Welcome to Cisco Patch Tuesday…

For some time, us network people have been quietly (ok, sometimes not so quietly!) snickering at our system administrator counterparts. Why? Patches. Every “patch tuesday,” that nefarious day when Microsoft pushes its Windows Updates, across the globe we would walk past the Windows Admin’s cube with just a little bit (ok, sometimes a lot) of smugness and maybe, in some cases, a well-timed remark about the stability and security of our beloved IOS. Then we got to walk past the Linux Admin’s cube as well (ok, it’s the same Admin in the same cube for some of us) and try to console them as their own OS began the endless parade of patches. It seemed like life was pretty good for a network person. Even when Cisco began releasing regular IOS patches for certain vulnerabilities, we (ok me) were able to shrug it off and tell ourselves that these must be pretty isolated, low-risk vulnerabilities. No reason at all for us to fix what wasn’t broken and risk bringing our quietly humming routers and switches to a screeching halt…or reboot anyhow.

Then the unthinkable happened.

Some Security Guy who obviously hates Cisco Admins (well, ok, maybe he just wants to stop the bad guys from doing it first) came up with the first-ever rootkit for IOS and plans on spilling the beans soon. Then, as if that weren't enough, Cisco announced a patch for a DoS vulnerability in SSH, which I'm planning on moving all our network devices to soon since it's more secure than telnet. Gulp…ok, you have my attention.

Trust me, I want to believe the older network people who say you really shouldn’t touch your IOS unless it’s causing you problems or you need additional features an update can provide. It certainly makes life easier since the process for upgrading an IOS image is tedious at best and nerve-wracking at worst. Still, there are more and more vulnerabilities being found for IOS versions every day and any company has to be concerned about something like an SSH Denial of Service vulnerability. The way I see it, if it’s a vulnerability that would force me to push a patch or an update to a server, why wouldn’t I update my IOS for it?

Oh, the conundrum…fall into the dark pit of despair of continuous patching, or endlessly worry that we're leaving a gaping security hole open…

Do You Know the Way to Use eBay? Yes, I do…

Well, I probably blew too much of my last paycheck on hardware, but my CCNP lab is finally starting to take shape!!! So far, here's the list:

1 - 2950 (I want at least another one of these, probably more for BCMSN)
1 - 1710 (I hope this will help with ONT and ISCW and plan on getting another)
2 - 2501s (For the price, I just couldn't pass them up!)

I know…not much there…yet, but you’ve got to start somewhere! As soon as I get them all set up I will be taking pictures to post.

US Cyber-Security “Manhattan Project” - Should We Be Afraid?

Apparently, the US government has decided that it's not enough to secure its own systems and networks and allow corporations to do the same. Department of Homeland Security chief Michael Chertoff is afraid enough of a major attack against US financial institutions that he has called for a US Cyber-Security "Manhattan Project." I can't help but wonder if I'm the only one made nervous by a project involving the government and the internet that is named after the project to create the first atomic bomb.

Basically, most of the details of this proposed project are classified, but from what can be read, it involves the NSA monitoring America's internet traffic and Google searches for signs of a cyber attack. I can't help but have mixed feelings. Of course, like most people, I've already accepted that very little of what we do online is private, and I would hope that a major attack, such as a distributed attack against financial institutions, would be thwarted. Still, I can't say I feel much safer with even more of the government's eyes on my searches and online activities. Who is to say that down the line simply doing research about vulnerabilities, something I do every day in the course of doing my job, might not bring me squarely onto the government's radar as a potential threat? Would they wait and see whether I used anything I was researching for good or ill, or simply decide to act preemptively to protect the nation from what I might do?

I don't even pretend to have the knowledge or skills to be a threat to anyone, nor would I want to harm anyone's interests, but that doesn't mean a large net cast widely wouldn't scoop up even someone as mundane as me. It's a Brave New World, Mr. Orwell.

New Net Neutrality Bill Proposed to Congress

I just read that a new net neutrality bill has been proposed in Congress. This is interesting, as it comes not long after I had an interesting conversation with someone about my QoS studies for ONT and the ways such technologies might be used to do away with net neutrality.

I'm a huge believer in net neutrality, the premise that ISPs should not be able to pick and choose which content gets priority and give faster speeds to websites or servers that can pay higher fees, beyond just their uplink speed. Without it, if I wanted my site to be seen by the most people or to have a faster download time, I'd not only have to get a fast connection to my server, but also pay for my traffic to get priority through the ISPs' networks. In effect, smaller companies and individuals would be drowned out by those with more money, reducing those without the money or power to the internet version of a public access cable channel while the fat cats would be HDTV premium cable channels. To those of us who began using the internet back when it was mainly the home of university students, intellectuals, and the geek fringe, full of horizontal rules and new ideas, this idea is repulsive. It would be the barbed wire fences destroying our open frontier and leaving so many of us to tell stories of the "good old days" like so many antiquated cowboys.

On the other hand…there is a need for businesses to be able to prioritize traffic, both within their own private networks and over the WAN links that connect their sites. Essentially, QoS (Quality of Service) technologies arose out of the need to give small VoIP (Voice over IP) packets priority so that calls could be made over networks that share bandwidth with data without jitter or choppy, hard-to-understand conversations. If I have a network like this and limited bandwidth on my connections between sites, I want to be able to set priorities on the types of traffic I send over those links and then have those priorities honored by any ISP-owned devices between my sites.
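As an added example of the "voice first over a thin WAN link" case described above (this is illustrative configuration written for this page, not the author's lab config and not from any Cisco document), the following IOS MQC policy puts VoIP bearer traffic into a strict-priority queue, gives call signaling a guaranteed slice, and leaves everything else to share what remains. The interface name, the T1 bandwidth, the 256 kbps voice cap and the RTP port range are assumptions; adjust them to the real link and codec count.

```cisco
! Classify voice bearer traffic: either already marked EF, or RTP in the
! assumed Cisco IP phone port range (starting port 16384, range 16383).
class-map match-any VOICE-BEARER
 match ip dscp ef
 match ip rtp 16384 16383
!
! Call signaling (assumed to arrive marked CS3 by the call manager/phones).
class-map match-any VOICE-SIGNALING
 match ip dscp cs3
!
! Low Latency Queueing policy for the WAN edge.
! "priority 256" is a strict-priority queue capped at 256 kbps (assumed
! enough for a handful of G.729 calls) so voice cannot starve data;
! anything above the cap in the priority class is policed, not queued.
policy-map WAN-EDGE
 class VOICE-BEARER
  priority 256
  set ip dscp ef
 class VOICE-SIGNALING
  bandwidth 32
  set ip dscp cs3
 class class-default
  fair-queue
!
! Apply outbound on the assumed T1 toward the remote site. The "bandwidth"
! statement must reflect the real link rate, because LLQ/CBWFQ percentages
! and the priority policer are computed from it.
interface Serial0/0
 description Assumed 1.544 Mbps T1 to branch office
 bandwidth 1544
 service-policy output WAN-EDGE
!
! Verification: per-class packet/byte counters, drops, and whether the
! priority class is hitting its policer.
! show policy-map interface Serial0/0
```

Two practitioner caveats. First, this policy only controls the queue on the interface it is applied to; the DSCP values it sets survive across the provider's network only if the ISP contractually honors them (or maps them into its own classes), which is exactly the "followed by any devices owned by the ISP" part of the argument above. Many providers re-mark customer traffic to best effort unless a QoS-aware service is purchased. Second, the priority class is policed to its configured rate even when the link is idle, so undersizing it will drop voice packets rather than delay them; size it from the codec and the expected number of concurrent calls.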

As I was trying to explain in my conversation about this earlier, QoS is simply a set of technologies, neither good nor bad.  Yes, this could be used to destroy net neutrality, but it can also be used to let a poor startup make the most out of the bandwidth they can afford and continue to compete.  Like any technology, it is how it is used and what the intention is that determines whether it is good or evil.