Selected as NFD 15 Delegate

Last year I was pleased to be selected for Networking Field Day 12 in Silicon Valley. The event was amazing, and I was able to learn from, and publish tons of great information about, companies ranging from the big guys like Intel to smaller startups like Teridion, Kentik and Nyansa, plus a few presentations that made my brain bleed, like those from Brocade.

For me the Networking Field Day events are about collaborating with amazing people: working with some of the best people in the industry, learning from and interacting with up-and-coming tech companies, and keeping myself ahead of the technology curve.

My huge takeaway from that event was that SD-Networking is not coming, it is here: innovations in microsegmentation from the likes of Illumio, and new ways of thinking about networks and applications from companies like ThousandEyes.

What is cool about Networking Field Day is that, while I have been selected as a delegate, everyone can participate. The event is as interactive as Cisco Live (or more so): you can attend virtually as a community contributor, every event is live streamed, you can send in your questions on Twitter, and I promise you, someone WILL ask it.

So head over HERE to check out who and what will be happening at Networking Field Day 15, April 6-7. As of this writing we have IP Infusion and TelioIP presenting, but more will be announced soon.

Live video links will be posted on the Networking Field Day page, on my page and on Twitter during the event, so grab that extra monitor and a pair of headphones and join in on the action. Besides, it’s FREE!

Vault7 Lessons – Zero Trust

Zero-day exploits, custom and tailored malware, compromised people: all things we have no way to protect against using signatures, because a signature can only describe something that has already been seen.

Signatures have been our life in security for a long time: virus update packs, signature updates. Vendors like Cisco have even built large and expensive security research teams like Talos, with over 250 researchers who look for new malware, take it apart and then build protection against it, in almost real time. This means we are reasonably well protected from things we already know about, and only from those.

I still wash my hands

What? That is because I don’t trust my palms when they are not clean. If I trusted that my immunizations and the new “flu” vaccine gave me everything I needed, I could run around never washing my hands, but we all know the flu vaccine only covers last year’s strains and SOME of what is coming.

Then why are firewall IPS signatures and antivirus signatures considered enough by so many corporations and end users?

Trust No-One

“Sorry boss, but there’s only two men I trust. One of them’s me. The other’s not you.” – Cameron Poe (character in Con Air, played by Nicolas Cage)

Anyone that knows me knows I tend to use movie quotes a lot. Customers look at me funny when I say something similar: trust nobody, don’t even trust me. Every person, machine or connected object could become “weaponized”. The minute you start trusting, you are opening the door. We all lock our front doors but we do not lock our interior doors; if you found out someone else MIGHT be running around with a universal set of keys, you might start locking that bedroom, and maybe with a different kind of lock so that the person with the universal key has a harder time. So why do we rely on traditional perimeter firewalls so much and then leave our interior networks wide open?

Vault7 – Wikileaks

The latest release from Wikileaks proves the need for zero-trust models. If the CIA was using vulnerabilities that were not publicly known, then no vendor had a patch or a signature for them, and hackers and other bad actors in your networks could be using the same holes, whether they found them independently or picked them up from a leak like this one. The CIA is very well funded, and this release provides a glimpse into how well organized and funded they are. I want to be clear, this isn’t a negative comment towards the CIA; in actual fact I would have been surprised if they were NOT doing everything they could to protect the country.

This is a very good glimpse inside an organized cyber activity program, and what we need to learn from it is simple: zero trust or bust.

There is a small silver lining to such a leak: this view into an organized and well-funded cyber program, and the tools, tactics and methods it used, will help organizations learn how to protect themselves. Not that we didn’t know much of this before, but it will help harden and strengthen networks as a whole. A wake-up call, a chance to learn, and a chance to realize that well-funded adversaries (which organized crime groups are) can mount cyber campaigns of significant complexity and capability.

Bad Actors Are Everywhere

Do not think for a second that others around the globe are not doing the exact same thing; foreign governments and organized crime are very much involved in these activities as well. It is just that in this case Wikileaks is calling out the CIA because that is the leaked data they received. We can learn from this, and we can become a more security-conscious information technology industry.

Zero Trust Design

A new world of security products has started to emerge, and new design philosophies are being suggested, but it does require a paradigm shift in thinking, and the realization that security will start to impact users’ day-to-day lives a bit. No different than when seatbelts became mandatory.

Encryption In The Way

On a recent podcast (Cisco Champion Radio) Peter Jones from the Cisco Catalyst team tossed out this quote (sorry, I do not have the original writer’s name): “The days of scratch and sniff on packets is over”. Everything is encrypted. Starting with Chrome 56 in January 2017, Google flags any HTTP page that collects passwords or credit card details as “Not secure”, and the majority of network traffic is now encrypted.

That means payload-based technologies like NBAR and other deep packet inspection (DPI) engines lose most of their visibility: once the payload is TLS, all they have left to classify on is what is still in the clear, such as IP addresses, ports and the server name in the TLS handshake. That makes managing our networks more difficult.

Technologies like Tor go further, wrapping traffic in layered (telescoping) encrypted tunnels to anonymize it as it crosses transport networks; DPI is useless there.

Network-As-A-Sensor / Enforcer

Technologies like Cisco Stealthwatch (previously Lancope) analyze NetFlow data, which does not require any payload: it baselines what normal traffic looks like for each host, scans for deviations from that baseline, and then provides analysis.

Tetration collects network flows and then builds connectivity patterns, looking for deviations from baselines. It is similar to Stealthwatch but adds a component of unsupervised machine learning.
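To make the flow-based approach concrete, here is an added example (my own illustration, not Stealthwatch or Tetration code) that does the two things described above on constructed NetFlow-style records: it learns a per-host baseline of peers, ports and daily byte volume, then flags a host that starts talking to a new external peer and pushes far more data than usual. Every address, port and byte count is made up for the demonstration, and the thresholds (a z-score of 3 and a 10% minimum tolerance on the baseline) are my assumptions. Nothing in it looks at payload, which is exactly why it keeps working when everything is TLS.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One flow record: metadata only, as a NetFlow/IPFIX exporter would give us."""
    src: str
    dst: str
    dport: int
    proto: str
    octets: int
    day: int          # index of the observation window the record belongs to


def build_baseline(flows):
    """Learn what 'normal' looks like per source host from historical flows:
    the set of (dst, dport, proto) peers it talks to, and the mean and
    standard deviation of its per-day byte volume."""
    peers = defaultdict(set)
    per_day = defaultdict(lambda: defaultdict(int))
    for f in flows:
        peers[f.src].add((f.dst, f.dport, f.proto))
        per_day[f.src][f.day] += f.octets
    volume = {}
    for host, days in per_day.items():
        totals = list(days.values())
        volume[host] = (mean(totals), pstdev(totals))
    return {"peers": dict(peers), "volume": volume}


def detect(baseline, flows, z_threshold=3.0, min_rel_sigma=0.1):
    """Compare new flows against the baseline and return alerts for
      - new_peer:     a (dst, dport, proto) never seen from this host before
      - volume_spike: a day's byte total more than z_threshold standard
                      deviations above the host's baseline mean
    min_rel_sigma (assumed value) stops a perfectly steady baseline
    (sigma == 0) from turning every tiny fluctuation into an alert."""
    alerts = []
    per_day = defaultdict(lambda: defaultdict(int))
    for f in flows:
        known = baseline["peers"].get(f.src, set())
        if (f.dst, f.dport, f.proto) not in known:
            alerts.append({"type": "new_peer", "host": f.src, "dst": f.dst,
                           "dport": f.dport, "proto": f.proto, "day": f.day})
        per_day[f.src][f.day] += f.octets
    for host, days in per_day.items():
        if host not in baseline["volume"]:
            continue                      # unknown host: new_peer already fired
        mu, sigma = baseline["volume"][host]
        sigma = max(sigma, min_rel_sigma * mu)
        for day, total in days.items():
            if sigma == 0:                # baseline host that never sent bytes
                z = float("inf") if total > mu else 0.0
            else:
                z = (total - mu) / sigma
            if z > z_threshold:
                alerts.append({"type": "volume_spike", "host": host, "day": day,
                               "bytes": total, "z": round(z, 1)})
    return alerts


# Constructed sample data (not real traffic): three days of history for two
# internal hosts, then a fourth day in which 10.0.0.5 starts sending a lot of
# data over HTTPS to an external host it has never talked to before.
HISTORY = [
    Flow("10.0.0.5", "10.0.1.10", 5432, "tcp", 1_000_000, 1),
    Flow("10.0.0.5", "10.0.1.10", 5432, "tcp", 1_100_000, 2),
    Flow("10.0.0.5", "10.0.1.10", 5432, "tcp",   900_000, 3),
    Flow("10.0.0.6", "10.0.1.20",  443, "tcp", 2_000_000, 1),
    Flow("10.0.0.6", "10.0.1.20",  443, "tcp", 2_000_000, 2),
    Flow("10.0.0.6", "10.0.1.20",  443, "tcp", 2_000_000, 3),
]
TODAY = [
    Flow("10.0.0.5", "10.0.1.10",   5432, "tcp",  1_050_000, 4),  # business as usual
    Flow("10.0.0.5", "203.0.113.7",  443, "tcp", 50_000_000, 4),  # new peer, 50 MB out
    Flow("10.0.0.6", "10.0.1.20",    443, "tcp",  2_100_000, 4),  # within normal range
]


def run_demo():
    """Build the baseline from HISTORY and score TODAY against it."""
    return detect(build_baseline(HISTORY), TODAY)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

A signature-based IPS sees nothing wrong with the second flow on day 4: it is just TLS to port 443. The flow detector raises two alerts on it, a never-before-seen peer and a day whose volume is hundreds of standard deviations above the host’s norm, without ever decrypting a byte.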

MicroSegmentation

Cisco ACI operates on the principle of microsegmentation between endpoint groups in the data centre, locking down interactions between objects in the network (assuming you implement it correctly). The way I explain ACI to my clients is simple: the network is turned on its head, from “trust everything” (in a typical switch/router arrangement) to “trust nothing”, where every interaction between groups requires a rule (a Contract). One caveat: by default that rule is required between EPGs; endpoints inside the same EPG can still talk to each other unless you also turn on intra-EPG isolation.

Then we have breakout companies like Illumio who are thinking a little differently: in their view each system already has a capable packet filter in its operating system, so without changing the network at all they orchestrate those host firewalls to provide microsegmentation. Great content on Illumio can be found on Tech Field Day 12 – Click Here for that.
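Both the ACI contract model and the host-based approach come down to the same thing: a default-deny allowlist of which groups may talk to which, on which ports. The added example below (my own illustration, not ACI or Illumio code) evaluates constructed flows against a small contract set and then renders the same policy as inbound host-firewall rules for one host, the way a host-based enforcer would push it. The EPG names, address ranges, contracts and the iptables rule strings are all assumptions for the demonstration, and the rules are returned as text, not executed. Contracts are treated as directional (the consumer initiates, the provider listens), with return traffic covered by connection tracking.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Contract:
    """One allow rule: endpoints in `consumer` may open `proto`/`port` to `provider`."""
    consumer: str
    provider: str
    proto: str
    port: int


# Constructed example policy (hypothetical EPG names and address ranges).
EPGS = {
    "web": [ipaddress.ip_network("10.0.0.0/24")],
    "app": [ipaddress.ip_network("10.0.1.0/24")],
    "db":  [ipaddress.ip_network("10.0.2.0/24")],
}
CONTRACTS = [
    Contract("web", "app", "tcp", 8080),   # web tier may call the app tier
    Contract("app", "db",  "tcp", 5432),   # app tier may call the database
]


def epg_of(ip, epgs=EPGS):
    """Map an address to its endpoint group, or None if it is in no group."""
    addr = ipaddress.ip_address(ip)
    for name, nets in epgs.items():
        if any(addr in net for net in nets):
            return name
    return None


def permitted(src, dst, proto, dport, contracts=CONTRACTS):
    """Default deny: a flow passes only if a contract names exactly its
    consumer EPG, provider EPG, protocol and destination port.
    Returns (allowed, reason)."""
    c_epg, p_epg = epg_of(src), epg_of(dst)
    if c_epg is None or p_epg is None:
        return False, "endpoint not in any EPG"
    for c in contracts:
        if (c.consumer, c.provider, c.proto, c.port) == (c_epg, p_epg, proto, dport):
            return True, f"contract {c.consumer}->{c.provider} {c.proto}/{c.port}"
    return False, f"no contract {c_epg}->{p_epg} {proto}/{dport}"


def audit(flows, contracts=CONTRACTS):
    """Run observed (src, dst, proto, dport) tuples through the policy and
    return the ones that would be dropped, each with its reason."""
    denied = []
    for flow in flows:
        ok, reason = permitted(*flow, contracts=contracts)
        if not ok:
            denied.append((flow, reason))
    return denied


def host_rules(host_ip, contracts=CONTRACTS, epgs=EPGS):
    """Host-based enforcement: express the contracts this host *provides* as
    inbound rules for its own packet filter. iptables syntax is used purely
    as an illustration; the strings are returned, not executed."""
    my_epg = epg_of(host_ip, epgs)
    rules = ["iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for c in contracts:
        if c.provider != my_epg:
            continue
        for net in epgs[c.consumer]:
            rules.append(f"iptables -A INPUT -p {c.proto} -s {net} --dport {c.port} "
                         f"-m conntrack --ctstate NEW -j ACCEPT")
    rules.append("iptables -P INPUT DROP")   # anything not named above is denied
    return rules


# Constructed sample flows: one legitimate call, one tier-skipping attempt
# (web straight to db), one in the reverse direction, one from an address
# outside every EPG.
SAMPLE_FLOWS = [
    ("10.0.0.7",  "10.0.1.3", "tcp", 8080),
    ("10.0.0.7",  "10.0.2.9", "tcp", 5432),
    ("10.0.1.3",  "10.0.0.7", "tcp", 8080),
    ("192.0.2.1", "10.0.1.3", "tcp", 8080),
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print("DENY", flow, reason)
    print("\n".join(host_rules("10.0.2.9")))
```

The point of the second function is that the policy is the same whether the fabric enforces it (ACI) or each host does (Illumio’s model): a database server’s own firewall ends up allowing 5432 only from the app subnet and dropping everything else, so a compromised web server cannot reach it directly, however wide open the underlying switches are.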

Final Thoughts – What Does This Mean?

This should be a wake-up call: stop thinking traditionally and start realizing the threats are out there. Realize that exploits spend years in the wild without detection and that ZERO TRUST is the only model that matters anymore. Do not rely on signatures and definitions to protect you. A layered approach to security is your only defense against a growing world of threats; firewalls and intrusion prevention alone are no longer good enough. You need a strategy and a plan to protect yourself, because it is not a matter of if but when, and you had better be ready to respond.

Trust No-One.


Cisco DNA Series: DNA Goes Virtual

DNA Goes Virtual

A huge update to the Cisco DNA strategy has been released, and it comes with some pretty big news. I am going to distill it down to the need-to-know and give you the low-down.

We have all seen SDN (Software Defined Networking) take off and commodity hardware become more and more popular, like the Trident 2 powered Nexus 3K models. With the move to software-driven infrastructure, Cisco is virtualizing it all: ISR, ASA, WLC, WAAS, and even 3rd party applications.

In addition, they have a new platform to host it all, and it is all going to be automated.


What are we virtualizing?

Well, just about everything. The idea is to run an entire branch office in a box. Yes, you have heard this before, but this is different: this is not an ISR with a UCS-E blade (although you could do that). This is about choice.


ISR: You can run most ISR features virtualized; if you are using the new platform (later in this post) you can even use NIM modules. Voice modules are exempt.

WLC:  Totally virtualized WLC

ASA: Virtualized security with virtual ASA and threat defense

WAAS: Nuff said.

3rd Party: I don’t do a lot of rumors, but through DevNet you will be able to deploy certified 3rd party application services, and even Windows, Linux and other OS VMs, within the virtualized DNA platform.

Cisco Launches ENCS

For a new DNA design we need new DNA hardware. Cisco is announcing the first hardware platform designed specifically for the DNA architecture: the ENCS 5400 series.

Think of this as the combination of an ISR and a UCS server in one.


CPU: 6, 8 or 12 core Xeon D options today

Memory: 16-64 GB

Storage: M.2, plus dual hard drives with hardware RAID as an option

Hardware acceleration for VM traffic, switching and crypto

The best part is that you can run your own VMs on this platform alongside all of the virtualized Cisco kit, all of it managed by APIC-EM.

What are we running this on?

Almost anything: an ISR with UCS-E, UCS servers, public clouds, or the new ENCS 5400 platform. Run it in the cloud, run it on premises on all sorts of “NFV” gear, or on a traditional routing platform. Control it all with APIC-EM.


Cisco One Licensing – Future Proof Licensing

Many of my clients have asked “Tell me why Cisco ONE is a good value”, and the argument has been difficult if you are not on a 2-3 year refresh cycle, but with virtualized platforms the Cisco ONE story just became compelling. If today you have a physical ISR 4K router with Cisco ONE, you can migrate to an NFV platform like the ENCS without repurchasing your licensing.

Not only does Cisco ONE protect your licensing investment, it now allows you to migrate to a new platform. Not everyone is ready for NFV today, but it means moving to NFV later doesn’t involve purchasing all new licensing, and moving to cloud services with NFV in the cloud could come at very limited cost.


Cisco Live! on a Budget – 2017

Last year I wrote a great article on “Making your Case for Cisco Live” – Click Here. That article was all about how to get your boss to pay for Cisco Live, and why Cisco Live is great value. If you have not read it, go back and read it. I even provide some tips on how to get free passes if you are a Cisco customer, and on how to show your boss that Cisco Live! is cheaper than traditional training.

Why Cisco Live?

First, I want to talk about WHY you need to get to Cisco Live US (#CLUS): for your career, for your job, for YOU.

Cisco Live! has some great tips on why to attend (I will not list them all – CLICK HERE), and I will show you all the right reasons.

There’s Never Been a Better Time – to go to Cisco Live and find out what you have been missing.

  • Breakout Sessions, Content, Content, Content…
  • DevNet
  • Seminars
  • Walk In Labs
  • World of Solutions

The bottom line is that there is more to do at Cisco Live than you have time for, and you really do need to think about and plan how to get the most out of your week.

I am budget constrained!

No problem. If getting your boss to pay is a problem, or you need to go on a budget (still, get the boss to pay; you need to really make your case!), this will give you tips on how to get the most for the least at Cisco Live!

A full trip to Cisco Live! with the full conference pass is going to cost you close to $5000 USD. That is the bottom line: between airline tickets, the $2300+ full conference pass and hotel, you are approaching some big bucks. Don’t let this get you down; you are still going, and for much less.

The Explorer + Social Pass – The Hidden Gem

I am sure the event does not want everyone figuring this out, but the Explorer Pass is the best value, and I will show you how to save yourself $1900 right now and still experience it all. Yes, all of it.

$249 – Miss (Almost) Nothing.

For the price of the “Explorer + Social” pass, which is only $249, the only things you are missing at Cisco Live! are the following:

  • Cisco Live T-Shirt (Trust me, you will go home with enough T-Shirts!)
  • Cisco Live Bag (If you ask around, tons of people give their away you could get one)
  • Breakfast and Lunch (Read my blog HERE about breakfast – not a big deal IMO)
  • Breakout Sessions (I will address this)
  • Your attendance does not count towards NetVet status
  • No Free Certification Exam

If you want to save an extra $150 you could get only the “Explorer” pass, but then you miss out on the “Social” part of Cisco Live, and I DO NOT recommend this; there have been enough blogs out there about why Cisco Live! is all about SOCIAL.

What do you get?

DevNet Zone

Are you a developer? Do you want to be? Are you getting interested in SDN, SD-WAN, XML and REST APIs, and trying to catch up in this new software-defined, programmatic world we are in? Then the DevNet Zone is for you; you could literally hang here all week, as there are tons of activities and learning opportunities. This area should be called the “Industry Shift Zone”, because this is where you will see what really is up and coming, and new ways of thinking. Not to be missed.

World of Solutions

This is where everyone goes for free stuff, but it is also where you go to learn from everyone who sells complementary products, and they don’t tend to send only marketing people but real engineering types. Here is the secret: Cisco has over 30% of the floor space in World of Solutions. Lots of the content you see in breakouts is duplicated here, and you can go one-on-one with a lot of the product teams. I try to track down those hard-to-find Cisco engineering types on specific technologies, get some answers and learn about things. Another cool trick: if you want to integrate product A with product B, perhaps linking ACI with the ASA firewall, go to the ACI booth and then drag that person over to the ASA booth (or vice versa) and have a conversation. OK, be nice about it, but you get the idea. WORLD OF SOLUTIONS IS WORTH THE PRICE OF ADMISSION ALONE. You could spend all week in here.

Customer Appreciation Event (CAE)

It is a concert, it is a great time, and you get to see, hang out with, learn from and collaborate with like-minded people. The nerd knobs never stop, and the CAE is a great place to network.

KeyNotes

You still get access to the keynotes, and there is nothing more inspiring than listening to some of these amazing speakers live and in person. If you don’t make it into the hall, don’t worry, it is simulcast all over the event.

Breakouts via Cisco Live! 365 Access

Didn’t I just say you don’t get breakouts? That’s right, live you don’t, but who says you need to see them LIVE? With access to Cisco Live 365 online you can see almost every single breakout. “But what if I have questions?” Well, there is a good chance someone will ask it.

Here is another tip: go ahead and watch the breakouts you WOULD have seen, from Cisco Live Europe, on Cisco Live 365 before the event. Now you are ahead of the game. Once you reach the event, you can use your access to World of Solutions or DevNet to go ask questions.

Lodging

No question, this can get expensive. If you stay at the Mandalay (assuming you get a room) you are at $490/night and up, which is CRAZY. If you stay just two doors down at the Excalibur, rooms as I write this are $69, and it is walking distance, or you can take the tram. There are rooms for as low as $49 a night, and if you read my blog from last year, you won’t be in your room much anyway.

Travel

This is where it becomes difficult, because travel is always a challenge, and I don’t know where you are coming from, but you need to get “fancy”.

Drive

If you are in the western half of the USA you have Friday night till Sunday night to get there, so you don’t lose much of your work day, and driving might be an option for you. Don’t worry about parking: if you are a member of any M life hotel program (free sign-up) parking is free, or maxes out at $30 (if you “lose” your ticket), and there are many other free parking offers.

If you drove from Chicago and back it would cost you about $270 in fuel in an average car; leave the F-150 at home and grab that Toyota Echo.

Even if you are coming from as far as Florida or Chicago, this drive is doable, and can anyone say ROAD TRIP!?

Fly

I am not an “American flight expert”, as I am Canadian, but Google Flights, Travelocity and tons of other sites let you find reasonable flight options. As I look right now you can get flights that run from $300-600, and if you play with your dates you can reduce that a bit; remember that it might be worth staying an extra night on either end to bring the flight cost down.

The Sub – $1500 Live Trip

You can do it: $249 for your ticket, $276 for your room, $600 for your flight, and a little spending money for food. YOU CAN DO THIS for less than $1500.

So what are you waiting for? CLICK HERE NOW, see what you would miss out on, and sign up now.


Cisco has chosen ThinkTel for Spark Calling in Canada

While no real announcement has been made yet, we knew that Cisco Spark voice in Canada was coming soon.

ThinkTel, a company previously known to many as Distributel, has announced that they are the provider for Cisco Spark voice offerings in Canada.

http://www.thinktel.ca/services/thinktel-voice-services-cisco-spark/

It would appear that they plan to be fully integrated with the Cisco Cloud Collaboration Management Portal (CCMP).

ThinkTel has been in the VoIP and SIP space for a long time, as one of the largest Lync / Skype for Business service providers in Canada and one of the first certified Lync SIP providers; as many know, Lync required TCP-based SIP service and had some specialized requirements. They also provide ExpressRoute services for Office 365 SIP connectivity.

In the coming days I would expect an announcement from both Cisco and ThinkTel about costs and services, but it appears that ThinkTel at least has let the cat out of the bag.


ClockGate 2017 – The Intel Atom C2000

The pieces are coming together in “ClockGate”, and it would appear that Intel, the world’s largest CPU manufacturer, is at the centre of the mess. According to The Register, and while not confirmed, Intel’s C2000 processor has a fault that will cause device bricking, but nobody is talking. A cross-section of equipment from various manufacturers, confirmed by my own investigation, all has this same Intel C2000 processor. After Intel’s comments to The Register, I think the culprit has been found.

Who is affected

The first to open up about it was Cisco, admitting to problems with everything from ISR 4Ks, NCS optical gear, some ASA 5500 series firewalls and a few Nexus 9K fabric modules, to both the MS350 switch and the MX84 firewall from Meraki. I was going to write about it then, but wanted to figure out what is actually going on here.

Cisco is not alone: Dell is also affected, users of Synology storage devices have been talking about it, and HP, NEC, Netgear, Supermicro and others are on a list that goes on and on.

HP Moonshot m300/m350, Dell FX, Seagate home NAS products, pfSense appliances from Netgate

I applaud Cisco for being first out of the gate to say “we have a problem and we are fixing it”; many vendors would sit around and figure out how to sweep this under the rug, but Cisco is getting out in front of it.

The list of who is affected is growing – hourly.

The Cone of Silence

Nobody is talking. Cisco is refusing to name the vendor, and Intel is refusing to name the product manufacturers, but the writing is clearly on the wall. Dell also isn’t talking, and when we reached out to some of our contacts we received no responses from a few vendors (including Cisco).

The silence is not much of a surprise: Intel is a huge partner to everyone involved, and without Intel these companies have no products, and without products Intel isn’t selling silicon, so everyone is protecting everyone.

Cisco is at the table with a plan to replace the affected devices; others are still quiet.

What caused this?

This little guy, the Intel Atom C2000: a system-on-chip designed to provide power and scale in smaller footprints for intelligent system applications, and sold as a processor for DPDK (the Data Plane Development Kit) workloads with improved packet processing speeds.


Intel has issued erratum AVR54, which states that the “System May Experience Inability to Boot or May Cease Operation” because the LPC clock outputs on the chip simply stop functioning. The stated explanation is that a circuit element degrades under sustained high use faster than Intel expected; in other words, Intel apparently didn’t plan on people running this SoC flat out, constantly, and the clock output fails as a result.

If you want all the nerdy specs on the C2000 – Click Here.. 

You need that clock: it drives the LPC bus that these designs use to reach things like the boot firmware and other bus-connected devices, so the CPU loses touch with the rest of the system without it. Once the clock signal fails, the system cannot even load its firmware, and it will not boot.

The statement is not really acceptable: you sold it for DPDK and as a scalable IoT processor, yet in your own words (via The Register) the fault is a “degradation of a circuit element under high use conditions at a rate higher than Intel’s quality goals after multiple years of service”.

How do we fix this?

Intel is issuing a new stepping of the Atom C2000, fixing this in silicon, which is a pretty expensive fix. Some kind of board-level repair might be possible, but we cannot find details right now.

If you have Cisco SmartNet with on-site support they will send someone to replace it, but that is not a magic bullet, because someone has to arrange and coordinate all of that. Partners will have to be involved, and who will pay for all these services?

In a discussion with CRN magazine, Jennifer Ho, manager of Cisco’s Business Critical Communications, said: “Unfortunately, because our funding is focused on providing the products, we are unable to reimburse for on-site services to replace the affected devices. Customers may have field engineering service as an option for their services contract, in which case the field engineering support would be included with the replacement.”

Cisco is clear – they are only paying for product.

There is also a delay: with so many people asking for replacements, rationing of replacement hardware is already occurring.

Justin’s Thoughts….

This is one of the largest fiascos since CapacitorGate, when one guy stole a faulty capacitor electrolyte formula and gave it to another company, who sold it to tons of motherboard manufacturers, and then I was replacing caps on motherboards in my house along with millions of others.

I’m pretty happy with Cisco on this one (yeah, bring on the “you’re a Cisco fanboy” comments), but the evidence is clear: they were first in front of it and didn’t try to blame someone else; they are just out there to fix it.

The big problem is who is going to pay for all this work. Cisco has said they will not.

This is a pretty big hit, and these types of things need to stop: IoT devices with faulty ANYTHING can spell disaster and be potentially dangerous. Just think if an electric car were powered by this chip and one day the computer didn’t start up, or failed while driving. Think of the oil rig whose drill was controlled by a chip like this.

Right now nobody is really being hurt by this one, but it makes me worry about things to come in the IoT market with failures like this.


ATTENTION Rally Teams – Stop Using Tow Straps!

Tow Straps are deadly.

This is a tow strap. It isn’t designed to stretch or be yanked on; it is designed for static loads. “Towing” is exactly what it is designed for, yet most rally recovery teams will not even use one for towing. These straps have no “give”; even the yank as a tow strap goes slack during towing and then snaps tight again can cause them to break.

When these straps break, the energy stored in the strap can send either the hook or the tow point flying at high speed; if it hits a person, they could be killed or severely injured.

Ever notice how the sweep team always says “We will use our own strap” ?

NEVER USE THESE STRAPS

If it has metal hooks on the end – it’s not a recovery strap.

How Deadly Are they?

This deadly.


Watch as this passenger is almost decapitated.


Tow Straps Damage Both Cars

A tow strap has no give. When you “snap” a tow strap (that is, leave it loose and then drive away, letting it tighten up to break the stuck car free) there is nothing to absorb the shock; if the strap doesn’t break, it will bend the hooks on the strap, the tow points on the vehicles, or even the frame. 100% of the force is applied immediately and totally to the other vehicle. It is very hard on the vehicle.

How does this work?

What should I use?

This is called a RECOVERY STRAP. It is made of nylon webbing, so it has “give” or stretch. Use a recovery strap to “snatch” or pull out a stuck vehicle: the nylon webbing absorbs the shock of heavy pulls, while the elastic rebound energy aids in a quick recovery. It is constructed of tough, high-quality nylon web, and the end loops are reinforced with abrasion-resistant wear pads.

When you pull with a recovery strap you can leave the strap on the ground and then gain momentum to create a “spring” or “slingshot” action to pull the car out. You have a better chance of getting out with one of these, because you can pull much harder.

You can also, and should, tow with a recovery strap; this prevents

A) hooks coming off when the line is loose

B) the jerk on the tow points, and on the people in the cars, when the vehicles get close together and the line re-tightens, because a recovery strap re-tightens very gently.


This will slow me down!

No, it won’t. If a sweep team arrives they might actually be willing to use your recovery strap, saving time. If someone else arrives, all you do is put the pin through and then pull it out. No tools. Plus you can pull much harder, meaning that if another team or car 99 helps you, you have a better chance of actually getting out. Plus nobody is killed.

Leave both shackles on the end of the strap, jump out, and put the pin through your tow point. When the other vehicle arrives, have it ready to insert. You don’t need to tighten the pin; just close it 95% of the way.

This will be expensive!

No, it won’t be. Go to Princess Auto and buy these items, and you will be good to go. Click on each item to view.

1 x 2 Inch x 20FT 18K Recovery Strap  – $36.99

2 in. x 20 ft 18,000 lb Recovery Strap

2 of these: 1/2 inch high tensile shackle, $6.99 each

1/2 in. High Tensile Galvanized Shackle

So the total cost: $50.97.

Other options?

You can also use the high-quality “Bubba Rope”:

Ideal for Jeeps, Light Trucks & Side-by-Sides - Renegade Recovery Rope

Instead of shackles, if you want something quicker, you can use a Bubba “Gator-Jaw” soft shackle:

Synthetic Shackle 32,000 lb Breaking Strength, Stronger than Steel!