Tag Archive for Network

HFCC More Secure Than Most

NYC based security reputation firm SecurityScorecard just released its 2015 Higher Education report (PDF), which has some surprising results. According to ArsTechnica, the security startup pegged MIT near the bottom of its security posture list. What the Ars article did not tell us was which universities had excellent security postures.

The other surprising result is that Henry Ford Community College, in Dearborn, Michigan has the 5th best security posture in the SecurityScorecard report of 485 colleges and universities.

Henry Ford Community College

The report says HFCC is among the best at securing its network. HFCC scored well in all phases of the online security studied, including:

  1. Web Application Security,
  2. Network Security,
  3. Endpoint Security,
  4. Hacker Chatter,
  5. Social Engineering,
  6. DNS Health,
  7. IP Reputation,
  8. Patching Cadence, and
  9. Password Exposure.

The report explains that each category consists of dozens of security-risk indicators, resulting in a holistic security assessment.

rb-

As an alumnus and former instructor at HFCC, I say well done!

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Internet of Things Full of Holes

The Internet of Things is big and heading towards huge. The Internet of Things (IoT) is a system where unique identifiers are assigned to objects, animals, or people. These “Things” then transfer data over a network without requiring human-to-human or human-to-computer interaction. Whatis.com says IoT evolved from the convergence of wireless technologies, micro-electromechanical systems (MEMS), and the Internet.

Business Insider believes that the IoT will be the biggest thing since sliced bread. They claim there are 1.9 billion IoT devices today and 9 billion by 2018, which is roughly equal to the number of smartphones, smart TVs, tablets, wearable computers, and PCs combined. Gartner (IT) predicts that there will be 26 billion IoT devices by 2020. Based on a recent article in InfoSecurity Magazine, that is a very scary thing.

The InfoSecurity article says HP (HPQ) found 70% of the most common IoT devices have security vulnerabilities. HP used its Fortify On Demand testing service to uncover security flaws. According to the new study, HP detected flaws in IoT devices like TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales, and garage door openers, as well as their cloud and mobile app elements.

HP then tested them with manual and automated tools and assessed their security rating according to the vendor-neutral OWASP Internet of Things Top 10 list of vulnerability areas. The author concludes that the results raised significant concerns about user privacy and the potential for attackers to exploit the devices and their cloud and app elements. Some of the results are:

  • A total of 250 security concerns were uncovered across all tested devices, which boils down to 25 on average per device,
  • 90% of devices collected at least one piece of personal information via the device, the cloud, or its mobile application,
  • 80% of devices studied allowed weak passwords like 1234, opening the door for WiFi-sniffing hackers,
  • 80% raised privacy concerns about the sheer amount of personal data being collected,
  • 70% of the devices analyzed failed to use encryption for communicating with the Internet and local network,
  • 60% had cross-site scripting or other flaws in their web interface, leaving them vulnerable to a range of issues such as the Heartbleed SSL vulnerability, persistent XSS (cross-site scripting), poor session management and weak default credentials,
  • 60% didn’t use encryption when downloading software updates.

Mike Armistead, VP & General Manager, HP Fortify, explained that IoT opens avenues for attackers.

“While the Internet of Things will connect and unify countless objects and systems, it also presents a significant challenge in fending off the adversary given the expanded attack surface … With the continued adoption of connected devices, it is more important than ever to build security into these products from the beginning to disrupt the adversary and avoid exposing consumers to serious threats.”

HP urged device manufacturers to eliminate the “lower hanging fruit” of common vulnerabilities. They recommend manufacturers, “Implement security … so that security is automatically baked in to your product … Updates to your product’s software are extremely important.”

Antti Tikkanen, director of security response at F-Secure, told InfoSecurity that the problems HP uncovered in this report were just the tip of the iceberg for IoT security risks.

One problem that I see is that while people may be used to taking care of the security of their computers, they are used to having their toaster ‘just work’ and would not think of making sure the software is up-to-date and the firewall is configured correctly … At the same time, the criminals will definitely find ways to monetize the vulnerabilities. Your television may be mining for Bitcoins sooner than you think, and ransomware in your home automation system sounds surprisingly efficient for the bad guys.

rb-

I covered the threats that IoT or “smart” devices presented back in 2012. I don’t know where HP (or the rest of the security community) has been.

The current generation of “smart” devices does not seem to have any security. Most likely the manufacturer did not consider basic security or, worse, calculated that it was better to ignore secure design in the rush to gain market share.

It is also annoying that HP did not reveal the details on the products they tested.


Wiring Closet 3.0

The lowly wiring closet at the edge of the network is evolving. You know the ones that IT shares with the custodians or the women’s lav. The neglected place that connects all end-points into the enterprise network infrastructure. Throughout my career we have moved from 3Com SuperStack hubs to 10/100 SuperStack switches to 100/1000/10000 Cisco 2960 fixed Ethernet devices. In this first edge era, the primary buying criterion was the price per port. Low price was the critical factor. These devices might have had a few network services, but they only provided best-effort connectivity services with little to no operational control, according to Nick Lippis in the Lippis Report 103: Wiring Closet Switches Gain Strategic IT Value Label.

Commoditized network gear created enterprise networks consisting of equipment from different vendors. Purchases throughout the wiring closets, distribution, and core were based mainly on cost. The article says that equipment from multiple vendors is the hallmark of Wiring Closet 1.0. Wiring Closet 1.0 made effective management difficult. Multiple management systems required that organizations keep a large staff with diverse skills to keep up network functionality.

Wiring Closet 2.0

Most organizations are now in the Wiring Closet 2.0 era. As competition drove margins on edge switches into the single digits, the author states that vendors began to add services to a new breed of device. The new features on 2.0 switches created new ways for the vendors to compete on different (rb- and more profitable) fronts beyond price per port. Mr. Lippis argues enterprise trends are forcing IT executives to check projects, programs, and priorities as they seek to drive down Total Cost of Ownership (TCO) while extracting added value from their enterprise network. Business executives expect their IT departments to meet continually growing demands without significant year-over-year network expenditures. (rb– the ever popular more with less argument) The article says the new realities include new mixed traffic patterns and increased desktop bandwidth requirements for new applications, communications, and data center strategies.

Switch vendors recognized these trends. They responded by developing a new type of wiring closet switch. Second-generation switches added significant functionality. The vendors’ goal is to transform the commoditized network edge (rb- low profit) into a strategic IT asset (rb- high profit). The blog says these new switches enable a host of new applications for Wiring Closet 2.0.

  • Quality of Service: Wiring Closet 2.0 switches tag applications like IP telephony and Unified Communications at the access layer to guarantee priority throughout an internal network, and support active monitoring.
  • Power over Ethernet (PoE): Second-generation wiring closets distribute power over Ethernet cables. PoE enables new classes of devices to be powered from the Wiring Closet 2.0, including WLAN access points, video surveillance, and IP phones, as well as specialty devices such as health care instrumentation, point-of-sale devices and soon even laptops.
  • Security: The network edge is the first level of defense. Network Access Control (NAC) and application policing have increased in importance. They are needed to protect the integrity of the network, data privacy, and compliance. Wiring Closet 2.0 switches integrate security features and support security appliances, bolstering defense-in-depth strategies.
  • Wireless Local Area Networking: WLAN integration, which includes access point, PoE, and controller support, increases WLAN coverage. Further, common network management interfaces streamline operational support for both wired and wireless networks.
  • Unified Communication (UC): UC support via PoE to power IP phones and UC end-points, plus unique UC configuration profiles to ensure reliable and stable UC operation.
  • Application Intelligence: Application intelligence is the categorizing of applications as they enter the wiring closet so they can either be marked with QoS or discarded. This enables application policing at the network edge.
  • Layer 3: Full layer 3 forwarding, enabling all the value associated with routing including segmentation and aggregation, is now included in some wiring closet switches.
  • Total Cost of Ownership: The network edge, and wiring closet switches in particular, have a TCO breakdown of 20% capital spend and 80% operational spend according to Gartner (IT). New wiring closet switches are more expensive from a capital acquisition point of view. However, their operational cost is lower. Thus, the total dollar spend over a three-year period will also be lower while delivering increased value to the enterprise.

Wiring Closet 3.0

The IT industry is on the verge of a new era at the network edge. New technologies and requirements will disrupt Wiring Closet 2.0.

  • 10Gbps Ethernet: 10Gbps Ethernet is the future of networking. If the past is a guide to the future, then over time more and more 1 Gbps Ethernet ports will upgrade to 10 Gbps. This will place a strain on wiring closet packet processing performance while driving up 10Gbps port density requirements plus downstream distribution and core switch capabilities.
  • Software-defined networking (SDN): The holy grail of SDN is to separate the network control plane from the data plane. The model I carry in my head is wireless networks. There is a central controller that tells the WAPs what to do, and they do their job without any help from the central controller. This implies that the network devices can be dumber and cheaper.
  • Network Management: Consistent network management means leveraging the same supplier for the network edge, distribution, and core.
  • True Layer 3 Support: To support all the above-mentioned trends and unforeseen applications, wiring closet switches need to support full layer 3 forwarding.
  • Support of UC, Mobility, and Security: This basis of competition is one of the most important attributes to the new network edge. Wiring closet switches need to support both standard interfaces and services for UC, mobility, and security so that mixed vendor solutions may occur.
  • IPv6: If you have wiring closets full of perfectly good Layer 2 switches, there’s no reason to replace them just because you can’t manage them with IPv6. If they work today, they’ll work until they break, and you don’t need to worry about (or budget for) swapping them out any sooner.

IPv6

Dan Campbell, President, Millennia Systems, Inc. suggested in a recent CircleID post that, to manage the move to an IPv6-enabled Wiring Closet 3.0, organizations should strive to use the IPv6 dual-stack migration strategy. This is where IPv6 is added to the existing systems so they can simultaneously function with both IP versions. Tunneling and translation techniques should be used when the dual-protocol configuration is not possible. The mantra of “dual stack where you can, tunnel where you must” is the order of the day.

He advises that starting today, don’t buy another box unless it supports dual-stack operation or offers a clear, well-defined upgrade plan. It doesn’t matter if the manufacturer is “up and to the right” in the latest Gartner (IT) report; anything you buy from now on that is IPv4-only is a waste of valuable resources.

Mr. Campbell tells network administrators that while LAN switches function mainly at layer 2, forwarding Ethernet frames regardless of whether the packet inside is IPv4 or IPv6, some functions on a switch work at layer 3 or higher. They include:

  • Dynamic ARP Inspection (DAI).
  • DHCP Snooping.
  • Multicast Listener Discovery (MLD) Snooping (the IPv6 equivalent of IGMP Snooping).
  • Quality of Service (QoS) marking for upstream Differentiated Services treatment.
  • Access Lists (e.g., VLAN or regular ACLs).

He explains that these features need layer 3 or upper-layer information; Layer 3 is needed to inspect the packet header or payload inside the Ethernet frame. These features may not be things you are doing now, but you never know when you will. Security requirements and hardening guidelines are recommending things like DAI, DHCP Snooping, and ACLs at the access layer.

The more streaming video gets moved to IP networks, the more the need for multicast. MLD Snooping is necessary to improve performance. Finally, the continued convergence of voice, video, and other rich media and interactive applications to IP networks is furthering the need for QoS. It is always best to mark traffic as close to the edge as possible.
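The distinction Mr. Campbell draws, in an added Python example that is not from the CircleID post or this article: a toy switch that needs only the EtherType to forward at layer 2, beside a Dynamic ARP Inspection check that has to parse the ARP payload and compare it against a DHCP snooping binding table. The MAC addresses, IP addresses, port names and bindings are constructed for the demo.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD
ARP_REPLY = 2


@dataclass(frozen=True)
class Port:
    name: str
    vlan: int
    trusted: bool  # trusted ports (uplinks, the DHCP server port) bypass DAI


def ethertype(frame: bytes) -> int:
    """Layer-2 forwarding needs only the 14-byte Ethernet header (dst, src, type)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    return struct.unpack("!H", frame[12:14])[0]


def parse_arp(frame: bytes) -> Optional[Tuple[int, bytes, bytes]]:
    """DAI must read past the header: returns (opcode, sender MAC, sender IPv4)."""
    if ethertype(frame) != ETHERTYPE_ARP or len(frame) < 42:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        return None  # not Ethernet/IPv4 ARP; nothing to validate
    return op, frame[22:28], frame[28:32]


def dai_inspect(frame: bytes, port: Port,
                bindings: Dict[Tuple[int, bytes], bytes]) -> str:
    """Return 'permit' or 'drop:<reason>' for a frame arriving on `port`;
    `bindings` models the DHCP snooping table: (vlan, MAC) -> leased IPv4."""
    if port.trusted:
        return "permit"
    arp = parse_arp(frame)
    if arp is None:
        return "permit"  # IPv4/IPv6/other: DAI does not inspect, L2 forwards as-is
    _op, sender_mac, sender_ip = arp
    if sender_mac != frame[6:12]:
        return "drop:arp-sender-mac-differs-from-ethernet-src"
    leased = bindings.get((port.vlan, sender_mac))
    if leased is None:
        return "drop:no-dhcp-snooping-binding"
    if leased != sender_ip:
        return "drop:ip-does-not-match-binding"
    return "permit"


def build_arp_frame(op: int, sender_mac: bytes, sender_ip: bytes,
                    target_mac: bytes, target_ip: bytes) -> bytes:
    """Constructed test frame: Ethernet header plus a 28-byte ARP body."""
    eth = target_mac + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, op)
    return eth + arp + sender_mac + sender_ip + target_mac + target_ip


# Constructed sample data (not from the article): one VLAN, two snooped leases.
MAC_A, MAC_B, MAC_GW = (bytes.fromhex(h) for h in
                        ("020000000001", "020000000002", "020000000099"))
IP_A, IP_B = bytes([192, 168, 10, 11]), bytes([192, 168, 10, 12])
IP_GW = bytes([192, 168, 10, 1])
BINDINGS = {(10, MAC_A): IP_A, (10, MAC_B): IP_B}
ACCESS = Port("Gi1/0/5", vlan=10, trusted=False)
UPLINK = Port("Gi1/0/48", vlan=10, trusted=True)


def demo() -> Dict[str, str]:
    """The cases DAI separates; the IPv6 frame shows DAI leaving non-ARP traffic alone."""
    good = build_arp_frame(ARP_REPLY, MAC_A, IP_A, MAC_GW, IP_GW)
    mismatch = build_arp_frame(ARP_REPLY, MAC_A, IP_GW, MAC_B, IP_B)  # IP not leased to MAC_A
    ipv6 = MAC_GW + MAC_A + struct.pack("!H", ETHERTYPE_IPV6) + b"\x60" + b"\x00" * 39
    return {
        "good_reply": dai_inspect(good, ACCESS, BINDINGS),
        "mismatched_ip": dai_inspect(mismatch, ACCESS, BINDINGS),
        "same_frame_on_trusted_uplink": dai_inspect(mismatch, UPLINK, BINDINGS),
        "ipv6_not_inspected": dai_inspect(ipv6, ACCESS, BINDINGS),
    }
```

The trusted-uplink case is the reason DHCP snooping and DAI trust settings must be reviewed together: a frame the access port drops is forwarded untouched when it arrives on a trusted port.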


R Social Networks Bad 4 U?

The average U.S. Facebook user spends 6.5 hours a month on the site. There is growing global evidence that using social networks has a negative impact on their users. Not only do social networks open their users to malware (PDF) and identity theft, but the latest research from around the world suggests that social media can impact users’ emotional well-being.

BuzzFeed reports that social scientists at the University of Michigan looked at the impact of social networking. The U of M researchers released new research showing that using Facebook can make you feel bad. The U of M research, published in the online journal PLOS ONE, found that Facebook use predicted declines in the well-being of surveyed participants.

Facebook

The Michigan research indicates that using Facebook negatively impacts how people feel from one moment to the next. It also impacts their overall life satisfaction. As UM social psychologist Ethan Kross explained to BuzzFeed:

“On the surface, Facebook provides an invaluable resource for fulfilling the basic human need for social connection. Rather than enhancing well-being, however, these findings suggest that Facebook may undermine it.”

BuzzFeed points out that the results are just another piece in a larger stack of evidence. The evidence says that increased hours per month spent on Facebook could have a harmful effect on our lives. Professor Kross told the LA Times, “We measured lots and lots of other personality and behavioral dimensions … none of the factors that we assessed influenced the results. The more you used Facebook, the more your mood dropped.”

The Michigan study tested for and discounted alternative reasons that might account for Facebook’s negative impact on happiness. However, the article claims the decreased life satisfaction of Facebook users has more to do with behavioral patterns than the service itself.

The article equates Facebook use with gambling. The author cites Alexis Madrigal‘s article in the Atlantic, “The Machine Zone.” The Atlantic article says that Facebook users, similar to those who play slot machines, are unwittingly lulled into a time-distorting rhythm. They are lulled by repetitive and sometimes rewarding tasks — like looking at an endless stream of your friends’ photos. This behavior can mimic the deleterious effects of gambling and even addiction. The article claims this kind of problem stems from Facebook’s savvy design and engineering. Facebook takes advantage of how humans are wired to keep users on the site.

Social networks in China

TechEye also points out a study from researchers at China’s Beihang University. The Chinese study claims social networking sites are generating a lot of anger. The study, by Rui Fan, Jichang Zhao, Yan Chen, and Ke Xu, examined human emotions on China’s Twitter-like microblogging site Sina Weibo.

After reading 70 million messages from 200,000 users of Weibo, the researchers found that anger spreads faster and wider than other emotions like joy. The TechEye article suggests that posts you write out of anger will have more impact than those expressing happiness. The researchers also found that users with a larger number of friends have a more significant sentiment influence on their neighborhoods. According to the article, the Chinese researchers found that anger among users correlated much higher than that of joy. They concluded that angry emotions could spread more quickly and broadly in the network.

If a user sent an angry message, researchers looked at how likely the recipients were to also send out an angry message or retweet the same emotion. The BuzzFeed article also references a German study. The German study found that Facebook’s social pressures created noticeable stress and feelings of envy. These are emotions that could, ultimately, lead to people abandoning the social network.

Social networks FOMO

A Pew Research Center report released in May 2013 reinforces the risks Facebook faces. According to BuzzFeed, younger users told Pew the stress of needing to manage their reputation on Facebook contributes to their lack of enthusiasm for the social network. Nevertheless, the site is still where a large amount of socializing takes place. The teens reported feeling they need to stay on Facebook to not miss out.

The BuzzFeed article concludes that future social media networks will have to figure out how to survive if they make us sad. The question isn’t exclusive to Facebook. In a recent survey, social media as an industry ranked third to last in consumer satisfaction. Social networks ranked below the airline industry. They state that it’s not hard to imagine a future where users will demand social platforms that are not only intensely engaging but also keenly aware and respectful of how our psychological state works.

As Madrigal notes in his post, “fighting the great nullness at the heart of these coercive loops should be one of the goals of technology design, use, and criticism.” Facebook has succeeded in its mission to connect the world. But we’re only beginning to understand what that means for humanity.


PoE Overworked

Gary Audin at No Jitter warns that Power over Ethernet (PoE) is not always a plug-and-play environment and that PoE should be monitored, managed, and efficient. In this article, Mr. Audin observes that PoE has evolved into an electrical power utility platform for devices. PoE started out as a centralized power source for IP phones, backed up with an Uninterruptible Power Supply (UPS). (rb- Click here and here for my overview of PoE) Since those early Cisco-dominated days, the article says, PoE has been called upon to support wireless access points; environmental controls; pan, tilt, and zoom cameras; lighting control; clocks; door controls; Bluetooth devices; RFID; now laptops, and still more to come.

The LAN switch is the PoE source, but the article warns it can be overwhelmed with the power drain, which produces headaches for IT. Unless properly managed, the PoE function can experience:

  • A blown-out power supply. Smoke is an indicator of this condition.
  • Reduced power to all devices with degraded service from all the attached devices.
  • An added PoE device does not work.
  • The more power is drawn by PoE, the shorter the UPS battery life. The original UPS design could last 20 minutes. Added PoE devices could shorten this to 3 minutes.

PoE IP phones and other devices can signal to the PoE network what class of device they belong to and how much power they may need. Class 0 devices, usually older devices, do not indicate their PoE power requirements. These devices may draw any power level from none to the maximum. The other standard classes, 1-3, range from very low power to mid-level power consumption.

Class 4 is a newer class of device requiring PoE+ (802.3at) and needs to draw more than the 12.95 Watt maximum provided by the original standard PoE. Class 4 devices must be powered by PoE+ ports and may not function correctly on an 802.3af PoE port. Most IP phones are in class 2. IP phones with color screens and other advanced features may be categorized as class 3 devices.

PoE classes

Wireless LAN access points are also common PoE devices, many of which started out as class 2 and 3 devices. As wireless speeds increased, so did the power requirements. The 802.11ac standard means that access points (APs) will have a 1 Gbps connection back to the switches and routers.

At issue is the PoE required. It is likely that each AP could need 20 to 30 watts, the limit that the 802.3at PoE+ standard delivers. Many installed switches cannot support PoE+, so the enterprise has to buy new switches, power supplies, or power injectors. (rb- add this to your site survey when you plan to implement 802.11ac)

Mr. Audin spoke to Tim Titus, CTO and founder of PathSolutions (they happen to sell a network management tool), about what he considers a good approach to monitoring and managing PoE. He told No Jitter,

“Regardless of whether there are any PoE or PoE+ devices on a network, it can be very helpful to monitor the health of our network equipment’s power supplies. The best monitoring system watches the status and power consumption of each power supply, what percentage of utilization it is running, and which interfaces are drawing power, so power policing can be achieved.”

He provided this example of missing power management.

“Keeping an eye on power supplies avoids unpleasant discoveries. One unlucky network administrator had two power supplies installed in a network chassis (one primary and one backup). Unfortunately, when the primary power supply stopped working, nobody knew, since the backup power supply was doing its job of keeping everything running. The problem wasn’t noticed for over six months. Nobody was in the empty remote wiring closet to notice the lack of lights on the power supply. The users remained blissfully unaware of impending doom until the wee hours of a weekend when the second power supply was shut off by a circuit-breaker trip!” 

Mr. Titus pointed out to Mr. Audin that monitoring should happen at the port level,

“Not only will a monitoring system show you what mode a PoE port is operating in, but it should also provide a view of relevant error counters.

  • MPS Absent and Invalid Signature errors frequently point to broken or defective powered devices.
  • Overload conditions and short-circuits typically point to wiring problems (or somebody re-wiring devices in use).
  • Denied errors can point to devices asking for more power than the switch has available, and may indicate that it is time to consider adding another power supply to a large Ethernet chassis.”

How did that happen?

Finally, many network engineers try to buy limited PoE due to the cost premium of PoE ports, only to find that half of their PoE ports are used by non-PoE devices such as PCs. With a monitoring tool, the engineers could have avoided buying expensive PoE ports or purchased less expensive “ordinary” Ethernet ports. The engineers should have an up-to-date PoE port inventory and use it to avoid over-buying PoE by playing it safe in their design. (rb- Been there, done that. I’ve been in many customers’ closets and found PoE switches full of PC and printer access ports.)
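A budget check that ties the PoE classes above to the Denied errors and the port-inventory point, as an added Python example (not from the No Jitter article or PathSolutions’ product). The per-class allocations are the IEEE 802.3af/at PSE values; the 120 W budget, port names and device mix are constructed, and the UPS estimate uses the article’s 20-minute figure with constructed loads.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Power a PSE reserves per port for each PD class (IEEE 802.3af classes 0-3, 802.3at class 4).
PSE_ALLOC_W = {0: 15.4, 1: 4.0, 2: 7.0, 3: 15.4, 4: 30.0}


@dataclass
class PoEPort:
    name: str
    poe_plus: bool                  # True: 802.3at (PoE+) port; False: 802.3af only
    pd_class: Optional[int] = None  # None: no powered device (a PC or printer)


@dataclass
class BudgetReport:
    allocated_w: float = 0.0
    denied: List[str] = field(default_factory=list)            # "Denied" error candidates
    class4_on_af_port: List[str] = field(default_factory=list)
    poe_ports_wasted: List[str] = field(default_factory=list)  # PoE port, non-PoE device


def plan(budget_w: float, ports: List[PoEPort]) -> BudgetReport:
    """Reserve power in port order, as a first-come PSE would, and flag what monitoring should catch."""
    rep = BudgetReport()
    for p in ports:
        if p.pd_class is None:
            rep.poe_ports_wasted.append(p.name)
            continue
        if p.pd_class == 4 and not p.poe_plus:
            # An 802.3af PSE treats a class 4 signature as class 0 (15.4 W); the device
            # may try to draw more than that and misbehave, so record it separately.
            rep.class4_on_af_port.append(p.name)
            need = PSE_ALLOC_W[0]
        else:
            need = PSE_ALLOC_W[p.pd_class]
        if rep.allocated_w + need > budget_w:
            rep.denied.append(p.name)  # more power requested than the supply has left
            continue
        rep.allocated_w += need
    return rep


def ups_runtime_minutes(base_minutes: float, base_load_w: float, new_load_w: float) -> float:
    """Linear estimate of UPS runtime as PoE load grows, battery energy held constant."""
    return base_minutes * base_load_w / new_load_w


# Constructed example: a 120 W PoE budget shared by nine access ports.
PORTS = [
    PoEPort("Gi1/0/1", poe_plus=False, pd_class=2),     # basic IP phone
    PoEPort("Gi1/0/2", poe_plus=False, pd_class=3),     # color-screen IP phone
    PoEPort("Gi1/0/3", poe_plus=True,  pd_class=4),     # 802.11ac access point
    PoEPort("Gi1/0/4", poe_plus=False, pd_class=4),     # same AP on an af-only port
    PoEPort("Gi1/0/5", poe_plus=True,  pd_class=None),  # PC occupying a PoE+ port
    PoEPort("Gi1/0/6", poe_plus=False, pd_class=0),     # legacy device, class unknown
    PoEPort("Gi1/0/7", poe_plus=True,  pd_class=4),     # PTZ camera
    PoEPort("Gi1/0/8", poe_plus=True,  pd_class=4),     # second camera: pushes past 120 W
    PoEPort("Gi1/0/9", poe_plus=False, pd_class=1),     # low-power sensor still fits after the denial
]


def demo() -> BudgetReport:
    return plan(120.0, PORTS)
```

Run against the inventory from a monitoring tool instead of the constructed list, the three report lists map directly onto the Denied counter, the class 4 mismatch warning, and the over-bought PoE ports the article describes.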

rb-

The author warns not to assume that PoE is always a plug-and-play environment. PoE should be handled like a utility: monitored, managed, and efficient.

I have tried to build custom fields by working with reports in SolarWinds’ Orion and with MIBs; it’s not the funnest thing in the world. I wonder if this product does a better job.
