Show 82 – Security Failures, No IPv6, No Network Management – Another Good Year

Guests

This week a bunch of new faces to talk about 2011 and it’s many failing:

  • Scott Morris – well known industry figure and CCIE trainer.
  • Chris Marget – Fragmentation Needed who works for a large reseller. And some regulars return:

Tony Bourke @tbourke [Data Center Overlords](http://datacenteroverlords.com/

Hosts and Regulars

And the blow hards Mrs. Y – the Network Security Princess, Ethan “I’m looking forward to next year” Banks and Greg “IT Security got shown up as a bunch of retards in 2011″ Ferro are all making noises as usual.

Topics

From Greg’s blog – is OpenFlow/SDN routing or switching?

From Chris’ blog – Pricing and Trading Networks: Down is Up, Left is Right

Is 2012 the year enterprises get serious about IPv6? (Don’t fear the colon.)

Professional certifications that matter in 2012.

2011 was the year everything we trusted in security broke (RSA, various CAs, health information breaches, financial information breaches, SSL cipher cracks). So what decisions should enterprises be making in 2012 to stay out of the headlines?

Show Notes

Show 72 – How We are Killing the Internet – where we talk about the Happy Eyeballs IPv6/IPv4 interoperability feature.

LinkedIn Group – Packet Pushers

Show Sponsors

This week’s show is sponsored Get Console, makers of the best iPad terminal app for network engineers. If you need a rock solid feature rich terminal app to run on your iPad, including serial console support, check out www.getconsole.co.uk.

And also by, Infineta Systems, a leading innovator and provider of Hyper-scale WAN Optimization solutions. Infineta’s WAN Optimization product, the Data Mobility Switch, allows enterprises to expand and fill large WAN links. Infineta helps you move more data, more quickly, using less bandwidth. Get more information at www.infineta.com.

Greg Ferro
Greg Ferro is a Network Engineer/Architect, mostly focussed on Data Centre, Security Infrastructure, and recently Virtualization. He has over 20 years in IT, in wide range of employers working as a freelance consultant including Finance, Service Providers and Online Companies. He is CCIE#6920 and has a few ideas about the world, but not enough to really count. He is a host on the Packet Pushers Podcast, blogger at EtherealMind.com and on Twitter @etherealmind and Google Plus.
Greg Ferro
Greg Ferro
  • Boyan

    Hi Greg,

    Are your both sponsors links are broken, or it is my broswser ?

    Regards

    Boyan

  • Markku Leiniö

    Ok, who played Angry Birds during the show recording?

  • Luis Teixeira

    Im sorry about the stupidity, but when you guys say “no default routes”, what do you mean? Dump the entire internet table even in stub areas?

    • http://twitter.com/chrismarget chris marget

      Hey Luis

      When I said “no default route” I meant: “Don’t let end systems know how to reach the Internet”

      In most “enterprise” networks there’s no reason for end user systems to reach the Internet. Surfing is handled by a proxy. Email is handled by the Exchange server. Telephony is handled by a SIP gateway of some sort, etc…

      What reason do desktops have for reaching the Internet?

      Desktops *will* be compromised (spearphishing, USB in the parking lot, drive-by downloads while at Starbucks, etc…), but the real damage is done when those compromised systems reach back out to the Internet for command/control or data exfiltration.

      Kill the default route, and you mitigate many of the security problems on the desktop systems because the attackers won’t learn that they’ve succeeded in pwning something.

      • Luis Teixeira

        Wow, thanks a lot for the reply Mr Marget!!!

        It’s all clear now. I’m just getting into security, and I thought proxy servers were only good for web filtering. Thanks once again!

      • http://twitter.com/paulgear1 Paul Gear

         I
        started dwelling upon this concept after hearing you guys talk about it
        on the podcast, and i’m curious as to how you would make it work.  For
        example, my home network is set up to mirror most of my clients’
        networks and i have about 6 VLANs.  My family’s desktops & laptops
        are on one VLAN, and the proxy server is on another.  How

         

        • http://twitter.com/chrismarget chris marget

          You still put a default route on the clients (workstations, etc…).  Let’s say that they all use “.1″ on their subnet as the default gateway.

          …But the interior routers don’t have a default route. Instead, they’re only populated with the prefixes you use in your IGP. They *don’t* know how to get to the Internet.

          This proposition doesn’t scale down to a home use where there’s only one routing device – obviously that device has to have a default route pointing at the ISP.

          But it works fine in an enterprise. In that case, all routers know how to get to all of your networks, including the DMZ network where the proxy lives.

          …But only the edge router/firewall (where the DMZ is attached) knows how to get to the internet.

          No funny DHCP business is required.

          • http://twitter.com/paulgear1 Paul Gear

            Good points, thanks Chris.

            I still have some reservations about how well this can work in practice.  All it needs is for the CxO to decide that he/she needs to use Skype to talk to a colleague overseas (substitute something equally silly if this would not apply to your network), and we have our best practice for routing and security overridden by a simple “make it work because the boss wants it”.  A network or security engineer would have to have much better visibility into the top levels of the organisation than any client/employer i’ve worked for that strategy to fly.

            I might dwell  upon this a little more and maybe blog about it a little once i’ve thought myself clear, but i welcome your thoughts in the meantime…

  • Nuno Delgado

    Great show and nice input by Chris Marget! Hope to see him on the show again in the future.

  • Fernando Montenegro

    Just listened last night. Great show! A couple of comments:
    – ‘No default route’ is a great suggestion, but shouldn’t it be clarified that we don’t mean ‘no default route’ on a PC/server, but that the core has no default route out? Proxies/gateways/… still need them, of course. Furthermore, the firewall rules should be cleaned up to block the ‘default trust->untrust is ok’ policy: from Cisco’s security levels to Juniper’s default branch SRX policies (and others, I’m sure) the ‘ease of use’ is enabling all that nonsense.
    – Is it appropriate to mention that at least on the firewall space Greg’s contempt of all things CLI is very well addressed by… Check Point? :-) 

  • http://twitter.com/miroslaf Miroslaw Burnejko

    Great show guys.
    One thing. Czechoslovakia does not exist :)

    • http://etherealmind.com Etherealmind

      Yeah. Hard to think of all these things when talking quickly. :)

  • Jsdf

    It’s unfortunate to locate a podcast with intellectual conversation, only to find it’s ruined by unprofessional, childish, and demeaning references to “retards” and “retarded children”.   I guess if you’re willing to eliminate listeners like me it’s your choice.

  • http://packetpushers.net/author/ecbanks Ethan Banks

    Critical comments are fine, but you have to leave a valid e-mail address (like a grown-up) or they’re getting deleted.

  • Bryan S

    Great Ethan, thanks for the opportunity to provide an opposing view to the Hosts and Regulars section above promoting Greg “IT Security got shown up as a bunch of retards in 2011″ Ferro.

    I am a new listener and find this podcast very helpful with stimulating conversation.  I do find references to “retarded children” and “retards” distracting.  The hosts are very talented and successful individuals and the show will undoubedly grow in popularity without the need to resort to demeaning references. 

    • http://packetpushers.net/author/ecbanks Ethan Banks

      Bryan, a fair comment, duly noted. We have no problem with opposing views whatsoever. Many things we’ve been criticized for we take into consideration to make the show better as we go along.

      The tone we take is not one where we are completely serious all the time. We balance the nerdy tech with a bit of strong opinion and/or light-heartedness. Greg can certainly be cheeky, but quite honestly that’s part of what makes him the personality that he is. On a show like this specific podcast you’re commenting on, where it was definitely more back and forth banter than a focused discussion, Greg’s cheek is more likely to come out. He has said some outrageous things, it’s fair to say.

      That said, for shows where we’re focused on a specific topic, then you’ll find that (generally speaking), flippant remarks are harder to come by. We say on target, wander less, and try to deliver a cohesive technical show.

  • -J

    That was hilarious. I’m pursuing a network engineering career, I’m really just getting started. I just passed the ccnp route & switch over the last few months, and I’m currently studying for the ccnp tshoot. I did a lab today, where they put a default route and then redistributed it into eigrp. I thought that was brilliant. My solution was, – put default next hop routes on the upstream. ha.

    The default route thing might even be a cisco training thing. On the tshoot Demo, the test network has the same thing, – A default route redistributed into eigrp. if you have a chance check out the exam demo. no joke.

    just a thought, maybe it’s the way the academy is training us new comers. I would of never known otherwise if it wasn’t for this show. Thanks.