digital evidence. The role of this last one is very important because they must have deep knowledge about the technology which is going to be analysed. For instance, if a video game console has to be analysed, the case will need a video game console specialist. Therefore, computer forensics needs lots of specialists with deep knowledge in specific fields.

This post is not going to be about a difficult and specific computer forensic analysis but about an easy one. You will be able to watch in the next video how to look for encrypted files as well as virtual machine volumes. In addition, we’ll recover deleted files and we’ll check file extensions to look for alterations. We’ll also analyse the disk partition and the file system with the aim of knowing what operating system and applications were running on the digital evidence. What’s more, system and security events will be analysed to look for interesting facts as well.

This is a basic computer forensic analysis where we have used six tools: AccessData FTK Imager for mounting digital evidence; Passware Encryption Analyzer to look for encrypted files; Autopsy, which is a digital forensics platform that I really love, to look for virtual machine volumes, files, mail accounts, etc.; Active Disk Editor for analysing the disk partition and the file system; Windows Registry Recovery to find out the installed applications, operating system version, IP address, etc.; and Event Log Explorer for searching Windows event logs.

Do you think it’s difficult? Keep learning and keep studying!!

11 March 2019

Forensic - Data recovery and metadata analysis

My first step into forensics was 9 years ago, when I was studying a master’s degree in system administration with open source operating systems. This master’s degree had a subject about forensics. Later on, I’ve taken training and I’ve tried forensics challenges such as the CyberSecurity Challenge in ForoCIBER 2018. Today, I’m writing about data recovery and metadata analysis because I’ve recorded a video, which will be the next laboratory, for my students of the Forensics Training Course at FEVAL in Extremadura.

Edmond Locard

We can watch in the next video how to recover data and analyse the metadata of a memory stick where there were 10 pictures, but only three of them are interesting. First, we verify the SHA hash to check that the image hasn’t been modified. Secondly, we have to mount the image read-only to keep the image safe. Once the image is mounted, we can work with it: we analyse the file system and we can also recover data. Finally, we can even find out where the pictures were taken and what camera took them. I think this is an easy and interesting laboratory for beginners.

There are lots of digital forensics tools; you can watch some of them in the video. There is also lots of information on the Internet to dig deeper into forensics. What’s more, there are certifications such as the Computer Hacking Forensic Investigator (CHFI), which could be the starting point for forensics. Therefore, you just have to want to learn and find the time for training.
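The first two steps of this laboratory, verifying the hash of the image and then looking at its partition layout and file system, and the disk partition analysis from the "basic computer forensics" post above, can be done from a raw image with nothing but the standard library. The following is an added example (not the course's evidence and not a tool from the video): it builds a small MBR-partitioned image in memory, verifies its SHA-256, reads the four partition entries, and sniffs the boot sector of each partition for a file-system signature. The image contents, partition layout and labels are constructed.

```python
"""Verify an acquired image's hash and read its MBR partition table, as an
added example for the first steps of the laboratory described above
(hash check, then partition and file-system analysis). The image is
constructed in memory; it is not the course's evidence file.
"""
import hashlib
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"
ENTRY = "<B3sB3sII"   # status, CHS start, type, CHS end, first LBA, sector count
PARTITION_TYPES = {0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32",
                   0x0C: "FAT32 (LBA)", 0x82: "Linux swap", 0x83: "Linux"}


def build_sample_image():
    """Constructed evidence: a 6 MiB image with an MBR holding two partitions."""
    image = bytearray(12288 * SECTOR)
    image[0:3] = b"\xeb\x63\x90"                       # jump stub, as real boot code starts
    entries = [(0x80, 0x0B, 2048, 4096),               # bootable FAT32
               (0x00, 0x83, 6144, 4096)]               # Linux partition after it
    for i, (status, ptype, lba, count) in enumerate(entries):
        off = 446 + i * 16
        # CHS fields set to 0xFEFFFF ("use LBA"); only the LBA fields matter today.
        image[off:off + 16] = struct.pack(ENTRY, status, b"\xfe\xff\xff", ptype,
                                          b"\xfe\xff\xff", lba, count)
    image[510:512] = MBR_SIGNATURE
    # Give the first partition a FAT32 boot sector label so sniff_filesystem can see it.
    p1 = 2048 * SECTOR
    image[p1:p1 + 3] = b"\xeb\x58\x90"
    image[p1 + 82:p1 + 90] = b"FAT32   "               # BS_FilSysType at offset 82
    image[p1 + 510:p1 + 512] = MBR_SIGNATURE
    return bytes(image)


def sha256_of(image):
    return hashlib.sha256(image).hexdigest()


def verify_hash(image, expected_sha256):
    """True if the working copy still matches the hash taken at acquisition time."""
    return sha256_of(image) == expected_sha256


def parse_mbr(image):
    """Return the non-empty partition entries of a classic MBR."""
    if len(image) < SECTOR or image[510:512] != MBR_SIGNATURE:
        raise ValueError("no MBR signature; try GPT or a raw file-system image")
    parts = []
    for i in range(4):
        off = 446 + i * 16
        status, _chs1, ptype, _chs2, lba, count = struct.unpack(ENTRY, image[off:off + 16])
        if ptype == 0 or count == 0:
            continue
        parts.append({"index": i + 1, "bootable": status == 0x80, "type": ptype,
                      "type_name": PARTITION_TYPES.get(ptype, "unknown"),
                      "first_lba": lba, "sectors": count,
                      "offset_bytes": lba * SECTOR, "size_bytes": count * SECTOR})
    return parts


def sniff_filesystem(image, part):
    """Identify the file system from its boot sector; the type byte is only a hint."""
    off = part["offset_bytes"]
    head = image[off:off + 2048]
    if len(head) < SECTOR:
        return "beyond end of image (truncated acquisition?)"
    if head[3:11] == b"NTFS    ":
        return "NTFS"
    if head[82:90].startswith(b"FAT32"):
        return "FAT32"
    if head[54:62].startswith(b"FAT1"):
        return "FAT12/16"
    if len(head) >= 0x43A and head[0x438:0x43A] == b"\x53\xef":
        return "ext2/3/4"                               # superblock magic at +1080
    return "unrecognised"


if __name__ == "__main__":
    image = build_sample_image()
    digest = sha256_of(image)                            # record this with the evidence
    print("hash ok:", verify_hash(image, digest))
    for part in parse_mbr(image):
        print(part["index"], part["type_name"], "at LBA", part["first_lba"],
              part["size_bytes"] // 1024, "KiB ->", sniff_filesystem(image, part))
```

Note that the second partition is typed as Linux but carries no recognisable superblock: the partition-type byte is an assertion made by whoever wrote the table, and the file system has to be confirmed from its own signature, which is exactly the kind of discrepancy the disk-editor step in the video is there to catch.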

Keep learning and keep studying my friends!

4 March 2019

RDMA over Converged Ethernet (RoCE)

I didn’t know anything about RoCE until a few weeks ago, when a sales engineer told me about this technology. It’s amazing. Actually, I’m studying these days how to configure RoCE and I will end up installing and deploying this technology. However, I’ve realised RoCE uses the Data Center Bridging (DCB) standard, which has features such as Priority-based Flow Control (PFC), Enhanced Transmission Selection (ETS), Data Center Bridging Capabilities Exchange Protocol (DCBX) and Congestion Notification, all of them useful for RoCE.

If we want to understand RoCE, firstly we should know about InfiniBand. The first time I heard about InfiniBand was two or three years ago, when Ariadnex worked for CenitS on a supercomputing project. They have 14 Mellanox SX6036 InfiniBand switches with 36 56Gbps FDR ports and 3 Mellanox IS5030 InfiniBand switches with 36 40Gbps QDR ports for the computing network. Therefore, we will see most InfiniBand networks in High-Performance Computing (HPC) systems, because HPC systems require very high throughput and very low latency.

CenitS Lusitania II

RoCE stands for RDMA over Converged Ethernet, and RDMA stands for Remote Direct Memory Access. This last technology, RDMA, was only known in the InfiniBand community but, lately, it’s increasingly known because we can also enable RDMA over Ethernet networks, which is a great advantage because we can achieve high throughput and low latency. Thanks to RDMA over Converged Ethernet (RoCE), servers can send data from the source application to the destination application directly, which considerably increases network performance.

RDMA over Converged Ethernet (RoCE)

Clustering, Hyper-Converged Infrastructure (HCI) and storage solutions can benefit from the performance improvements provided by RoCE. For instance, Hyper-V deployments are able to use SMB 3.0 with the SMB Direct feature, which can be combined with RoCE adapters for fast and efficient storage access, minimal CPU utilization for I/O processing, and high throughput with low latency. What’s more, iSCSI extensions for RDMA, such as iSER, and NFS over RDMA are able to increase I/O operations per second (IOPS), lower latency and reduce client and server CPU consumption.

RDMA support in vSphere

In addition to RoCE and InfiniBand, the Internet Wide Area RDMA Protocol (iWARP) is another option for high throughput and low latency. However, this protocol is less used than RoCE and InfiniBand. In fact, iWARP is no longer supported in new Intel NICs and the latest Ethernet speeds of 25, 50 and 100 Gbps are not available for iWARP. This protocol uses TCP/IP to deliver reliable services, while RoCE uses UDP/IP and DCB for congestion and flow control. Furthermore, I think it's important to highlight that these technologies are not compatible with each other. I mean, iWARP adapters can only communicate with iWARP adapters, RoCE adapters can only communicate with RoCE adapters and InfiniBand adapters can only communicate with InfiniBand adapters. Thus, if there is an interoperability conflict, applications will revert to TCP without the benefits of RDMA.

RoCE and iWARP Comparison

To sum up, RDMA was only used in High-Performance Computing (HPC) systems with InfiniBand networks, but thanks to converged Ethernet networks and protocols such as RoCE and iWARP, today we can also install clusters, Hyper-Converged Infrastructures (HCI) and storage solutions with high throughput and low latency on the traditional Ethernet network.

Keep reading and keep studying!!

25 February 2019

Data Center Bridging (DCB)

I wrote about Bridging, Provider Bridging, Provider Backbone Bridging (PBB) and Shortest Path Bridging (SPB) two years ago, when I was teaching these technologies to a group of network administrators. These technologies are useful for Cloud Service Providers or Internet Service Providers. However, I want to write today about Data Center Bridging (DCB), which is useful for most Data Centers where there is highly demanding Ethernet traffic such as virtual SAN (vSAN) or Fibre Channel over Ethernet (FCoE) traffic.

Data Center Bridging is a set of open-standard Ethernet extensions developed through the IEEE 802.1 working group to improve clustering and storage networks. These extensions are Priority-based Flow Control (PFC), which is included in the 802.1Qbb standard; Enhanced Transmission Selection (ETS), which is included in the 802.1Qaz standard; Data Center Bridging Capabilities Exchange Protocol (DCBX), which is also included in the 802.1Qaz standard; and Congestion Notification, which is included in the 802.1Qau standard.

The first one, Priority-based Flow Control (PFC), creates eight virtual links on the physical link, where PFC provides the capability to pause a single virtual link without affecting traffic on the other virtual links. Pauses are triggered based on user priority or class of service. This extension allows administrators to create lossless links for traffic requiring no-drop service, such as vSAN or FCoE, while retaining packet-drop congestion management for IP traffic.

Priority-based Flow Control

The second extension is Enhanced Transmission Selection (ETS), which provides bandwidth management between traffic types for multiprotocol links. For instance, a virtual link can share a percentage of the overall link with other traffic classes. Therefore, ETS is able to create priority groups, and it allows differentiation between traffic on the same virtual link.

Enhanced Transmission Selection

These two extensions, PFC and ETS, have to be configured on switches and endpoints. This configuration can be deployed easily with the Data Center Bridging Capabilities Exchange Protocol (DCBX). This third extension exchanges the configuration between devices: parameters such as priority groups in ETS, congestion notification, PFC, applications, etc. In addition, DCBX is able to discover peers and detect mismatched configuration.

DCBX Deployment Scenario

The last extension, which is optional and not required in the Data Center Bridging architecture, is Congestion Notification. This extension is useful for actively managing traffic flows and, thus, avoiding traffic jams. It’s interesting because an aggregation-level switch with this feature can send control frames to access-level switches asking them to throttle back their traffic and, therefore, rate-limit policies for congestion can be enforced close to the source.

Congestion Notification

These four specifications (PFC, ETS, DCBX and Congestion Notification) improve clustering and storage networks and respond to future data center network needs such as the new Hyper-Converged Infrastructures of VMware vSAN or Nutanix.
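Two of the behaviours described above, ETS lending a group's unused percentage to the other traffic classes and DCBX detecting a mismatched peer configuration, are easier to reason about with numbers. The following is an added example, not a switch vendor's code and not from the blog. It assumes the common work-conserving interpretation of 802.1Qaz, where a traffic class group that does not use its guaranteed share lends the remainder to the still-hungry groups in proportion to their percentages (the exact redistribution is implementation dependent), and it models the DCBX "willing" bit, where a willing device adopts the peer's advertised parameters. The link speed, groups, demands and the peer's advertisement are constructed.

```python
"""ETS bandwidth sharing and a DCBX-style mismatch check, as an added
example for the two extensions described above (not a switch vendor's code).

Assumption: the allocator uses the common work-conserving interpretation of
802.1Qaz, where a traffic class group that does not use its percentage lends
the remainder to the other groups in proportion to their percentages; the
exact redistribution is implementation dependent. All values are constructed.
"""

# Constructed ETS configuration: traffic class group -> guaranteed percentage.
# 802.1Qaz requires the percentages to sum to 100.
LOCAL_ETS = {"storage": 50, "cluster": 20, "lan": 30}
LOCAL_PFC = {3}          # priority 3 (FCoE / lossless storage) runs no-drop

# Constructed peer advertisement as a DCBX exchange would deliver it.
PEER_ETS = {"storage": 50, "cluster": 20, "lan": 30}
PEER_PFC = {3, 4}        # peer also made priority 4 lossless: a mismatch


def validate_ets(groups):
    total = sum(groups.values())
    if total != 100:
        raise ValueError("ETS percentages must sum to 100, got %d" % total)
    if any(p < 0 for p in groups.values()):
        raise ValueError("negative ETS percentage")


def ets_allocate(link_gbps, groups, demand_gbps):
    """Return the bandwidth (Gbps) each group actually gets for the given demands.

    Each group is capped at its demand; bandwidth a group leaves unused is
    redistributed among the still-hungry groups in proportion to their
    percentages, repeated until nothing is left or every demand is met.
    """
    validate_ets(groups)
    alloc = {g: 0.0 for g in groups}
    remaining = float(link_gbps)
    hungry = {g for g in groups if demand_gbps.get(g, 0) > 0}
    while hungry and remaining > 1e-9:
        weight = sum(groups[g] for g in hungry)
        if weight == 0:          # only zero-percent groups left: best effort, equal split
            share = {g: remaining / len(hungry) for g in hungry}
        else:
            share = {g: remaining * groups[g] / weight for g in hungry}
        satisf = set()
        for g in hungry:
            give = min(demand_gbps[g] - alloc[g], share[g])
            alloc[g] += give
            remaining -= give
            if alloc[g] >= demand_gbps[g] - 1e-9:
                satisf.add(g)
        if not satisf:           # everyone used their full share: link is saturated
            break
        hungry -= satisf
    return {g: round(v, 3) for g, v in alloc.items()}


def dcbx_compare(local_ets, local_pfc, peer_ets, peer_pfc, local_willing=False):
    """Return ((effective_ets, effective_pfc), mismatches), mimicking DCBX peer checking.

    A 'willing' device adopts the peer's advertised parameters; otherwise it
    keeps its own and every difference is reported, which is what a switch
    logs as a DCBX mismatch and what breaks lossless behaviour silently.
    """
    mismatches = []
    for g in sorted(set(local_ets) | set(peer_ets)):
        if local_ets.get(g) != peer_ets.get(g):
            mismatches.append("ETS group %s: local %s%% vs peer %s%%"
                              % (g, local_ets.get(g), peer_ets.get(g)))
    if set(local_pfc) != set(peer_pfc):
        mismatches.append("PFC lossless priorities: local %s vs peer %s"
                          % (sorted(local_pfc), sorted(peer_pfc)))
    if local_willing:
        return (dict(peer_ets), set(peer_pfc)), mismatches
    return (dict(local_ets), set(local_pfc)), mismatches


if __name__ == "__main__":
    print(ets_allocate(10, LOCAL_ETS, {"storage": 2, "cluster": 5, "lan": 8}))
    print(ets_allocate(10, LOCAL_ETS, {"storage": 10, "cluster": 10, "lan": 10}))
    print(dcbx_compare(LOCAL_ETS, LOCAL_PFC, PEER_ETS, PEER_PFC))
```

In the first allocation storage only needs 2 Gbps of its guaranteed 5, so the spare 3 Gbps is split 20:30 between cluster and LAN; in the second, every group is saturated and the allocation collapses to the configured percentages. The PFC mismatch in the DCBX check is the one to watch for operationally: if only one side treats priority 4 as lossless, that traffic is paused on one end and dropped on the other.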

Keep reading and keep learning!!

18 February 2019

Cisco Virtual Networking

I was working as a virtualization administrator 9 years ago and I still remember how the virtualization team had to configure and manage the virtual network. The main tasks of the virtualization team were to create and manage virtual machines but, from time to time, we also had to manage the virtual network. I always thought networking should be managed by the networking team regardless of virtual or physical, but the networking team said everything virtual should be managed by the virtualization team. It was chaotic.

Actually, I already really loved networking and I didn’t mind managing virtual networks, but roles and responsibilities were not clearly defined. Therefore, nobody applied network and security policies between virtual machines and nobody wanted to troubleshoot communication problems between virtual machines. However, a clear separation of roles could already be achieved with technologies such as Nexus 1000V and VM-FEX. These two technologies help organizations to address these problems.

Cisco Virtual Networking Solution Options

Cisco Virtual Networking solutions, such as VM-FEX and Nexus 1000V, help customers to reduce operational complexity and take advantage of virtualization technologies. For instance, virtual networks can be managed in the same way as physical networks, because we’ll have the same command line (Cisco NX-OS CLI) and network administrators won’t have to be retrained. In addition, we’ll use the same monitoring and management tools to manage both environments. What’s more, we will be able to apply network and security policies between virtual machines.

I’ve already written about Cisco Nexus Fabric Extender (FEX), which removes the line cards from the modular switch with the aim of installing remote line cards as ToR switches. These remote line cards are like virtual wires to the parent switch, where the management, control and data planes are carried out. VM-FEX is the same Cisco FEX technology but applied to the virtual environment, so VM-FEX extends the physical network to virtual machines.

Cisco VM-FEX Extends Cisco Fabric Extender Technology with Cisco UCS Fabric Interconnects

One of the main benefits of VM-FEX is operational simplicity, because both environments, virtual and physical, can be managed with the same tools and the same network administrators. However, another interesting advantage is the improved performance, because the SR-IOV functionality, enabled in the virtual platform, offers near-bare-metal performance for virtual workloads.

Finally, the Cisco Virtual Networking solution Cisco Nexus 1000V Series extends networking functions to the hypervisor layer. This solution has two components: the Virtual Ethernet Module (VEM), which is a software line card connected to each virtual machine, and the Virtual Supervisor Module (VSM), which is the management module for controlling multiple VEMs. This solution has lots of advantages, like VM-FEX does, but I think the main advantage is the hardware requirements, because Cisco Nexus 1000V Series is a software solution while VM-FEX requires dedicated hardware.

Cisco Nexus VEM and VSM Components

That’s all my friends. Two Cisco Virtual Networking solutions for your portfolio. Keep learning and keep studying!!

11 February 2019

Unified Fabric and FCoE

I still remember the first Data Center where I worked, almost 10 years ago. There were mainly three racks: one for switches, routers, load balancers and firewalls, another for servers and the third one for the Storage Area Network (SAN). This last rack had a storage array and a tape library along with storage switches. I had to know about networking, security, systems and storage. Those years were amazing because I had just finished my degree in IT engineering at university and I learnt a lot in that Data Center. Thanks, of course, to my workmates.

Why have I highlighted the third rack? Because IT trends are changing. I’m not going to write about virtual servers because they are already here, but I’m going to write about converged infrastructures. Most IT engineers know about Hyper Converged Infrastructure (HCI); others don’t know anything about it yet. The aim of HCI is to bring servers, storage and networking together. This can be achieved thanks to software-defined IT infrastructures. Therefore, the third rack, which I administered as a storage engineer, no longer makes sense because storage is going to live inside the virtual infrastructure as a virtual SAN (vSAN).

Enterprise NAS file services for VMware vSAN

HCI solutions such as VMware vSAN, HPE SimpliVity or Nutanix are increasingly well known and they are gaining market share bit by bit. However, there are also companies that don’t want to install HCI technology yet but first want to converge storage onto FCoE switches. This is an advantage because we can throw away the storage switches and converge onto network switches, such as Cisco Nexus, for both networking and storage. Thus, one kind of switch for everything: fewer cables, less complexity, better efficiency, cost savings, operational simplicity, etc. Lots of advantages.

Unified Fabric and FCoE

As network engineers, we are used to reading IPoE, PPPoE or PoE, three technologies which run over Ethernet. FCoE is similar: it is a technology that encapsulates Fibre Channel frames in Ethernet frames. It’s useful in high-speed networks, like 10 GbE networks, where we can have a SAN built on Ethernet switches instead of dedicated storage switches. Therefore, as network engineers, it’s time to learn about storage, or storage engineers will have to learn about networking.

FCoE - Frame Structure
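To make the frame structure concrete, here is an added example, written for this post rather than taken from it or from Cisco, that builds and parses an FCoE frame in Python following the FC-BB-5 layout: an Ethernet header with EtherType 0x8906, the 14-byte FCoE header (4-bit version, reserved bits, SOF delimiter), the 24-byte FC header plus data field and CRC, and the 4-byte trailer carrying the EOF delimiter. The MAC addresses (FPMA style, default FC-MAP 0E:FC:00 followed by the FC_ID), FC_IDs, exchange ID and payload are constructed values, and zlib.crc32 stands in for the Fibre Channel CRC. One caveat the post does not mention: FCoE depends on lossless Ethernet (Data Center Bridging with priority flow control), so the converged switches must support it.

```python
"""FCoE encapsulation (FC-BB-5): build and parse a Fibre Channel frame carried in Ethernet.

Added example, not the blog's or Cisco's code.  Layout modelled:
  Ethernet header : DA(6) SA(6) EtherType(2) = 0x8906
  FCoE header     : version(4 bits) + reserved(100 bits) + SOF(8 bits) = 14 bytes
  FC frame        : FC header(24) + data field (4-byte words) + CRC(4)
  FCoE trailer    : EOF(8 bits) + reserved(24 bits) = 4 bytes
The Ethernet FCS is appended by the NIC and is not modelled here.
"""
import struct
import zlib

FCOE_ETHERTYPE = 0x8906
FCOE_VERSION = 0
SOF_CODES = {0x2E: "SOFi3", 0x36: "SOFn3"}   # Class 3 start-of-frame delimiters
EOF_CODES = {0x41: "EOFn", 0x42: "EOFt"}     # normal / terminate end-of-frame delimiters

ETH_HDR = struct.Struct(">6s6sH")
FCOE_HDR = struct.Struct(">B12xB")             # version nibble, 12 reserved bytes, SOF
FC_HDR = struct.Struct(">B3sB3sB3sBBHHHI")     # R_CTL D_ID CS_CTL S_ID TYPE F_CTL SEQ_ID DF_CTL SEQ_CNT OX_ID RX_ID Parameter
FCOE_TRAILER = struct.Struct(">B3x")           # EOF, 3 reserved bytes


def _crc(data: bytes) -> int:
    # Stand-in for the FC CRC-32 (same polynomial as Ethernet; bit ordering not modelled).
    return zlib.crc32(data) & 0xFFFFFFFF


def build_fcoe_frame(dst_mac, src_mac, d_id, s_id, ox_id, payload, sof=0x2E, eof=0x42):
    """Encapsulate an FCP command-style FC frame in Ethernet (constructed example values)."""
    if len(payload) % 4:
        raise ValueError("FC data field must be a whole number of 4-byte words")
    if sof not in SOF_CODES or eof not in EOF_CODES:
        raise ValueError("unknown SOF/EOF delimiter")
    fc_hdr = FC_HDR.pack(
        0x06,              # R_CTL: FC-4 device data, unsolicited command
        d_id,              # destination N_Port ID (3 bytes)
        0x00,              # CS_CTL
        s_id,              # source N_Port ID (3 bytes)
        0x08,              # TYPE: SCSI-FCP
        b"\x00\x00\x00",   # F_CTL, left zero in this constructed frame
        0x00, 0x00,        # SEQ_ID, DF_CTL (no optional headers)
        0x0000,            # SEQ_CNT
        ox_id,             # originator exchange ID
        0xFFFF,            # RX_ID: not yet assigned by the responder
        0x00000000,        # Parameter
    )
    fc_frame = fc_hdr + payload
    fc_frame += struct.pack(">I", _crc(fc_frame))
    return (ETH_HDR.pack(dst_mac, src_mac, FCOE_ETHERTYPE)
            + FCOE_HDR.pack(FCOE_VERSION << 4, sof)
            + fc_frame
            + FCOE_TRAILER.pack(eof))


def parse_fcoe_frame(frame: bytes) -> dict:
    """Decapsulate and validate an FCoE frame; raises ValueError on malformed input."""
    min_len = ETH_HDR.size + FCOE_HDR.size + FC_HDR.size + 4 + FCOE_TRAILER.size
    if len(frame) < min_len:
        raise ValueError(f"frame too short for FCoE: {len(frame)} < {min_len}")
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != FCOE_ETHERTYPE:
        raise ValueError(f"not FCoE: EtherType 0x{ethertype:04x}")
    off = ETH_HDR.size
    ver_byte, sof = FCOE_HDR.unpack_from(frame, off)
    off += FCOE_HDR.size
    if ver_byte >> 4 != FCOE_VERSION or sof not in SOF_CODES:
        raise ValueError("bad FCoE version or SOF delimiter")
    fc_end = len(frame) - FCOE_TRAILER.size
    (eof,) = FCOE_TRAILER.unpack_from(frame, fc_end)
    if eof not in EOF_CODES:
        raise ValueError(f"unknown EOF delimiter 0x{eof:02x}")
    fc_frame = frame[off:fc_end - 4]
    (crc,) = struct.unpack(">I", frame[fc_end - 4:fc_end])
    (r_ctl, d_id, _cs, s_id, fc_type, _f_ctl, _seq_id, _df, _seq_cnt,
     ox_id, rx_id, _param) = FC_HDR.unpack_from(fc_frame, 0)
    return {
        "dst_mac": dst.hex(":"), "src_mac": src.hex(":"),
        "sof": SOF_CODES[sof], "eof": EOF_CODES[eof],
        "r_ctl": r_ctl, "type": fc_type,
        "d_id": d_id.hex(), "s_id": s_id.hex(),
        "ox_id": ox_id, "rx_id": rx_id,
        "payload": fc_frame[FC_HDR.size:],
        "crc_ok": crc == _crc(fc_frame),   # integrity of the encapsulated FC frame
    }


def example_frame() -> bytes:
    """Constructed FCP command from FC_ID 01.01.00 to 01.02.00 (FPMA MACs = FC-MAP 0E:FC:00 + FC_ID)."""
    return build_fcoe_frame(
        dst_mac=bytes.fromhex("0efc00010200"), src_mac=bytes.fromhex("0efc00010100"),
        d_id=bytes.fromhex("010200"), s_id=bytes.fromhex("010100"),
        ox_id=0x1234, payload=b"FCP_CMND" + b"\x00" * 24)


if __name__ == "__main__":
    print(parse_fcoe_frame(example_frame()))
```

The checks in parse_fcoe_frame (EtherType, version, SOF/EOF codes, CRC) are the ones a capture tool or FCF performs before trusting the decapsulated FC header; a frame that fails any of them should be dropped rather than forwarded into the fabric.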

These days I’m learning about storage again, though I still remember zoning, HBAs, WWNNs, etc. For instance, what I didn’t know about is NPIV and NPV, which are two new technologies for me. These Fibre Channel features are useful for virtualized infrastructures and large SAN deployments. The first one, NPIV or N-Port ID Virtualization, is interesting for attaching LUNs to virtual machines, while the second one, NPV or N-Port Virtualizer, is able to aggregate the locally connected host ports into one or more uplinks to the core switches.

N-Port Identifier Virtualization (NPIV)

It seems IT engineers will have to converge too. Network engineers will have to learn about storage to install and configure FCoE switches, and/or systems engineers will have to learn about storage and networking too for Hyper Converged Infrastructure (HCI). We’ll see. Meanwhile, keep studying my friends!!

4 February 2019

MACsec for Securing High Speed Deployments

There are increasingly more services off-premises: lots of cloud services and mobile services. There are increasingly more customers who demand high-speed links to consume these services. This is a challenge for service providers because they have to deploy high-speed networks. It’s no longer enough to deploy 10 Gbps or 40 Gbps networks; 100 Gbps networks are already mandatory for lots of businesses.

What’s more, most businesses need to connect remote and branch offices to the cloud or to a remote data center, and they have to encrypt these communications. Today, IPsec is well known and it’s used by most companies who want to encrypt traffic between offices and the data center. However, if we have high-speed links, such as 100 Gbps links, IPsec is useless because encryption is performed on centralized ASIC processors, which has a high performance impact. Thus, if high encryption performance is required, MACsec offers a simplified, line-rate, per-port encryption option for secure next-generation deployments.

Link Speeds Aligning with Encryption Using MACsec

MACsec was standardized as 802.1AE in 2006 to provide confidentiality, integrity, and authenticity for user data in Ethernet networks. Therefore, MACsec is able to encrypt and/or authenticate Ethernet frames. This is amazing because we can encrypt and authenticate data at layer 2 in high-speed networks. It’s like the wireless standard 802.11i (WPA2) but for wired networks; both encrypt at layer 2. It’s interesting how this “new” protocol works: there is a MACsec header, and encryption and authentication are performed per port at line rate.

Defense in Depth

The MACsec header, which is 16 octets long, doesn’t affect Ethernet frame markings such as 802.1p for QoS, 802.1Q for VLANs, or Q-in-Q tags. These marking tags are encrypted along with the payload. What’s more, there are no changes to the destination and source MAC addresses. In addition, a 16-byte Integrity Check Value (ICV) is included at the end of the frame. Therefore, the whole Ethernet frame is authenticated and the user data is encrypted.

MACsec Frame Format

This MACsec header format is right for local area networks (LAN), where we can have a physical interface “per remote site”, but it’s not a good solution for WAN deployments because Metro Ethernet services, like E-LINE VPWS and E-LAN VPLS services, need the 802.1Q tag exposed. Therefore, there is a new enhancement to the MACsec header that exposes the 802.1Q tag outside the encrypted part of the MACsec frame. This enhancement allows service providers to deploy Metro Ethernet services easily.

MACsec Tag in the Clear for a Hub/Spoke Design
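Here is an added example, written for this post rather than taken from it or from Cisco, that decodes the fields described in the two paragraphs above: the 802.1AE SecTAG that follows the source MAC, the secure data that carries the (now encrypted) 802.1Q/802.1p tags and payload, and the 16-byte ICV at the end. The 16-octet header the post cites is the SecTAG with the optional 8-byte SCI included; without the SCI the SecTAG is 8 octets. The parser also recognises the “tag in the clear” layout, where an 802.1Q tag sits between the source MAC and the SecTAG, and reports which fields a Metro Ethernet provider can read. No cryptography is performed: the secure data and ICV in the demo are constructed placeholders, and the MAC addresses, SCI and packet numbers are made up.

```python
"""IEEE 802.1AE (MACsec) frame parser: which fields are in the clear, which are protected.

Added example, not the blog's or Cisco's code.  Layout modelled:
  DA(6) SA(6) [802.1Q(4), only in the "tag in the clear" variant] SecTAG(8|16) secure data ICV(16)
  SecTAG = EtherType 0x88E5 | TCI/AN(1) | SL(1) | PN(4) | SCI(8, present when TCI.SC = 1)
No cryptography is performed: the secure data and ICV used below are constructed placeholders.
"""
import struct

MACSEC_ETHERTYPE = 0x88E5
VLAN_ETHERTYPE = 0x8100
ICV_LEN = 16          # GCM-AES-128 and GCM-AES-256 both produce a 16-byte ICV
SHORT_LEN_LIMIT = 48  # SL is non-zero only when the secure data is shorter than 48 octets


def parse_sectag(buf: bytes, off: int):
    """Decode the SecTAG starting at buf[off]; return (fields, offset of the secure data)."""
    ethertype, tci_an, sl = struct.unpack_from(">HBB", buf, off)
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError(f"expected MACsec EtherType 0x88e5, got 0x{ethertype:04x}")
    fields = {
        "version": tci_an >> 7,             # V bit, must be 0
        "es": bool(tci_an & 0x40),          # ES: SCI is implied by the source MAC
        "sc": bool(tci_an & 0x20),          # SC: explicit 8-byte SCI follows the PN
        "scb": bool(tci_an & 0x10),         # SCB: single copy broadcast (EPON)
        "encrypted": bool(tci_an & 0x08),   # E: user data is confidentiality-protected
        "changed": bool(tci_an & 0x04),     # C: user data differs from the plaintext
        "an": tci_an & 0x03,                # association number (key in use)
        "short_length": sl & 0x3F,
    }
    if fields["version"] != 0:
        raise ValueError("unsupported MACsec version")
    if fields["encrypted"] and not fields["changed"]:
        raise ValueError("TCI combination E=1, C=0 is reserved")
    (fields["pn"],) = struct.unpack_from(">I", buf, off + 4)
    if fields["pn"] == 0:
        raise ValueError("packet number 0 is never transmitted (replay protection)")
    off += 8
    if fields["sc"]:
        (sci,) = struct.unpack_from(">Q", buf, off)
        fields["sci"] = f"{sci:016x}"
        off += 8
    else:
        fields["sci"] = None
    return fields, off


def parse_macsec_frame(frame: bytes) -> dict:
    """Split a MACsec frame into cleartext headers, secure data and ICV (no decryption)."""
    if len(frame) < 12 + 8 + ICV_LEN:
        raise ValueError("frame too short to be MACsec")
    dst, src, off = frame[:6], frame[6:12], 12
    clear_vlan = None
    (ethertype,) = struct.unpack_from(">H", frame, off)
    if ethertype == VLAN_ETHERTYPE:   # WAN "tag in the clear": 802.1Q precedes the SecTAG
        (tci,) = struct.unpack_from(">H", frame, off + 2)
        clear_vlan = {"vid": tci & 0x0FFF, "pcp": tci >> 13}
        off += 4
    sectag, off = parse_sectag(frame, off)
    secure_data, icv = frame[off:-ICV_LEN], frame[-ICV_LEN:]
    sl = sectag["short_length"]
    if sl and len(secure_data) != sl:
        raise ValueError("SL does not match the secure data length")
    if not sl and len(secure_data) < SHORT_LEN_LIMIT:
        raise ValueError("SL must be set when the secure data is shorter than 48 octets")
    return {
        "dst_mac": dst.hex(":"), "src_mac": src.hex(":"),
        "clear_vlan": clear_vlan, "sectag": sectag,
        "secure_data": secure_data, "icv": icv,
        # everything a middlebox can read without the key
        "cleartext_fields": ["dst_mac", "src_mac"] + (["802.1Q"] if clear_vlan else []) + ["sectag"],
    }


def build_macsec_frame(dst, src, secure_data, an=0, pn=1, sci=None, clear_vlan=None, encrypt=True):
    """Assemble a frame around placeholder secure data and a placeholder ICV (constructed, no crypto)."""
    tci_an = (0x20 if sci is not None else 0) | (0x0C if encrypt else 0) | (an & 0x03)
    sl = len(secure_data) if len(secure_data) < SHORT_LEN_LIMIT else 0
    sectag = struct.pack(">HBBI", MACSEC_ETHERTYPE, tci_an, sl, pn)
    if sci is not None:
        sectag += struct.pack(">Q", sci)
    vlan = struct.pack(">HH", VLAN_ETHERTYPE, clear_vlan) if clear_vlan is not None else b""
    fake_icv = b"\xaa" * ICV_LEN   # a real ICV is the AES-GCM authentication tag
    return dst + src + vlan + sectag + secure_data + fake_icv


if __name__ == "__main__":
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    lan = build_macsec_frame(dst, src, bytes(range(60)), an=1, pn=7, sci=0x66778899aabb0001)
    wan = build_macsec_frame(dst, src, bytes(range(60)), pn=7, sci=0x66778899aabb0001, clear_vlan=100)
    for name, f in (("LAN MACsec", lan), ("WAN tag-in-the-clear", wan)):
        print(name, parse_macsec_frame(f)["cleartext_fields"])
```

Run over a capture, the cleartext_fields list and the E bit tell you whether a link is really encrypting, whether it is only authenticating (E=0, C=0), and whether VLAN tags are being exposed to the carrier, which is the check to make before assuming a MACsec-enabled circuit hides tenant VLAN ids from the provider.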

Maybe most of you are wondering whether MACsec is better than IPsec for encryption. As network designers, we should know the business requirements and choose the technology that best fits them. For example, some companies may need MACsec for high-speed networks while other companies will need IPsec for MPLS networks.

Ethernet and IP Encryption Positioning Matrix

That’s all my friends. A new standard for my pocket. I didn’t know about this interesting technology.