[OT] Re: Intellectual Property in Network Design
On Fri, 13 Feb 2015 11:43:14 +1100, Ahad Aboss a...@telcoinabox.com said: In a sense, you are an artist as network architecture is an art in itself. It involves interaction with time, processes, people and things or an intersection between all.

This Friday's off-topic post for NANOG:

Doing art is creative practice directed to uncover something new and not pre-conceived. Successful acts of art produce something that not only wasn't there before but that nobody thought could be there. The art is the change in thinking that results. Whatever else is left over is residue.

An engineer or architect in the usual setting, no matter how skilled, is not doing art because the whole activity is pre-conceived. Even a clean and elegant design is not usually intended to show beautiful connections between ideas the same way poetry or mathematics might. Hiring an engineer for this purpose almost never happens in industry. Rather the purpose is to make a thing that does what it is intended to do. It is craft, or second-order residue. Useful, possibly difficult, but not art.

Some people want to claim ownership of a recipe for predictably creating residue of a certain kind. An artist knows that this is not good for doing art because nothing new can come from it. If they are committed to their practice, they will not seek to prevent others from using an old recipe. Why would they? They have already moved on.

Some older thoughts on the topic: http://archive.groovy.net/syntac/
Re: gmail spam help
More than one, but I found it here: https://bugs.launchpad.net/ubuntu/+source/spamassassin/+bug/1412830 They did patch it after it finally became a problem, I don't know about any other distributions.

On 02/12/2015 08:09 PM, Suresh Ramasubramanian wrote: Which distro is it that has dnsbl filtering on by default, and also defaulting to shady no name blocklists? I have yet to see a case where turning this sort of thing on first and kicking self later wasn't because of a clueless sysadmin.

On Feb 13, 2015 7:36 AM, Daniel Taylor dtay...@vocalabs.com wrote: Of course not, and I didn't mean to imply that they were. I was surprised to see it still present *anywhere* (this was in a major Linux distribution, and may still be), and that hidden presence may be polluting data streams used by even the most responsible vendors unless they are running entirely self-contained.

On 02/12/2015 07:04 PM, Suresh Ramasubramanian wrote: Please. Gmail isn't ever likely to use long dead hobbyist block lists.

On Feb 12, 2015 9:38 PM, Daniel Taylor dtay...@vocalabs.com wrote: Possibly related: http://www.ahbl.org/content/changes-ahbl We had to manually remove it from spamassassin for our local installation, and I am pretty sure that a lot of sites still haven't figured it out so there's a lot of false positives being generated all over the place to throw off even filters that don't use it directly.

On 02/12/2015 09:54 AM, Alex Rubenstein wrote: Mainly because I own it, and the people who use it. The server has been around 10+ years and has tight oversight. SPF is proper. This is a recent issue.

From: Scott Helms [khe...@zcorum.com] Sent: Thursday, February 12, 2015 10:51 AM To: Alex Rubenstein Cc: Josh Luthman; NANOG list Subject: Re: gmail spam help

I'd be interested to know how you can be so adamant about the lack of spam from this specific server. A great percentage of the spam hitting servers I have visibility into comes from very similar kinds of setups because they tend to have little or no oversight in place. Also, lots of commercial email gets flagged as spam by users, even when they opted in for the email. If enough people flagged email from this server as spam it will cause Google to consider other email from the same small server as likely to be spam as well. Small systems, especially new ones, tend to unintentionally look like spam sources by not having proper reverse records, making sure you have SPF set up for the domain, etc.

Scott Helms Vice President of Technology ZCorum (678) 507-5000 http://twitter.com/kscotthelms

On Thu, Feb 12, 2015 at 10:41 AM, Alex Rubenstein a...@corp.nac.net wrote: I should have been clearer. I have been getting complaints from my sales folks that when they send emails to people who use gmail (either a gmail account or google apps) that the recipient is reporting that the email is ending up in the Spam folder.

So, I tested this myself, sending an email from a...@corp.nac.net to rubenstei...@gmail.com
Re: [OT] Re: Intellectual Property in Network Design
On Fri, Feb 13, 2015 at 8:54 AM, Skeeve Stevens ske...@eintellegonetworks.com wrote: On Fri, Feb 13, 2015 at 8:55 PM, William Waites wwai...@tardis.ed.ac.uk wrote: An engineer or architect in the usual setting, no matter how skilled, is not doing art because the whole activity is pre-conceived. Even a Excellent perspective... Howdy, I have to disagree with you there. This particular ship sailed four decades ago when CONTU found computer software to be copyrightable and the subsequent legislation and litigation agreed. If a router configuration turns out not to be art, it isn't because the engineer had to follow practical rules to create it. Regards, Bill Herrin -- William Herrin her...@dirtside.com b...@herrin.us Owner, Dirtside Systems . Web: http://www.dirtside.com/
Dark Fiber in Latin America
All, I'm looking for some general information on a dark fiber provider in Latin American countries, namely Nicaragua and Costa Rica. Any info is greatly appreciated. Please contact me off list. thanks, -Beavis -- () ascii ribbon campaign - against html e-mail /\ www.asciiribbon.org - against proprietary attachments Disclaimer: http://goldmark.org/jeff/stupid-disclaimers/
Re: Dark Fiber in Latin America
Hi Beavis, Just in case, there is a Lacnog mailing list.., the URL: https://mail.lacnic.net/mailman/listinfo/lacnog In case you don't get a response here you might want to try there. Alejandro, El 2/13/2015 a las 11:32 AM, Beavis escribió: All, I'm looking for some general information on a dark fiber provider in Latin American countries, namely Nicaragua and Costa Rica. Any info is greatly appreciated. Please contact me off list. thanks, -Beavis
Re: [OT] Re: Intellectual Property in Network Design
On Fri, 13 Feb 2015 10:28:25 -0500, William Herrin said: I have to disagree with you there. This particular ship sailed four decades ago when CONTU found computer software to be copyrightable and the subsequent legislation and litigation agreed.

The output of craft is copyrightable even if it doesn't count as art, as long as it meets the requirement of 17 USC 102(a)(1) - literary works. The issue with software wasn't if it was art, but if it was a literary work (they struggled for a while with the concept of machine-readable versus human readable). Furthermore, the House Report discussing the Act states:

"The term literary works does not connote any criterion of literary merit or qualitative value: it includes catalogs, directories, and similar factual, reference, or instructional works and compilations of data. It also includes computer data bases, and computer programs to the extent that they incorporate authorship in the programmer's expression of original ideas, as distinguished from the ideas themselves." {FN8: H.R. Rep. No. 94-1476 at 54} http://digital-law-online.info/lpdi1.0/treatise17.html

If catalogs and directories are covered, config files are... :)
Re: Intrusion Detection recommendations
On Fri, 13 Feb 2015, Andy Ringsmuth wrote: NANOG'ers, I've been tasked by our company president to learn about, investigate and recommend an intrusion detection system for our company. We're a smaller outfit, less than 100 employees, entirely Apple-based. Macs, iPhones, some Mac Mini servers, etc., and a fiber connection to the world. We are protected by a FreeBSD firewall setup, and we stay current on updates/patches from Apple and FreeBSD, but that's as far as my expertise goes. Initially, what do people recommend for:
1. Crash course in intrusion detection as a whole
2. Suggestions or recommendations for intrusion detection hardware or software
3. Other things I'm likely overlooking
Thank you all in advance for your wisdom.

I'd have a look at Alien Vault if you don't want to fork out heavy money and have a geek enough staff who doesn't mind butchering it up. It can be plug and play to an extent yet at the same time, if not configured properly it becomes useless. On the other hand, if you don't want to waste precious time in the event of say incident response to an actual event, then I would opt for QRadar.

IDS/IPS is a mere buzzword. Detection comes via way of knowledge: Who knows/has seen, that N traffic is malicious often based on signatures. Then of course you get all the nifty buzzwords: but we use heuristic doohickey reverse nacho cheese technology! Prevention is a paradox. If it did prevent then why did you get notified via a tweet that you were compromised before you even knew you were.

IDS works like this (in theory): Look at all logs, and all traffic patterns. Compare this data (often) to a config file of known knowns, if it matches what we have seen then it MUST be an attack.

IPS works like this: Sell someone an IDS appliance or software and tell them it's IPS. It won't stop a huge portion of attacks since it is well... IDS but boy does it have a cooler name.

ITS (Intrusion Tolerance) works like this: Ok, so we won't stop them, we can't prevent them, but boy oh boy can we tolerate them!

All work off of a broken premise of known knowns and not one vendor will ever come clean on this. I have had the opportunity (or misfortune take your pick) to have analyzed quite a bit of malware, intrusions, and so forth. I have seen how rapidly some of the attacks change, so I know firsthand why IDS, IPS, and others fail.

Now let me be fair... IDS/IPS are good as a HSSS (new buzzword) Hind Sight Security System, but will only prevent, and detect what is known. Your best goal is to perform a combination security and network analysis PRIOR to implementing any system. In doing so, you create logic suitable to your environment. For example, you have a DB that is supposed to ONLY communicate internally, a better approach would be to go on to that machine, and use the local machine's firewall rule to create a rule that says: ONLY CONNECTIONS FROM HERE TO THERE ARE ALLOWED ALL OTHERS GET BLOCKED, then alert when something strays.

Most of these systems lack because of the design prior to, and after their implementations. Organizations haven't taken the time to map data, processes, and create even a simple baseline to work with. This leads to these types of systems (IPS, IDS, SIEM, ITS, blah blah blah) generating all sorts of false positives. These false positives often overwhelm the users tasked with the administration of the systems. Thousands of alerts which often go unchecked until it is too late.

thee end.

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
"Where ignorance is our master, there is no possibility of real peace" - Dalai Lama
0B23 595C F07C 6092 8AEB 074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
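The baseline-first approach in the post above, as an added Python example that is not from the thread or any poster: a constructed allowlist states which hosts may reach an internal database server on which ports, the code parses constructed firewall log lines (loosely in the style of tcpdump reading a pflog interface), flags every connection involving the database host that falls outside the baseline whether the firewall blocked it or not, and collapses repeats into one alert per source, destination and port so the analyst sees a handful of lines rather than a flood. Host names, addresses, ports and the log format are assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed baseline for one internal database host (all values are assumptions).
DB_HOST = ipaddress.ip_address("10.0.20.5")
DB_PORT = 5432
MGMT_PORT = 22
ALLOWED_CLIENTS = [ipaddress.ip_network("10.0.10.0/24")]  # application tier may reach DB_PORT
ALLOWED_ADMINS = [ipaddress.ip_address("10.0.99.10")]     # one bastion host may reach MGMT_PORT

# Constructed firewall log, loosely in the style of tcpdump reading a pflog interface.
SAMPLE_LOG = """\
12:00:01.000001 rule 2/0(match): pass in on em0: 10.0.10.7.41000 > 10.0.20.5.5432: Flags [S]
12:00:02.000002 rule 9/0(match): block in on em0: 10.0.30.44.51234 > 10.0.20.5.5432: Flags [S]
12:00:02.100003 rule 9/0(match): block in on em0: 10.0.30.44.51235 > 10.0.20.5.5432: Flags [S]
12:00:02.200004 rule 9/0(match): block in on em0: 10.0.30.44.51236 > 10.0.20.5.5432: Flags [S]
12:00:03.000005 rule 2/0(match): pass in on em0: 10.0.99.10.55000 > 10.0.20.5.22: Flags [S]
12:00:04.000006 rule 9/0(match): block in on em0: 192.0.2.15.40000 > 10.0.20.5.22: Flags [S]
12:00:05.000007 rule 2/0(match): pass out on em0: 10.0.20.5.44444 > 10.0.50.9.8080: Flags [S]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) rule \S+: (?P<action>pass|block) (?:in|out) on \S+: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


@dataclass(frozen=True)
class Conn:
    ts: str
    action: str  # what the firewall did: "pass" or "block"
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def parse_log(text):
    """Parse log lines into Conn records; lines that do not fit the format are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            conns.append(Conn(m["ts"], m["action"], ipaddress.ip_address(m["src"]),
                              ipaddress.ip_address(m["dst"]), int(m["dport"])))
    return conns


def in_baseline(c):
    """True only for the connections the baseline explicitly allows."""
    if c.dst == DB_HOST and c.dport == DB_PORT:
        return any(c.src in net for net in ALLOWED_CLIENTS)
    if c.dst == DB_HOST and c.dport == MGMT_PORT:
        return c.src in ALLOWED_ADMINS
    return False  # the DB host originates nothing and accepts nothing else


@dataclass
class Alert:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    action: str
    count: int
    first_seen: str
    last_seen: str


def find_strays(text):
    """One Alert per (src, dst, dport, action) outside the baseline, in first-seen order."""
    alerts = {}
    for c in parse_log(text):
        if DB_HOST not in (c.src, c.dst) or in_baseline(c):
            continue  # not about the DB host, or explicitly allowed: no alert
        key = (c.src, c.dst, c.dport, c.action)
        if key in alerts:
            alerts[key].count += 1  # repeat of a known stray: count it, do not re-alert
            alerts[key].last_seen = c.ts
        else:
            alerts[key] = Alert(c.src, c.dst, c.dport, c.action, 1, c.ts, c.ts)
    return list(alerts.values())


def format_alert(a):
    # A "pass" on a stray means the firewall rule set does not match the baseline.
    note = "  <-- firewall passed a connection the baseline forbids; fix the rule set" \
        if a.action == "pass" else ""
    return f"{a.src} -> {a.dst}:{a.dport} {a.action} x{a.count} ({a.first_seen}..{a.last_seen}){note}"


if __name__ == "__main__":
    for alert in find_strays(SAMPLE_LOG):
        print(format_alert(alert))
```

On the sample log this yields three alerts from five stray events, the last of which the firewall let through, which is exactly the kind of rule gap a baseline comparison surfaces and a signature-driven IDS would not.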
Weekly Routing Table Report
This is an automated weekly mailing describing the state of the Internet Routing Table as seen from APNIC's router in Japan. The posting is sent to APOPS, NANOG, AfNOG, AusNOG, SANOG, PacNOG, CaribNOG and the RIPE Routing Working Group. Daily listings are sent to bgp-st...@lists.apnic.net. For historical data, please see http://thyme.rand.apnic.net. If you have any comments please contact Philip Smith pfsi...@gmail.com.

Routing Table Report 04:00 +10GMT Sat 14 Feb, 2015
Report Website: http://thyme.rand.apnic.net
Detailed Analysis: http://thyme.rand.apnic.net/current/

Analysis Summary
BGP routing table entries examined: 532541
Prefixes after maximum aggregation (per Origin AS): 203597
Deaggregation factor: 2.62
Unique aggregates announced (without unneeded subnets): 259474
Total ASes present in the Internet Routing Table: 49402
Prefixes per ASN: 10.78
Origin-only ASes present in the Internet Routing Table: 36461
Origin ASes announcing only one prefix: 16309
Transit ASes present in the Internet Routing Table: 6259
Transit-only ASes present in the Internet Routing Table: 169
Average AS path length visible in the Internet Routing Table: 4.6
Max AS path length visible: 108
Max AS path prepend of ASN (60548): 101
Prefixes from unregistered ASNs in the Routing Table: 1744
Unregistered ASNs in the Routing Table: 432
Number of 32-bit ASNs allocated by the RIRs: 8597
Number of 32-bit ASNs visible in the Routing Table: 6682
Prefixes from 32-bit ASNs in the Routing Table: 24277
Number of bogon 32-bit ASNs visible in the Routing Table: 5
Special use prefixes present in the Routing Table: 0
Prefixes being announced from unallocated address space: 399
Number of addresses announced to Internet: 2731541796
Equivalent to 162 /8s, 208 /16s and 5 /24s
Percentage of available address space announced: 73.8
Percentage of allocated address space announced: 73.8
Percentage of available address space allocated: 100.0
Percentage of address space in use by end-sites: 97.2
Total number of prefixes smaller than registry allocations: 180324

APNIC Region Analysis Summary
Prefixes being announced by APNIC Region ASes: 131568
Total APNIC prefixes after maximum aggregation: 38312
APNIC Deaggregation factor: 3.43
Prefixes being announced from the APNIC address blocks: 136903
Unique aggregates announced from the APNIC address blocks: 55612
APNIC Region origin ASes present in the Internet Routing Table: 5026
APNIC Prefixes per ASN: 27.24
APNIC Region origin ASes announcing only one prefix: 1228
APNIC Region transit ASes present in the Internet Routing Table: 874
Average APNIC Region AS path length visible: 4.6
Max APNIC Region AS path length visible: 107
Number of APNIC region 32-bit ASNs visible in the Routing Table: 1307
Number of APNIC addresses announced to Internet: 747848064
Equivalent to 44 /8s, 147 /16s and 65 /24s
Percentage of available APNIC address space announced: 87.4
APNIC AS Blocks: 4608-4864, 7467-7722, 9216-10239, 17408-18431 (pre-ERX allocations), 23552-24575, 37888-38911, 45056-46079, 55296-56319, 58368-59391, 63488-64098, 131072-135580
APNIC Address Blocks: 1/8, 14/8, 27/8, 36/8, 39/8, 42/8, 43/8, 49/8, 58/8, 59/8, 60/8, 61/8, 101/8, 103/8, 106/8, 110/8, 111/8, 112/8, 113/8, 114/8, 115/8, 116/8, 117/8, 118/8, 119/8, 120/8, 121/8, 122/8, 123/8, 124/8, 125/8, 126/8, 133/8, 150/8, 153/8, 163/8, 171/8, 175/8, 180/8, 182/8, 183/8, 202/8, 203/8, 210/8, 211/8, 218/8, 219/8, 220/8, 221/8, 222/8, 223/8

ARIN Region Analysis Summary
Prefixes being announced by ARIN Region ASes: 176091
Total ARIN prefixes after maximum aggregation: 86886
ARIN Deaggregation factor: 2.03
Prefixes being announced from the ARIN address blocks: 178136
Unique aggregates announced from the ARIN address blocks: 83478
ARIN Region origin ASes present in the Internet Routing Table: 16488
ARIN Prefixes per ASN:
Re: Intrusion Detection recommendations
On 13/02/15 17:45 +, Mel Beckman wrote: Unless you need regulatory-grade IDS, your best bet is a Unified Threat Management (UTM) appliance, essentially any modern enterprise grade firewall such as a Cisco ASA, Fortigate, SonicWall, etc. These all have built-in IDS/IPS options for a fee. -mel Flip over these, or ideally watch the talk before deploying an ASA (or some other black-box security appliance that tries to be All Things to All People) https://ruxcon.org.au/assets/2014/slides/Breaking%20Bricks%20Ruxcon%202014.pdf -- richo
Re: [OT] Re: Intellectual Property in Network Design
On Fri, Feb 13, 2015 at 12:25 PM, valdis.kletni...@vt.edu wrote: The issue with software wasn't if it was art, but if it was a literary work (they struggled for a while with the concept of machine-readable versus human readable). If catalogs and directories are covered, config files are... :) Smells like a Friday challenge for who can produce the most artistic yet functionally correct Cisco configuration. -Bill -- William Herrin her...@dirtside.com b...@herrin.us Owner, Dirtside Systems . Web: http://www.dirtside.com/
Intrusion Detection recommendations
NANOG'ers, I've been tasked by our company president to learn about, investigate and recommend an intrusion detection system for our company. We're a smaller outfit, less than 100 employees, entirely Apple-based. Macs, iPhones, some Mac Mini servers, etc., and a fiber connection to the world. We are protected by a FreeBSD firewall setup, and we stay current on updates/patches from Apple and FreeBSD, but that's as far as my expertise goes. Initially, what do people recommend for:
1. Crash course in intrusion detection as a whole
2. Suggestions or recommendations for intrusion detection hardware or software
3. Other things I'm likely overlooking
Thank you all in advance for your wisdom.

Andy Ringsmuth a...@newslink.com News Link – Manager Technology Facilities 2201 Winthrop Rd., Lincoln, NE 68502-4158 (402) 475-6397 / (402) 304-0083 cellular
Re: Intrusion Detection recommendations
On Fri, 13 Feb 2015, Mel Beckman wrote: Unless you need regulatory-grade IDS, your best bet is a Unified Threat Management (UTM) appliance, essentially any modern enterprise grade firewall such as a Cisco ASA, Fortigate, SonicWall, etc. These all have built-in IDS/IPS options for a fee. -mel

With all due respect, is regulatory-grade IDS the same as say military-grade encryption?

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
"Where ignorance is our master, there is no possibility of real peace" - Dalai Lama
0B23 595C F07C 6092 8AEB 074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
Re: [OT] Re: Intellectual Property in Network Design
On Fri, 13 Feb 2015 13:36:43 -0500, William Herrin said: On Fri, Feb 13, 2015 at 12:25 PM, valdis.kletni...@vt.edu wrote: If catalogs and directories are covered, config files are... :) Smells like a Friday challenge for who can produce the most artistic yet functionally correct Cisco configuration.

All too many of them read like either Edgar Allan Poe or HP Lovecraft. :)
Re: [OT] Re: Intellectual Property in Network Design
Thank you for looking up facts, laws, etc... The rest is merely opinion, and wouldn't necessarily help someone trying to protect their network designs. On Fri, Feb 13, 2015 at 11:25 AM, valdis.kletni...@vt.edu wrote: On Fri, 13 Feb 2015 10:28:25 -0500, William Herrin said: I have to disagree with you there. This particular ship sailed four decades ago when CONTU found computer software to be copyrightable and the subsequent legislation and litigation agreed. The output of craft is copyrightable even if it doesn't count as art, as long as it meets the requirement of 17 USC 102(a)(1) - literary works. The issue with software wasn't if it was art, but if it was a literary work (they struggled for a while with the concept of machine-readable versus human readable). Furthermore, the House Report discussing the Act states: The term literary works does not connote any criterion of literary merit or qualitative value: it includes catalogs, directories, and similar factual, reference, or instructional works and compilations of data. It also includes computer data bases, and computer programs to the extent that they incorporate authorship in the programmer's expression of original ideas, as distinguished from the ideas themselves. {FN8: H.R. Rep. No. 94-1476 at 54} http://digital-law-online.info/lpdi1.0/treatise17.html If catalogs and directories are covered, config files are... :)
Re: Intrusion Detection recommendations
JO, IDS to meet PCI or HIPAA requirements is regulatory grade. It meets specific notification and logging requirements. SNORT-based systems fall into this category. -mel beckman

On Feb 13, 2015, at 10:00 AM, J. Oquendo joque...@e-fensive.net wrote: On Fri, 13 Feb 2015, Mel Beckman wrote: Unless you need regulatory-grade IDS, your best bet is a Unified Threat Management (UTM) appliance, essentially any modern enterprise grade firewall such as a Cisco ASA, Fortigate, SonicWall, etc. These all have built-in IDS/IPS options for a fee. -mel With all due respect, is regulatory-grade IDS the same as say military-grade encryption? -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM "Where ignorance is our master, there is no possibility of real peace" - Dalai Lama 0B23 595C F07C 6092 8AEB 074B FC83 7AF5 9D8A 4463 https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
Re: Intrusion Detection recommendations
I am a huge fan of FreeBSD, but for a medium/large business I'd definitely use a fairly well tested security appliance like Cisco's ASA. Depending on the traffic you have on your fiber uplink, you can get a redundant pair of ASAs running for less than $2,000 in the US. I just find it less stressful to use a solution like ASA rather than worrying about patching your kernel every so often and worrying about possible vulns in the ipfw/pf codes. That, and you have to make sure EVERYTHING is taken into account when you create your rules, which requires some intense knowledge on either ipfw, pf or both.

I am not an expert in intrusion detection, so with regards to that, I'd just set up a honeypot and monitor activity. You can also regularly run penetration tests on your own network and see how well you are protected. Just make sure the appropriate people know about these tests so you don't get wrongfully reported.

Rafael

On Fri, Feb 13, 2015 at 11:40 AM, Andy Ringsmuth a...@newslink.com wrote: NANOG'ers, I've been tasked by our company president to learn about, investigate and recommend an intrusion detection system for our company. We're a smaller outfit, less than 100 employees, entirely Apple-based. Macs, iPhones, some Mac Mini servers, etc., and a fiber connection to the world. We are protected by a FreeBSD firewall setup, and we stay current on updates/patches from Apple and FreeBSD, but that's as far as my expertise goes. Initially, what do people recommend for:
1. Crash course in intrusion detection as a whole
2. Suggestions or recommendations for intrusion detection hardware or software
3. Other things I'm likely overlooking
Thank you all in advance for your wisdom. Andy Ringsmuth a...@newslink.com News Link – Manager Technology Facilities 2201 Winthrop Rd., Lincoln, NE 68502-4158 (402) 475-6397 / (402) 304-0083 cellular
Re: Intellectual Property in Network Design
On 12 Feb 2015, at 3:12, Skeeve Stevens wrote: Hi all, I have two perspectives I am trying to address with regard to network design and intellectual property.
1) The business who does the design - what are their rights?
2) The customer who asked for the rights from a consultant
My personal thoughts are conflicting:
- You create networks with standard protocols, configurations, etc... so it shouldn't be IP
- But you can design things in interesting ways, with experience, skill, creativity.. maybe that should be IP?
- But artworks are created with colors, paintbrushes, canvas... but the result is IP
- A photographer takes a photo - it is IP
- But how are 'how you do your Cisco/Juniper configs' possibly IP?
- If I design a network one way for a customer and they want 'IP', does that mean I can't ever design a network like that again? What?
I've seen a few telcos say that they own the IP related to the network design of their customers they deploy... which based on the above... feels uncomfortable... I'm really conflicted on this and wondering if anyone else has come across this situation. Perhaps any legal cases/precedent (note, I am not looking for legal advice :) If this email isn't appropriate for the list... sorry, and please feel free to respond off-line. ...Skeeve

You really need to get real legal advice. There are a fair number of deep legal issues here, as best I can tell (and I'm not a lawyer); there may not be anything that's actually legally protectable. Of course, the other party may have a lawyer who thinks the opposite, and there may or may not be enough case law to come to a reasonably probable common answer. So--decide what your preference is (I tend to agree with Randy, but that's me), and learn what your lawyer thinks of the general question. Then ask the lawyer what to do if there are conflicting opinions on whether or not it can be protected, and to draft language consistent with your preference and that belief for the contract.
--Steve Bellovin, https://www.cs.columbia.edu/~smb
Re: Intrusion Detection recommendations
On Fri, 13 Feb 2015, Mel Beckman wrote: JO, IDS to meet PCI or HIPAA requirements is regulatory grade. It meets specific notification and logging requirements. SNORT-based systems fall into this category.

<ramble>

tl;dr (even I don't read what I write)

You failed to see the snark in military grade crypto comment. This thought process is what causes many organizations to fail repeatedly. Relying on what the herd says. PCI, HIPAA, FINRA, FISMA, and all of the other regulatory guidelines, standards, baselines, and mandates spew from the manufacturing industry's ISO (BS pick your poisonous acronym). Call it SADHD (or Security ADHD) but I don't get why everyone keeps running around like dogs chasing their tails.

Let's look at HIPAA where everyone is scrambling to replace Windows based on the word of the herd. Here is the rule:

"Unsupported and unpatched environments are vulnerable to security risks. This may result in an officially recognized control failure by an internal or external audit body, leading to suspension of certifications, and/or public notification of the organization's inability to maintain its systems and customer information"

Do you chuck Windows XP? It'd be easier to in theory but not in practice, however NO ONE EVER SAID: thou shall chuck XP (http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2014.html)

"The Security Rule was written to allow flexibility for covered entities to implement security measures that best fit their organizational needs. The Security Rule does not specify minimum requirements for personal computer operating systems"

Organizations keep relying on half-decent guidelines for remedies to their problems. By you thinking that you are going to plop in any regulatory grade *anything* and find security, you are doing not only yourself a huge disservice, but also to your clients. These pieces of technology (IPS, IDS, FWs, HIPS, NIPS, etc) are only capable of doing what you tell them to.

Neither the Payment Card Industry, NIST, or even the President of your country (or Premier, or whatever else) should be telling you how to secure your organization. YOU need to know the ins and outs, take the proper steps and THEN use these technologies when you're done with your risk assessments. If you're relying solely on what others tell you is regulatory-grade or military-grade or any other kind of grade, you're bound to be right up there with Target, Anthem, Citi, JP Morgan Chase, <snip>a wikipedia-length list of compromised companies</snip>. When doing pentesting work, I fill up IPS and IDS with so many false positives, the analysts are FORCED to ignore the results while I shimmy my shiny right on by. I know based on experience what someone is going to do when they see a kabillion alerts light up their dashboard. http://seclists.org/incidents/2000/Aug/277

The approach: Let me cater to what they say I should do versus: Let me figure out what my organization does, needs to do, and how to get to the proper point is mind boggling. I wish there were a statistical database of compromised companies, and the tools they used, frameworks they followed, and regulatory nonsense they needed to comply with was listed. Most of these regulatory mandates are based off of half-baked models that are partially good when followed thoroughly. However, they are ONLY partially good when an organization goes beyond the normal banter: thou shall apply this - Does not mean: plop in an IPS and call it a day.

For the most part though, this practice of half-baked security will continue, vendors will make bucketloads of money, consumers of IPS/IDS devices will still complain how much the product sucks, and I as a pentester... I stay happy as it keeps me steadily enjoying Five Guys' burgers

</ramble>

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
"Where ignorance is our master, there is no possibility of real peace" - Dalai Lama
0B23 595C F07C 6092 8AEB 074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
RE: Vancouver WA Comcast Outage?
From: aa...@heyaaron.com Date: Thu, 12 Feb 2015 14:13:56 -0800 Subject: Vancouver WA Comcast Outage? To: nanog@nanog.org We just lost a handful of customers in Vancouver WA on Comcast. Voice and data are out. Initial reports are saying a transformer blew down town. Service still degraded for you? Today it's me with long duration partial outage and very poor connectivity trying to reach Portland via Vancouver hop, on Comcast network. Still no relevant response for my open ticket from their party.
Re: Intrusion Detection recommendations
What is the alternative then... Does he have the time to become a BSD guru and master ipfw and pf? Probably not feasible with all other job duties, unless he locks himself in his mom's basement for the next 5 years. On Fri, Feb 13, 2015 at 3:27 PM, Rich Kulawiec r...@gsp.org wrote: On Fri, Feb 13, 2015 at 02:45:46PM -0600, Rafael Possamai wrote: I am a huge fan of FreeBSD, but for a medium/large business I'd definitely use a fairly well tested security appliance like Cisco's ASA. Closed-source software is faith-based security. ---rsk
Verizon webmail support
Could anyone from Verizon webmail service contact me regarding access issues? Thanks in advance. -- Eduardo Schoedler
Custom fiber for FTT* deployment
I am researching a project that would involve running fiber to several thousand kiosks in a dense metro area. My $dayjob owns a very dense metro fiber footprint in the metro in question, but splicing costs are high, and I prefer not to strand a lot of backbone fibers if at all possible. The customer's plan is to have a hub connected with a 10G link, and 9 spokes connected to the hub via a 1G link. The initial plan was to build laterals to the hub site, connect the hub site to backbone fiber that runs to a site with 10G switches, build laterals to each of the spoke sites, and have each of the spokes connected to backbone fiber pairs to the hub lateral and then to the hub Ethernet switches.

I've been thinking about a more efficient way to do this, and I thought that I had read something on this list several years ago about custom fiber bundles with something like X pairs of different lengths in a single bundle. I would ideally like to be able to order a bundle with 10 pairs of SM fiber, with 2 pairs being 200' long, 2 pairs being 400' long, 2 pairs being 600' long, 2 pairs being 800' long, and the remaining 2 pairs being 1000' long. Has anyone ordered this type of fiber bundle before, and could you recommend a vendor that I can speak with about this? Jeremiah
Re: gmail spam help
If it's email you are sending from your domain that's getting marked as spam make sure that you have a reverse DNS setup, an SPF record, and DKIM signing helps too. Alex On Feb 12, 2015 8:42 AM, Mike Hammett na...@ics-il.net wrote: Don't use GMail for things you care about? - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com - Original Message - From: Josh Luthman j...@imaginenetworksllc.com To: Alex Rubenstein a...@corp.nac.net Cc: NANOG list nanog@nanog.org Sent: Thursday, February 12, 2015 8:31:58 AM Subject: Re: gmail spam help Create a filter. Josh Luthman Office: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373 On Feb 12, 2015 8:11 AM, Alex Rubenstein a...@corp.nac.net wrote: Is there anyone on-list that can help me with a world - gmail email issue, where email is being considering spam by gmail erroneously? Thanks.
RE: Dark Fiber in Latin America
Date: Fri, 13 Feb 2015 11:45:06 -0430 From: alejandroacostaal...@gmail.com To: nanog@nanog.org Subject: Re: Dark Fiber in Latin America Hi Beavis, Just in case, there is a Lacnog mailing list.., the URL: https://mail.lacnic.net/mailman/listinfo/lacnog In case you don't get a response here you might want to try there. Alejandro, Did you try ufinet / Fenosa? We use both their dark fibre and transport services in several LATAM locations, including both locations you are looking for providers in. A while ago we had some problems with long lead times for new connections but it might have normalized. Worth giving it a try. Regards, El 2/13/2015 a las 11:32 AM, Beavis escribió: All, I'm looking for some general information on a dark fiber provider in Latin American countries, namely Nicaragua and Costa Rica. Any info is greatly appreciated. Please contact me off list. thanks, -Beavis
Re: Intrusion Detection recommendations
On Fri, Feb 13, 2015 at 02:45:46PM -0600, Rafael Possamai wrote: I am a huge fan of FreeBSD, but for a medium/large business I'd definitely use a fairly well tested security appliance like Cisco's ASA. Closed-source software is faith-based security. ---rsk
RE: Low cost WDM gear
Hi Mike, You should try CYAN inc and the Z series. (US based) Very solid platform and very strong warranty. David Boisseleau -Original Message- From: NANOG [mailto:nanog-bounces+dboisseleau=fonex@nanog.org] On Behalf Of Colin Johnston Sent: February-07-15 6:29 PM To: Tim Durack Cc: NANOG Subject: Re: Low cost WDM gear Yes, you can do long distances without the need for an amplifier site (train tracks, for example), but you need to make sure the ground is stable and, if using the track bed of a train track, that the ballast is good and stable, else ground tremors affect the signal quality. Colin On 7 Feb 2015, at 22:32, Tim Durack tdur...@gmail.com wrote: You can do ~500km without inline amplifier sites using EDFA+Raman+ROPA, but you are going to need some serious optical engineering to make that work. The more standard way to do it is amplifier sites every 80-100km for EDFA. If you are doing 10GigE you will need to allow for DCM also. On Sat, Feb 7, 2015 at 1:04 PM, Mike Hammett na...@ics-il.net wrote: One particular route I'm looking at is 185 miles, so of the options presented 300 km is closest. ;-) - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com - Original Message - From: Christopher Morrow morrowc.li...@gmail.com To: Kenneth McRae kenneth.mc...@me.com Cc: NANOG nanog@nanog.org Sent: Saturday, February 7, 2015 12:02:11 PM Subject: Re: Low cost WDM gear would be good for mike to define 'long distances' here, is it: 2km 30km 300km 3000km Probably the 30-60k range is what you mean by 'long distances' but... clarity might help. On Sat, Feb 7, 2015 at 12:55 PM, Kenneth McRae kenneth.mc...@me.com wrote: Mike, I just replaced a bunch of FiberStore WDM passive muxes with OSI Hardware equipment. The FiberStore gear was a huge disappointment (excessive loss, poor technical support, refusal to issue refund without threatening legal action, etc.). I have had good results from the OSI equipment so far. I run passive muxes for CWDM (8 - 16 channels). 
On Feb 07, 2015, at 09:51 AM, Manuel Marín m...@transtelco.net wrote: Hi Mike I can recommend a couple of vendors that provide cost effective solutions. Ekinops Packetlight. On Saturday, February 7, 2015, Mike Hammett na...@ics-il.net wrote: I know there are various Asian vendors for low cost (less than $500) muxes to throw 16 or however many colors onto a strand. However, they don't work so well when you don't control the optics used on both sides (therefore must use standard wavelengths), obviously only do a handful of channels and have a distance limitation. What solutions are out there that don't cost an arm and a leg? - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com -- TRANSTELCO| Manuel Marin | VP Engineering | US: *+1 915-217-2232* | MX: *+52 656-257-1109* CONFIDENTIALITY NOTICE: This communication is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If you are not the intended recipient of this information, you are notified that any use, dissemination, distribution, or copying of the communication is strictly prohibited. -- Tim:
BGP Update Report
BGP Update Report
Interval: 05-Feb-15 -to- 12-Feb-15 (7 days)
Observation Point: BGP Peering with AS131072

TOP 20 Unstable Origin AS
Rank  ASN        Upds     %    Upds/Pfx  AS-Name
 1 -  AS23752   260831   4.7%    1890.1  -- NPTELECOM-NP-AS Nepal Telecommunications Corporation, Internet Services,NP
 2 -  AS27194   181162   3.3%   90581.0  -- REALLYFAST - ReallyFast.net,US
 3 -  AS9829    133632   2.4%      79.2  -- BSNL-NIB National Internet Backbone,IN
 4 -  AS61894    94291   1.7%   23572.8  -- FreeBSD Brasil LTDA,BR
 5 -  AS53563    57787   1.1%    5778.7  -- XPLUSONE - X Plus One Solutions, Inc.,US
 6 -  AS36947    54890   1.0%     262.6  -- ALGTEL-AS,DZ
 7 -  AS17974    48847   0.9%      17.2  -- TELKOMNET-AS2-AP PT Telekomunikasi Indonesia,ID
 8 -  AS6147     47352   0.9%      27.0  -- Telefonica del Peru S.A.A.,PE
 9 -  AS8452     41602   0.8%      25.4  -- TE-AS TE-AS,EG
10 -  AS25563    34077   0.6%    8519.2  -- WEBLAND-AS Webland AG, Autonomous System,CH
11 -  AS55714    33537   0.6%     149.7  -- APNIC-FIBERLINK-PK Fiberlink Pvt.Ltd,PK
12 -  AS8402     33235   0.6%      22.7  -- CORBINA-AS OJSC Vimpelcom,RU
13 -  AS51964    32478   0.6%      67.5  -- ORANGE-BUSINESS-SERVICES-IPSN-ASN Equant Inc.,FR
14 -  AS10620    32159   0.6%      10.4  -- Telmex Colombia S.A.,CO
15 -  AS3462     30874   0.6%     114.3  -- HINET Data Communication Business Group,TW
16 -  AS42337    26508   0.5%     166.7  -- RESPINA-AS Respina Networks Beyond PJSC,IR
17 -  AS39891    23394   0.4%       9.5  -- ALJAWWALSTC-AS Saudi Telecom Company JSC,SA
18 -  AS60725    23207   0.4%    1160.3  -- O3B-AS O3b Limited,JE
19 -  AS14840    22433   0.4%     659.8  -- COMMCORP COMUNICACOES LTDA,BR
20 -  AS23342    22142   0.4%     567.7  -- UNITEDLAYER - Unitedlayer, Inc.,US

TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank  ASN        Upds     %    Upds/Pfx  AS-Name
 1 -  AS27194   181162   3.3%   90581.0  -- REALLYFAST - ReallyFast.net,US
 2 -  AS61894    94291   1.7%   23572.8  -- FreeBSD Brasil LTDA,BR
 3 -  AS61039    16164   0.3%   16164.0  -- ZMZ OAO ZMZ,RU
 4 -  AS25563    34077   0.6%    8519.2  -- WEBLAND-AS Webland AG, Autonomous System,CH
 5 -  AS26264     7649   0.1%    7649.0  -- TVI-AS - TVI Inc,US
 6 -  AS197914   21790   0.4%    7263.3  -- STOCKHO-AS Stockho Hosting SARL,FR
 7 -  AS53563    57787   1.1%    5778.7  -- XPLUSONE - X Plus One Solutions, Inc.,US
 8 -  AS50104     4281   0.1%    4281.0  -- SATORP-AS SAUDI ARAMCO TOTAL Refining and Petrochemical Company,SA
 9 -  AS33721     4110   0.1%    4110.0  -- CCL-ASN2 - CARNIVAL CRUISE LINES,US
10 -  AS62174     3419   0.1%    3419.0  -- INTERPAN-AS INTERPAN LTD.,BG
11 -  AS33440    10610   0.2%    2652.5  -- WEBRULON-NETWORK - webRulon, LLC,US
12 -  AS47680    10690   0.2%    2138.0  -- NHCS EOBO Limited,IE
13 -  AS23752   260831   4.7%    1890.1  -- NPTELECOM-NP-AS Nepal Telecommunications Corporation, Internet Services,NP
14 -  AS6775     15016   0.3%    1877.0  -- BACKBONE_EHF_EUROPE Backbone ehf,CH
15 -  AS20151     1662   0.0%    1662.0  -- MCW-12-01 - Mountain Computer Wizards, Inc.,US
16 -  AS52355     3051   0.1%    1525.5  -- Jalasoft Corp.,BO
17 -  AS45606     7627   0.1%    1525.4  --
18 -  AS198053    1507   0.0%    1507.0  -- AMTEL VECTRA S.A.,PL
19 -  AS63269     1498   0.0%    1498.0  -- DYONYX - DYONYX L.P,US
20 -  AS262149    3609   0.1%    1203.0  -- Sistemas Fratec S.A.,CR

TOP 20 Unstable Prefixes
Rank  Prefix             Upds     %    Origin AS  -- AS Name
 1 -  202.70.88.0/21    129883   2.3%  AS23752    -- NPTELECOM-NP-AS Nepal Telecommunications Corporation, Internet Services,NP
 2 -  202.70.64.0/21    128839   2.3%  AS23752    -- NPTELECOM-NP-AS Nepal Telecommunications Corporation, Internet Services,NP
 3 -  177.10.158.0/24    94179   1.7%  AS61894    -- FreeBSD Brasil LTDA,BR
 4 -  162.246.92.0/22    90669   1.6%  AS27194    -- REALLYFAST - ReallyFast.net,US
 5 -  162.208.40.0/22    90493   1.6%  AS27194    -- REALLYFAST - ReallyFast.net,US
 6 -  199.38.164.0/23    57762   1.0%  AS53563    -- XPLUSONE - X Plus One Solutions, Inc.,US
 7 -  105.96.0.0/22      51057   0.9%  AS36947    -- ALGTEL-AS,DZ
 8 -  64.29.130.0/24     21919   0.4%  AS23342    -- UNITEDLAYER - Unitedlayer, Inc.,US
 9 -  130.0.192.0/21     21786   0.4%  AS197914   -- STOCKHO-AS Stockho Hosting SARL,FR
10 -  91.235.169.0/24    16164   0.3%  AS61039    -- ZMZ OAO ZMZ,RU
11 -  91.193.202.0/24    15108   0.3%  AS42081    -- SPEEDY-NET-AS Speedy net EAD,BG
12 -  79.134.225.0/24    14962   0.3%  AS6775     -- BACKBONE_EHF_EUROPE Backbone ehf,CH
13 -  162.249.183.0/24   11983   0.2%  AS60725    -- O3B-AS O3b Limited,JE
14 -  92.43.216.0/21     11655   0.2%  AS25563    -- WEBLAND-AS Webland AG, Autonomous System,CH
15 -  185.84.192.0/22    11381   0.2%  AS25563    -- WEBLAND-AS Webland AG, Autonomous System,CH
16 -  42.83.48.0/20
Re: Intrusion Detection recommendations
On Fri, 13 Feb 2015 15:45:30 -0600, Rafael Possamai said: What is the alternative then... Does he have the time to become a BSD guru and master ipfw and pf? Probably not feasible with all other job duties, unless he locks himself in his mom's basement for the next 5 years. By the time you learn enough about security that the box is actually securing something rather than just filling a checkbox on a form, mastering ipfw/pf is the least of your worries pgp6uutWAFbbm.pgp Description: PGP signature
Customer fiber for FTT* deployment
Apologies if this comes through twice, it's been waiting for moderation for 30 hours or so. I am researching a project that would involve running fiber to several thousand kiosks in a dense metro area. My $dayjob owns a very dense metro fiber footprint in the metro in question, but splicing costs are high, and I prefer not to strand a lot of backbone fibers if at all possible. The customer's plan is to have a hub connected with a 10G link, and 9 spokes connected to the hub via a 1G link. The initial plan was to build laterals to the hub site, connect the hub site to backbone fiber that runs to a site with 10G switches, build laterals to each of the spoke sites, and have each of the spokes connected to backbone fiber pairs to the hub lateral and then to the hub Ethernet switches. I've been thinking about a more efficient way to do this, and I thought that I had read something on this list several years ago about custom fiber bundles with something like X pairs of different lengths in a single bundle. I would ideally like to be able to order a bundle with 10 pairs of SM fiber, with 2 pairs being 200' long, 2 pairs being 400' long, 2 pairs being 600' long, 2 pairs being 800' long, and the remaining 2 pairs being 1000' long. Has anyone ordered this type of fiber bundle before, and could you recommend a vendor that I can speak with about this? Jeremiah
FYI: An Easy way to build a server cluster without top of rack switches (MEMO)
Hi all! We wrote up a TIPS memo on an easy way to build a server cluster without top-of-rack switches. This model reduces switch and cable costs and gives high network durability through a lightweight and simple configuration. If you are interested, please try this concept yourself ;-) An Easy way to build a server cluster without top of rack switches (MEMO) http://slidesha.re/1EduYXM Best regards, -- Naoto MATSUMOTO
Re: gmail spam help
A good tool to test all that is mxtoolbox.com. They have blacklist checks and SMTP tests that will check your PTR records and other things. They also provide free weekly blacklist checks for one domain. DJ Anderson Sent from my iPhone On Feb 12, 2015, at 10:53 AM, Scott Helms khe...@zcorum.com wrote: I'd be interested to know how you can be so adamant about the lack of spam from this specific server. A great percentage of the spam hitting servers I have visibility into comes from very similar kinds of setups because they tend to have little or no oversight in place. Also, lots of commercial email gets flagged as spam by users, even when they opted in for the email. If enough people flagged email from this server as spam it will cause Google to consider other email from the same small server as likely to be spam as well. Small systems, especially new ones, tend to unintentionally look like spam sources by not having proper reverse records, making sure you have SPF set up for the domain, etc. Scott Helms Vice President of Technology ZCorum (678) 507-5000 http://twitter.com/kscotthelms On Thu, Feb 12, 2015 at 10:41 AM, Alex Rubenstein a...@corp.nac.net wrote: I should have been clearer. I have been getting complaints from my sales folks that when they send emails to people who use gmail (either a gmail account or google apps) the recipient is reporting that the email is ending up in the Spam folder. So, I tested this myself, sending an email from a...@corp.nac.net to rubenstei...@gmail.com [inline image omitted] This is curious to me, since @corp.nac.net is a small exchange implementation with only about 50 users behind it, and there is no question that there is no spamming going on from here. So, it's not a question of adding a filter or not using gmail; it is not me who is using gmail in this problem. 
From: Josh Luthman [mailto:j...@imaginenetworksllc.com] Sent: Thursday, February 12, 2015 9:32 AM To: Alex Rubenstein Cc: NANOG list Subject: Re: gmail spam help Create a filter. Josh Luthman Office: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373 On Feb 12, 2015 8:11 AM, Alex Rubenstein a...@corp.nac.netmailto: a...@corp.nac.net wrote: Is there anyone on-list that can help me with a world - gmail email issue, where email is being considering spam by gmail erroneously? Thanks.
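The checks recommended in this thread (a reverse record that confirms forward, and an SPF record that covers the sending host) are easy to get subtly wrong, so here is an added example of what a receiver actually evaluates. It is written for this page, not taken from any poster or from mxtoolbox: a small SPF evaluator covering the ip4, ip6, include and all mechanisms, plus a forward-confirmed reverse DNS (FCrDNS) test. All DNS data is constructed inline in documentation address ranges (the corp.example domain, the hosts and the records are invented) in place of live TXT/PTR/A lookups.

```python
import ipaddress

# Constructed DNS data for this example (RFC 5737 / RFC 3849 documentation ranges).
# A real check would replace these dicts with live TXT, PTR and A/AAAA lookups.
TXT = {
    "corp.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}
PTR = {
    "192.0.2.25": ["mail.corp.example"],
    "203.0.113.9": ["generic-host.isp.example"],
}
A = {
    "mail.corp.example": ["192.0.2.25"],
    "generic-host.isp.example": ["203.0.113.200"],   # PTR name does not map back
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for sending host `ip`.

    Returns one of pass / fail / softfail / neutral / none / permerror.
    Only ip4, ip6, include and all are implemented, which is enough for the
    records above; a, mx, exists and redirect= fall through to permerror.
    """
    if depth > 10:                      # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mechanism, _, arg = term.partition(":")
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            try:
                # A v4 address is never inside a v6 network (and vice versa).
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mechanism == "include":
            # include matches only when the included record yields "pass".
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                    # nothing matched and no "all" term


def forward_confirmed_rdns(ip):
    """FCrDNS: at least one PTR name of `ip` must resolve back to `ip`."""
    return any(ip in A.get(name, []) for name in PTR.get(ip, []))


def sender_hygiene(ip, mail_from_domain):
    """List the reasons a receiver such as Gmail could distrust this sending host."""
    issues = []
    if not forward_confirmed_rdns(ip):
        issues.append("no forward-confirmed reverse DNS")
    spf = check_spf(ip, mail_from_domain)
    if spf != "pass":
        issues.append(f"SPF {spf}")
    return issues


if __name__ == "__main__":
    for host in ("192.0.2.25", "198.51.100.10", "203.0.113.9"):
        print(host, sender_hygiene(host, "corp.example") or "ok")
```

Note that 198.51.100.10 passes SPF through the include but has no PTR at all in the constructed data, which is exactly the "technically authorized but looks like a throwaway host" shape that small mail servers tend to have; fix both, not just the one that the blacklist checker happens to flag.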
The Cidr Report
This report has been generated at Fri Feb 13 21:14:25 2015 AEST. The report analyses the BGP Routing Table of AS2.0 router and generates a report on aggregation potential within the table. Check http://www.cidr-report.org/2.0 for a current version of this report.

Recent Table History
Date       Prefixes   CIDR Agg
06-02-15   537226     294411
07-02-15   536997     294672
08-02-15   537472     294846
09-02-15   537682     295006
10-02-15   537711     296080
11-02-15   537678     295979
12-02-15   537820     294638
13-02-15   538035     294858

AS Summary
     49655  Number of ASes in routing system
     19863  Number of ASes announcing only one prefix
      3098  Largest number of prefixes announced by an AS
            AS10620: Telmex Colombia S.A.,CO
 120442368  Largest address span announced by an AS (/32s)
            AS4134 : CHINANET-BACKBONE No.31,Jin-rong Street,CN

Aggregation Summary
The algorithm used in this report proposes aggregation only when there is a precise match using the AS path, so as to preserve traffic transit policies. Aggregation is also proposed across non-advertised address space ('holes').

--- 13Feb15 ---
ASnum     NetsNow  NetsAggr  NetGain  % Gain  Description
Table     538481   294885    243596   45.2%   All ASes
AS6389    2890     69        2821     97.6%   BELLSOUTH-NET-BLK - BellSouth.net Inc.,US
AS22773   2985     172       2813     94.2%   ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc.,US
AS17974   2824     77        2747     97.3%   TELKOMNET-AS2-AP PT Telekomunikasi Indonesia,ID
AS39891   2473     14        2459     99.4%   ALJAWWALSTC-AS Saudi Telecom Company JSC,SA
AS28573   2330     313       2017     86.6%   NET Serviços de Comunicação S.A.,BR
AS4755    1971     245       1726     87.6%   TATACOMM-AS TATA Communications formerly VSNL is Leading ISP,IN
AS4766    2872     1316      1556     54.2%   KIXS-AS-KR Korea Telecom,KR
AS7303    1788     279       1509     84.4%   Telecom Argentina S.A.,AR
AS9808    1535     56        1479     96.4%   CMNET-GD Guangdong Mobile Communication Co.Ltd.,CN
AS10620   3098     1646      1452     46.9%   Telmex Colombia S.A.,CO
AS6147    1587     154       1433     90.3%   Telefonica del Peru S.A.A.,PE
AS7545    2586     1220      1366     52.8%   TPG-INTERNET-AP TPG Telecom Limited,AU
AS20115   1849     517       1332     72.0%   CHARTER-NET-HKY-NC - Charter Communications,US
AS8402    1342     25        1317     98.1%   CORBINA-AS OJSC Vimpelcom,RU
AS4323    1628     408       1220     74.9%   TWTC - tw telecom holdings, inc.,US
AS9498    1300     111       1189     91.5%   BBIL-AP BHARTI Airtel Ltd.,IN
AS18566   2041     869       1172     57.4%   MEGAPATH5-US - MegaPath Corporation,US
AS7552    1146     57        1089     95.0%   VIETEL-AS-AP Viettel Corporation,VN
AS22561   1333     252       1081     81.1%   AS22561 - CenturyTel Internet Holdings, Inc.,US
AS34984   1965     891       1074     54.7%   TELLCOM-AS TELLCOM ILETISIM HIZMETLERI A.S.,TR
AS3356    2571     1503      1068     41.5%   LEVEL3 - Level 3 Communications, Inc.,US
AS6983    1622     565       1057     65.2%   ITCDELTA - Earthlink, Inc.,US
AS6849    1195     210       985      82.4%   UKRTELNET JSC UKRTELECOM,UA
AS7738    1000     84        916      91.6%   Telemar Norte Leste S.A.,BR
AS38285   983      133       850      86.5%   M2TELECOMMUNICATIONS-AU M2 Telecommunications Group Ltd,AU
AS18881   863      30        833      96.5%   Global Village Telecom,BR
AS4538    1776     957       819      46.1%   ERX-CERNET-BKB China Education and Research Network Center,CN
AS8151    1551     740       811      52.3%   Uninet S.A. de C.V.,MX
AS26615   921      137       784      85.1%   Tim Celular S.A.,BR
AS4780    1082     302       780      72.1%   SEEDNET Digital United Inc.,TW
Total     55107    13352     41755    75.8%   Top 30 total

Possible Bogus Routes
5.100.241.0/24   AS19957   -Reserved AS-,ZZ
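For readers wondering how the NetsNow / NetsAggr / NetGain columns come about, here is an added example of the aggregation rule the report describes: merge only prefixes that share the same AS path, and allow an aggregate to span unadvertised holes. This is illustration code written for this page, not the cidr-report's own implementation. The routing snapshot is constructed with private-use ASNs, and the cap on how much of an aggregate may be hole (MAX_HOLE) is this example's own choice, not a rule the report states.

```python
import ipaddress

# Constructed IPv4 routing snapshot: (prefix, AS path as a tuple). Private-use ASNs.
P1 = (64496, 64500)
P2 = (64497, 64501)
ROUTES = [
    ("192.0.2.0/25",     P1),
    ("192.0.2.128/25",   P1),   # adjacent to the one above, same path  -> one /24
    ("198.51.100.0/24",  P1),
    ("198.51.102.0/24",  P1),   # 198.51.101.0/24 is unadvertised (a hole) -> one /22
    ("203.0.112.0/24",   P1),
    ("203.0.114.0/24",   P1),   # the /22 covering these would swallow P2's route below
    ("203.0.113.0/24",   P2),   # different path: must stay a separate route
]

MAX_HOLE = 0.5   # this example's limit: at most half of an aggregate may be unadvertised


def covering_supernet(a, b):
    """Smallest network that contains both a and b."""
    plen = min(a.prefixlen, b.prefixlen)
    while not b.subnet_of(a.supernet(new_prefix=plen)):
        plen -= 1
    return a.supernet(new_prefix=plen)


def aggregate(routes, max_hole=MAX_HOLE):
    """Proposed prefix list per AS path; transit policy is preserved because
    routes with different paths are never combined."""
    by_path = {}
    for prefix, path in routes:
        by_path.setdefault(path, []).append(ipaddress.ip_network(prefix))
    proposal = {}
    for path, nets in by_path.items():
        others = [n for p, ns in by_path.items() if p != path for n in ns]
        nets = sorted(set(nets))
        merged = True
        while merged:                       # repeat until no neighbouring pair merges
            merged = False
            for i in range(len(nets) - 1):
                a, b = nets[i], nets[i + 1]
                s = covering_supernet(a, b)
                hole = 1 - (a.num_addresses + b.num_addresses) / s.num_addresses
                # An aggregate may not cover, or sit inside, a route with another path.
                clash = any(o.subnet_of(s) or s.subnet_of(o) for o in others)
                if hole <= max_hole and not clash:
                    nets[i:i + 2] = [s]
                    merged = True
                    break
        proposal[path] = [str(n) for n in nets]
    return proposal


def net_gain(routes):
    """NetsNow, NetsAggr, NetGain and % Gain, as in the report's columns."""
    now = len(routes)
    aggr = sum(len(v) for v in aggregate(routes).values())
    return now, aggr, now - aggr, round(100 * (now - aggr) / now, 1)


if __name__ == "__main__":
    for path, nets in aggregate(ROUTES).items():
        print(path, nets)
    print("NetsNow NetsAggr NetGain %Gain:", net_gain(ROUTES))
```

The 203.0.112.0/24 and 203.0.114.0/24 pair is the case to look at: the hole between them is the same size as in the 198.51.100.0/22 case, but it is occupied by a route carrying a different AS path, so proposing the /22 would change who transits that /24, and the algorithm leaves both routes alone.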
Accessing YouTube Video from a single /24
NANOG Request for a Google / Youtube network eng. to contact me off list to help troubleshooting. Thanks, --- Cory Haessler | CNI | Network Operations Center Manager | 888-618-4638 www.cniteam.com; www.ifnetwork.biz 13888 County Rd. 25A | Wapakoneta, Ohio 45895 ---
Re: Intrusion Detection recommendations
On Fri, 13 Feb 2015, Rafael Possamai wrote: What is the alternative then... Does he have the time to become a BSD guru and master ipfw and pf? Probably not feasible with all other job duties, unless he locks himself in his mom's basement for the next 5 years. The alternative is to understand what his network does, what it was designed to do, and what he needs it to do. The end solution (IPS, IDS, ASA, whatever you want to throw in) should be just that, an END solution once he has taken the time to assess risk. This is a concept many miss. As for testing ... So you own a house, you hire an assessor to analyze your property, write a report for you on your vulnerabilities. You have 12 windows. OMFG Someone can break one of those windows and steal your family jewels! Vendor gets paid and leaves you with a headache. 12 windows? So what... Behind those windows is a rabid pitbull I never feed. Wanna take a chance to break in? Pentest... So you own a house, same windows, now you're paying someone to get in. Let me tell you how pentesting fails. Pentesting fails because most companies get all bent out of shape based on Internet history of systems, and applications crashing from a simple network scan. Ask your next pentesting client (if this pentesting is your primary function) to allow you to perform a no-holds-barred pentest including social engineering. You'll get the deer-in-headlights look. I discussed this recently with a client who wanted to be snarky: Oh you'll never get in my systems and I decided to inform him about reality... Reality: Hardcore attackers are NOT charging down the castle road with a log trying to break down the castle wall. They're sending client side attacks (phishing emails, waterhole attacks). It's more cost effective for an attacker to do this versus trying to defeat the router, the switching with all its VLAN glory (that gets VLAN hopped), the L7 firewalls, the load balancers, the IPS, and then the IPS. 
It's useless, noisy, and just not cost effective when you think about it. IPS, IDS does little because they're RARELY applied in a proper fashion. As for tinkering, geekiness. If you can't at least wrap your head around the concept, then I don't know why you'd want to be on this list. Further, IPS/IDS is better suited to be inverted (Extrusion Detection) as you WILL NEVER (CAN NEVER) stop someone from knocking on your door. So you block every APNIC block thinking Phew I just blocked 100% of APTs until you get whacked from a hosting company in the US. What have you accomplished? On the EXTRUSION side of the equation, knowing your network, and how it works makes more sense. Your focus gets shifted to the following logic: (rule) SHOW ME ANYTHING LEAVING MY NETWORK THAT IS OVER 1MB ON A SUNDAY MORNING 2AM ... This anomaly means a hell of a lot more than watching all of the internet trash that will hit your door (egress ifaces) -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM Where ignorance is our master, there is no possibility of real peace - Dalai Lama 0B23 595C F07C 6092 8AEB 074B FC83 7AF5 9D8A 4463 https://pgp.mit.edu/pks/lookup?op=getsearch=0xFC837AF59D8A4463
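The extrusion rule in the post above ("anything leaving my network over 1 MB at 2 AM on a Sunday") is concrete enough to run, so here it is as an added example written for this page rather than taken from the poster. It applies the rule two ways over a handful of constructed NetFlow-style records: literally, per flow, and aggregated per source host, which is what catches a transfer deliberately chopped into sub-threshold pieces. The internal ranges, hosts, timestamps and byte counts are all invented, and the quiet window is assumed to be 00:00 to 05:59 local time on a weekend.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Address space we treat as "inside" (constructed for the example).
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]

# Constructed flow records, one per line: "<ISO time> <src> <dst> <bytes>".
# 2015-02-15 is a Sunday; 2015-02-13 is a Friday.
FLOWS = """\
2015-02-15T02:11:07 10.0.5.23 203.0.113.77 4823119
2015-02-15T02:13:40 10.0.5.23 10.0.1.8 9000000
2015-02-13T14:02:10 10.0.7.9 198.51.100.4 7200000
2015-02-15T02:30:01 203.0.113.5 10.0.0.80 5000000
2015-02-15T03:05:55 10.0.7.9 198.51.100.4 600000
2015-02-15T03:25:12 10.0.7.9 198.51.100.4 650000
2015-02-15T03:40:00 192.0.2.40 198.51.100.200 20000
"""

QUIET_HOURS = range(0, 6)   # 00:00-05:59 local; the example's assumption
MEGABYTE = 1_000_000


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse_flows(text):
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(nbytes)


def quiet_weekend_outbound(text):
    """Flows that leave the network during the quiet window on a weekend."""
    out = []
    for t, src, dst, nbytes in parse_flows(text):
        if not is_internal(src) or is_internal(dst):
            continue                         # inbound or internal-only traffic
        if t.hour not in QUIET_HOURS or t.weekday() < 5:
            continue                         # business hours or a weekday
        out.append((t, src, dst, nbytes))
    return out


def big_flows(text, threshold=MEGABYTE):
    """The literal rule: any single outbound flow over the threshold."""
    return [(src, dst, n) for _, src, dst, n in quiet_weekend_outbound(text) if n > threshold]


def big_sources(text, threshold=MEGABYTE):
    """The same rule per source host, so a transfer split into many small
    flows (each under the threshold) still shows up."""
    totals = defaultdict(int)
    for _, src, _, n in quiet_weekend_outbound(text):
        totals[src] += n
    return {src: n for src, n in sorted(totals.items()) if n > threshold}


if __name__ == "__main__":
    print("large single flows:", big_flows(FLOWS))
    print("hosts over threshold:", big_sources(FLOWS))
```

In the constructed data 10.0.7.9 never sends a flow over 1 MB, yet it moves 1.25 MB out in twenty minutes; only the per-host view sees it. The big inbound flow and the Friday-afternoon transfer are ignored by both views, which is the point of the rule: it is the direction and the time, not the volume alone, that make the event interesting.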
Re: Intrusion Detection recommendations
tl;dr dc -mel On Feb 13, 2015, at 1:13 PM, J. Oquendo joque...@e-fensive.net wrote: On Fri, 13 Feb 2015, Mel Beckman wrote: JO, IDS to meet PCI or HIPAA requirements is regulatory grade. It meets specific notification and logging requirements. SNORT-based systems fall into this category. <ramble> tl;dr (even I don't read what I write) You failed to see the snark in the military grade crypto comment. This thought process is what causes many organizations to fail repeatedly. Relying on what the herd says. PCI, HIPAA, FINRA, FISMA, and all of the other regulatory guidelines, standards, baselines, and mandates spew from the manufacturing industry's ISO (BS pick your poisonous acronym). Call it SADHD (or Security ADHD) but I don't get why everyone keeps running around like dogs chasing their tails. Let's look at HIPAA where everyone is scrambling to replace Windows based on the word of the herd. Here is the rule: Unsupported and unpatched environments are vulnerable to security risks. This may result in an officially recognized control failure by an internal or external audit body, leading to suspension of certifications, and/or public notification of the organization's inability to maintain its systems and customer information Do you chuck Windows XP? It'd be easier to in theory but not in practice, however NO ONE EVER SAID: thou shall chuck XP (http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2014.html) The Security Rule was written to allow flexibility for covered entities to implement security measures that best fit their organizational needs. The Security Rule does not specify minimum requirements for personal computer operating systems Organizations keep relying on half-decent guidelines for remedies to their problems. By you thinking that you are going to plop in any regulatory grade *anything* and find security, you are doing not only yourself a huge disservice, but also to your clients. 
These pieces of technology (IPS, IDS, FWs, HIPS, NIPS, etc) are only capable of doing what you tell them to. Neither the Payment Card Industry, NIST, or even the President of your country (or Premier, or whatever else) should be telling you how to secure your organization. YOU need to know the ins and outs, take the proper steps and THEN use these technologies when you're done with your risk assessments. If you're relying solely on what others tell you is regulatory-grade or military-grade or any other kind of grade, you're bound to be right up there with Target, Anthem, Citi, JP Morgan Chase, <snip>a wikipedia-length list of compromised companies</snip>. When doing pentesting work, I fill up IPS and IDS with so many false positives, the analysts are FORCED to ignore the results while I shimmy my shiny right on by. I know based on experience what someone is going to do when they see a kabillion alerts light up their dashboard. http://seclists.org/incidents/2000/Aug/277 The approach: Let me cater to what they say I should do versus: Let me figure out what my organization does, needs to do, and how to get to the proper point is mind boggling. I wish there were a statistical database of compromised companies, and the tools they used, frameworks they followed, and regulatory nonsense they needed to comply with was listed. Most of these regulatory mandates are based off of half-baked models that are partially good when followed thoroughly. However, they are ONLY partially good when an organization goes beyond the normal banter: thou shall apply this - Does not mean: plop in an IPS and call it a day. For the most part though, this practice of half-baked security will continue, vendors will make bucketloads of money, consumers of IPS/IDS devices will still complain how much the product sucks, and I as a pentester... I stay happy as it keeps me steadily enjoying Five Guys' burgers </ramble> -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. 
Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM Where ignorance is our master, there is no possibility of real peace - Dalai Lama 0B23 595C F07C 6092 8AEB 074B FC83 7AF5 9D8A 4463 https://pgp.mit.edu/pks/lookup?op=getsearch=0xFC837AF59D8A4463
GTT NOC
Hi all, Does anyone know of a direct phone number for someone with some authority at GTT? Our prefix has been hijacked by a customer of theirs and we haven't received any kind of response to our email and the guys on the phone seem to not speak very good English. Any ideas? Ammar.
Re: GTT NOC
Hi Ammar, Sorry to hear this has happened. I do not have any contact info, but have you tried announcing more specific prefixes to override the hijacker? Jason On Feb 13, 2015, at 20:10, Ammar Zuberi am...@fastreturn.net wrote: Hi all, Does anyone know of a direct phone number for someone with some authority at GTT? Our prefix has been hijacked by a customer of theirs and we haven't received any kind of response to our email and the guys on the phone seem to not speak very good English. Any ideas? Ammar.
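An added illustration of the situation above and of Jason's more-specific suggestion (example code written for this page, not from either poster): check a looking-glass snapshot against the prefixes we originate, then work out which more-specifics would win longest-match over a hijacked route. Prefixes, ASNs and AS paths are constructed from documentation and private-use ranges and stand in for the real ones; the check runs offline against that inline snapshot.

```python
import ipaddress

# What we legitimately originate (constructed; private-use ASNs per RFC 6996).
OUR_ORIGIN = 64500
OUR_PREFIXES = ["203.0.113.0/24", "198.51.100.0/22"]

# Constructed looking-glass snapshot: (prefix, AS path from the viewpoint to the origin).
OBSERVED = [
    ("203.0.113.0/24",  [64496, 64500]),          # ours, correct origin
    ("198.51.100.0/22", [64496, 64500]),          # ours, correct origin
    ("198.51.100.0/23", [64497, 64498, 64499]),   # more-specific of ours, foreign origin
    ("203.0.113.0/24",  [64497, 64511]),          # same prefix as ours, foreign origin
    ("192.0.2.0/24",    [64496, 64510]),          # somebody else's, irrelevant
]


def find_hijacks(our_prefixes, our_origin, observed):
    """Every observed route inside one of our prefixes whose origin AS is not ours."""
    ours = [ipaddress.ip_network(p) for p in our_prefixes]
    hits = []
    for prefix, path in observed:
        net, origin = ipaddress.ip_network(prefix), path[-1]
        for mine in ours:
            if net.subnet_of(mine) and origin != our_origin:
                hits.append({
                    "prefix": prefix,
                    "origin": origin,
                    "kind": "exact" if net == mine else "more-specific",
                    "covers": str(mine),
                })
    return hits


def counter_announcements(hijacked_prefix, longest_accepted=24):
    """More-specifics that beat the hijacked route on longest match.

    Most networks drop IPv4 routes longer than /24, so once the hijacker is
    already at /24 there is nothing more specific left to announce and the
    fix has to come from the upstream filtering its customer.
    """
    net = ipaddress.ip_network(hijacked_prefix)
    if net.prefixlen >= longest_accepted:
        return []
    return [str(s) for s in net.subnets(new_prefix=net.prefixlen + 1)]


if __name__ == "__main__":
    for h in find_hijacks(OUR_PREFIXES, OUR_ORIGIN, OBSERVED):
        print(h, "->", counter_announcements(h["prefix"]) or "cannot out-specify")
```

The two hits show the limit of the workaround: the /23 can be out-announced with two /24s, but the hijack of the /24 itself cannot, because nothing longer will propagate. That case needs the upstream to act, which is why a working escalation path at the transit provider (and an RPKI ROA so their customers' announcements can be rejected automatically) matters more than the trick.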
RE: Intrusion Detection recommendations
Hello Andy, I believe you are very well set up the way you are in technology. I see you are surrounded by BSD systems everywhere, on servers, mobile and desktop. And I suggest you keep running FreeBSD for this new security requirement you have. We run FreeBSD as IDS/IPS system on several sites, and pfSense on a couple others. From my experience, we started using Snort, the common path people usually follow, but under certain circumstances, the drop ratio (unprocessed packets) started to rise a lot, and we looked for options. Tried Bro and Suricata and with some help from one of our server suppliers we decided to give Suricata a tuning and special try, and it became our primary option for IDS. Therefore I strongly suggest you start researching around Bro vs Snort vs Suricata and try to reach your conclusions from your own findings. But if you ask me for a suggestion, as a long time user of Snort, I deprecated it in favor of Suricata. So my primary suggestion is Suricata + FreeBSD as IDP. Suricata is a very serious project with very good software provided. We run ServerU networking servers, and they are the vendor who supported us. Usually they offer their own software solution called ProApps, it's a system made on top of FreeBSD which you have full root access etc, a plain old good FreeBSD system, but with nice auto update features and a helpful web GUI which allows me to delegate IDS operations to different levels of staff operators on my team. They allow using their ProApps solution on ServerU hardware, so if you intend to add new hardware to your project, it might be worth a try. I find the tool very powerful and very complete. On the pfSense side you have a third party package made by community members, it also has a nice GUI, good deployment practices, but is Snort based. At one special location we needed even more performance for packet capturing, and we added Suricata running in Netmap mode, and it raised performance three times on the same box. 
So if you are looking for something easy, ready and supported, go for ServerU+ProApps. If you are looking for plain good open source arranged the way you want to, you can have just the same with FreeBSD + Suricata + friends. Should you want to do everything by yourself, FreeBSD + Suricata + Barnyard2 + Sguil + Snortsam is my suggested path to go, with Richard Bejtlich's books in your hand for good analysis learning and IDS best common operation practices. And maybe I can be of any help, private mail me if you want to. Regards, From: a...@newslink.com Subject: Intrusion Detection recommendations Date: Fri, 13 Feb 2015 11:40:06 -0600 To: nanog@nanog.org NANOG'ers, I've been tasked by our company president to learn about, investigate and recommend an intrusion detection system for our company. We're a smaller outfit, less than 100 employees, entirely Apple-based. Macs, iPhones, some Mac Mini servers, etc., and a fiber connection to the world. We are protected by a FreeBSD firewall setup, and we stay current on updates/patches from Apple and FreeBSD, but that's as far as my expertise goes. Initially, what do people recommend for: 1. Crash course in intrusion detection as a whole 2. Suggestions or recommendations for intrusion detection hardware or software 3. Other things I'm likely overlooking Thank you all in advance for your wisdom. Andy Ringsmuth a...@newslink.com News Link – Manager Technology Facilities 2201 Winthrop Rd., Lincoln, NE 68502-4158 (402) 475-6397(402) 304-0083 cellular
Re: Intrusion Detection recommendations
Of course it is. You say that like faith is a bad thing. The illogic of claiming to have no faith in anything is this: it's impractical to assume the role of quality assurance for everything in your life. The question is: is your faith reasonable? Ever use an elevator? Faith. Drive a car? Faith. Drive through a green light? Faith. Faith. Faith. Show me a man who has no faith, and I'll show you a man who is paralyzed. (Not a sexist statement; women seem to have few problems with Faith). -mel On Feb 13, 2015, at 1:27 PM, Rich Kulawiec r...@gsp.org wrote: On Fri, Feb 13, 2015 at 02:45:46PM -0600, Rafael Possamai wrote: I am a huge fan of FreeBSD, but for a medium/large business I'd definitely use a fairly well tested security appliance like Cisco's ASA. Closed-source software is faith-based security. ---rsk
Re: Intrusion Detection recommendations
On Fri, Feb 13, 2015 at 11:40 AM, Andy Ringsmuth a...@newslink.com wrote: NANOG'ers, I've been tasked by our company president to learn about, investigate and recommend an intrusion detection system for our company. An important thing to realize is that an Intrusion Detection System is not a product you can buy. And if your org. is 100 people, you should probably think about engaging some professional security services firms to help, starting with a basic Info. security and physical security audit from an independent third party. An intrusion detection system consists of an infrastructure stack containing vigilant dedicated human beings, devices, various software for instrumenting the network in different ways and analyzing collected data, documentation, business, and security processes within the organization. Without enough of all those pieces, there are plenty of off-the-shelf IPS offerings, BUT using one could very well instill a false sense of security, because you have no idea if the product is actually doing a good job at what it is supposed to do, and not just presenting a perception of security mostly by tackling just whatever bugs or malware is appearing in the news headlines of the day. Also, there is the matter of being equipped with suitable analysis and response plans to be prepared for the time that the IDS alarm actually goes off, and to be able to determine if it's actually legitimately a false alarm, something meriting investigation, or if it represents an emergency. We're a smaller outfit, less than 100 employees, entirely Apple-based. Macs, iPhones, some Mac Mini servers, etc. [snip] -- -JH
RE: Intrusion Detection recommendations
German Shepherd Dogs are wonderful intrusion detection devices. In a lot of cases they also serve as excellent intrusion prevention devices as well. (Must be Friday night) :-)

--- Theory is when you know everything but nothing works. Practice is when everything works but no one knows why. Sometimes theory and practice are combined: nothing works and no one knows why.

-Original Message- From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Andy Ringsmuth Sent: Friday, 13 February, 2015 10:40 To: NANOG Subject: Intrusion Detection recommendations

NANOG'ers, I've been tasked by our company president to learn about, investigate and recommend an intrusion detection system for our company. We're a smaller outfit, less than 100 employees, entirely Apple-based. Macs, iPhones, some Mac Mini servers, etc., and a fiber connection to the world. We are protected by a FreeBSD firewall setup, and we stay current on updates/patches from Apple and FreeBSD, but that's as far as my expertise goes. Initially, what do people recommend for:

1. Crash course in intrusion detection as a whole
2. Suggestions or recommendations for intrusion detection hardware or software
3. Other things I'm likely overlooking

Thank you all in advance for your wisdom. Andy Ringsmuth a...@newslink.com News Link – Manager Technology Facilities 2201 Winthrop Rd., Lincoln, NE 68502-4158 (402) 475-6397 (402) 304-0083 cellular
RE: [OT] Re: Intellectual Property in Network Design
William, I beg to differ though this is getting slightly off topic. Art = something different, unexpected, not quite in your ordinary experience yet related to your ordinary experience. Art is connected to what we experience every day but it represents some kind of transformation of the everyday. Something that is not actually entirely real, it can’t be found by locating it. It requires human intervention, it’s the fingerprint if you will, of our existence in the world that has its impact on things that we transform through the use of imagination. How can architecture being an interaction of time, process, flow, people and things be art? The answer is elegance. It inspires people to see things in a new way and the interaction with people is the clearest point where architecture becomes an art. Properly architected networks not only need to work well now, they must also provide a foundation for business and transform business, provide boundaries for information and people, and yet enable collaboration. We are entering an age of agile service creation with virtualized IT infrastructure, breaking down old constraints in many domains, including the delivery of services. No need to dwell further into this era of SDN and NFV. To achieve all this, network designs must go beyond mechanical algorithms, and even beyond the uncertain empirical, into the world of abstract concept, mathematical theory, and raw power. Network architecture is not just about configuring routers, switches, firewalls or load balancers. One must think beyond that. How does technology drive the business? What is the perception of the network within the organization? What is the perception of the technology stance beyond the organization? If competitors see your network design, will they wonder why they didn’t think of it, or just wonder why it works at all? If a potential partner sees your network design, will they see the future or the past?
All these things contribute art to the world of network architecture. Here is a question for you: when you observe a beautifully architected building, what do you see? (Link to some examples) http://www.azuremagazine.com/article/2014-top-10-architecture-projects/ Is it all about noticing the details, making observations about textures, lines, materials, shapes, proportions, light and shadow? Or do we agree that architects don't only deal with buildings - they think of people, places, materials, philosophy and history, and only then consider the actual building? Ahad

-Original Message- From: William Waites [mailto:wwai...@tardis.ed.ac.uk] Sent: Friday, 13 February 2015 8:55 PM To: a...@telcoinabox.com Cc: ske...@eintellegonetworks.com; o...@delong.com; b...@herrin.us; nanog@nanog.org Subject: [OT] Re: Intellectual Property in Network Design On Fri, 13 Feb 2015 11:43:14 +1100, Ahad Aboss a...@telcoinabox.com said: In a sense, you are an artist as network architecture is an art in itself. It involves interaction with time, processes, people and things or an intersection between all. This Friday's off-topic post for NANOG: Doing art is creative practice directed to uncover something new and not pre-conceived. Successful acts of art produce something that not only wasn't there before but that nobody thought could be there. The art is the change in thinking that results. Whatever else is left over is residue. An engineer or architect in the usual setting, no matter how skilled, is not doing art because the whole activity is pre-conceived. Even a clean and elegant design is not usually intended to show beautiful connections between ideas the same way poetry or mathematics might. Hiring an engineer for this purpose almost never happens in industry. Rather the purpose is to make a thing that does what it is intended to do. It is craft, or second-order residue. Useful, possibly difficult, but not art.
Some people want to claim ownership of a recipe for predictably creating residue of a certain kind. An artist knows that this is not good for doing art because nothing new can come from it. If they are committed to their practice, they will not seek to prevent others from using an old recipe. Why would they? They have already moved on. Some older thoughts on the topic: http://archive.groovy.net/syntac/
Re: GTT NOC
Ammar, Feel free to contact me off-list, and I'd be happy to take a look into this issue for you. Thanks!

On 2/13/2015 8:10 PM, Ammar Zuberi wrote: Hi all, Does anyone know of a direct phone number for someone with some authority at GTT? Our prefix has been hijacked by a customer of theirs and we haven’t received any kind of response to our email and the guys on the phone seem to not speak very good English. Any ideas? Ammar.