Re: Jenkins amplification
On Tue, Feb 4, 2020 at 11:15 AM Mike Meredith wrote: > > On Mon, 3 Feb 2020 16:13:34 -0500, Christopher Morrow > may have written: > > My experience, and granted it's fairly scoped, is that this sort of thing > > works fine for a relatively small set of 'persons' and 'resources'. > > Seeing as managing this sort of thing is my primary job these days ... :) > > it ends up being about the cross-product of #users * #resources. > > That's the interesting part of the job - coalescing rules in a way that > minimises the security impact but maximises the decrease of complexity. If > you don't, you get an explosion of complexity that results in a set of > rules (I know of an equivalent organisation that has over 1,000 firewall > rules) that becomes insanely complex to manage. > I think the fact that it's hard to keep all of this going and to contain the natural spread of destruction (that it takes someone with a pretty singular foc us) makes my point. > > certainly a more holistic version of the story is correct. > > the relatively flippant answer way-back-up-list of: "vpn" > > I think that "vpn" is the right answer - it's preferrable to publishing > services to the entire world that only need to be used by empoyees. But > it's not cheap or easy. Weighing the cost/benefit is certainly each org's decision. having lived without vpn for a long while and under the regime of authen/author for users with proper token/etc access... I'd not want my internal network opened to the wilds of vpn users :( (I actively discourage this at work because there are vanishingly small reasons why a full network connection is really required by a user at this point). anyway, good luck!
Help with survey on enterprise network challenges?
Hi, My name is Joseph Severini, and I am a PhD student in the Computer Science Department at Carnegie Mellon University. I’m working on a research project to identify common operational challenges in modern enterprise computer networks. I’ve put together a survey to identify these challenges by analyzing some operational problems found in the Network Engineering Stack Exchange open-source dataset. You’ll be given a problem from the dataset and asked some questions about it. I would appreciate it if you would consider taking this survey, which can be found at the link below: http://cmu.ca1.qualtrics.com/jfe/form/SV_dm6i9znuPWlLDN3 The survey should take ~15 minutes. Participation is voluntary, with no compensation, and all responses are anonymous. You must be at least 18 years old to complete the survey. Thanks, Joseph Severini PhD Student CMU Computer Science Department
WTR: 1-2RU @ Equinix Ashburn
Hi, I’m wondering if anyone is looking to subsidize their Equinix Ashburn colo costs by way of carving out 1-2 RU to a friendly for a low density networking application. If so, I’d love to hear from you! Thanks in advance!
Re: EVPN multicast route (multi home case ) implementation / deployment information
Hi Mankamana, For Juniper: Starting in Junos OS 18.4R1, devices with IGMP snooping enabled use selective multicast forwarding in a centrally routed EVPN-VXLAN network to replicate and forward multicast traffic. As before, IGMP snooping allows the leaf device to send multicast traffic only to the access interface with an interested receiver. But now, when IGMP snooping is enabled, the leaf device selectively sends multicast traffic to only the leaf devices in the core that have expressed an interest in that multicast group. In selective multicast forwarding, leaf devices always send multicast traffic to the spine device so that it can route inter-VLAN multicast traffic through its IRB interface. https://www.juniper.net/documentation/en_US/junos/topics/concept/evpn-selective-multicast-forwarding.html Kind regards, Andrey Mankamana Mishra (mankamis) via NANOG писал 2020-02-03 18:34: Folks Wondering if there is any known implementation of EVPN multihome multicast routes which are defined in https://tools.ietf.org/html/draft-ietf-bess-evpn-igmp-mld-proxy-04 there is some change planned in NLRI , we want to make sure to have solution which does work well with existing implementation. NOTE: Discussion INVOLVES NOKIA, JUNIPER, CISCO, ARISTA ALREADY. SO LOOKING FOR ANY OTHER VENDOR WHO HAVE IMPLEMENTATION. Mankamana
Re: Jenkins amplification
On Mon, 3 Feb 2020 16:13:34 -0500, Christopher Morrow may have written: > My experience, and granted it's fairly scoped, is that this sort of thing > works fine for a relatively small set of 'persons' and 'resources'. Seeing as managing this sort of thing is my primary job these days ... > it ends up being about the cross-product of #users * #resources. That's the interesting part of the job - coalescing rules in a way that minimises the security impact but maximises the decrease of complexity. If you don't, you get an explosion of complexity that results in a set of rules (I know of an equivalent organisation that has over 1,000 firewall rules) that becomes insanely complex to manage. > certainly a more holistic version of the story is correct. > the relatively flippant answer way-back-up-list of: "vpn" I think that "vpn" is the right answer - it's preferrable to publishing services to the entire world that only need to be used by empoyees. But it's not cheap or easy. -- Mike Meredith, University of Portsmouth Hostmaster, Security, and Chief Systems Engineer pgp9x9K3M8fTy.pgp Description: OpenPGP digital signature
Re: Jenkins amplification
On Mon, 3 Feb 2020 10:55:35 -0800 (PST) Sabri Berisha wrote: > - On Feb 3, 2020, at 10:35 AM, Christopher Morrow > morrowc.li...@gmail.com wrote: > > > On Mon, Feb 3, 2020 at 1:26 PM William Herrin > > wrote: > > >> VPN. > > > > I love it when my home network gets full access to the corporate > > network! > > Most places I've worked at issue company controlled laptops with > company controlled VPN software which will disable all local access > and even disconnect if you dare to manually change the routing table > to access the printer in your home office. > > In fact, a too tightly controlled VPN contributed to a 7 figure loss > during an outage at a company which name shall not be mentioned. > > Your home network should have no access to the corp network. Your > company issued laptop should. > > Thanks, > > Sabri That's how our company operates. I went a step further and put all company issued equipment on it's own vlan at home.
RE: Recommended DDoS mitigation appliance?
> This sounds like a different model to me. Kentik I think averages out around > $500 per 10G per month I was talking about Imperva
Re: Recommended DDoS mitigation appliance?
Phil, This sounds like a different model to me. Kentik I think averages out around $500 per 10G per month. Kentik doesn't do any scrubbing however. Does anyone have guide to DDoS services? Seems like there is a wide array of pricing and technology options. On Tue, Feb 4, 2020 at 7:50 AM Phil Lavin wrote: > > So is Imperva similar to how Kentik operates? What was it priced liked? > > It is a nice model as you don't need additional hardware or virtual > appliances on-prem, which cuts down on the CAPEX cost. Like everyone else, > they price the scrubbing based on your clean traffic levels. Price I have > is circa $73,000 a year for 250mbit clean traffic and circa $94,000 a year > for 500mbit clean traffic. Reasonably good value if you get attacked a lot > - a very expensive insurance policy if not. Yearly pricing is broadly on > par with Radware, Arbor and A10 (Verisign). >
Re: Recommended DDoS mitigation appliance?
Hopefully you would be sending those flows out a different circuit than the one that’s going to get swamped with a DDoS otherwise... it might just take a while to mitigate that ;-) depending on the type obviously. -- J. Hellenthal The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume. > On Feb 3, 2020, at 11:01, Javier Juan wrote: > > > Hi ! > > I was looking around (a couple years ago) for mitigation appliances (Riorey, > Arbor, F5 and so on) but the best and almost affordable solution I found > was Incapsula/Imperva. > https://docs.imperva.com/bundle/cloud-application-security/page/introducing/network-ddos-monitoring.htm > > > Basically, You send your flows to Imperva on cloud for analysis. As soon as > they find DDoS attack , they activate mitigation. It´s some kind of > elegant-hybrid solution without on-premise appliances . Just check it out :) > > Regards, > > JJ > > > >> On Sun, Nov 17, 2019 at 11:20 PM Rabbi Rob Thomas wrote: >> -BEGIN PGP SIGNED MESSAGE- >> Hash: SHA256 >> >> >> Hello, NANOG! >> >> I'm in the midst of rebuilding/upgrading our backbone and peering - >> sessions cheerfully accepted :) - and am curious what folks recommend >> in the DDoS mitigation appliance realm? Ideally it would be capable >> of 10Gbps and circa 14Mpps rate of mitigation. If you have a >> recommendation, I'd love to hear it and the reasons for it. If you >> have an alternative to an appliance that has worked well for you >> (we're a mix of Cisco and Juniper), I'm all ears. >> >> Private responses are fine, and I'm happy to summarize back to the >> list if there is interest. >> >> Thank you! >> Rob. >> - -- >> Rabbi Rob Thomas Team Cymru >>"It is easy to believe in freedom of speech for those with whom we >> agree." - Leo McKern >> -BEGIN PGP SIGNATURE- >> >> iQIzBAEBCAAdFiEEDcVjavXj08cL/QwdQ+hhYvqF8o0FAl3Rx08ACgkQQ+hhYvqF >> 8o0snw/8CxTOujcodNh/huMXZaUNlMNoNRz3IoPqBiAP9BZomMz9xqlpDW/qvWBF >> xhoJ07C0O0mo5ilNjnPR308uifIBu6ylw02PshOCU06dV0afgtndxGg5AoG9npUV >> 7uCi2afWaf22dq5TwKLut8QPNNQJTRzndX88xJw9MzzoBTemxRtM7ft4H3UhJ0hv >> oKo83FCNZQt36I+GZA9GBJeXM+o0f5h0w6fhRqARzttf6brJZdXgROyIQ7jptGuZ >> N3Yrjk/8RM4XKMnYbtIwl8NS3c0nEGN3ndn+Bz7p2FE7QJrZKonk/o03dvr2kU0Y >> 7gUQliOOzV9EsptVGyLCVyDJSElvXTBaps0giEVZhdmEIDJPWvBc+93j1g7xbmti >> 27lT6+5qBmEN0oKJWxXgtw9/n1yX9vsc7tXlgYDoXGhIlszdB3baRao1tYEp8BBQ >> hTGAULRfHe94tRzvOOQUQIuhzNcK1Q4E2jU6kzBB1wJsBD4zuHk+QIJLSHBmmnka >> VNKlQ+5zP8dmSMBp6k4feqAtt3hy0Bj+34FbdQZYPutIe3VXHEjpWI3jI9vKjhtC >> g7U/9CQIjVUl2APn1IllArpUpETBlNq7dSeJNUN/4Xh+eHglUnEn/m2kFG5mizmP >> d0YvLEVe0/+WzDUz+y3KxDVP5tdJT1VM46FHIgeiB4KrWNGRPUo= >> =uuel >> -END PGP SIGNATURE- smime.p7s Description: S/MIME cryptographic signature
RE: Recommended DDoS mitigation appliance?
If you are looking for remote scrubbing, I can high recommend DDoS-Guard (ddos-guard.com), they do not have any “limits” on the size or the number of attacks, the billing is simply based on the clean bandwidth. The highest they have mitigated for us is about 40G. You can either have it in an always on mode, with all incoming traffic coming via their 4 POPs (Los Angeles, Amsterdam, Hong Kong or Almaty) or you can use something like FastNetMon or DDoS-Guard’s own application that runs on any hardware and use eBGP to route the victim /24 over DDG’s network. -- Kushal R. | Management Office: +1-8557374335 (Global) | +91-8080807931 (India) WhatsApp: +1-3104050010 (Global) | +91-9834801976 (India) host4geeks.com host4geeks.in On 4 Feb 2020, 7:22 PM +0530, Phil Lavin , wrote: > > So is Imperva similar to how Kentik operates? What was it priced liked? > > It is a nice model as you don't need additional hardware or virtual > appliances on-prem, which cuts down on the CAPEX cost. Like everyone else, > they price the scrubbing based on your clean traffic levels. Price I have is > circa $73,000 a year for 250mbit clean traffic and circa $94,000 a year for > 500mbit clean traffic. Reasonably good value if you get attacked a lot - a > very expensive insurance policy if not. Yearly pricing is broadly on par with > Radware, Arbor and A10 (Verisign).
RE: Recommended DDoS mitigation appliance?
> So is Imperva similar to how Kentik operates? What was it priced liked? It is a nice model as you don't need additional hardware or virtual appliances on-prem, which cuts down on the CAPEX cost. Like everyone else, they price the scrubbing based on your clean traffic levels. Price I have is circa $73,000 a year for 250mbit clean traffic and circa $94,000 a year for 500mbit clean traffic. Reasonably good value if you get attacked a lot - a very expensive insurance policy if not. Yearly pricing is broadly on par with Radware, Arbor and A10 (Verisign).
Re: Recommended DDoS mitigation appliance?
Javier, So is Imperva similar to how Kentik operates? What was it priced liked? I like the Kentik solution, but their per router per month pricing is too expensive even for a small network. On Mon, Feb 3, 2020 at 11:01 AM Javier Juan wrote: > Hi ! > > I was looking around (a couple years ago) for mitigation appliances > (Riorey, Arbor, F5 and so on) but the best and almost affordable > solution I found was Incapsula/Imperva. > > https://docs.imperva.com/bundle/cloud-application-security/page/introducing/network-ddos-monitoring.htm > > > Basically, You send your flows to Imperva on cloud for analysis. As soon > as they find DDoS attack , they activate mitigation. It´s some kind of > elegant-hybrid solution without on-premise appliances . Just check it out :) > > Regards, > > JJ > > > > On Sun, Nov 17, 2019 at 11:20 PM Rabbi Rob Thomas wrote: > >> -BEGIN PGP SIGNED MESSAGE- >> Hash: SHA256 >> >> >> Hello, NANOG! >> >> I'm in the midst of rebuilding/upgrading our backbone and peering - >> sessions cheerfully accepted :) - and am curious what folks recommend >> in the DDoS mitigation appliance realm? Ideally it would be capable >> of 10Gbps and circa 14Mpps rate of mitigation. If you have a >> recommendation, I'd love to hear it and the reasons for it. If you >> have an alternative to an appliance that has worked well for you >> (we're a mix of Cisco and Juniper), I'm all ears. >> >> Private responses are fine, and I'm happy to summarize back to the >> list if there is interest. >> >> Thank you! >> Rob. >> - -- >> Rabbi Rob Thomas Team Cymru >>"It is easy to believe in freedom of speech for those with whom we >> agree." - Leo McKern >> -BEGIN PGP SIGNATURE- >> >> iQIzBAEBCAAdFiEEDcVjavXj08cL/QwdQ+hhYvqF8o0FAl3Rx08ACgkQQ+hhYvqF >> 8o0snw/8CxTOujcodNh/huMXZaUNlMNoNRz3IoPqBiAP9BZomMz9xqlpDW/qvWBF >> xhoJ07C0O0mo5ilNjnPR308uifIBu6ylw02PshOCU06dV0afgtndxGg5AoG9npUV >> 7uCi2afWaf22dq5TwKLut8QPNNQJTRzndX88xJw9MzzoBTemxRtM7ft4H3UhJ0hv >> oKo83FCNZQt36I+GZA9GBJeXM+o0f5h0w6fhRqARzttf6brJZdXgROyIQ7jptGuZ >> N3Yrjk/8RM4XKMnYbtIwl8NS3c0nEGN3ndn+Bz7p2FE7QJrZKonk/o03dvr2kU0Y >> 7gUQliOOzV9EsptVGyLCVyDJSElvXTBaps0giEVZhdmEIDJPWvBc+93j1g7xbmti >> 27lT6+5qBmEN0oKJWxXgtw9/n1yX9vsc7tXlgYDoXGhIlszdB3baRao1tYEp8BBQ >> hTGAULRfHe94tRzvOOQUQIuhzNcK1Q4E2jU6kzBB1wJsBD4zuHk+QIJLSHBmmnka >> VNKlQ+5zP8dmSMBp6k4feqAtt3hy0Bj+34FbdQZYPutIe3VXHEjpWI3jI9vKjhtC >> g7U/9CQIjVUl2APn1IllArpUpETBlNq7dSeJNUN/4Xh+eHglUnEn/m2kFG5mizmP >> d0YvLEVe0/+WzDUz+y3KxDVP5tdJT1VM46FHIgeiB4KrWNGRPUo= >> =uuel >> -END PGP SIGNATURE- >> >
Re: Jenkins amplification
It really depends on how much control the employer really needs. In a tightly-knit two-site company where the tech guy probably is the reason the boss hired the grunt half way across the province, friends don't generally let friends down like that, and you really don't have to have that sort of vise-tight control. On Mon, 3 Feb 2020 10:55:35 -0800 (PST) Sabri Berisha wrote: > - On Feb 3, 2020, at 10:35 AM, Christopher Morrow morrowc.li...@gmail.com > wrote: > > > On Mon, Feb 3, 2020 at 1:26 PM William Herrin wrote: > > >> VPN. > > > > I love it when my home network gets full access to the corporate network! > > Most places I've worked at issue company controlled laptops with company > controlled VPN software which will disable all local access and even > disconnect if you dare to manually change the routing table to access the > printer in your home office. > > In fact, a too tightly controlled VPN contributed to a 7 figure loss during > an outage at a company which name shall not be mentioned. > > Your home network should have no access to the corp network. Your company > issued laptop should. > > Thanks, > > Sabri -- Large Hadron Collider