Author Archives: cbroccoli

Getting Started with AWS

Having long put off trying out AWS, I have finally taken the plunge and activated an account. As a basic use case, I want to investigate how I can build a standard web site to support a WordPress blog. My plan is to use an EC2 Ubuntu Linux instance to build a standard LAMP (Linux, Apache, MySQL, PHP) server on which I can install WordPress. Amazon provides a tutorial that walks you through exactly this, since it is a very common setup. Not only should this save me a lot of time blundering through the setup, but along the way I hope to gain more insight into how AWS works.

As a first step I walked through the basic setup steps documented in “Setting Up with Amazon EC2” with the following customizations:

  • I configured two IAM groups, one for Administrators and one for Operators, to better understand the RBAC concept. Of course I also needed to set up two users, one as admin and one as operator.
  • I configured a custom VPC with a public subnet.  This is part of the tutorial but may not be necessary.

VPC Setup

I added a standard security group as described in the tutorial, as shown below.

[screenshot: security group]

Once this was done, I moved on to the guide “Getting Started with Amazon EC2 Linux Instances.” I selected an Ubuntu t2.micro instance and configured it with my new VPC and security group. I used the key pair I generated in the tutorial as described and then launched the instance. It took less than a minute to show as running.

[screenshot: instance]

Once it was up, I connected to the instance via PuTTY using the configuration below.

[screenshots: PuTTY session and SSH configuration]

Which worked without any problems…

[screenshot: terminal session]

Since I logged in as the generic user ubuntu with the key pair from the tutorial, the next step is to set up a local user with a real user name, using a privately generated key pair unknown to Amazon, and then disable the generic ubuntu user.
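As an added example of that step (my illustration, not part of the original post or the AWS tutorial), the script below creates the named user, installs a public key generated locally with ssh-keygen or PuTTYgen, restricts sshd to key-only logins for that user, and only then disables the ubuntu account. The user name, the sample public key, the sshd_config.d drop-in path and the systemd unit name are assumptions; the script is a dry run unless HARDEN_APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the original post or the AWS tutorial: replace the
# generic "ubuntu" login with a named admin user whose key pair was generated
# locally, so the private key never passes through AWS.
# Assumptions (hypothetical): user name in NEW_USER, the sshd_config.d include
# directory of current Ubuntu releases, and a systemd unit called "ssh".
set -eu

NEW_USER="${NEW_USER:-cbroccoli}"
# Constructed sample key for illustration only; pass your real key in NEW_PUBKEY.
NEW_PUBKEY="${NEW_PUBKEY:-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDoNotUseThisKey cbroccoli@laptop}"
DROPIN="${DROPIN:-/etc/ssh/sshd_config.d/10-named-admin.conf}"

# Accept only a well-formed OpenSSH public-key line: key type, base64 blob,
# optional comment. Catches pasting a PuTTY .ppk or a private key by mistake.
validate_pubkey() {
  printf '%s\n' "$1" |
    grep -Eq '^(ssh-ed25519|ecdsa-sha2-nistp(256|384|521)|ssh-rsa) [A-Za-z0-9+/]+=*( [^[:space:]]+)?$'
}

# sshd drop-in: only the named user may log in, and only with a key.
sshd_dropin() {
  cat <<EOF
# Managed by the hardening script: named admin user, key-only authentication
AllowUsers $1
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
EOF
}

apply_hardening() {
  validate_pubkey "$NEW_PUBKEY" || { echo "NEW_PUBKEY is not an OpenSSH public key" >&2; return 1; }

  # 1. Named user with sudo rights and no password (key-only login).
  adduser --disabled-password --gecos "" "$NEW_USER"
  usermod -aG sudo "$NEW_USER"

  # 2. Install the locally generated public key with strict permissions;
  #    sshd ignores authorized_keys that are group- or world-writable.
  install -d -m 700 -o "$NEW_USER" -g "$NEW_USER" "/home/$NEW_USER/.ssh"
  printf '%s\n' "$NEW_PUBKEY" > "/home/$NEW_USER/.ssh/authorized_keys"
  chmod 600 "/home/$NEW_USER/.ssh/authorized_keys"
  chown "$NEW_USER:$NEW_USER" "/home/$NEW_USER/.ssh/authorized_keys"

  # 3. Restrict sshd and validate the config before reloading: a typo here
  #    locks you out, and an EC2 instance has no console login to fall back on.
  sshd_dropin "$NEW_USER" > "$DROPIN"
  sshd -t
  systemctl reload ssh

  # 4. Only after a second session as $NEW_USER has been verified: expire the
  #    generic account (a locked password alone does not stop key logins),
  #    remove the AWS-delivered key and the cloud-init sudo grant.
  usermod --lock --expiredate 1970-01-02 ubuntu
  rm -f /home/ubuntu/.ssh/authorized_keys /etc/sudoers.d/90-cloud-init-users
}

if [ "${HARDEN_APPLY:-0}" = 1 ]; then
  apply_hardening
else
  echo "Dry run. Review, then rerun as root with HARDEN_APPLY=1."
fi
```

Run it as root with HARDEN_APPLY=1 after copying the new public key into NEW_PUBKEY; keep the original PuTTY session open until a fresh login as the new user succeeds, since step 3 is the point at which a mistake becomes a lockout.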

Big Switch Networks SDN Controller

I just finished the first lab module on the Big Switch Networks SDN controller. The lab was very well structured and gave me a good feel for how it works and how it compares to managing a similar Cisco-style network. The concepts would take a little getting used to, but my overall impression is that the learning curve would not be that steep. The BSN controller uses a Cisco-like CLI to show and modify the configuration. All components (spine and leaf switches, routers, tenants, etc.) live in the same configuration file, so I can see a CLI-only approach becoming cumbersome after a while, as the file would get very large in a real data center. However, being able to look at specifics of the configuration via the CLI is always nice, and troubleshooting with debug commands is also a great benefit.

The module ended with a review of the GUI, which is probably the way to go for day-to-day operations. Of course in a real production system the biggest benefits will come with orchestration and integration into either an OpenStack or VMware solution.

Here is an excerpt from the running configuration for reference, based on the following topology:

[figure: Big Switch Lab Topology]

54 login: admin
admin@54.166.155.75's password:
Last login: Mon Aug 3 06:39:47 2015 from 54.224.58.210
Big Cloud Fabric Appliance 2.6.0 (bcf-2.6.0 #265)
Logged in as admin, 2015-08-03 07:51:42.971000 UTC, auth from 54.224.58.210
10.37.169.132> en
10.37.169.132# sh run
!
! Big Cloud Fabric Appliance 2.6.0 (bcf-2.6.0 #265)
! Current Time: 2015-08-03.07:51:49
!
version 1.0
! ntp
ntp server 0.us.pool.ntp.org
! aaa
aaa accounting exec default start-stop local
! local
local node
  interface ethernet0
    service openflow
    service secure-api
    service secure-ns-api
    service secure-web
    service ssh
    service sync
    service syslog
    service web
! user
user admin
  full-name 'Default admin'
  hashed-password method=PBKDF2WithHmacSHA1,salt=bfklbm1eiP8UB9Rx2tRbnA,rounds=10000,Ei1Sj4GiBNZchV707iJ1jrXbCa_L26KhmoT5t22cxyg
! group
group admin
  associate user admin
! controller
controller
  name VirgoSupercluster
! switch
switch R1L1
  fabric-role leaf
  leaf-group R1
  mac 00:00:00:02:00:01
switch R1L2
  fabric-role leaf
  leaf-group R1
  mac 00:00:00:02:00:02
switch R2L1
  fabric-role leaf
  leaf-group R2
  mac 00:00:00:02:00:03
switch R2L2
  fabric-role leaf
  leaf-group R2
  mac 00:00:00:02:00:04
switch R3L1
  fabric-role leaf
  leaf-group R3
  mac 00:00:00:02:00:05
switch R3L2
  fabric-role leaf
  leaf-group R3
  mac 00:00:00:02:00:06
switch S1
  fabric-role spine
  mac 00:00:00:01:00:01
switch S2
  fabric-role spine
  mac 00:00:00:01:00:02
switch S3
  fabric-role spine
  mac 00:00:00:01:00:03
! port-group
port-group FW-01
  member switch R3L1 interface R3L1-eth5
  member switch R3L2 interface R3L2-eth5
port-group R1H1
  member switch R1L1 interface R1L1-eth5
  member switch R1L2 interface R1L2-eth5
port-group R1H2
  member switch R1L1 interface R1L1-eth6
  member switch R1L2 interface R1L2-eth6
port-group R2H1
  member switch R2L1 interface R2L1-eth5
  member switch R2L2 interface R2L2-eth5
port-group R2H2
  member switch R2L1 interface R2L1-eth6
  member switch R2L2 interface R2L2-eth6
port-group RTR-01
  member switch R3L1 interface R3L1-eth6
  member switch R3L2 interface R3L2-eth6
port-group RTR-02
  member switch R3L1 interface R3L1-eth7
  member switch R3L2 interface R3L2-eth7
! tenant
tenant External
  logical-router
    route 10.0.0.0/24 next-hop tenant system
    route 10.0.1.0/24 next-hop tenant system
    route 10.0.2.0/24 next-hop tenant system
    route 0.0.0.0/0 next-hop rtr
    interface segment Ext-01
      ip address 10.0.3.1/24
    interface segment Ext-02
      ip address 10.0.4.1/24
    interface tenant system
    next-hop-group rtr
      ip 10.0.3.2
      ip 10.0.4.2
  segment Ext-01
    member port-group RTR-01 vlan untagged
  segment Ext-02
    member port-group RTR-02 vlan untagged
tenant Green
  logical-router
    route 0.0.0.0/0 next-hop tenant system
    interface segment QA
      ip address 10.0.2.1/24
    interface tenant system
  segment QA
    member port-group R2H2 vlan untagged
tenant Red
  logical-router
    apply policy-list FireWall
    route 0.0.0.0/0 next-hop tenant system
    interface segment App
      ip address 10.0.1.1/24
    interface segment FW-01
      ip address 10.0.5.1/24
    interface segment Web
      ip address 10.0.0.1/24
    interface tenant system
    next-hop-group ServiceNode
      ip 10.0.5.2
    policy-list FireWall
      10 permit segment-interface Web any to tenant Red segment App next-hop ServiceNode
      11 permit any to any
  segment App
    member port-group R2H1 vlan untagged
  segment FW-01
    member port-group FW-01 vlan untagged
  segment Web
    member port-group R1H1 vlan untagged
    member port-group R1H2 vlan untagged
tenant system
  logical-router
    route 0.0.0.0/0 next-hop tenant External
    interface tenant External
    interface tenant Green
    interface tenant Red

Latest Read: Security 2020: Reduce Security Risks This Decade

ISBN: 978-0470639559

It must be a sign of the times when you pick up a book published two years ago and wonder whether it is worth reading because it may already be outdated. Things are moving at such a rapid pace that I always have the feeling that what was true two years ago may no longer be valid today. Luckily for me, the information presented in this book is still relevant and provided interesting food for thought. One interesting feature of the book is that, interspersed throughout each chapter, the authors include short discussions from some of their contributors relating to the contents of the chapter. Some of these discussions support the conclusions and some offer alternative conclusions and opinions. In both cases I found the alternative points of view quite interesting, making the book more of a discussion and less of a one-sided lecture.

The book begins with a quick overview of the various topics in IT security, from what malware is to botnets and the evolution of security solutions. The chapter is very concise and covers a lot of ground quickly. In chapters 2, 3 and 4 the book continues with a discussion of the external non-technical influences on security, followed by the technical influences and finally a discussion of various threats. These three chapters cover a lot of ground, touching on almost every topic relevant to IT security today and how the authors feel they will evolve over the next decade.

Chapter 5 then concentrates on Unified Communications and Collaboration (UCC) solutions and the challenges these solutions pose to security professionals, since the measures needed to secure these types of services often “restrict the benefits these types of tools bring to the business.” Within UCC the authors include topics such as email, VoIP, SharePoint, webinars, storage of user-generated content and digital rights management. The authors' conclusion that UCC will evolve significantly over the coming decade and that these changes will have a significant impact on user behavior is definitely true. The challenge of effectively identifying and providing an audit trail for activities in the UCC area is significant and still not solved effectively today.

The authors then take a step back and discuss the history of information security and how it has evolved over time. Among other things, the authors argue that, since adding point solutions to an infrastructure increases the complexity and cost of the overall IT security environment, the future will continue to see the convergence of tools into integrated solutions, much as the melding of technologies into UTM solutions has done.

Chapters 7 and 8 touch on the business and economics of security, ranging from internal IT budgets to macro-economic influences such as another recession.

Chapters 9 and 10 bring it all together with some future scenarios and then the conclusion. I found the future scenarios interesting and some could be considered useful, for example: what if GPS stopped working? Is this relevant to your business? Which services rely on it? Because of this, I feel the most valuable part of chapter 9 was the idea that just writing down a few what-ifs with possible action plans gives you a basis for a quicker reaction if one does actually come true. By reading this book you take one step in that direction, preparing for what might come. Whether the authors have it right or wrong, the most important thing is to have performed the thought exercise, which may give you a head start when faced with one of these topics in the future.

Note: This book review was submitted for CPE credit to ISC2 as part of my CISSP certification requirements.