Thanks everyone,
I feel a lot more confident on this project after
this discussion. I will be working with a comm
engineer who'll be doing the various radio links.
I just need to be sure he can make the best
decision as we're moving from ATM to MPLS and he
doesn't understand the
Aviat Networks has recently released a microwave router with MPLS features,
it's basically a router inside the microwave indoor unit.
What we've found what hurts with anything over microwave is when you're running
n+n links over long haul and the RF modulation steps down on one of those links
Securing hosts/applications/services themselves is the way to protect them
from compromise.
Can't go wrong with defense in depth. I'd definitely throw securing routers in
there, throw in firewalls, periodic internal scanning for idiot mistakes,
audits, etc.
I still think IPS/IDSes can be
On 5 Feb 2015, at 20:13, Michael O Holstein wrote:
Personally I'm of the belief that *all* IPS systems are equally
worthless, unless the goal is to just check a box on a form.
Concur 100%.
Securing hosts/applications/services themselves is the way to protect
them from compromise.
On 5 Feb 2015, at 01:56, Michael Hallgren wrote:
On 04/02/2015 17:19, Roland Dobbins wrote:
Real life limitations?
https://app.box.com/s/a3oqqlgwe15j8svojvzl
Right ;-) Among many other nice ones, I like:
`` IPS devices require artificially-engineered topological symmetry-
can have a
`` ‘IPS’ devices require artificially-engineered topological symmetry-
can have a negative impact on resiliency via path diversity.''
Dang, I thought this quote was from an April 1st RFC when I first read it.
I hate to be the bearer of bad news, but everything we do is artificial.
There are
On 05/02/2015 13:57, Terry Baranski wrote:
On 5 Feb 2015, at 01:56, Michael Hallgren wrote:
On 04/02/2015 17:19, Roland Dobbins wrote:
Real life limitations?
https://app.box.com/s/a3oqqlgwe15j8svojvzl
Right ;-) Among many other nice ones, I like:
`` ‘IPS’ devices require
Hi,
We have used dynamic routing on firewall in the old days. We did experience
several severe outages due to this setup (OSPF and Cisco). As you will
understand I'm not eager to go back to this solution but I am curious about
your point of views.
Is it advisable to do so these days?
Kind
On 5 Feb 2015, at 08:13, Michael Hallgren wrote:
Sure they will give you pretty graphs of script-kiddie attempts but
that's just the noise in which the skilled attack will get lost.
Sorry but this is not even in the neighborhood of what a
properly-implemented IPS does.
I can certainly see
On 05/02/2015 14:15, jim deleskie wrote:
mh,
Hi there Jim :-)
you know that forcing traffic to be symmetrical is evil,
Voilà !
and while backbone traffic and inspection don't play nice, there are
very legit reasons why, in many cases edge traffic must be open for
inspection.
Yes,
On 05/02/2015 14:28, Terry Baranski wrote:
On 5 Feb 2015, at 08:13, Michael Hallgren wrote:
Sure they will give you pretty graphs of script-kiddie attempts but
that's just the noise in which the skilled attack will get lost.
No, Terry, I didn't write that! :-)
Cheers,
mh
Sorry but this
mh,
you know that forcing traffic to be symmetrical is evil, and while
backbone traffic and inspection don't play nice, there are very legit
reasons why, in many cases edge traffic must be open for inspection. I'm
on my way to the office, feel free to ping me if you want to discuss. Or
maybe I
Like most tools, IPSes are only as good as the people using them.
+10 you can't just plug the magic box inline and expect to relax
IPSes can't replace a well administered modern firewall, with default deny,
well defined protocols with sanity checking, etc. But imho they can help--e.g.
with
On 5 Feb 2015, at 19:57, Terry Baranski wrote:
I hate to be the bearer of bad news, but everything we do is
artificial. There are no routers in nature, no IP packets, no fiber
optics. There is no such thing as natural engineering -- engineering
is artificial by definition.
This isn't even
It all depends how much of the firewall functionality is implemented in CPU.
The biggest problem is that firewalls that implement functionality in
software usually saturate CPU when stressed (e.g. DOS) and routing
protocols start dropping.
I'm a strong believer in having a router that can do
On 2/5/2015 9:42 AM, Eugeniu Patrascu wrote:
On Juniper things tend to work OK. Other than this, make sure you don't
run into asymmetric routing as connections might get dropped because
the firewall does not know about them or packets arrive out of order
and the firewall cannot reassemble all of
Yeah, Cogent is great, except for that time they dropped a /15 for no reason and
took 24 hours to get it back up. Aside from that it's been a great experience.
Regards,
Nick Rose | CTO
Enzu Inc.
nick.r...@enzu.com
www.enzu.com
-Original Message-
From: NANOG
On 6 Feb 2015, at 3:01, Roland Dobbins wrote:
Which highlights the importance of broadness of experience, of
knowledge and understanding of the experiences of others, and
understanding of the implications of scale.
It highlights the importance of knowing what you're doing in the real world,
On 6 Feb 2015, at 4:24, Terry Baranski wrote:
It highlights the importance of knowing what you're doing in the real
world, on networks that exist and which you actually understand
intimately,
end-to-end.
Absolutely. At least one of the parties in this discussion has such
knowledge of and
Working on it. ;-)
Being an eyeball network, most of my traffic just goes to NetFlix, Akamai,
LimeLight, FaceBook, Google, etc. anyway. Peer what you can peer, Cogent for
customer routes, then grab a couple nicer carriers and call it a day.
-
Mike Hammett
Intelligent Computing
Some Juniper models actually do a very good job of being both.
In reality, a Firewall _IS_ a router, even if it's a bad one. Anything that
moves packets from one interface to another is a router. Of course, the support
for routing protocols is a useful feature in a router and one of the areas
On 6 Feb 2015, at 11:46, Valdis Kletnieks wrote:
Count up the number of *actual* attacks they have stopped
that wouldn't have been stopped otherwise
Many.
and contrast it
to the number of times they've been used as the *basis* for
an attack (DDoS via state exhaustion, for starters)
Zero,
Hi Eugeniu,
On 05 Feb 2015, at 15:42, Eugeniu Patrascu eu...@imacandi.net wrote:
Any specific firewall in mind? As this depends from vendor to vendor.
We are using Cisco (ASA).
I've had some issues with OSPF and CheckPoint firewalls when the firewalls
would be
Hi Ray
On 05 Feb 2015, at 15:51, Ray Soucy r...@maine.edu wrote:
You're much better off
splitting up the workload and having a series of components
architected to work with each other.
Especially in the case of datacenter or enterprise solutions I do agree.
Thanks
On 05/02/2015 13:15, jim deleskie wrote:
you know that forcing traffic to be symmetrical is evil
it's not evil; it's stupid because enforcing symmetry creates a potentially
unnatural stress in a network which will revert to asymmetry, given half a
chance.
Nick
On Thu, Feb 5, 2015 at 8:34 AM, Roland Dobbins rdobb...@arbor.net wrote:
I've never heard a plausible anecdote, much less seen meaningful
statistics,
of these devices actually 'preventing' anything.
People tend to hear what they want to hear. Surely your claim can't be that
an IPS has never,
On Thu, Feb 5, 2015 at 4:10 PM, David Jansen da...@nines.nl wrote:
Hi,
We have used dynamic routing on firewall in the old days. We did
experience several severe outages due to this setup (OSPF and Cisco). As you
will understand I'm not eager to go back to this solution but I am curious
I work for a fixed wireless provider, and our MPLS-capable backhauls are
all running MPLS with 9200 MTU with no problem. The only weirdness I
encounter is if I have multiple equal-cost routes to the same location, one
over MPLS and one not, end up having ping/unreachable issues from my
monitoring
We are. What would you like to know?
On Thu, Feb 5, 2015 at 3:55 PM, Scott Weeks sur...@mauigateway.com wrote:
Anyone doing MPLS over microwave radios? Please
share your experiences on list or off.
scott
--
Adair Winter
VP, Network Operations / Owner
Amarillo Wireless | 806.316.5071
Shouldn't really be any different as long as your gear supports the appropriate
MTUs.
-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
- Original Message -
From: Scott Weeks sur...@mauigateway.com
To: nanog@nanog.org
Sent: Thursday, February 5, 2015
On Thu, Feb 5, 2015 at 3:55 PM, Scott Weeks sur...@mauigateway.com wrote:
Anyone doing MPLS over microwave radios? Please
share your experiences on list or off.
--- ada...@amarillowireless.net wrote:
From: Adair Winter ada...@amarillowireless.net
We are. What would you like to know?
Not doing anymore, but I have in a previous life. It works. What's more
important is how you engineered your radios and what you're using...
Best regards,
Christian
-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Scott Weeks
Sent: Thursday, February 5, 2015
Anyone doing MPLS over microwave radios? Please
share your experiences on list or off.
scott
I have been running MPLS over TDM and Ethernet microwave for about 8 years and
the only issues are with microwave fade.
Nathan Sipes
Principal Network Architect
Tel: 713-369-9866
FAX: 303-763-3510
Kinder Morgan
1001 Louisiana St
KMB 548
Houston, TX
77002
nathan_si...@kindermorgan.com
+100% agree.
...Skeeve
*Skeeve Stevens - Founder Chief Network Architect*
eintellego Networks Pty Ltd
Email: ske...@eintellegonetworks.com ; Web: eintellegonetworks.com
Phone: 1300 239 038 ; Cell +61 (0)414 753 383 ; Skype: skeeve
Facebook: eintellegonetworks
Done it, and it works well. Used Motorola radios, and the key is the radio and
building that part of the infrastructure right. The MPLS is just another IP
packet to the wireless. Always used Ethernet handoffs on the radios to keep
things simple.
Make sure you have good line of sight, have
--- davidbass...@gmail.com wrote:
Always used Ethernet handoffs on the radios to keep
things simple.
-
Had to run off to a meeting. Back now. This is
one thing I was worried about. I'm not doing the
radio part. Someone else is. I didn't know if
folks do
A router behind the firewall is nice too.
It insulates the firewall from direct end-user traffic.
It also makes for a cleaner cutover from one firewall to another. (Instead
of the edge getting stuck ARPs their perspective of the network remains
unchanged.)
It also allows for stateless ACLs on both
On 05/02/2015, at 12:31, Terry Baranski
terry.baranski.l...@gmail.com wrote:
On Thu, Feb 5, 2015 at 8:34 AM, Roland Dobbins rdobb...@arbor.net wrote:
I've never heard a plausible anecdote, much less seen meaningful
statistics,
of these devices actually 'preventing' anything.
People tend
But there's no overstating the usefulness of a properly-tuned IPS for
attack prevention
I've never heard a plausible anecdote, much less seen meaningful
statistics,
of these devices actually 'preventing' anything.
I think it depends upon where you put them, and whether or not you have
My organization is currently shopping for some additional Transit Capacity to
augment our existing interconnects. We've got around 8 distinct AS's that
we're receiving transit routes from, followed by a handful of Public IX's and
Private PNI's to AS's that warrant them. That said, the
On Thu, 05 Feb 2015 07:51:56 +0100, Michael Hallgren said:
I know. However, I fail to see symmetric traffic flow as ``natural'',
apart from maybe at the extreme edge of a network. So, need another
inspection strategy I think.
Firewalls aren't much help except at that extreme edge, anyhow.
On Thu, 05 Feb 2015 09:31:49 -0500, Terry Baranski said:
People tend to hear what they want to hear. Surely your claim can't be that
an IPS has never, in the history of Earth, prevented an attack or exploit.
So it's unclear to me what you're actually trying to say here.
Count up the number of
On Feb 5, 2015, at 2:49 PM, Ralph J.Mayer rma...@nerd-residenz.de wrote:
a router is a router and a firewall is a firewall.
Especially a Cisco ASA is no router, period.
Man-o-man did I find that out when we had to renumber our network after we
got bought by the French.
Oh, I'll just pop on a
We run Dragonwave systems and have no issues at all. MPLS in itself doesn't
make a difference since the gear is a straight Ethernet link. Just make sure
your gear handles your frame sizes and tagging and you should be good.
As long as your radio link is engineered right you should have high
On Thu, February 5, 2015 20:02, Joe Hamelin wrote:
On Feb 5, 2015, at 2:49 PM, Ralph J.Mayer rma...@nerd-residenz.de
wrote:
a router is a router and a firewall is a firewall. Especially a Cisco ASA
is no router, period.
Man-o-man did I find that out when we had to renumber our network after
On 6 Feb 2015, at 0:38, Raymond Burkholder wrote:
There must some sort of value in that?
No - patch the servers.
---
Roland Dobbins rdobb...@arbor.net
Hi,
We are running Juniper SRX5000 family with around 40ish routing-instances,
most of them using OSPFv2 without any issues. The RIBs are not too big,
just a couple of them with thousands of routes. I know that some guys are
testing a similar environment on Fortigates and I'm not aware of any issues
On 6 Feb 2015, at 1:26, Matthew Huff wrote:
Like it's been said before, I strongly support my competitors
following your advice.
Sorry - I've done the jobs, all of them. They can be done properly, and
are done properly by clueful operators.
Oh, and what are operators who deploy these
Hi David,
a router is a router and a firewall is a firewall.
Especially a Cisco ASA is no router, period.
A router in front of the firewall is my choice, it also keeps broadcasts from
the firewall + can do uRPF.
rm
By that logic, and giving you the benefit of the doubt that you follow your own
advice, you have 15-20 upstreams?
I've never tried that on a standard network with BGP as the only tool. See any
interesting operational stuff with that many upstreams?
Also, while many people knock Cogent, I would
What if you are a hosting company and those aren't your servers to patch?
What about the time to patch 200+ servers versus configuring one location?
What if you have to schedule the staff and maintenance window to patch the
servers?
What if you have legacy equipment that you must continue using,
NTT is awesome. Extremely responsive, sales guys aren't pushy, NOC is
great, and lots of NTT guys are here on NANOG.
Cogent is not. Their sales guys love to scrape whois records too, and
won't leave you the hell alone.
I've used both extensively, and now typically just avoid Cogent.
-chris
Am
As a current Cogent customer, my experience on the service side of
things is similar.
Very responsive (I called on a Sunday and had someone with good enough
clue + router access pick up instantly.)
NOC is competent, and my sales guys (I've had two so far) are not pushy
at all. I don't have
On 6 Feb 2015, at 0:55, Matthew Huff wrote:
What if you are a hosting company and those aren't your servers to
patch?
Then it isn't the operator's problem.
What about the time to patch 200+ servers versus configuring one
location?
Operators should have sufficient automation to do this
You make so many assumptions, it completely negates any reasonable point you
are trying to make:
There are other ways (reverse proxies, on-box systems like ModSecurity,
et. al.); or take them offline.
What if the box isn't Linux? What if it isn't a web server? What if proxies
don't work
A lot of people knock Cogent, but the best way to get to Cogent's customers is
probably through Cogent. Given that they do have a very large network, they're
worth picking up even if you only use them for customer routes.
-
Mike Hammett
Intelligent Computing Solutions
On 6 Feb 2015, at 1:40pm, Roland Dobbins wrote:
*Real* security mostly consists of *doing things*. It requires skilled,
experienced
people who have both broad and deep expertise across the entire OSI
model, are
well-versed in architecture and the operational arts, and who understand
all the
Don't be surprised if Cogent contacts you for even posting this.
They did it to me when I asked for hibernia.
On 5 Feb 2015 19:16, Mike Hammett na...@ics-il.net wrote:
Working on it. ;-)
Being an eyeball network, most of my traffic just goes to NetFlix, Akamai,
LimeLight, FaceBook, Google,
On 6 Feb 2015, at 2:29, Terry Baranski wrote:
And if there's one person qualified to comment on what real security
is, it's a person who has never heard a plausible anecdote of [IPS]
devices actually 'preventing' anything. :-)
That's right - especially if such a person spent a
On 6 Feb 2015, at 2:26, Terry Baranski wrote:
Zero, on my networks.
Which highlights the importance of broadness of experience, of knowledge
and understanding of the experiences of others, and understanding of the
implications of scale.
If you can't deploy IPS's in such a way that they
We've been on Cogent for 3 years now.
I have to say the experience has been nice. Good sales, great NOC. We even
had a dirty fiber issue with their uplink (due to the MMA owner) and Cogent
stayed on the phone with me for hours and got it handled before we hung up
the phone. So great NOC too.
On
They are persistent, but by no means the most persistent vendor I work with.
-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
- Original Message -
From: Alistair Mackenzie magics...@gmail.com
Cc: NANOG nanog@nanog.org
Sent: Thursday, February 5, 2015
I have a client looking to implement x86 based route reflectors, and was
looking at the ax1000. I'm wondering if anyone has implemented it yet, and
what your experience has been?
Any other alternatives would also be appreciated. This customer does standard
L3 VPNs, and VPLS services so the