When things look bleak and you don't know what to do, you go back to the beginning.
I've been feeling a strong longing to play more guitar. I think about it while I'm at work. I think about it when I wake up. I have dreams that I'm performing again. Then, when I have opportunity, I pick up my Strat and...blah...
I started thinking that the problem is that, in my mind's ear I hear myself playing like I did when I played hours every day. I'd go to all-night jam sessions and when I left I'd feel great. Now, I play for 15 minutes and my hands hurt and are tired. I can't seem to get the sounds out of my head into my hands. I drop the guitar in frustration and the cycle starts again.
So, I go back to the beginning. In 1988 I graduated from what was then "The Professional Guitar School (A Division of The Guitar Center)." It was not the retail giant, but a small music school in Minneapolis that eventually became "Music Tech" and now I see that the originators are McNally Smith College of Music. Awesome. Anyway, in 1988 there were about 20 of us in the second graduating class. We spent a year playing major scales, learning music theory, how to read music, the difference between harmonic minor and jazz harmonic minor scales. I played every day, and played a lot.
So, as I was thinking about that time in life, it just so happened that I stumbled across the green photo-copied text "Fingerboard/Theory and Improvisation" written by Jeff Wressell. I opened it up and started running my major scales through the circle of 4ths using a metronome. Wow. I used to be able to do these at a pretty high tempo, and my fingers don't quite do what I'm asking them to do as cleanly as they used to. But like I did in the beginning, I practice them daily now. I write down the tempo I start at and the tempo I end at to measure my progress. I'm improving again...
It's not exactly a weekend performing at Carnegie Hall, but it's greatly therapeutic and I'm having fun. Thanks Jeff Wressell - your influence spans 20 years and your legacy lives on.
Wednesday, December 23, 2009
Saturday, December 19, 2009
2 Weeks of Working Out
After 2 weeks, I've missed about 2 workouts. Contrary to what everyone tells me, it is not becoming more fun, nor is it becoming more enjoyable. Still, I press on in hope that at some point I will stop feeling crappy and start enjoying this.
One difficult thing is that I have sustained a shoulder injury while doing some construction work. There is a pain deep inside my shoulder, and it doesn't hurt all the time. I laid off a little bit this week, and it was feeling pretty good so I worked it out again on Friday. Bad idea, as the pain returned.
Next week I'm going to continue to work out, but I'll be eliminating any exercises that would put strain on my right shoulder. I'll probably ride my stationary bike (yep, I have one of those collecting dust, too) and give this a few weeks before I hit it again. I would like to avoid any surgeries if possible.
Friday, December 4, 2009
Workout report - week 1
Well, I made it through my first week. I'm glad to have been able to stick with it for a week, which is longer than I normally continue working out. I started using a pretty simple plan that I found on this site.
The essence of the plan is that, if you stick to what you're doing and cut out the extra nonsense that often goes along with working out in a gym, you can get a decent full-body workout in 20 minutes. I'm starting out on the plan for beginners, so it's not that difficult to maintain. I'm doing 8 exercises, 1 set of 12 reps each. Each exercise focuses on a large muscle group, and the point of the beginning workout is to concentrate on form and build some conditioning into your schedule.
I'm also not going to a gym, but rather using an Impex Competitor home gym that I picked up in brand-new condition at a garage sale for $80. I'd say that one could find these just about anywhere for about the same amount of money. After all, it's sat in my basement for two years collecting boxes and clothes and I'm just now getting around to using it - so you know that's the most common fate for home gyms and other workout equipment. I like the home gym in that it's easy to use and I don't have to leave my house to work out. Once I add 15 minutes of drive time on either end of my workout, it's no longer a 20-minute workout but rather an hour.
I'm not sure I feel any different today than I did last week, other than satisfied that I've held the schedule and done what I decided to do. Now to continue to next week!
Thursday, December 3, 2009
Christmas wishes
Greetings!
I want to begin this letter with the warmest and most heart-felt expression of thanks. Last year, through your generous gifts we were able to outfit 40 children with new clothing. The girls received Christmas dresses, while the boys were given shirts and pants. The cost of these clothing sets was $17.50 USD each, and as you look at the photos of those kids, you will see that returned in joy a thousand times over.
Many of these children would likely never receive new clothes, and your provision gave them the ability to enjoy Christmas along with other, more fortunate children who have parents to provide these necessities of life for them.
This past year has been very hard for everyone in Kenya. There is a widespread drought that continues to this day, and many Africans are suffering from starvation because they are unable to raise enough food on their subsistence farms. Often, orphans are being cared for by relatives or other guardians who will treat these children very harshly. Many of the orphans will be worked to the point of exhaustion and because there is not enough food to go around, will be fed last if at all. Many of these children walk miles in their bare feet to attend the Love of Christ school where they are loved, fed and cared for beyond anything they would experience in their homes.
I'm writing you again this year to ask you to please consider these children. Fredrick Mulei is our dear friend who runs the school and orphanage, and he has taken in another 11 children with no hope for a future before Fredrick's care and education. He is now caring for 51 children, most of whom are mistreated and abused by their guardians to the point that Fredrick is looking to raise money enough to build a boarding school to house them permanently. If you are interested in helping with this or sponsoring a child, please contact Sandra or me and we would be happy to tell you about how we go about providing for a couple of these little ones.
I'd like to ask each of you to search your hearts and consider sharing a small portion of our "want" to aid in providing what these little ones truly "need." Like last year, I know that our economy has taken a down turn and we all have had to make concessions and give things up as our own budgets are stretched. We would not ask you to take from what you need to provide for another, but perhaps several of us have $17.50 to provide clothing for these children again this year. $17.50 USD will provide a new shirt and pants for a little boy or a new dress (and maybe even a hat) for a little girl. You can see for yourselves the joy it brought these kids last year in their smiles. The other need that Fredrick has shared with us for the children is that most of them have no shoes. A quality pair of leather shoes costs $18.00 USD, and we would intend to provide them for as many as we're able should we raise more than what's needed for the Christmas clothes.
Warmest regards in Christ Jesus,
--Greg & Sandra
Wednesday, December 2, 2009
Day 2 working out
I have now successfully gotten my tired, achy backside out of bed early to workout twice this week. While overwhelmed with a deep sense of satisfaction that I've actually kept to my word for a change and am doing as I said I would be doing, I must admit that this is not fun yet. I am tired and working out always seems a little boring to me. But for the better good I plan to continue and see how this goes.
One thing I'm a little nervous about is that I have a bit of a shoulder injury that may require attention. There's a deep pain inside my right shoulder that has been nagging me for about a month now. I'm not pushing through major pain, and if it hurts I'm backing off. I'm afraid I may have a cartilage problem in there, and shoulder surgery does not sound like fun - perhaps even less fun than working out!
I'll keep moving forward.
Sunday, November 29, 2009
All set
Well my workout room/office is not 100% straightened out, but it is good enough to begin working out. I'll be starting tomorrow.
Wednesday, November 25, 2009
That's all I can stands, I can't stands no more
I'm 40 years old.
I have 5 children, ranging in age from 23 to 2.
I have 2 grandchildren and one on the way.
My body hurts constantly. It takes me 30 minutes and two cups of coffee before I can even move in the morning without feeling achy.
I need to get in shape. I can't put this off any longer, my desperate hour has arrived. Over the long weekend I'll be cleaning out my exercise room, removing the clothes hangers that have grown over my home gym and stationary bike, and starting the process of getting my body back to good health. I'm fortunate in that I don't have extra weight to get rid of, but being thin and being in good health are two totally different things. I want first to *feel good* and lastly to look a little better. The difficulty is that there are no easy metrics to measure progress. How I feel is somewhat subjective, so I'll keep a running tally here with reports. The things I would like to see are:
1) Decrease aches and pains
2) Increase stamina
3) Physical strength (which will be easy to measure with weight-training)
4) Flexibility
I'll be combining weight training, bicycling (either stationary or fixed-gear), and yoga. I have no plan currently, but will come up with one by this weekend's end.
I wonder if eating me spinichk will make me strong to the finishk...
Wednesday, November 18, 2009
Windows Server 2008 Telnet Client
Windows Server 2008 does not install a telnet client by default. Apparently, Microsoft has considered this a "feature" and to enable it you must install the client by:
1. Open Server Manager
2. Click on Features > Add new features
3. Scroll down to Telnet Client, check the box
4. Install and voila!
A lot of work to telnet to a switch...
Monday, November 16, 2009
Wednesday, November 4, 2009
GSEC Practice Exam 1
I completed the first of two practice exams tonight. They are a little daunting if for no other reason than SANS allows 300 minutes (that's 5 hours!) to complete 180 questions. That alone makes you think they are going to be exceptionally rough.
I completed it in about 90 minutes, and passed with an 88.89%.
It was a good exercise. It is a web-based exam, and I used a tool called Screengrab! for Firefox. That allowed me to take images of the entire browser window simply by right-clicking on the web page and saving it to a jpg. For all questions I was not 100% sure of, I would enter my guessed answer, take a screen image, and then if I got the answer wrong I would take another image of the explanation. In a few instances I answered without fully reading the question - a continual battle for me.
Without actually reviewing my captured list of errors and uncertainties, I think I can say that I'm feeling a bit weak in cryptography and some Windows memorization facts. For instance, how many of you seasoned Windows sysadmins would know that S-1-5-32-544 is the well-known SID of the Local Administrators group? I'm not completely sure how knowing that makes me a better security administrator, but what the heck. Sometimes knowing those little tidbits makes all the difference. I just hope I don't push out some information that is actually useful by memorizing well-known SIDs.
I'll continue on my review tomorrow. At least I'm feeling more confident that I truly understand this material and will be well prepared for the exam.
Now, to bed...
Tuesday, November 3, 2009
GSEC update
Time is still of the essence. I scheduled the test for November 16th, and thought I might bump that up. At this point, I'm thinking my review will go at least that long. I'm in the process of creating "cram sheets" for each book as a review of all the material. The first couple took a long time because I think I put too much info into each. Starting with section 3 I'm focussing more on points to jog my memory and leaving the details for the book. The exam is actually open book, open note, so I intend to use my cram sheets as indexes more than anything else.
I also have yet to take the practice exam, but will do so tonight. The problem is that they mimic the actual exam in that they are 180 questions and are allocated 300 minutes (5 hours) to complete, with one 15-minute break allowed. By the time my family is down to sleep for the night and I can focus on taking a test it is usually 9:00 at night, and I'd hate to waste the attempt by being unable to finish. Regardless, I'll try one tonight by buzzing through it, making note of areas of weakness and focussing my study on those areas moving forward.
Side note:
I am really looking forward to being done with this. I really love information security. I'm really tired of trying to pass tests. It will be nice to take a few minutes during the day to listen to music, call my brothers and sisters, maybe even get to know the woman I live with...I think that at one point I recognised her as my wife but it's been so long since we've actually spoken that it will be like dating a new person! (I'm only half-kidding. Sandra, if you read this I really love you and thank you for putting up with me)
I'll report on the sample exam after taking it.
Thursday, October 29, 2009
GSEC exercises: tcpdump
Tonight I'm doing some lab work for the GSEC recertification. I started this morning by compiling a cram sheet for module 401.1, mostly consisting of info on TCP/IP header decoding and things to make my life easier.
I started out to build a little diagram of a TCP/IP packet in hex with each header a different color so that my ADD brain could decipher quickly and easily what fields are what protocols. Then at this site I found what I was looking for:
4510 0068 7e87 4000 4006 3862 c0a8 011e
c0a8 0128 0016 0479 b6c8 a8de 621e 87db
5018 4470 1813 0000 e492 152f 23c3 8a2b
4ee7 dbf8 0d48 88e8 0110 2b01 4295 39f4
52c9 a05b 31d7 e3ae 1c62 2dbd d955 d604
b5d2 63d1 8fbc 4ab7 1615 b382 571c 70e0
a368 a03f 425b 6211
I changed the colors to work with a white background, but here in red you see the IP header (20 bytes), and in cyan you see the TCP header (another 20 bytes).
Each group of 4 hex digits is 2 bytes. Then just remember that they start counting at zero for the "offset," or rather how far from the first bit/byte each field is found.
The first option we take is the "-i" which instructs tcpdump which interface to listen on. This is useful if you have multiple NICs or perhaps if you are using VMWare to run your lab. I did notice that traffic coming out of the VM will be captured by the host on lo, but not on eth0. Packets from host to VM can be captured on eth0, however. I'm assuming that is because the network card is actually bridged through the physical interface, so traffic coming from the VM never touches the wire. That's good to know, actually, as I prepare to take this into the real world.
Next I use "-x" which dumps the packet in hex. Hex is a bugger for me, personally, to work with, but it really gives you a good feel for what fields are where in the frame. I find that, as I do this more I pick up a field here and there, starting with the first hex digit (the high nibble of byte 0) of an IP header, which is the IP version. A "4" indicates that this is IPv4 (so, if it were IPv6 it would obviously be a 6) and the second hex digit (the low nibble, at bit offset 4) is a 5, indicating the length of the IP header in 32-bit words (4 bytes == one 32-bit "word", 5*4=20 bytes).
Other important options are "-X" which gives you the ASCII output as well and "-s" which allows you to determine how much of the packet you want to capture (-s is for "snaplen," or snapshot length). Using -s0 means "capture the whole packet." Remember that one when you are ready to mount your attack on the local FTP server...
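As an added example (my code, not something from the original post), here is a small Python decoder that walks the hex dump above offset by offset and pulls out the IPv4 and TCP header fields the way the "-x" output is meant to be read. The packet bytes are the ones from the post; the function names and the field dictionary are my own. It also reports when the captured bytes are shorter than the IP total length, which is what a snaplen smaller than the packet looks like in a dump.

```python
# Added example, not from the original post: decode an IPv4/TCP packet from
# the 4-hex-digit groups that "tcpdump -x" prints. tcpdump -x starts at the
# IP header (no Ethernet frame header), so byte 0 is the version/IHL byte.
import struct

# The hex dump from the post, copied as tcpdump printed it.
PACKET_HEX = """
4510 0068 7e87 4000 4006 3862 c0a8 011e
c0a8 0128 0016 0479 b6c8 a8de 621e 87db
5018 4470 1813 0000 e492 152f 23c3 8a2b
4ee7 dbf8 0d48 88e8 0110 2b01 4295 39f4
52c9 a05b 31d7 e3ae 1c62 2dbd d955 d604
b5d2 63d1 8fbc 4ab7 1615 b382 571c 70e0
a368 a03f 425b 6211
"""

IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
# TCP flag bits, lowest bit first (FIN is bit 0, URG is bit 5).
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]


def hex_dump_to_bytes(dump: str) -> bytes:
    """Turn the whitespace-separated hex groups of tcpdump -x back into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def decode_ip_header(pkt: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header (RFC 791 layout) starting at offset 0."""
    if len(pkt) < 20:
        raise ValueError("fewer than 20 bytes captured: no complete IP header")
    version = pkt[0] >> 4        # high nibble of byte 0: IP version
    ihl_words = pkt[0] & 0x0F    # low nibble of byte 0: header length in 32-bit words
    if version != 4:
        raise ValueError(f"not an IPv4 packet (version nibble = {version})")
    # Bytes 1..11: TOS, total length, ID, flags+fragment offset, TTL, protocol, checksum.
    tos, total_len, ident, flags_frag, ttl, proto, checksum = struct.unpack(
        "!BHHHBBH", pkt[1:12])
    return {
        "version": version,
        "header_len": ihl_words * 4,
        "tos": tos,
        "total_len": total_len,
        "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": IP_PROTOCOLS.get(proto, str(proto)),
        "checksum": checksum,
        "src": ".".join(str(b) for b in pkt[12:16]),   # bytes 12..15
        "dst": ".".join(str(b) for b in pkt[16:20]),   # bytes 16..19
    }


def decode_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header at the start of `segment`."""
    if len(segment) < 20:
        raise ValueError("fewer than 20 bytes after the IP header: no complete TCP header")
    sport, dport, seq, ack, off_flags, window, checksum, urgent = struct.unpack(
        "!HHIIHHHH", segment[:20])
    flag_bits = off_flags & 0x003F
    return {
        "src_port": sport,
        "dst_port": dport,
        "seq": seq,
        "ack": ack,
        "header_len": (off_flags >> 12) * 4,   # data offset nibble, in 32-bit words
        "flags": [name for i, name in enumerate(TCP_FLAG_NAMES) if flag_bits & (1 << i)],
        "window": window,
        "checksum": checksum,
        "urgent": urgent,
    }


def decode_packet(dump: str) -> dict:
    """Decode IP, then TCP (when present and fully captured), and flag short captures."""
    pkt = hex_dump_to_bytes(dump)
    ip = decode_ip_header(pkt)
    result = {
        "ip": ip,
        "captured_len": len(pkt),
        # A snaplen shorter than the packet leaves fewer bytes than the IP total length.
        "truncated": len(pkt) < ip["total_len"],
        "tcp": None,
    }
    tcp_bytes = pkt[ip["header_len"]:]
    if ip["protocol"] == "TCP" and len(tcp_bytes) >= 20:
        tcp = decode_tcp_header(tcp_bytes)
        result["tcp"] = tcp
        payload_start = ip["header_len"] + tcp["header_len"]
        result["payload_len"] = min(ip["total_len"], len(pkt)) - payload_start
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(decode_packet(PACKET_HEX), indent=2))
```

Run it and the two header dictionaries line up with the colored bytes described above: 20 bytes of IP header (192.168.1.30 to 192.168.1.40, protocol TCP, DF set, TTL 64, total length 104) followed by 20 bytes of TCP header (port 22 to port 1145, PSH+ACK, window 17520) and 64 bytes of payload. Feed it only the first couple of lines of the dump and it reports the capture as truncated with no TCP header, which is the symptom you see when the snaplen was left too small.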
I have been using tcpdump for many years now, and for some reason I have never noted the "host" or "and()" parameters. Using these you can specify a hostname or IP address to filter your capture on (handy if you are trying to watch an attack). Syntax would be:
tcpdump -i eth0 'host 192.168.1.1 and (192.168.1.5 or 4.2.2.2)'
This allows you to capture any traffic between host 1 (192.168.1.1) and either host 2 (192.168.1.5) or host 3(4.2.2.2). Using these parameters you can really fine-tune your capture, and I now use this quite a lot. It shuts down much of the noise a normal LAN has these days. Oh, you can also use "and not" to keep traffic from any given host from being captured. Nice when you work remotely like I do often and don't want to capture all the VNC traffic between your workstation and the remote host.
There you have it, folks. Tcpdump. There are a boatload of great tutorials out there, and quite honestly I'd rather use Wireshark. But sometimes for a quick 'n' dirty capture it's nice to run a quick tcpdump and see who's communicating with whom. Not to mention you get to feel like you're in the Matrix as you watch all that hex fly by...
Wednesday, October 28, 2009
GSEC Update
I finished my initial run-through of the SANS GSEC coursework tonight. I have been feeling a bit pressured, because there are 6 volumes in the course, each of which included about 350 pages plus a couple hundred pages in lab work. I've been pressing on, using the 20+5 method for discipline and focus (20 minutes of hyper-focus study, 5 minutes of "blowing off steam" doing whatever I felt like doing).
Tonight I finished the coursework, and I left the labs until later. The reason being many of the labs are using tools I am very familiar with and use daily - tcpdump, hping, John the Ripper, Microsoft Security Baseline Analyzer, PGP, etc. With the reading portions finished tonight I have the following things left to do:
1) Lab work. I intend to go through each lab and refamiliarize myself with the tools, hopefully picking up a few new ideas for vulnerability and penetration testing.
2) 2 Practice exams. These are 3-hour exams, so I'll have to do them on the weekends. I'll utilize them like I did the CCNA practice exams, recording any question I'm not 100% sure of off the bat and restudying the weak areas. The GSEC exam itself is open book, open paper. In essence, I can bring in anything I want as long as it is not electronic. That brings me to the next task:
3) Cram sheet compiled of the post-it notes I've filled the books with.
So I scheduled my exam for November 16th, but in light of the fact that I have finished the courseware a little early I may just schedule that up a week. I'd like to get this over with so I don't have to worry about any certification exams for a while. I'd like to get back to playing guitar daily, building boutique effects pedals and enjoying my family again.
But of course, today I was offered a 2-day course on Watchguard Firewalls that will prep for Watchguard certification. Sheesh! This may never end!
Friday, October 16, 2009
GSEC - Week 3
It has been a long hard road of studying for the upcoming GSEC recertification. I just finished a round of study, and tonight was exceptionally fun.
I'm on Module 4 of the GSEC curriculum, which is on Secure Communications. This is not new material, but I find it really fascinating to consider the inner workings of cryptography. Cryptography means "secret writing": it hides data in plain sight by transforming the message with an algorithm and a key so that only someone holding the right key can recover the original. Most people don't know it, but every time you see "https" in the address bar of your web browser, you are employing encryption (SSL/TLS) to hide things like credit card numbers from ne'er-do-wells.
Of course, I couldn't begin to explain complex number theory. But the concepts are mind-blowing to me. Tonight I began looking into Virtual Private Networks, and while I work with these daily at work I like getting back to the basics of what exactly is going on when I configure a firewall to tunnel data from one site to another. More of this in the near future.
I've also looked briefly at security policies (the linchpin of any security posture in corporate America) and I was glad I did, because just after my refresher I was contacted by a customer who was in the middle of an audit requiring security policies. I was able to draft some policies for them and they put their own corporate spin on them and we got them through it. Now, those weren't the most thorough policies I've ever written, but they got the job done.
Another thing that I've been fascinated with again is penetration testing. The tools for this are outstanding, and a lot of people have put a lot of work into making these available. I hope to look at pentesting more after this exam is over and blog about my experiences there. I'm using VMware Workstation and several different pre-built VMs expressly for pentest labs. Virtual machines have made this so much easier than it was when I started in information security. Now instead of having a half dozen machines all running, I run one big machine with several virtual machines inside it. When I FUBAR one, I just click "restore to last snapshot" and the thing is right back where I started. Awesome technology.
At any rate, I'm off to bed. I have an episode of "Big Bang Theory" to watch with my lovely wife and I can't wait to relax a little. Tomorrow is hockey practice and I'm not feeling very well so I want to be rested before I have 20 5-year-olds all trying to catch "Coach Greg."
Sunday, September 27, 2009
Security Essentials - Week 1
Just finishing up week 1 of my GSEC recertification. It's actually been a lot of fun, but I find I'm being distracted once again by the "fun" parts of information security...penetration testing. I've been using BackTrack 4 as an attack platform, and I'm really very pleased with all the tutorials and virtual labs set up by other pentesters to hone the craft. I'm planning to post more about pentesting and the tools I find useful in future posts, but for now I need to stay focused on the GSEC so that I can get this exam over with soon.
I've developed a study regimen that breaks down the 6 books by number of pages needed to complete each book in a week, giving me a target exam date of November 6th. Based on week #1, this schedule is incredibly aggressive. I'm working at being better about *not* reading the stuff I know already and reading thoroughly the information I don't or am foggy on. For instance, I spent a good amount of time on decoding frames with tcpdump - it's something that, if you don't use it every day (or even every week) you are going to lose it quickly. I'm surprised how much I enjoy picking apart frames and packets in hex, though. The inner geek in me comes alive!
Lastly, the amount that I've lost since the last exam is prompting me to develop a personal improvement plan for myself that will include working through these labs as well as the CCNA labs a little bit each week. The intent is to keep my breadth of knowledge and then to focus in on more specific technologies as my career grows. Again, I hope to post more about my plans and lab scenarios more as the weeks unfold.
But tonight, I'm done for the week and going to bed. Tomorrow my twins turn 5 years old, and I intend to spend the evening doing important things, like playing Star Wars Legos and Playmobile Dinosaurs...
Thursday, September 3, 2009
Motivation, self-discipline, avoiding distractions
It's been a while since my last post. The summer has been full of activity just as I knew it was going to be, and as we enter the traditional "end-of-summer-weekend" for millions of children across the USA I'm finding myself struggling to get motivated for my next career task. Funny how this seems to happen regularly.
I've been certified by the Global Incident Analysis Center since 2001 in Security Essentials. My certification expired this past August, and I have purchased the recertification exam materials and one shot at the exam. The course is a 40-hour bootcamp that is a mile wide and perhaps more than an inch deep, but doesn't really create "expert" status in any one technology. I typically enjoy this stuff...
But I find I'm lacking in motivation to start or continue when I do start. I have audio copies of recent classroom lectures by Dr. Eric Cole (who, by the way, is an excellent teacher and brilliant security expert), I have a copy of the class books. I have a nifty linux boot CD that provides all the tools I need to perform the work. All I'm missing is the motivation to get up early or stay up late to do this.
My problem is that I am loath to give up even a minute of my family time. We like to spend time together and do things together. As it is, I only get about 2 hours with my kids every day (if that). I have learned and believe that spending small amounts of "quality time" with my kids doesn't provide the relationship I desire with them. I find that to produce the sort of heart-bond with my kids that I feel is necessary requires a "quantity of quality time, coupled with constant presence during the regular moments." I think it's important to be there for my kids foundationally in their lives as opposed to being an occasional special moment.
So with that, my time to study and practice is limited to after the kids' bedtime and before I go to work. I'm searching for ways to discipline myself to do this work during that time. Blogging about my geeky studies was good during the CCNA, so I just may attempt that with the GSEC. I also need to remind myself that providing for my family is just one of the ways in which I love them, and at times it needs to take precedence. The danger here is that my financial provision has a tendency to overtake everything else and I justify it by thinking that I'm doing all this work "for them." In reality, I gain a lot of satisfaction from my work, and I do a lot of this for me. I will need to balance that and keep it in perspective. (I lean on my lovely wife for assistance here...)
Lastly, my study room is a mess. I have legos, CD's, guitar parts, cables, books, magazines, and all other sorts of things stacked up around me that take my eyes off the goal. In a sense, this blog post is a distraction. But sometimes I just feel a need to regroup and gain perspective and getting it in writing helps. I have a couple techniques that I've recently learned, like the "(10+2)*5" and "Ultradian Sprint." I'll start using those and probably blogging about their effectiveness.
The bottom line is that I have a goal that needs to be accomplished, and while it's not exactly what I feel like doing right now, it needs to be done. It's time to get to work, both metaphorically on this recertification and literally for the day, so I'm signing off.
More to come...
Thursday, July 2, 2009
Wednesday, June 24, 2009
CCNA Test
Passed. 825 required, I scored an 874.
I was weak exactly where I thought I would be weak - WLAN and switching (VTP to be exact).
Either way, I'm glad to have that over and get on with the summer!
Wednesday, June 17, 2009
Etherchannel
I nearly failed to add EtherChannel to the discussion of STP. The essence of EtherChannel (Fast EtherChannel on 100 Mb links, Gigabit EtherChannel on 1 Gb links) is that, when you have multiple links between two switches, STP will put all but one of them into a blocking state. That wastes bandwidth, because the blocked ports simply sit there waiting for a failure. EtherChannel bundles the parallel links into one logical port-channel interface that both STP and the administrator treat as a single link, so no member is blocked and traffic is load-balanced across all of them. The balancing is per flow (a hash of source/destination MAC, IP or port, depending on what you configure), so a single conversation still never gets more than one member link's worth of bandwidth. If one link in the bundle fails, the remaining members keep carrying traffic and STP does not have to reconverge.
That's cool, I think.
STP and RSTP
Because of the limitations of Spanning-tree Protocol, Cisco added a few options to make it work better - and more "Cisco-like."
When a workstation is plugged into an access port, the port spends about 30 seconds (15 seconds listening plus 15 seconds learning, with the default timers) before it forwards a single frame, and after a failure the 20-second max-age timer runs first, which is where the 50-second figure comes from. While the port is transitioning, network services are unavailable. This is a problem on a Windows network, where DHCP and domain authentication start as soon as the link comes up and may time out before the port ever forwards. To get around this, Cisco added PortFast to STP. PortFast tells the switch port to skip listening and learning and go straight to forwarding. That is dangerous if the workstation is swapped out for a switch (or for anything else that sends BPDUs), because a loop can form, so Cisco added BPDU guard. With BPDU guard, should a PortFast port receive a BPDU, the switch immediately puts the port into the err-disabled state until an administrator re-enables it (or errdisable recovery brings it back). On IOS that is "spanning-tree portfast" and "spanning-tree bpduguard enable" on the interface, or "spanning-tree portfast bpduguard default" globally for every PortFast port. From a security standpoint this pair is also the first line of defense against a rogue switch, or a host running an STP attack tool, injecting BPDUs on an access port.
Two other optional features Cisco added to STP are UplinkFast and BackboneFast. UplinkFast is for an access-layer switch that has a second, blocked uplink: it keeps that port ready to become the root port, and if the existing root port fails it moves the alternate straight to forwarding, bypassing listening and learning. BackboneFast handles an indirect failure that the access switch cannot see itself. When a link on the way to the root fails, the switch that lost its path starts sending inferior BPDUs claiming that it is the root. An access-layer switch that receives such a BPDU on a non-root port sends a Root Link Query out its other ports to confirm that its own path to the real root is still up; if it is, the switch expires the 20-second max-age timer immediately instead of waiting it out, ignores the false claim, and keeps advertising the real root to the neighbor that lost it.
Because these are Cisco-proprietary, the IEEE developed 802.1w, Rapid Spanning Tree Protocol. RSTP incorporates the same ideas by changing some of the port states and shortening the timers. It renames "blocking" ports to "discarding", and because "listening" ports in STP are essentially discarding frames anyway, it folds that state into discarding too. A discarding port receives BPDUs but does not forward frames or learn MAC addresses. Learning and forwarding remain the same.
RSTP also adds two port roles, "alternate" and "backup", alongside the root and designated roles. An alternate port is a standby path to the root that takes over should the root port fail. A backup port is a standby for a designated port on a segment where the switch has more than one link (not necessarily toward the root, and in practice only seen on a shared, hub-attached segment).
RSTP also distinguishes links to other switches from links to end devices. Any full-duplex link between switches is link type "point-to-point" (the speed does not matter); a half-duplex link is link type "shared", which you would only see toward a hub, and hubs are not common any longer. Access ports are "edge" ports. Edge ports connect to end devices, and on a Cisco switch you mark them as such with the interface command "spanning-tree portfast" (the same PortFast feature as in classic STP). If an edge port receives a BPDU, it immediately loses its edge status and behaves like a normal non-edge port, which is why you pair it with BPDU guard.
RSTP uses BPDUs as keepalives: every switch sends its own hello every 2 seconds, and if three consecutive hellos from a neighbor are missed (6 seconds) that neighbor is considered dead. The switch that notices then floods the topology change to all switches directly (compared to STP sending a TCN up to the root and letting the root alert the others), and every switch flushes the MAC addresses learned on all ports except the one the notification arrived on. That is quite a lot faster than STP's 50-second wait.
Lastly, there is a proposal process that neighboring switches go through. When two switches are connected, they send BPDU hellos to each other. As soon as one decides it holds the designated port for that segment, it sends a proposal to forward to the other switch. The receiving switch puts all of its other non-edge ports into the discarding state to avoid loops, then responds with an agreement that it will accept frames from the sender, and its port becomes the root port. If a switch receives a proposal but its own path to the root is better, it never sends an agreement; the proposal times out, the proposing switch's port becomes an alternate port and continues to discard.
My understanding is that RSTP configuration is beyond the scope of the CCNA, but it's good to have understanding of how it works to speed up convergence and to know the terms. There you have it folks...
Tuesday, June 16, 2009
Spanning-tree
Spanning-tree protocol is defined in IEEE 802.1D. (I've never, in a real-world situation needed to know that, but it seems like the sort of thing Cisco would put on their test to see if you were paying attention). It is a layer 2 protocol that prevents switching loops: it elects a root bridge (root switch), keeps the lowest-cost path from every switch back to the root, and blocks the redundant paths so that broadcast frames cannot circle forever.
STP bases all its calculations on cost, which by default it derives from link speed. The IEEE 802.1D-1998 port costs are:
10 Gb - Cost 2
1 Gb - Cost 4
100 Mb - Cost 19
10 Mb - Cost 100
When a switch comes online, it sends out a Bridge Protocol Data Unit (BPDU) carrying its bridge ID, which is the switch's priority (32768 by default, configurable in multiples of 4096) combined with its MAC address. The lowest bridge ID becomes the root bridge; since every switch ships with the same default priority, the lowest MAC address usually wins unless you set the priority deliberately. The root then sends out BPDUs every 2 seconds, and as long as it never hears a BPDU advertising a lower bridge ID it continues happily as the root bridge. Nothing authenticates BPDUs, so any device that sends one with a lower bridge ID, whether a misconfigured switch or an attacker's laptop on an access port, takes over as root and can pull traffic through itself; that is what root guard and BPDU guard are for.
Once the root bridge is elected, each switch works out its root port and each segment gets a designated port. A switch's root port is the port with the lowest cost back to the root. The designated port on a segment is the port, among all switches attached to that segment, that offers the lowest cost to the root (every port on the root bridge is therefore designated). The cost is the sum of the port costs along the entire path back to the root, added on the port that receives the BPDU. So if you have 3 switches, with a 1 Gb link between switch A and switch B and a 100 Mb link between switch B and switch C, and A is the root, switch C's cost to the root is 23 (4 + 19).
If there are multiple paths to the root, the switch decides which port will forward and which will block by comparing the BPDUs it receives, in this order. First, root path cost: the lowest-cost port forwards (it becomes the root port) and the higher-cost port blocks. If the costs tie, it looks at the bridge ID of the sending switch, with the lowest winning. If the BPDUs come from the same switch (two links to the same neighbor), it looks at the sender's port priority, an arbitrary number that defaults to 128 but can be configured to prefer one path over another. If there is still a tie, it looks at the sender's port number, with the lowest interface number forwarding.
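Here is a worked example of the election and cost rules above. It is an added example, not part of the original post or of any Cisco tooling: the switch names, MAC addresses and link speeds are made up, and the relaxation loop is a simulation of BPDU propagation rather than real switch code. The A-B-C chain reproduces the post's 4 + 19 = 23 case, a slow redundant A-C link shows a port being blocked, and the last function shows what an unauthenticated BPDU with priority 0 does to the tree.

```python
"""Added example, not from the original post: STP root election, root path
cost and port roles on a small constructed topology.  Switch names, MACs and
link speeds are made up; the A-B-C chain mirrors the post's 4 + 19 = 23 case.
Standard library only."""

# IEEE 802.1D-1998 port costs by link speed in Mb/s (the table in the post)
COST = {10000: 2, 1000: 4, 100: 19, 10: 100}
PORT_PRIORITY = 128   # default per-port priority; left at the default everywhere here

# Constructed switches: name -> (priority, MAC).  Lowest bridge ID wins.
SWITCHES = {
    "A": (32768, "00:1a:2b:00:00:0a"),
    "B": (32768, "00:1a:2b:00:00:0b"),
    "C": (32768, "00:1a:2b:00:00:0c"),
}
# Constructed links: (switch, port, switch, port, speed in Mb/s)
LINKS = [
    ("A", 1, "B", 1, 1000),
    ("B", 2, "C", 1, 100),
    ("A", 2, "C", 2, 10),   # slow redundant link that closes a loop
]


def bridge_id(switches, name):
    prio, mac = switches[name]
    return (prio, int(mac.replace(":", ""), 16))   # priority first, MAC breaks ties


def elect_root(switches):
    return min(switches, key=lambda n: bridge_id(switches, n))


def neighbours(switches, links):
    """switch -> [(own_port, neighbour, neighbour_port, link_cost)]"""
    table = {s: [] for s in switches}
    for a, pa, b, pb, speed in links:
        table[a].append((pa, b, pb, COST[speed]))
        table[b].append((pb, a, pa, COST[speed]))
    return table


def compute_stp(switches, links):
    root = elect_root(switches)
    nbrs = neighbours(switches, links)
    INF = float("inf")
    rpc = {s: INF for s in switches}        # root path cost per switch
    rpc[root] = 0
    root_port = {root: None}
    # Relax until stable, which mirrors BPDUs propagating out from the root.
    # Each switch keeps the best offer: lowest cost, then lowest sender bridge
    # ID, then lowest sender port priority/number, then its own port number.
    for _ in range(len(switches)):
        for s in switches:
            if s == root:
                continue
            best = None
            for own_port, nbr, nbr_port, cost in nbrs[s]:
                if rpc[nbr] == INF:
                    continue
                offer = (rpc[nbr] + cost, bridge_id(switches, nbr),
                         (PORT_PRIORITY, nbr_port), own_port)
                if best is None or offer < best:
                    best = offer
            if best is not None:
                rpc[s], root_port[s] = best[0], best[3]
    # Port roles: on every segment the end with the lower (cost, bridge ID)
    # is designated; the far end is either the root port or it blocks.
    key = lambda s: (rpc[s], bridge_id(switches, s))
    roles = {}
    for a, pa, b, pb, _speed in links:
        designated = a if key(a) < key(b) else b
        for sw, port in ((a, pa), (b, pb)):
            if sw == designated:
                roles[(sw, port)] = "designated"
            elif root_port.get(sw) == port:
                roles[(sw, port)] = "root"
            else:
                roles[(sw, port)] = "blocking"
    return root, rpc, root_port, roles


def with_rogue():
    """Nothing authenticates BPDUs: a device with priority 0 plugged into
    C's port 3 wins the election and the whole tree re-forms around it."""
    switches = dict(SWITCHES, rogue=(0, "00:de:ad:be:ef:00"))
    links = LINKS + [("C", 3, "rogue", 1, 100)]
    return compute_stp(switches, links)


if __name__ == "__main__":
    root, rpc, root_port, roles = compute_stp(SWITCHES, LINKS)
    print("root:", root, "root path costs:", rpc)
    for (sw, port), role in sorted(roles.items()):
        print(f"  {sw} port {port}: {role}")
    print("after rogue BPDUs, root is:", with_rogue()[0])
```

With the three default-priority switches A wins on MAC address, C reaches the root for 23 through B rather than 100 over the direct 10 Mb link, so C's port 2 blocks. Plug in the priority-0 "rogue" and it becomes root, B's root port swings from its uplink to A over to C, and every frame from B toward the rest of the network now passes the rogue's side of the tree, which is exactly the scenario BPDU guard on access ports is meant to stop.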
Spanning-tree ports go through transitions, ending in either a forwarding or a blocking state. There are timers assigned to each state, and each state does something different. They are:
Disabled - the port is administratively down (or err-disabled) and does nothing
Blocking - the port receives BPDUs but does not send them, forwards no user data and learns no MAC addresses
Listening - the port sends and receives BPDUs (this is where root and designated ports get worked out) but still forwards no user data and learns no MAC addresses
Learning - the port starts entering source MAC addresses into its table but still does not forward user data
Forwarding - the port forwards user data as well as BPDUs and keeps learning
Blocking to listening takes 20 seconds (the max-age timer), listening to learning takes 15 seconds (forward delay) and learning to forwarding takes another 15 seconds. So after a topology change, classic STP can take 50 seconds before connectivity resumes. Rapid PVST+, Cisco's per-VLAN version of RSTP, can converge in a second or two, but that is another topic... These timers are dictated by the root bridge, so to modify them in your network you only need to change them on the root and they will propagate throughout the network via BPDUs.
Later, VLAN's.
Monday, June 15, 2009
The date is set
June 24th, 2009 at 8:00 AM.
I was glad to see that SCSU has a testing center now. Now I can test without having to drive a couple hours beforehand.
I'm about to do some cramming, more updates later. I feel pretty good right now that I'll be prepared. I'll be going over switching and ACL's, while continuing to blast through subnetting and facts and figures. I wish I had gone over the facts and figures more, but at this point I will just need to make the most of it.
Anyway, less blogging. More studying. Opening up the labs as we speak...
Friday, June 12, 2009
IPSec and VPN - overview
Secure network communication is of utmost importance in today's business world. Having worked in network security for the past several years, I find that the only thing that seems to trump security is cost. If something costs too much, companies are usually willing to take a risk. That's why things like HIPAA and SOX come into play, and while they sometimes make life difficult, I'm glad they are there to keep our information safe.
At any rate, IPSec is a layer 3 protocol framework. In transport mode it protects everything from layer 4 up to layer 7; in tunnel mode, which is what site-to-site VPNs use, the whole original IP packet is wrapped inside a new one and protected, header included. I call it a framework because it is really a set of protocols that you configure other protocols to fit into: IKE to negotiate the connection, ESP or AH to carry the traffic, and whichever encryption and hash algorithms you choose. This way, as algorithms become outdated and compromised, IPSec can simply plug in the latest and greatest and off you go!
IPSec handles encryption, which keeps anyone else from reading your data. The encryption algorithms used are, from weakest to strongest, DES, 3DES and AES. DES uses a 56-bit key (far too short to be considered safe today), 3DES runs DES three times for an effective strength of 112 bits, and AES uses a 128-, 192- or 256-bit key. These are all examples of symmetric encryption, where the key used to encrypt the data is also used to decrypt it. Asymmetric encryption, such as RSA (with a PKI to distribute and vouch for the public keys), uses a public/private key pair. Anything encrypted with the public key can only be decrypted with the private key and vice versa.
To solve the problem of having to configure the same symmetric key on every party that wants to talk securely, Diffie-Hellman key exchange (DH) is used. DH works by having both sides exchange the public result of a mathematical computation and combine it with their own private value, so that both arrive at the same shared key while an eavesdropper who only saw the exchanged values cannot reproduce it. One caveat: DH by itself does not tell you who you are exchanging keys with, which is why IPSec authenticates the peers (with a pre-shared key or certificates) as part of the negotiation.
SSL takes the asymmetric route: in the classic handshake the sending party generates a shared secret key, encrypts it with the receiving party's public key, and sends it across. Only the receiver can decrypt it, because only they hold the matching private key. From there on the session uses that shared key with symmetric encryption, which is far faster than doing everything with public-key math.
Authentication and data integrity are handled by the older MD5 and the newer SHA-1 (both considered weak today; the SHA-2 family is the current choice). These algorithms run the data to be sent through a mathematical function, producing a fixed-size "hash" that identifies it. The receiving party runs the same function over what it received and compares; if the hash is different, the data was corrupted or modified in transit and is discarded. The important detail is that IPSec does not send a bare hash: it sends an HMAC (HMAC-MD5 or HMAC-SHA-1), a hash computed together with the shared key, so an attacker who alters the data in transit cannot simply recompute a matching hash.
Lastly, the IPSec protocol itself consists of AH (Authentication Header) and ESP (Encapsulating Security Payload). AH was developed first and only provides authentication and integrity; because its integrity check covers the IP header, it also breaks when the packet passes through NAT. ESP was developed to provide the encryption AH lacked, and it can provide authentication and integrity as well, which is why ESP is what you almost always see in practice.
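Here is the exchange the last few paragraphs describe, as an added example that is not part of the original post, in Python using only the standard library. Two sites agree on a key with Diffie-Hellman, derive a symmetric key from it, and then protect a payload two ways: with a plain SHA-1 hash (what the description above literally says) and with the keyed HMAC that IPSec actually uses. An attacker in the path can forge the first and not the second. Assumptions: the DH modulus is a toy 127-bit prime so the script runs instantly (IKE uses the 2048-bit and larger MODP groups of RFC 3526), the key derivation is a single SHA-256 standing in for IKE's key schedule, the payload is constructed, and AES itself is left out because the standard library has no AES; the derived key is what you would hand to it.

```python
import hashlib
import hmac
import secrets

# Toy 127-bit Mersenne prime so the script runs instantly. This is an assumption
# for the example only; IKE uses the 2048-bit and larger MODP groups of RFC 3526.
P = (1 << 127) - 1
G = 2


def dh_keypair():
    """Private exponent plus the public value (G^priv mod P) that goes on the wire."""
    priv = secrets.randbelow(P - 3) + 2          # 2 .. P-2
    return priv, pow(G, priv, P)


def dh_shared_secret(my_priv, their_pub):
    """Both ends compute the same number: (G^b)^a == (G^a)^b (mod P)."""
    return pow(their_pub, my_priv, P)


def derive_key(shared_secret, label=b"ipsec-demo"):
    """Turn the DH result into a fixed-size symmetric key.
    Simplified stand-in for IKE's PRF-based key schedule (assumption)."""
    return hashlib.sha256(label + shared_secret.to_bytes(16, "big")).digest()


def unkeyed_tag(data):
    """A plain hash of the data: what the paragraph above literally describes."""
    return hashlib.sha1(data).digest()


def keyed_tag(key, data):
    """What IPSec actually sends: HMAC-SHA-1 over the data with the shared key."""
    return hmac.new(key, data, hashlib.sha1).digest()


def verify_unkeyed(data, tag):
    return hmac.compare_digest(unkeyed_tag(data), tag)


def verify_keyed(key, data, tag):
    return hmac.compare_digest(keyed_tag(key, data), tag)


def demo():
    """Full exchange plus one tampering attempt; returns what each check decided."""
    a_priv, a_pub = dh_keypair()   # site A
    b_priv, b_pub = dh_keypair()   # site B
    # Only a_pub and b_pub cross the Internet; the private exponents never do.
    key_a = derive_key(dh_shared_secret(a_priv, b_pub))
    key_b = derive_key(dh_shared_secret(b_priv, a_pub))

    payload = b"transfer 100 to account 42"    # constructed sample payload
    tampered = b"transfer 900 to account 13"

    # An attacker in the path rewrites the payload and recomputes the plain hash...
    forged_plain_tag = unkeyed_tag(tampered)
    # ...but has no key for the HMAC, so the best it can do is replay A's real tag.
    genuine_hmac = keyed_tag(key_a, payload)

    return {
        "keys_match": key_a == key_b,
        "plain_hash_accepts_forgery": verify_unkeyed(tampered, forged_plain_tag),
        "hmac_accepts_genuine": verify_keyed(key_b, payload, genuine_hmac),
        "hmac_accepts_forgery": verify_keyed(key_b, tampered, genuine_hmac),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Run it and the two sites end up with identical keys, the forged payload sails through the plain-hash check, and the same forgery fails the HMAC check. That last line is the whole reason the integrity algorithm in an IPSec transform set is listed as esp-sha-hmac rather than just sha.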
VPN technologies are available in most modern versions of Cisco IOS, and Cisco sells routers with these services built in as "ISRs," Integrated Services Routers. VPN technology is also included in the ASA (Adaptive Security Appliance). The three main benefits of VPN technology are: 1) it costs less to secure communication between remote sites over an Internet connection than to pay for point-to-point leased lines; 2) it gives remote users higher-speed connectivity over broadband and DSL, compared to the dial-up lines companies used to use; and 3) it scales better, because new remote sites can be brought online without significant infrastructure changes. The downside is that the Internet is typically not as reliable as a point-to-point line, and there is added overhead on routers and firewalls as they encrypt and decrypt the traffic.
There are two types of VPNs: Site-to-site and remote-access.
Site-to-site VPNs create a secure "tunnel" through the Internet from one site to another. The users in one site have no idea what equipment their data passes through; as far as they are concerned, it is a direct connection. Devices in between see only encrypted packets between the two gateways' addresses, not the users' data, because it is encrypted before it leaves the site. These are configured to be either "permanent" or "semi-permanent": a permanent VPN is always up, offering speed but greater overhead because the tunnel is up whether you are using it or not. Semi-permanent VPNs are brought up by the sending device when data needs to go to the remote site and torn down when they are no longer in use. This takes a load off the router or firewall, but there will be some latency on the initial connection.
Remote-access VPNs are always semi-permanent. They are brought online when a user establishes a connection to the firewall or router. Historically they would launch a VPN client application that the administrator had configured, enter their username and password (plus a token, if two-factor authentication is in use), and they would have network connectivity as if on the LAN. Cisco's latest method of remote access is the SSL VPN, also called WebVPN; the "clientless VPN" is one mode of it, described next.
A WebVPN user accesses a secure website (watch for the https:// in the URL). Once on the secure page, they authenticate with a username and password. From that point, as long as the web session stays open, they are securely connected to the LAN. In true clientless mode they are presented with a list in the browser of the resources they are allowed to reach. In thin-client mode an ActiveX or Java applet is downloaded and run on the user's computer, which lets them use TCP-based applications installed on that computer through the tunnel. Clientless mode gives the user's locally installed programs no path into the LAN; only what the browser portal presents is reachable.
There is much, much, much more involved in these technologies, but from what I gather all we need for the CCNA is the broad overview and familiarity with the terms and protocols. I'll leave the in-depth analysis for my future certification blog...
Tuesday, June 9, 2009
Checkpoint
I sat this morning and took a 30 question quiz on Frame-relay and WAN connectivity. I smoked the Frame-relay but discovered that I'm a little short on my understanding of VPN technologies. I'll be working on that this week.
I'm in the short haul here. I am planning to take the CCNA exam next week if my study goes well this week. I've shored up the routing protocols, worked through much of the L2 protocols and feel pretty good about the L1 information as far as what makes a router work, where data is stored and what kind of connectors are used in routing.
I'm also assembling a list of labs to complete before I take the exam, and I plan to focus on the troubleshooting aspects of all these technologies. I find that, in a lab situation it's easy to follow along and configure the equipment and then step back and say "Yep, it works. Now I'm an expert." Fact of the matter is, when I get into the office every day I rarely have the opportunity to set up a new enterprise routing topology. Normally I get the call that says "my network is slow" or "why can't I connect to eBay?" Knowing how to set these things up at that point is good because with no foundation it is impossible to troubleshoot, but more importantly to me is the ability to look at a configured system and figure out why it's broken or misbehaving.
So my plan for tomorrow is to take a full practice exam and figure out where I need additional work. I already know that IPSec is something I need a refresher on, and I want to lab the routing protocols and L2 protocols to death. Anyone with some experience who could tell me what else to focus on for the exam that would like to offer pointers or comments would be much appreciated.
Monday, June 8, 2009
Frame Relay - 2
This morning we continue our discussion of Frame Relay. Its major benefits are fast transfer rates and low cost. However, a major drawback comes into play when you use a hub-and-spoke topology, where one router is the central connection point for all the others: with a distance-vector routing protocol (or a hybrid such as EIGRP), split horizon prevents routing updates from going back out the same interface on which they arrived. That means your "spokes" won't learn routes to each other through the hub.
To get around this, you either disable split horizon on your hub router (a little like skydiving without a backup parachute: you can do it and will probably be OK, but if you're not...yikes!) or configure your router to use subinterfaces.
Subinterfaces are logical interfaces on a physical interface that the router sees and treats as separate interfaces. You create one by adding a "." and a number of your choosing (conventionally the DLCI, to keep things readable) to the interface command, such as "interface serial 0/0.100". After that you assign it its own IP address and mask and bind the DLCI to it, and the router routes traffic accordingly. Before any of this works, enable Frame Relay encapsulation on the physical interface and bring it up. When you do, remember that Cisco didn't become the largest internetworking company in the world by giving away its secrets: the encapsulation can be the proprietary "cisco" type (the default) or the industry-standard "ietf" type. If everything you have is Cisco, there is no reason to change it from the default. If you are mixing vendors' equipment, go with ietf.
Because serial interfaces have no MAC address, we need some way to figure out which IP address belongs to which DLCI. Once the service provider's switch uses LMI to tell the router which DLCIs exist, the router sends an Inverse ARP request out each one that pretty much says "hello, DLCI. Send me your IP address." The remote router answers with its IP address and the local router maps the DLCI to it. Perfect. Inverse ARP is the router's automated way of matching IP addresses to DLCIs. However, it only ever learns the far end of each PVC. In a hub-and-spoke network the spokes have no PVC to each other, so they never learn each other's addresses, and with every mapping sitting on one interface at the hub, split horizon stops the spokes' routes from being re-advertised. Your routing protocol won't route spoke to spoke, and at that point you need another answer...
Enter statically mapped DLCIs. On a multipoint interface you map each remote IP address to its DLCI by hand with "frame-relay map"; on point-to-point subinterfaces you bind one DLCI per subinterface, which sidesteps split horizon entirely because each PVC is its own interface. It's a little more work for the administrator, but in three lines per subinterface you have everything a statically mapped DLCI needs and your subinterfaces are all working. Wonderful.
To configure Frame Relay, make sure the LMI type matches what the provider's switch speaks: LMI runs between your router and the provider, not between your two routers, and newer IOS autosenses it. It is important to remember that ietf is a Frame Relay encapsulation type and *not* an LMI type. The LMI types are cisco, ansi and q933a; this is the language your router and the provider's switch use to talk about the circuits. The encapsulation type, by contrast, has to agree with the router at the far end of the PVC. Again, remember that ietf is an encapsulation type, not an LMI type.
A Frame Relay PVC can be in one of four states: ACTIVE, INACTIVE, DELETED and STATIC. You view the state of each circuit with the "show frame-relay pvc" command, which lists every DLCI and its status. ACTIVE means the circuit is good and in normal operation; INACTIVE means your end is OK but the remote end has problems, most likely offline or misconfigured; DELETED means the provider's LMI is not reporting a DLCI you have configured, so your side is most likely misconfigured (usually a wrong DLCI number) or the circuit hasn't been provisioned; and STATIC means the circuit was entered manually by the administrator rather than discovered through LMI.
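Since my goal is troubleshooting rather than greenfield configuration, here is an added example (mine, not part of the original post) that reads "show frame-relay pvc" output and turns each circuit's state into the hint from the paragraph above, then cross-checks the router's own Active/Inactive/Deleted/Static tally against the per-DLCI lines so a truncated capture doesn't hide a broken circuit. The sample output is constructed for this example in the shape IOS prints the summary table and the per-DLCI lines; the exact spacing and the regex that matches it are assumptions, so adjust them if your IOS release prints the lines differently.

```python
import re
from collections import Counter

# Assumed shape of the per-DLCI summary line (constructed to match what IOS prints).
DLCI_LINE = re.compile(
    r"DLCI = (?P<dlci>\d+), DLCI USAGE = (?P<usage>\w+), "
    r"PVC STATUS = (?P<status>\w+), INTERFACE = (?P<iface>\S+)"
)
# The "Local" row of the per-interface count table: Active Inactive Deleted Static.
LOCAL_ROW = re.compile(r"^\s*Local\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)", re.M)

# Interpretation of each state, as described in the text above.
HINTS = {
    "ACTIVE":   "circuit up, normal operation",
    "INACTIVE": "local side OK; remote end down or misconfigured, call the far site",
    "DELETED":  "LMI is not reporting this DLCI; check the DLCI number / provisioning",
    "STATIC":   "manually configured, not learned via LMI",
}

# Constructed sample output for this example (one healthy and two broken PVCs).
SAMPLE_OUTPUT = """\
PVC Statistics for interface Serial0/0 (Frame Relay DTE)

              Active     Inactive      Deleted       Static
  Local          1            1            1            0
  Switched       0            0            0            0
  Unused         0            0            0            0

DLCI = 102, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/0.102
  input pkts 1200          output pkts 1180         in bytes 96000
DLCI = 103, DLCI USAGE = LOCAL, PVC STATUS = INACTIVE, INTERFACE = Serial0/0.103
  input pkts 0             output pkts 25           in bytes 0
DLCI = 104, DLCI USAGE = LOCAL, PVC STATUS = DELETED, INTERFACE = Serial0/0.104
  input pkts 0             output pkts 0            in bytes 0
"""


def parse_pvcs(text):
    """One dict per DLCI line: dlci (int), usage, status, iface."""
    pvcs = []
    for m in DLCI_LINE.finditer(text):
        d = m.groupdict()
        d["dlci"] = int(d["dlci"])
        pvcs.append(d)
    return pvcs


def summary_counts(text):
    """The router's own Active/Inactive/Deleted/Static tally for local DLCIs."""
    m = LOCAL_ROW.search(text)
    if not m:
        return None
    return dict(zip(("ACTIVE", "INACTIVE", "DELETED", "STATIC"), map(int, m.groups())))


def counts_consistent(text):
    """Cross-check the tally against the per-DLCI lines (guards against truncated output)."""
    tally = summary_counts(text)
    seen = Counter(p["status"] for p in parse_pvcs(text))
    return tally is not None and all(seen.get(s, 0) == n for s, n in tally.items())


def diagnose(text):
    """(dlci, interface, status, hint) for each PVC; unknown states are flagged."""
    return [
        (p["dlci"], p["iface"], p["status"],
         HINTS.get(p["status"], "unrecognized state"))
        for p in parse_pvcs(text)
    ]


def needs_attention(text):
    """DLCIs that are not ACTIVE: the ones worth a config check or a phone call."""
    return [dlci for dlci, _, status, _ in diagnose(text) if status != "ACTIVE"]


if __name__ == "__main__":
    print("tally matches detail:", counts_consistent(SAMPLE_OUTPUT))
    for dlci, iface, status, hint in diagnose(SAMPLE_OUTPUT):
        print(f"DLCI {dlci:>4} on {iface:<14} {status:<9} {hint}")
```

Paste real output into SAMPLE_OUTPUT (or read it from a file) and the non-ACTIVE list tells you which end to look at first: INACTIVE sends you to the far site, DELETED sends you to your own interface-dlci or map statements and to the provider's provisioning.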
A multipoint interface is configured by adding the "multipoint" argument to the command that creates the subinterface, such as "interface serial 0.10 multipoint", which marks it as an interface that will carry multiple DLCIs. That's all fine and well, but in a hub-and-spoke topology the spoke sites still won't see each other, because split horizon keeps routing updates from going out the interface on which they arrived. So on a multipoint interface you disable split horizon on the hub and statically map each remote address with "frame-relay map ip 192.168.1.1 100 broadcast", where 192.168.1.1 is the remote router's IP address and 100 is the DLCI that reaches it (on a spoke, the other spokes' addresses are mapped to the hub's DLCI, since that is the only PVC the spoke has). The broadcast argument tells the interface to forward broadcast and multicast traffic, routing updates included, over that circuit, which Frame Relay as an NBMA network would not do on its own.
When using point-to-point subinterfaces, you create one subinterface per PVC coming into the router. After enabling Frame Relay encapsulation on the physical interface, you tell the router the subinterface is point-to-point with the obvious command "interface serial 0.100 point-to-point". After this you assign an IP address and netmask, issue the "frame-relay interface-dlci 100" command, and enable a routing protocol. Each PVC is now its own interface, so split horizon is no longer in the way. It's as easy as that.
Frame Relay is a complex topic with much more that can be configured. But if my sources are correct, that can all wait until my CCNP blog comes out...
Friday, June 5, 2009
Frame Relay - 1
And now, back to our program. Even though I'm running a bit short on time this morning, I wanted to jot down a few quick thoughts about Frame Relay before I lose them. Frame Relay is a popular WAN technology because it allows high data transfer rates without the cost of a dedicated point-to-point line for each connection. You can carry several FR links on a single physical interface, reducing cost while still providing decent throughput. It is the IT manager's dream!
FR utilizes Virtual Circuits, which are logical links through a service provider's network cloud. While the path through "the cloud" may be varied and use several different devices, from the router's perspective it is a direct connection to the other end of the virtual circuit. While a packet may go through several devices between the two ends of the virtual circuit, it still sees it as one hop. Virtual circuits define which devices communicate.
Some of the topologies for FR are hub-and-spoke, partial mesh and full mesh. These are exactly like the "networking 101" definitions, so I won't bother to explain them. All you need to know is that as you move from hub-and-spoke toward a full mesh, you increase both reliability and cost.
Virtual circuits are either permanent or switched. A Permanent Virtual Circuit (PVC) is up all the time and carries data with no setup delay. A Switched Virtual Circuit (SVC) is set up when there is data to send to the other end and torn down when it goes idle, much like a dial-on-demand ISDN call. SVCs are less common today.
LMI (Local Management Interface) is the language the router and the provider's switch speak to communicate the state of the virtual circuits. Newer versions of IOS can automatically detect which LMI type is in use, but on older versions it has to be entered manually.
DLCIs (Data Link Connection Identifiers) are the numbers that identify which circuit traffic is sent down. They are used in essence as the hardware address of the receiving end's interface, because serial interfaces have no MAC address. They are locally significant only. In other words, if I know that to reach my location in Texas I send frames out the virtual circuit with DLCI 100, the Texas router does not need to know what DLCI I send to. It only knows the number that returns to me, which could be completely different. A great analogy I read is flight numbers. A flight from Minnesota to Texas needs only be known by the Minnesotan getting on the plane. When he arrives in Texas, he is there and the flight number is unimportant now. When he wants to return to Minnesota, chances are he'll get on a plane with a completely different flight number. As long as the sending terminal knows which plane to put him on, he arrives at his destination. That's how DLCIs work. They answer the question "to get to location X, I send data down circuit Y."
Of importance to network managers is the difference between local access rate and Committed Information Rate. Local access rate is another term for line speed: the total bandwidth of the physical interface. Committed Information Rate (CIR) is the throughput the service provider guarantees for a circuit; as their lines become more heavily subscribed, they will still provide at least this amount. The local access rate caps what is realistically available, so if the CIRs of all the circuits on an interface add up to more than it, the line is "oversubscribed." An oversubscribed line still allocates bandwidth to every circuit, but may not meet the CIR of each one. That's when it's time to check your SLA and monitor your throughput so you are getting all you pay for.
To keep traffic from backing up too much, the provider's switches use two congestion bits in the Frame Relay header. BECN (Backward Explicit Congestion Notification) is set on frames travelling back toward the sender to tell it to slow down; you see it when a router is pushing traffic well above its CIR and the path is congested. FECN (Forward Explicit Congestion Notification) is the converse: the switches set it on frames headed toward the receiver, so the receiver learns that the forward path is congested and can signal the sender in turn. That matters when there is no return traffic for the switches to mark with BECN, such as a one-way UDP stream.
Lastly, if you are sending traffic above and beyond your CIR, the service provider may mark some of your frames "Discard Eligible." Marked as such, most frames still arrive safely. But if the line gets too congested, these are the first to be dropped.
Tomorrow, more Frame Relay. It's a complex topic, but once you understand the terms and ideas behind it, the configuration is really quite simple. More on that later.
FR utilizes Virtual Circuits, which are logical links through a service provider's network cloud. While the path through "the cloud" may be varied and use several different devices, from the router's perspective it is a direct connection to the other end of the virtual circuit. While a packet may go through several devices between the two ends of the virtual circuit, it still sees it as one hop. Virtual circuits define which devices communicate.
Some of the tpolgies for FR are hub-and-spoke, partial mesh and full mesh. These are exactly like the "networking 101" definitions, so I won't bother to explain them. All that's required to know is that as you move from the hub-and-spoke topology to a full mesh, you increase reliability and cost.
Virtual circuits are either Permanent or Switched. A Permanent Virtual Circuit (PVC) is up all the time adn provides instantaneous data transfer. A Switched Virtual Circuit (SVC) provides data transfer on-demand. These are less common today, and an example would be an ISDN line that connects when there is data to be sent to the other end and torn down when it is inactive.
LMI (Local Management Interface) is the language two devices speak that communicate the state of virtual circuits to a router. Newer versions of IOS are able to automagically determine what LMI is in use, but in older versions it is necessary to enter it manually.
DLCI's (Direct Link Connection Identifier) are the numbers that identify where traffic is destined to reach. These are in essence used as the hardware address to identify the reciving end's network interface, because serial interfaces have no MAC address. They are locally significant only. In other words, if I know that to reach my location in Texas I send frames out virtual circuit with DLCI 100, the Texas router does not need t know what DLCI I send to. It only knows what number returns to me, and could be completely different. A great analogy that I read is one of flight numbers. A flight from Minnesota to Texas needs only be known by the Minnesotan getting on the plane. When he arrives in Texas, he is there and the flight number is unimportant now. When he wants to return to Minnesota, chances are he'll get on a plane with a completely different flight number. As long as the sending terminal knows which plane to put him on, he arrives at his destination. That's how DLCI's work. They answer the question "to get to location X, I send data to circuit Y."
Of importance to network managers is the difference between Local Access Rate and Committed Information Rate. Local access rate is another term for line speed, and is the total bandwidth of an interface. Committed Information Rate (CIR) is the service provider's guarantee for throughput, and as their lines become more heavily subscribed, they will provide at minimum this amount. An interface's local access rate will determine the realistic bandwidth available, and the CIR of all circuits cannot exceed that amount or your line is "over subscribed." When a line is over subscribed, it will allocate bandwidth to all circuits, but perhaps not meet the CIR for each. It's then time to check your SLA and monitor your throughput so you are getting all you pay for.
To keep traffic from backing up too much, the provider's switches use BECN (Backward Explicit Congestion Notification), a bit in the Frame Relay header of frames traveling back toward a router, to tell it to slow down its transmission. The switch sets it when a circuit is congested, which typically happens when a router is sending at its local access rate, well above the CIR. The converse is FECN (Forward Explicit Congestion Notification), which the switch sets on frames traveling toward the receiver to say that the path they came over is congested. If there is no return traffic for the switch to mark (such as a one-way UDP stream), the receiving router can answer an FECN by sending a frame back with BECN set, so the sender still gets the message. Note that neither bit is set by the routers themselves; they are the provider's congestion signals, and a router only acts on them if you configure it to (for example with "frame-relay adaptive-shaping becn").
Lastly, if you are sending traffic above and beyond your CIR, the provider may mark the excess with the Discard Eligible (DE) bit. Most DE-marked frames still arrive safely, but if the line gets too congested these are the first to be dropped, so anything that absolutely has to get through should stay within CIR.
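To make the header bits concrete, here is an added example (mine, not from the original post) in Python that encodes and decodes the two-byte Frame Relay address field, which is where the DLCI, FECN, BECN and DE bits live, and then applies a toy send-rate policy to the BECNs it finds. The sample frames and the cut-by-a-quarter, step-back-up policy are constructed for illustration; IOS adaptive shaping behaves in the same spirit but is not this exact algorithm.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FrHeader:
    dlci: int
    cr: bool    # command/response, passed through untouched by the network
    fecn: bool  # forward explicit congestion notification
    becn: bool  # backward explicit congestion notification
    de: bool    # discard eligible


def encode_fr_header(dlci: int, cr=False, fecn=False, becn=False, de=False) -> bytes:
    """Build the 2-byte Q.922 address field (10-bit DLCI) that starts every Frame Relay frame."""
    if not 0 <= dlci <= 1023:
        raise ValueError("two-byte addressing carries a 10-bit DLCI")
    # byte 1: DLCI high 6 bits | C/R | EA=0 (another address byte follows)
    b1 = ((dlci >> 4) & 0x3F) << 2 | (int(cr) << 1)
    # byte 2: DLCI low 4 bits | FECN | BECN | DE | EA=1 (last address byte)
    b2 = (dlci & 0x0F) << 4 | (int(fecn) << 3) | (int(becn) << 2) | (int(de) << 1) | 1
    return bytes([b1, b2])


def decode_fr_header(frame: bytes) -> FrHeader:
    """Parse the address field; refuse 3- or 4-byte addressing rather than misread it."""
    if len(frame) < 2:
        raise ValueError("truncated address field")
    b1, b2 = frame[0], frame[1]
    if (b1 & 1) or not (b2 & 1):
        raise ValueError("EA bits do not describe two-byte addressing")
    return FrHeader(
        dlci=((b1 >> 2) << 4) | (b2 >> 4),
        cr=bool(b1 & 0x02),
        fecn=bool(b2 & 0x08),
        becn=bool(b2 & 0x04),
        de=bool(b2 & 0x02),
    )


def becn_rate_policy(frames, dlci: int, access_rate_kbps: int, cir_kbps: int, window: int = 8) -> int:
    """Illustrative reaction to BECN on one DLCI (not the IOS algorithm): look at received
    frames in windows; a window with any BECN set cuts the send rate by a quarter (never
    below CIR), a clean window steps it back up by 1/16 of the headroom (never above the
    access rate). Returns the final send rate in kbps."""
    on_dlci = [h for h in (decode_fr_header(f) for f in frames) if h.dlci == dlci]
    rate = access_rate_kbps
    for start in range(0, len(on_dlci), window):
        chunk = on_dlci[start:start + window]
        if any(h.becn for h in chunk):
            rate = max(cir_kbps, rate * 3 // 4)
        else:
            rate = min(access_rate_kbps, rate + (access_rate_kbps - cir_kbps) // 16)
    return rate


# Constructed sample: return traffic seen on two DLCIs, one frame marked BECN by the provider.
SAMPLE_FRAMES = [
    encode_fr_header(100),
    encode_fr_header(100, becn=True),
    encode_fr_header(200),
    encode_fr_header(100),
    encode_fr_header(100, de=True),
    encode_fr_header(100),
    encode_fr_header(100),
    encode_fr_header(100),
    encode_fr_header(100),
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(f.hex(), decode_fr_header(f))
    print("send rate after BECNs:", becn_rate_policy(SAMPLE_FRAMES, 100, 1544, 512, window=4), "kbps")
```

Decoding DLCI 100 with BECN set gives the bytes 18 45: the DLCI is split across the two bytes around the C/R and EA bits, which is why a hand-rolled parser that reads it as a straight 16-bit field gets it wrong.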
Tomorrow, more Frame Relay. It's a complex topic, but once you understand the terms and ideas behind it, the configuration is really quite simple. More on that later.
Thursday, June 4, 2009
A break from our regularly scheduled program
Last night I turned off routers and spent a couple hours just sitting with my wife. It was refreshing and amazingly good for my attitude. Time slips by too fast, and when I hyper-focus on temporal things, it seems that ball stays in motion once it is in motion.
So this morning I was planning to get back to my regular program of networking-related topics. I sat down, dug up some info on frame-relay, started reading about virtual circuits, DLCI, LMI, BECN, FECN...picked up my guitar and started to play a bit.
I find that playing is what I'm wanting to do with my time more than anything these days. Maybe it's a mid-life crisis, maybe it's just what I'm actually programmed to do. Either way, it's what I want to do and at this point in my life I'm too old to do anything I don't want to do any more. I figure if you don't get to do what you want when you turn 40, what good is turning 40?!
So I started a little discipline that I hope to continue through the rest of the summer, if not the rest of my life. I'm trying to develop my song-writing to be productive at the moment I pick up a guitar. I play and sing whatever comes to mind, recording on my phone (until I can actually squeeze some time to have my home recording system actually worked out and always available) and not discriminating or editing. I'm just pouring it out and later I'll go back to edit. Granted, the editing needs to happen or all you have is a bunch of free-associated drivel, but for now I'm longing to get the creative juices flowing again.
So, I say a most heart-felt "Thank you" to my lover, my song and my best friend for supporting me through the nonsense, loving me in spite of myself and always reminding me gently and lovingly what is important and lasting in life. Sandra, I love you...and don't forget, I'm your density...
Wednesday, June 3, 2009
WAN Connectivity
Moving on from layer 3 protocols to layer 2, we look into (mainly) two different implementations: Cisco's proprietary HDLC and the industry standard PPP.
Of course, there is a Cisco proprietary L2 protocol. Cisco didn't get to be the world's largest internetworking company by giving its intellectual property away. HDLC (High-level Data Link Control) started out as an open ISO standard, but it lacked a field to say which network protocol a frame carried, so it could only carry one. Cisco took the standard, added a proprietary protocol-type field (plus whatever else it thought necessary), and made that the default encapsulation for serial interfaces on all Cisco equipment. That works fine if your network is all Cisco; against another vendor's router, you use PPP.
The nice thing about HDLC is that it is extremely simple. If the physical layer is connected properly and both ends of the circuit are using HDLC, there is nothing to get in the way. It is very efficient precisely because it has no configurable options, which also means there is no authentication at all: whoever is on the other end of the wire is trusted. If an interface was changed away from HDLC, you only enter "encapsulation hdlc" on the interface and it is done.
What HDLC lacks in configurability, PPP (Point-to-Point Protocol) offers. PPP gives the option of configuring authentication, callback, compression and multilink to fit your WAN needs. Topping it all off, it is an open standard (RFC 1661) that allows communication between any vendor's equipment, making it the de facto standard for point-to-point WAN links.
PPP authentication comes in two varieties, either PAP (Password Authentication Protocol) or CHAP (Challenge-Handshake Authentication Protocol). PAP is only used if you are stuck with very old equipment, because the username and password are sent in clear text, and because the client controls the exchange: it sends its credentials when it is darn good and ready, as many times as it likes, and once accepted it is never asked again. Anyone sniffing the link can read the password, and that makes it vulnerable to replay attacks, where an attacker captures the credentials and presents them later to get a session of his own.
CHAP is inherently more secure because the password never crosses the link. The server (in our case, the router) sends a random challenge at connection time; the client answers with an MD5 hash of the packet identifier, the shared secret and the challenge, and the router computes the same hash from its own copy of the secret and compares. It then repeats the challenge at unpredictable intervals throughout the session, and if the client fails to answer a challenge correctly the router terminates the session immediately. This defeats replay not because the timing is hard to guess but because each challenge is a fresh random value, so a captured response is worthless against the next one. Two caveats worth knowing: both sides must keep the secret in clear text (or a reversible form) to compute the hash, and an attacker who captures a challenge/response pair can run a dictionary attack against it offline, so the secret needs to be a strong one.
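Added example (mine, not the original post's) showing both halves of the above in Python: a PAP Authenticate-Request with the password readable straight off the wire, and a CHAP exchange where the router issues a one-shot random challenge, a captured response fails against the next challenge, and a captured challenge/response pair can still be attacked offline with a wordlist. Peer name, secret and wordlist are constructed for the demo.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || shared secret || Challenge Value).
    The secret itself never goes on the wire."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """The router side of CHAP: hands out one-shot random challenges and checks responses."""

    def __init__(self, secrets: dict, rng=os.urandom):
        self._secrets = secrets      # peer name -> shared secret; CHAP needs it in clear
        self._rng = rng
        self._pending = {}           # identifier -> outstanding challenge value
        self._ident = 0

    def challenge(self):
        self._ident = (self._ident + 1) & 0xFF
        value = self._rng(16)
        self._pending[self._ident] = value
        return self._ident, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        challenge = self._pending.pop(identifier, None)   # a challenge can be answered once
        secret = self._secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def chap_login(auth: ChapAuthenticator, name: str, secret: bytes) -> bool:
    """One full exchange: Challenge -> Response -> Success/Failure."""
    ident, challenge = auth.challenge()
    return auth.verify(ident, name, chap_response(ident, secret, challenge))


def replay_captured_response(auth: ChapAuthenticator, name: str, captured: bytes) -> bool:
    """An attacker who sniffed an earlier Response tries it against a fresh challenge."""
    ident, _ = auth.challenge()
    return auth.verify(ident, name, captured)


def pap_authenticate_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """RFC 1334 PAP Authenticate-Request: Code=1, Identifier, Length, then the credentials in clear."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return bytes([1, identifier & 0xFF]) + (4 + len(body)).to_bytes(2, "big") + body


def sniff_pap_password(packet: bytes):
    """What a passive listener recovers from a PAP packet: the username and the password."""
    id_len = packet[4]
    peer_id = packet[5:5 + id_len]
    pw_len = packet[5 + id_len]
    password = packet[6 + id_len:6 + id_len + pw_len]
    return peer_id, password


def chap_dictionary_attack(identifier: int, challenge: bytes, response: bytes, wordlist):
    """Offline guessing against a captured CHAP pair: the fix is a strong secret, not CHAP itself."""
    for guess in wordlist:
        if chap_response(identifier, guess, challenge) == response:
            return guess
    return None


if __name__ == "__main__":
    auth = ChapAuthenticator({"branch-rtr": b"Correct-Horse-9"})   # constructed peer and secret
    print("PAP on the wire:", sniff_pap_password(pap_authenticate_request(1, b"branch-rtr", b"hunter2")))
    print("CHAP login:", chap_login(auth, "branch-rtr", b"Correct-Horse-9"))
    ident, chal = auth.challenge()
    resp = chap_response(ident, b"Correct-Horse-9", chal)
    print("genuine response accepted:", auth.verify(ident, "branch-rtr", resp))
    print("replay accepted:", replay_captured_response(auth, "branch-rtr", resp))
```

The verifier pops the challenge on first use and compares with a constant-time comparison; the point of the dictionary-attack function is that the router's good behaviour does nothing for a weak secret once the exchange has been captured.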
Callback is just as it sounds. You set the router up to call back a remote user at a predefined number, so that when a client dials in and authenticates, the router hangs up and dials the phone number stored for that username. If nobody answers there, the connection is not established (obviously). The point is that a stolen password is not enough on its own; the attacker would also have to be sitting at the phone number you expect.
Compression buys WAN bandwidth at the expense of router CPU and memory. The Stacker algorithm (Stac LZS) is a straightforward dictionary-type compression: it reads the data stream, replaces repeated strings with short codes and moves on. The Predictor algorithm tries to guess the next bytes from what it has already seen and only compresses where the guess is right, so it uses less CPU but more memory, and it does well on traffic whose content does not change much. Then there is the Microsoft-proprietary MPPC, which is only good for connecting to Microsoft devices (blah). One caveat if you also encrypt the link: compress before you encrypt, because encrypted data does not compress.
Finally we have multilink. Multilink PPP (MLPPP) combines multiple WAN links into a single logical link. This lets you manage and monitor a single interface for throughput, combine anything from a couple of 33.6 kbps modem links to several T1s for more bandwidth, and balance the load evenly by chopping packets into equal-sized fragments and spraying them across the member links (the far end reassembles them in order). To gain this functionality you sacrifice router CPU and memory, but what do you want for nothing? A rubber biscuit?
These features (authentication, callback, compression and multilink) are negotiated by one of PPP's sub-protocols, the LCP, or Link Control Protocol: LCP brings the link up, agrees on the options, and tests the link. The rest of PPP stacks up like this. At the bottom is HDLC-style framing (the open, single-protocol flavor of HDLC), which is PPP's interface to Layer 1 and which PPP extends with a protocol field so that many protocols can share the link. Above the framing sits LCP. Above LCP are the NCPs (Network Control Protocols), one per network-layer protocol (IPCP for IP, IPXCP for IPX, and so on), which are the standard "jack" into which you plug each network protocol. Authentication with PAP or CHAP, if configured, runs after LCP finishes and before any NCP is allowed to start. So the HDLC framing carries the frames, the NCPs give PPP the ability to use multiple network protocols, and LCP provides the added functionality.
Later we go on to Frame-relay and ATM. What fun!
Tuesday, June 2, 2009
EIGRP thoughts
EIGRP (Enhanced Interior Gateway Routing Protocol) is a Cisco proprietary routing protocol. It is usually described as a hybrid between distance-vector and link-state protocols (Cisco's own term is "advanced distance-vector"), incorporating the best from both worlds.
This protocol is able to route multiple protocols, such as IP, IPX and Appletalk (should you ever need to route Appletalk...), but the biggest difference is in how EIGRP computes its metric. By default it uses the minimum bandwidth along the path and the cumulative delay, scaled by 256, to produce a 32-bit composite metric for the best path to any given destination. Load, reliability and MTU can be factored in through the K values, although Cisco recommends leaving them off. It is also capable of unequal-cost load balancing (with the "variance" command), splitting traffic according to available bandwidth over up to four paths by default and more with "maximum-paths" (six on the IOS of the day), where OSPF and RIP only balance over equal-cost paths; and its default maximum hop count is 100, configurable up to 255, compared to RIP's 15. EIGRP is a classless protocol that carries the subnet mask in its updates, but like RIPv2 it auto-summarizes at classful network boundaries by default, which you turn off by issuing the "no auto-summary" command.
It discovers neighbors using multicast hello packets to 224.0.0.10 and, like OSPF, stores what it learns in neighbor and topology tables. Hellos keep going after the tables are in sync so that the neighbors' hold timers (what OSPF calls the dead interval) do not expire. Like OSPF, the timers depend on the link type: on point-to-point links, broadcast multi-access networks and anything faster than a T1 the hello interval is 5 seconds and the hold time 15 seconds, while on low-speed (T1 and slower) NBMA links such as Frame Relay multipoint interfaces they are 60 and 180 seconds respectively. The hold timer is three times the hello timer, which helps me remember for some reason. Worth noting as well is that it uses the Diffusing Update Algorithm (DUAL) to react to topology changes in fractions of a second.
The reason EIGRP can converge so quickly when the topology changes is that it chooses not only a successor route but, where possible, a feasible successor: a backup route that has already been verified to be loop-free. For each destination it records the metric each neighbor reports for its own path to that destination; that is the advertised (or reported) distance. It then adds the cost of the link to that neighbor to get the feasible distance through that neighbor (strictly, it recomputes the composite metric with its own link's bandwidth and delay folded in, since the bandwidth term is a minimum rather than a sum, but "advertised distance plus link cost" is the right mental model). The route with the lowest feasible distance goes into the routing table as the successor. To become the feasible successor, another route must have an advertised distance lower than the feasible distance of the successor: a neighbor that is closer to the destination than we are cannot be routing through us, so the backup cannot form a loop.
Along with precomputing feasible successors to speed convergence when a link goes down, EIGRP has another efficiency over OSPF. When the successor is lost and no other route's advertised distance is lower than the feasible distance (so there is no feasible successor), EIGRP does not do what OSPF does, which is flood the link state to every router in the area and make all of them rerun SPF, consuming considerable bandwidth and processing power. Instead the route goes Active: the router queries its neighbors for their paths to that network and computes a new successor from the replies. The catch is that it must hear back from every neighbor before it can be sure the result is loop-free, and it waits up to the "Stuck in Active" timer (three minutes by default, the same 180 seconds as the hold timer on NBMA links) for the last reply; a neighbor that never answers leaves the route stuck in active and the adjacency with it is torn down.
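As an added example (not from the original post), here is the DUAL bookkeeping above in Python: compute reported and feasible distances with the default composite metric, choose the successor and feasible successors, decide whether losing the successor leaves the route passive or sends it active, and show which feasible successors the "variance" setting would use for unequal-cost load balancing. The three-neighbor topology table is constructed for the walk-through.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    """One neighbor's offer of a path to the destination, as held in the topology table."""
    neighbor: str
    reported_min_bw_kbps: int   # lowest bandwidth on the neighbor's own path to the destination
    reported_delay_usec: int    # cumulative delay on that path
    link_bw_kbps: int           # our link toward that neighbor
    link_delay_usec: int


def eigrp_metric(min_bw_kbps: int, total_delay_usec: int) -> int:
    """Default composite metric (K1=K3=1, K2=K4=K5=0): 256 * (10^7 / min bandwidth + delay / 10)."""
    return 256 * (10_000_000 // min_bw_kbps + total_delay_usec // 10)


def reported_distance(c: Candidate) -> int:
    """Advertised (reported) distance: the metric the neighbor itself sees to the destination."""
    return eigrp_metric(c.reported_min_bw_kbps, c.reported_delay_usec)


def feasible_distance(c: Candidate) -> int:
    """Metric via this neighbor from our point of view. Bandwidth is a minimum, not a sum,
    which is why this is recomputed rather than literally 'RD + link cost'."""
    return eigrp_metric(min(c.reported_min_bw_kbps, c.link_bw_kbps),
                        c.reported_delay_usec + c.link_delay_usec)


def run_dual(candidates):
    """Pick the successor (lowest FD) and the feasible successors (RD < successor's FD)."""
    ranked = sorted(candidates, key=feasible_distance)
    successor = ranked[0]
    fd = feasible_distance(successor)
    feasible = [c for c in ranked[1:] if reported_distance(c) < fd]
    return successor, fd, feasible


def after_successor_failure(candidates, successor: Candidate, fd: int):
    """Passive: promote a feasible successor instantly. Active: no FS, so go query neighbors."""
    feasible = [c for c in candidates if c is not successor and reported_distance(c) < fd]
    if feasible:
        return "PASSIVE", min(feasible, key=feasible_distance).neighbor
    return "ACTIVE", None


def load_balance_set(candidates, variance: int = 1):
    """Unequal-cost load balancing: feasible successors whose FD < variance * successor FD."""
    successor, fd, feasible = run_dual(candidates)
    return [successor.neighbor] + [c.neighbor for c in feasible if feasible_distance(c) < variance * fd]


# Constructed topology table for one destination as seen by R1:
#   R2 over a T1, R3 over Ethernet, R4 over a T1 but with a 64 kbps hop further on.
TOPOLOGY = [
    Candidate("R2", reported_min_bw_kbps=10000, reported_delay_usec=1100, link_bw_kbps=1544, link_delay_usec=20000),
    Candidate("R3", reported_min_bw_kbps=10000, reported_delay_usec=1000, link_bw_kbps=10000, link_delay_usec=1000),
    Candidate("R4", reported_min_bw_kbps=64, reported_delay_usec=20000, link_bw_kbps=1544, link_delay_usec=20000),
]

if __name__ == "__main__":
    successor, fd, feasible = run_dual(TOPOLOGY)
    print("successor:", successor.neighbor, "FD", fd)
    print("feasible successors:", [c.neighbor for c in feasible])
    print("if the successor fails:", after_successor_failure(TOPOLOGY, successor, fd))
    print("variance 8 paths:", load_balance_set(TOPOLOGY, variance=8))
```

R4 fails the feasibility condition even though it is a perfectly usable path: its reported distance (40,512,000) is far above the successor's feasible distance (307,200), so DUAL will not trust it as a backup and has to query if R3 and R2 both disappear.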
EIGRP also has a stub feature, which tackles that query problem at remote sites with only one way in and out. A router configured with "eigrp stub" advertises only its connected and summary routes, and its neighbors never send it queries: if the only link to a site's network goes down, it doesn't do any good to start querying the stub for another route, and keeping the queries away from the stub sites keeps the query scope small. (This is a different thing from an OSPF stub area, which limits the LSAs flooded into an area.)
Configuring EIGRP is quite simple in its most basic form. Like RIP, you simply initialize the protocol using the "router" command. The major difference here is that EIGRP requires an Autonomous System number that must be the same on all EIGRP routers, or they will not become neighbors and will not exchange updates with one another. Contrast this with OSPF's process ID, because they sit in the same spot of the router command:
EIGRP
RouterA(config)#router eigrp 100
100 is the AS number. It is arbitrary, chosen by whoever plans the network, but every router that should talk EIGRP to this one has to use the same value.
OSPF
RouterA(config)#router ospf 100
In this case, 100 is the process ID, which is local to this router and does not need to match anything else. OSPF neighbors are formed by the area (and matching timers and network type) configured on the interface, not by the process ID.
From here, it is imperative to configure the bandwidth of serial links correctly, since Cisco IOS assumes every serial interface is a T1 (bandwidth 1544 kbps) no matter what circuit is actually attached, and EIGRP's metric is built from that number; set "bandwidth" on the interface to the real rate. Ethernet interfaces report their bandwidth accurately. It is also important to remember that auto-summarization at classful boundaries can hide subnets on discontiguous networks, so turn it off with "no auto-summary" or configure the summary routes manually on the interfaces where you want them, a stub site with a single exit being the classic place for one. Also for contrast, to view OSPF's topology table you enter "show ip ospf database," where in EIGRP you enter "show ip eigrp topology," which just makes more sense to me. I believe in "calling it what it is"...
With all that said, there are only two drawbacks to EIGRP. One is that you cannot use multiple vendors' equipment: EIGRP is Cisco-only (it was at the time of writing, at least; Cisco has since published the protocol as an informational RFC, but it remains rare outside Cisco gear). The other thing is that it consumes a lot of processing and memory because it maintains a topology, neighbor and routing table for each protocol being routed. While that isn't a big deal now that the world runs on IP, it could be a consideration.
EIGRP is a nice protocol, efficient and easy to configure. If you only have Cisco equipment, it only makes sense. Unless you are like me and really loathe using proprietary protocols to base your infrastructure upon. I just like having options.
Monday, June 1, 2009
OSPF thoughts
Open Shortest Path First (OSPF) is a widely-used link-state routing protocol. It is vendor neutral, which contributes to its popularity, since many large networks include equipment from various manufacturers.
OSPF is completely classless, so it carries the subnet mask along with each network in its routing updates and topology tables, and that information is used when computing the shortest path to any given network. That is a nice thing about OSPF, since you don't have to worry too much about discontiguous networks. You simply give the network statement a wildcard mask for the range you want to advertise and the router does the rest of the work.
The down side is that computing the shortest path to all known networks is resource intensive. When a link goes down, the new state of that link is flooded to all routers inside the area, and every one of them reruns Dijkstra's Shortest Path First algorithm. This takes memory and CPU, which can slow your network down if it is large. A link that is "flapping," or going up and down rapidly, can cause an unstable condition as each router computes and recomputes the paths every time it receives an update (an LSU, or link state update).
To cut down on that flooding on broadcast multi-access networks and non-broadcast multi-access networks (such as frame relay), OSPF elects a Designated Router (DR) and a Backup Designated Router (BDR) in case the DR fails; every other router on the segment forms a full adjacency only with those two rather than with everybody. The election is won by the router with the highest OSPF interface priority (default 1), with ties broken by the highest router ID, and a priority of 0 makes a router ineligible. The router ID is the configured "router-id" if there is one, otherwise the highest IP address on a loopback interface, otherwise the highest IP address on an active physical interface, which is why a router is often given a loopback address first so that its ID is stable. The election is also non-preemptive: a router that boots later with a higher priority does not take over from the sitting DR. On point-to-point networks, where there are only two devices, there is no need for an election. The beauty of this is that link state updates are sent only to the DR and BDR, and the DR then forwards them to the remaining routers on the segment. Two multicast addresses are involved: routers send their updates to 224.0.0.6, which only the DR and BDR listen to, and the DR floods them back out to 224.0.0.5, the address for all OSPF routers.
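Added example (mine, not from the original post) of the router-ID choice and a simplified DR/BDR election as described above, in Python, including the non-preemption rule that trips people up when a new high-priority router joins a running segment. The router IDs and priorities are constructed.

```python
from ipaddress import IPv4Address


def ospf_router_id(configured=None, loopback_addrs=(), physical_addrs=()):
    """IOS order of preference: explicit router-id, else the highest loopback IP,
    else the highest IP on an active physical interface."""
    if configured:
        return IPv4Address(configured)
    for pool in (loopback_addrs, physical_addrs):
        if pool:
            return max(IPv4Address(a) for a in pool)
    raise ValueError("no IPv4 address available to derive a router ID")


def elect_dr_bdr(routers, current_dr=None, current_bdr=None):
    """Simplified RFC 2328 section 9.4 election on one multi-access segment.

    routers: {router_id: priority}. Priority 0 is never eligible. Highest priority wins,
    ties go to the highest router ID, and an existing DR/BDR is never preempted:
    if the DR disappears the BDR is promoted and a fresh BDR is elected."""
    eligible = {IPv4Address(r): p for r, p in routers.items() if p > 0}

    def best(exclude):
        pool = [r for r in eligible if r not in exclude]
        return max(pool, key=lambda r: (eligible[r], r)) if pool else None

    def still_there(rid):
        return IPv4Address(rid) if rid is not None and IPv4Address(rid) in eligible else None

    dr, bdr = still_there(current_dr), still_there(current_bdr)
    if dr is None:                      # no DR yet, or it went away
        dr = bdr if bdr is not None else best(set())
        bdr = None                      # the BDR (if promoted) must be replaced
    if bdr is None and dr is not None:
        bdr = best({dr})
    return (str(dr) if dr is not None else None, str(bdr) if bdr is not None else None)


# Constructed segment: two routers at the default priority 1, one deliberately set to 0.
SEGMENT = {"1.1.1.1": 1, "2.2.2.2": 1, "3.3.3.3": 0}

if __name__ == "__main__":
    print("cold start:", elect_dr_bdr(SEGMENT))
    later = dict(SEGMENT, **{"9.9.9.9": 255})
    print("9.9.9.9 joins with priority 255:", elect_dr_bdr(later, *elect_dr_bdr(SEGMENT)))
    print("DR 2.2.2.2 fails:", elect_dr_bdr({"1.1.1.1": 1, "3.3.3.3": 0, "9.9.9.9": 255}, "2.2.2.2", "1.1.1.1"))
    print("router ID:", ospf_router_id(loopback_addrs=["10.0.0.1"], physical_addrs=["192.168.1.254"]))
```

The practical lesson is in the second and third calls: the priority-255 router only becomes DR after the segment is rebuilt from scratch, and when the DR fails it is the sitting BDR, not the highest-priority router, that takes over.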
Another point of note in configuring OSPF is that, when you initiate it by entering "router ospf" in global config mode, you specify a "process id," which is a number between 1 and 65535. This number is only important to the individual router. It is not advertised to other routers, and does not need to be the same on each router within an area. OSPF uses areas to group routers together, and a router's interfaces are placed in an area by the network statement that advertises them. All areas must connect to Area 0, the backbone area of the OSPF autonomous system, either directly or through a virtual link.
When configuring OSPF, also of great importance is the wildcard mask, which is the inverse of a subnet mask. In a wildcard mask a 1 bit means "ignore this bit" and a 0 bit means "this bit must match." With a wildcard mask of 0.0.0.255, the network statement matches any interface whose address agrees with the statement in the first three octets, whatever the last octet is, since it is ignored. So, to advertise the 192.168.1.0/24 network, we would enter the following command after the "router ospf 4" command (the 4 is arbitrary and is the process ID for this instance of OSPF on this router):
network 192.168.1.0 0.0.0.255 area 0
This enables OSPF on every interface with an address in 192.168.1.0/24, places those interfaces in the backbone area 0, and advertises their subnets.
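Added example (mine, not the original post's) of wildcard-mask matching in Python, applied the way the network statement applies it: to interface addresses, most specific statement first. The statements and interfaces are constructed; the one assumption beyond the post is the IOS rule that the most specific matching statement wins.

```python
from ipaddress import IPv4Address, IPv4Interface


def wildcard_matches(network: str, wildcard: str, address: str) -> bool:
    """IOS wildcard semantics: a 1 bit means 'ignore this bit', a 0 bit means 'must match'."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(network)) & care) == (int(IPv4Address(address)) & care)


def prefixlen_to_wildcard(prefixlen: int) -> str:
    """Wildcard for a contiguous prefix: /24 -> 0.0.0.255, /30 -> 0.0.0.3, /32 -> 0.0.0.0."""
    return str(IPv4Address((1 << (32 - prefixlen)) - 1))


def wildcard_ones(wildcard: str) -> int:
    """Number of ignored bits; fewer means a more specific statement."""
    return bin(int(IPv4Address(wildcard))).count("1")


def assign_areas(network_statements, interfaces):
    """network_statements: [(network, wildcard, area)] as typed under 'router ospf'.
    interfaces: {name: 'address/prefixlen'}. Returns {name: area} for the interfaces OSPF
    will run on. The most specific statement (fewest wildcard 1 bits) wins, as IOS does."""
    ordered = sorted(network_statements, key=lambda s: wildcard_ones(s[1]))
    assigned = {}
    for name, addr in interfaces.items():
        ip = str(IPv4Interface(addr).ip)
        for network, wildcard, area in ordered:
            if wildcard_matches(network, wildcard, ip):
                assigned[name] = area
                break
    return assigned


# Constructed configuration and interfaces for the walk-through.
STATEMENTS = [
    ("192.168.1.0", "0.0.0.255", 0),
    ("10.0.0.0", "0.255.255.255", 1),
    ("10.0.5.1", "0.0.0.0", 2),          # one exact address, more specific than the /8 above
]
INTERFACES = {
    "FastEthernet0/0": "192.168.1.1/24",
    "Serial0/0": "10.0.1.1/30",
    "Loopback0": "10.0.5.1/32",
    "FastEthernet0/1": "172.16.0.1/24",  # matched by nothing: OSPF stays off here
}

if __name__ == "__main__":
    for name, area in assign_areas(STATEMENTS, INTERFACES).items():
        print(f"{name}: area {area}")
```

Note that a wildcard need not be contiguous (0.0.255.0 is legal and matches any third octet), and that a statement like 0.0.0.0 255.255.255.255 turns OSPF on for every interface, including ones facing networks you do not control, which is why the narrow statements are the safer habit.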
There is much more about OSPF to know, and these are really just simply my summarization of interesting points. A greater discussion of areas, LSA/LSU's and elections could be had. The main points are that OSPF is a link-state routing protocol that is completely classless, advertises the netmask along with the subnet and interoperates with multiple vendors' equipment because it is non-proprietary. From there you just need to draw it out and configure it a few times...
Friday, May 29, 2009
Routing - Link State Protocols
Link state protocols differ from distance-vector protocols in several ways, but in a nutshell a link state protocol computes the best route to a given network from a map of the actual condition of the network (or rather, the "state of the links"). Where distance-vector protocols gather their information by accepting whatever routes their neighbours hand them, link state protocols discover their neighbours and keep them in a neighbour table. The neighbours pass along the condition of every link they know about, and each router then runs Dijkstra's "Shortest Path First" algorithm over the resulting map to compute the best route. An example of a link-state protocol is Open Shortest Path First, or OSPF, an industry standard protocol that can be used between any vendor's equipment.
LS protocols send out Link State Announcements, or LSAs, when they first come on line; this alerts their neighbours that they exist and that there are networks connected to them. Because each router needs to update its own routing table based on the state of its neighbours, this is a very processor-intensive operation. The nice thing about LS protocols is that this only happens when there is a change in the topology (which is held in the topology table, containing all possible routes to all possible networks). The updates are sent in Link State Updates, or LSUs.
One reason that LS protocols are much faster to converge than Distance Vector protocols is that a link state protocol, when it receives an update of a change in topology via LSU, forwards that info out to all its neighbours even before updating its own topology table. Getting the info out takes precedence, so all routers know the condition of the network before bothering to change their own routing tables.
LS protocols also do not send out regular updates like distance vector protocols do. They only send out changes when they occur, so once the network is converged there is very little network management traffic. Routers only send out small LSA Hello packets to make sure everyone is still alive and well.
To keep routing tables manageable and link state calculation to a reasonable time frame, LS protocols are typically separated into sections, or Areas. These areas are connected to a single area (called a backbone area), and routers in each area only maintain a topology table for other routers in their area. Between these areas, routes are summarized to keep tables manageable.
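To make the "Shortest Path First" part concrete, here is an added example of my own (not from the post): a small link-state database built from a constructed five-link topology, OSPF-style costs derived from link bandwidth using the 100 Mb/s reference bandwidth, and Dijkstra run from one router to produce its routing table (destination, total cost, next hop). A second run removes one link, which is what a router does after an LSU reports that link down: it recomputes from the database rather than trusting a neighbour's summary. Router names and bandwidths are assumptions.

```python
import heapq

REFERENCE_BANDWIDTH = 100_000_000   # OSPF default reference bandwidth (100 Mb/s) on Cisco IOS


def ospf_cost(bandwidth_bps):
    """Default OSPF interface cost: reference bandwidth / link bandwidth, never below 1."""
    return max(1, REFERENCE_BANDWIDTH // bandwidth_bps)


# Constructed topology (not from the post): (router, router, link bandwidth in bit/s)
LINKS = [
    ("R1", "R2", 100_000_000),   # FastEthernet, cost 1
    ("R1", "R3", 1_544_000),     # T1, cost 64
    ("R2", "R3", 100_000_000),   # FastEthernet, cost 1
    ("R2", "R4", 1_544_000),     # T1, cost 64
    ("R3", "R4", 10_000_000),    # Ethernet, cost 10
]


def build_lsdb(links):
    """The link-state database every router holds after flooding: router -> {neighbour: cost}."""
    lsdb = {}
    for a, b, bandwidth in links:
        cost = ospf_cost(bandwidth)
        lsdb.setdefault(a, {})[b] = cost
        lsdb.setdefault(b, {})[a] = cost
    return lsdb


def without_link(lsdb, a, b):
    """A copy of the database after the a-b link has failed (what an LSU about it produces)."""
    copy = {router: dict(neighbours) for router, neighbours in lsdb.items()}
    copy[a].pop(b, None)
    copy[b].pop(a, None)
    return copy


def shortest_path_first(lsdb, root):
    """Dijkstra from `root`; returns destination -> (total cost, next hop), i.e. the routing table."""
    best_cost = {root: 0}
    next_hop = {}
    heap = [(0, root, root)]           # (cost so far, router, first hop on the path)
    done = set()
    while heap:
        cost, router, first_hop = heapq.heappop(heap)
        if router in done:
            continue                   # a cheaper path to this router was already settled
        done.add(router)
        if router != root:
            next_hop[router] = first_hop
        for neighbour, link_cost in lsdb[router].items():
            new_cost = cost + link_cost
            if neighbour not in best_cost or new_cost < best_cost[neighbour]:
                best_cost[neighbour] = new_cost
                # a link leaving the root starts a new first hop; deeper links inherit it
                heapq.heappush(heap, (new_cost, neighbour, neighbour if router == root else first_hop))
    return {dest: (best_cost[dest], next_hop[dest]) for dest in best_cost if dest != root}


if __name__ == "__main__":
    lsdb = build_lsdb(LINKS)
    print("R1 before:", shortest_path_first(lsdb, "R1"))
    print("R1 after R2-R3 fails:", shortest_path_first(without_link(lsdb, "R2", "R3"), "R1"))
```

Note that R1 reaches R4 through R2 and R3 at cost 12 even though it has a direct T1 to R3: cost, not hop count, decides. When the R2-R3 link disappears, R1 falls back to the direct T1 for R3 and to the R2-R4 T1 for R4 without any neighbour having to tell it the new metric.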
I'll be looking more in-depth at the actual protocols and perhaps comparing and contrasting them a bit in the upcoming posts.
Thursday, May 28, 2009
Routing loops mitigated - Distance Vector Protocols
To keep your data from floating around in never-ending loops, there are a few methods used by Distance-Vector protocols to avoid looping. They are:
Hop Counts
When a routing protocol sends its routing table to its neighbors, it increases the hop counts on connected routes by one each time. In the case of a network that is unavailable or looped, this could go on forever (a scenario known as "counting to infinity"). Maximum hop counts are the most basic of the mitigation methods for DV protocols: once a hop count metric reaches the maximum value, the route is assumed to be unavailable.
Maximum hop counts are:
RIP v1 and v2: 15
EIGRP: 224
Split-horizon
This one, simply stated, is to not advertise a route out the same interface on which it came in. If I tell you that I am connected to network 192.168.1.0/24, why would I tell you that 192.168.1.0/24 is one router away from me? First, you already know where it is, and because I increment the hop count, you would now think that 192.168.1.0/24 is *two* hops away from me.
Route Poisoning
When a link fails, the router to which it is attached sends out a routing update with a hop count that exceeds the maximum value for that protocol. So, if I have a router connected to 192.168.2.0/24, and the interface connected to that network fails, I send an update to my neighbors incrementing the hop count for that network to 16. Then all my neighbors know it is unavailable. Cool.
Poison Reverse
Poison reverse overrides the split-horizon rule and sends the route update back out the interface on which it came. This provides an acknowledgement that the device received the change to the topology.
Hold-down Timers
Simply stated, hold-down timers store an update for a given amount of time before adding the change to the routing table. The idea is that, should a link start going up and down rapidly (otherwise known as "flapping"), the link will come up before the timer expires and there is no need to change the routing table. If the timer expires and the router doesn't hear of a route with a lower metric, it adds the route to its table.
Triggered Updates
To speed convergence of the network, a triggered update allows a router to send an update in the event of a failed link instead of waiting for the regular update. This allows the network to react more quickly to topology changes.
Invalid/Dead Timers
When a device is removed from the network but doesn't fail, a triggered update isn't sent, so the remaining routers may think the device still exists. To combat this, when a router stops receiving updates from another router, after a certain amount of time that router is considered "dead" and its routes are invalid. The routes are then removed from the table. This method is also used in the case where a router stops receiving updates from a routing protocol that is no longer in use. Perhaps we changed our topology and started to use EIGRP instead of RIP; after that set amount of time the RIP-learned routes are considered invalid and removed.
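To see why these mechanisms exist, here is an added toy distance-vector simulator of my own (not from the post, and much simpler than real RIP): two routers, R1 directly connected to 192.168.2.0/24 and R2 having learned it from R1, exchange full tables in synchronous rounds after R1's link to that network fails. The switches turn split horizon, route poisoning and poison reverse on and off; hold-down and invalid timers are deliberately not modelled, which is exactly why "split horizon only" leaves R2 with a stale route.

```python
from dataclasses import dataclass
from typing import Optional

INFINITY = 16               # RIP: 15 is the highest usable hop count, 16 means "unreachable"
PREFIX = "192.168.2.0/24"   # the network from the post, directly connected to R1


@dataclass
class Route:
    metric: int
    next_hop: Optional[str]   # None = directly connected; never overwritten by an update


def build_advert(table, peer, split_horizon, poison_reverse):
    """What one router tells neighbour `peer` in an update, with the hop count bumped by one."""
    advert = {}
    for prefix, route in table.items():
        learned_from_peer = route.next_hop == peer
        if learned_from_peer and poison_reverse:
            advert[prefix] = INFINITY          # poison reverse: send it back, but as unreachable
        elif learned_from_peer and split_horizon:
            continue                           # split horizon: never send it back at all
        else:
            advert[prefix] = min(route.metric + 1, INFINITY)
    return advert


def apply_adverts(table, adverts):
    """Merge {neighbour: advert} into `table`; return True if any entry changed."""
    changed = False
    prefixes = set(table) | {p for advert in adverts.values() for p in advert}
    for prefix in prefixes:
        current = table.get(prefix)
        if current is not None and current.next_hop is None:
            continue                           # directly connected beats anything learned
        best = current
        # Whatever our current next hop now reports replaces our entry, even if it got worse.
        # That rule is what keeps the metric climbing in a loop ("counting to infinity").
        if current is not None and prefix in adverts.get(current.next_hop, {}):
            best = Route(adverts[current.next_hop][prefix], current.next_hop)
        for neighbour, advert in adverts.items():
            if prefix in advert and (best is None or advert[prefix] < best.metric):
                best = Route(advert[prefix], neighbour)
        if best is None or (current is None and best.metric >= INFINITY):
            continue                           # "unreachable" for a prefix we never had: ignore
        if best != current:
            table[prefix] = best
            changed = True
    return changed


def simulate(split_horizon=False, route_poisoning=False, poison_reverse=False, max_rounds=40):
    """R1 is connected to PREFIX and R2 learned it from R1; then R1's link to PREFIX fails.
    Returns how many update rounds changed something, R2's final metric, and R2's metric per round."""
    tables = {"R1": {PREFIX: Route(0, None)}, "R2": {PREFIX: Route(1, "R1")}}
    links = {"R1": ["R2"], "R2": ["R1"]}
    if route_poisoning:
        tables["R1"][PREFIX] = Route(INFINITY, None)   # keep advertising it, as unreachable
    else:
        del tables["R1"][PREFIX]                        # silently forget it (no invalid timer modelled)
    trace = []
    for rnd in range(1, max_rounds + 1):
        inbox = {name: {} for name in tables}           # everyone sends at once from the old tables
        for name, peers in links.items():
            for peer in peers:
                inbox[peer][name] = build_advert(tables[name], peer, split_horizon, poison_reverse)
        results = [apply_adverts(tables[name], inbox[name]) for name in tables]  # no short-circuit
        trace.append(tables["R2"][PREFIX].metric)
        if not any(results):
            return {"rounds": rnd - 1, "r2_metric": trace[-1], "trace": trace[:-1]}
    return {"rounds": max_rounds, "r2_metric": tables["R2"][PREFIX].metric, "trace": trace}


if __name__ == "__main__":
    for label, opts in [("no mitigation", {}),
                        ("split horizon only", {"split_horizon": True}),
                        ("split horizon + route poisoning", {"split_horizon": True, "route_poisoning": True}),
                        ("all three", {"split_horizon": True, "route_poisoning": True, "poison_reverse": True})]:
        print(f"{label:32} {simulate(**opts)}")
```

With nothing enabled, R1 learns the dead network back from R2 at 2 hops and the two routers pass it back and forth, each bump adding one, until the metric hits 16 after sixteen update rounds. Route poisoning alone settles it in one round because R2 is told "unreachable" directly; poison reverse then sends that same 16 back to R1 as the acknowledgement the post describes.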
Tomorrow, more routing protocols! I know you can hardly wait, Bear...
Routing Protocols review - metric
This morning I reviewed routing protocols again, which should be known but I want to make sure I'm absolutely clear on this since it is the foundation of routing.
After being clear on Administrative Distance yesterday, this morning I wanted to make sure I understood what was being described by "Metric," which is something you see in a route table when you execute a "show ip route" command. So for instance, you might get output that looks like:
R 172.17.0.0/16 [120/1] via 192.168.1.10, Serial0/0/0
This is telling us that the network 172.17.0.0/16 was learned using RIP, that its Administrative Distance is 120, the metric is 1, and that it came from 192.168.1.10 (the IP address of our neighbouring router) through the Serial 0/0/0 interface (on our router). Cool enough.
The Administrative Distance is the number that Cisco IOS uses to determine the most reliable route to the network with the lower AD being the more reliable. The *metric* is what the routing protocol uses to determine the best path to that network. So, if we learned about the 172.17.0.0/16 network through another interface, indicating we had multiple paths to that network, and that path was using RIP also, RIP would choose the path with the lowest metric and place that in the routing table. So, if RIP had another entry that looked like:
R 172.17.0.0/16 [120/3] via 192.168.1.129, Serial0/0/1
it would place the route with the lowest metric into the table and use it for any traffic destined for that network. It is then important to know how each routing protocol determines its metric - RIP uses "hop count," or a count of the number of networking devices between the source and the destination networks. Our first entry tells us that there is one router between source and destination, while the second tells us there are 3. Going through one stop theoretically is faster than going through 3, right?
So, that is what the metric is. Administrative Distance is used by IOS to determine the most reliable path based on routing protocol, and metric is used within a routing protocol to determine the most efficient path.
I probably could have just summarized that and saved 15 minutes of typing...
Wednesday, May 27, 2009
Routing - things I should have known
Funny how you go through life thinking that you know an awful lot, only to find out that you don't know nearly as much as you did, making you question everything you actually do know...
Anyhow, I was reading up on static routes for the CCNA tonight. Breezing over things, I saw something that I had never really considered before, though I instantly saw how this was going to help me do my job a little better.
I thought there was not much more to a static route entry than to specify the network you wanted to route to, the netmask and the IP address to send that traffic toward. For instance:
ip route 192.168.1.0 255.255.255.0 10.1.1.1
sends anything destined for the 192.168.1.0/24 network to the next-hop router whose interface has IP address 10.1.1.1. Woo-hoo, right? Well, now I've learned about Floating Static Routes. By adding a parameter at the end of the ip route statement, you can set the administrative distance for the route to something other than the default value of 1 for a statically-assigned route. So now our command becomes:
ip route 192.168.1.0 255.255.255.0 10.1.1.2 2
The "2" at the end of that statement makes this route slightly higher in administrative distance, and that route will not be added to the routing table unless the first route goes down. This is useful if you have multiple links to get to the same location, such as two different ISPs (multiple default routes) or multiple paths to your remote offices. So, along with that, let's run down the default administrative distances for ip routes in Cisco IOS:
Route type              Administrative distance
==============================================
Connected interface     0
Static route            1
EIGRP summary           5
External BGP            20
Internal EIGRP          90
IGRP                    100
OSPF                    110
IS-IS                   115
RIP (v1 and v2)         120
EGP                     140
External EIGRP          170
When a router learns of the same destination through multiple routing protocols, it will choose the path with the lowest administrative distance.
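Putting this post and the "metric" post together, here is an added example of my own (not from the posts or from IOS) that parses the `show ip route` entries and the `ip route` statements quoted above into candidate routes and then picks, per prefix, what the routing table would install: lowest administrative distance first, and the metric only between routes from the same protocol. The OSPF candidate for 172.17.0.0/16 and the "next hop is down" switch are constructed to show the cross-protocol choice and the floating static failover.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Default administrative distances as listed in the post (Cisco IOS)
DEFAULT_AD = {
    "Connected interface": 0, "Static route": 1, "EIGRP summary": 5, "External BGP": 20,
    "Internal EIGRP": 90, "IGRP": 100, "OSPF": 110, "IS-IS": 115, "RIP (v1 and v2)": 120,
    "EGP": 140, "External EIGRP": 170,
}


@dataclass(frozen=True)
class Route:
    proto: str               # show ip route legend code: C connected, S static, R RIP, O OSPF, D EIGRP, B BGP
    prefix: str
    ad: int                  # administrative distance: how much the *source* is trusted
    metric: int              # meaningful only between routes from the same protocol
    next_hop: str
    interface: Optional[str] = None


ROUTE_LINE = re.compile(
    r"^(?P<proto>[A-Za-z]\*?)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>\d+\.\d+\.\d+\.\d+)"
    r"(?:,\s*(?P<intf>\S+))?$"
)


def parse_route_line(line):
    """Parse one entry like 'R 172.17.0.0/16 [120/1] via 192.168.1.10, Serial0/0/0'."""
    m = ROUTE_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a route entry: {line!r}")
    return Route(m["proto"], m["prefix"], int(m["ad"]), int(m["metric"]), m["nh"], m["intf"])


def parse_ip_route(command):
    """Parse 'ip route <network> <mask> <next-hop> [distance]' into the candidate it offers the RIB."""
    parts = command.split()
    if parts[:2] != ["ip", "route"] or len(parts) not in (5, 6):
        raise ValueError(f"not an 'ip route' statement: {command!r}")
    network, mask, next_hop = parts[2:5]
    ad = int(parts[5]) if len(parts) == 6 else DEFAULT_AD["Static route"]
    prefix = str(ipaddress.IPv4Network(f"{network}/{mask}", strict=False))
    return Route("S", prefix, ad, 0, next_hop)


def select_routes(candidates, down_next_hops=frozenset()):
    """Per prefix, what gets installed: lowest AD wins; the metric only breaks ties within one AD."""
    installed = {}
    for route in candidates:
        if route.next_hop in down_next_hops:
            continue                                  # link to that next hop is down: withdrawn
        best = installed.get(route.prefix)
        if best is None or (route.ad, route.metric) < (best.ad, best.metric):
            installed[route.prefix] = route
    return installed


# The two RIP entries from the metric post, plus one OSPF candidate constructed here
RIP_LINES = [
    "R 172.17.0.0/16 [120/1] via 192.168.1.10, Serial0/0/0",
    "R 172.17.0.0/16 [120/3] via 192.168.1.129, Serial0/0/1",
]
OSPF_LINE = "O 172.17.0.0/16 [110/74] via 192.168.1.129, Serial0/0/1"   # constructed
STATICS = [  # the primary and floating static routes from this post
    "ip route 192.168.1.0 255.255.255.0 10.1.1.1",
    "ip route 192.168.1.0 255.255.255.0 10.1.1.2 2",
]

if __name__ == "__main__":
    rip = [parse_route_line(line) for line in RIP_LINES]
    print("RIP only:     ", select_routes(rip)["172.17.0.0/16"])
    print("RIP + OSPF:   ", select_routes(rip + [parse_route_line(OSPF_LINE)])["172.17.0.0/16"])
    statics = [parse_ip_route(cmd) for cmd in STATICS]
    print("both links up:", select_routes(statics)["192.168.1.0/24"])
    print("10.1.1.1 down:", select_routes(statics, {"10.1.1.1"})["192.168.1.0/24"])
```

The OSPF run is the point to remember: its metric of 74 is larger than RIP's 1, yet OSPF wins because 110 beats 120. A cost of 74 and a hop count of 1 are simply not the same unit, so IOS never compares them; it compares administrative distance first and only then looks at metrics from the protocol that won.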
Perhaps more later. I've been solidifying my understanding of the show ip route output today, also, but like I said...I feel like I should know this stuff already. Ah well, it's good to learn and better to know what the heck you're talking about should a client ask "What does that number mean there, after the IP address?"
Good night, all.
Tuesday, May 26, 2009
Studying again
I am preparing to take my CCNA (Cisco Certified Network Associate) in the next few weeks. I've been preparing for this for about 60 days now, and with summer coming up I'm feeling the pinch to do other things besides sitting in front of this computer with emulated routing and switching labs. But this needs to be completed soon, so I'll bear with it.
Right now I'm using a really excellent study tool called GNS3, and this is a real money saver. It's an emulation environment for Cisco IOS that runs actual IOS images as opposed to running simulated IOS. I found that, although some other router sims were quite good, they lacked in flexibility and completeness of the IOS command set. It is good to follow a canned lab, executing the required commands and nothing else. It's a whole other thing to set up a lab yourself and emulate a real-world environment. I have a number of labs created that I'm planning to put the finishing touches on and upload to GNS3-labs, which has been a really great tool for learning how to make GNS3 perform at its highest.
I'm in the final days of cramming, as I've already been through the majority of the material. I'm hoping to blog here about my topics of study to clarify what I'm learning for myself and perhaps to assist others in their own attempts. I find that there is a lot of material on the web pertaining to the CCIE, but not as much for the entry-level certs. (For that matter, I'd recommend not using Paul Browning's web site, book or racks. His material is lacking depth, his book is full of errors and his racks didn't function well. When I asked for a refund, he became condescending, insulting and childish. I'd be happy to show my correspondence with this unprofessional individual should anyone care to see it).
So, at any rate, on to the books and a little WAN theory tonight.
Monday, April 13, 2009
Straight, No Chaser
Miles Davis...that guy is amazing!
I remember learning this song when I was in music school, and thought it was real cool. Today I'm listening to a version on "Milestones" and just wanted to let you all know that Miles is a guy you should really check out.
He brings new levels to the adjective "cool, man, cool."
Sunday, March 29, 2009
And still, hope
I've meant to get here for some time. I've meant to say a few things about spring and new life and hope. It's been one thing after another, though, and I'm just now getting here.
We've been sick. It started with the kids and ended with me and finally Sandra. That took about a month to leave the house and we're just now getting back to normal.
Our yard was flooded, and we feared the same destruction that took place two weeks after moving into this house. The yard was under about 6 inches of water for a good part of the last month. Thankfully, the drainage system we put in place 8 years ago held true and our basement was dry.
We're reeling from medical bills. Sometimes I wonder how we'll pay them.
But still, I'm glad to say that we are hopeful. I think it comes less from the stimulus package or from the sunshine that has been far too elusive. It's from more than our desire for things to get better, or from our improving health. It comes from deep inside - from those places that only seem necessary when you're in dire straits.
It's from knowing without question that all this is temporary. Knowing that the economy is only a means to an end, as are the water-soaked basements and never-ending envelopes asking for money. It's in knowing that when all is said and done, we have fought the good fight and done our best - and in exactly Who gave us the strength to fight it.
Praise the Lord, He is faithful and true. His lovingkindness endures forever.
Monday, March 9, 2009
Keep the change
I've been pondering what the economic stimulus package is going to do to the country, vs. what it will do for the country. I'm afraid that the depth of relief given to middle-class Americans is a little too little and a little too late. Being one of them, I believe my monthly paycheck will see an increase of $25-40. Well, that's enough to buy my family an extra pizza each month, but it doesn't do anything to help ease the burden of my mortgage or credit card bills (and, for what it's worth, I'm not in a position where I fear losing my home or overwhelmed with credit card debt).
So Wall Street billionaires make millions more, Fannie Mae comes out smelling like a rose and the auto industry tags along. After years of financial mismanagement, corporate America gets bailed out and our children get the shaft. I say our children get the shaft, because if we take an honest look at the situation we'd see that our kids are the ones who are going to end up sorting this mess out - but after how much suffering?
I realize I'm not offering anything constructive and I'm just a pawn in the game here. I don't claim to have a clear understanding of economics from every perspective. All I can say is this: If I were to take the lead of our government, I would run out and charge every credit card I have to the limit and beyond. I would take every offer mailed to me every day and max those out, too. Then I'd buy my kids an extra "Big Mac" each month telling them not to worry about the financial ruin I'm leaving them.
Sound economic practice dictates that we not spend more than we earn - and that we even spend less than we earn. Why does sound economic principle not hold true for governments?
So, US Government, I'd say keep your "change." We can do without an extra pizza, but you could use the help.
Maybe I'll spend my "tax relief" on this.
PS - I realize that the economic stimulus is *supposed* to give us each enough to piddle away and not enough to actually make a difference in our own personal lives. The government does not want us to be free - they want us to be indebted to them and the banks in which they are about to take a major stake. We owe our souls to the company store, Brother...
Thursday, January 29, 2009
And while we're at it, get rid of the FDA too
You gotta love this.
"Mercury Found in High Fructose Corn Syrup
January 28, 2009
Quantities of mercury have been found in high fructose corn syrup, the ingredient that has replaced sugar in many of our processed foods. Reports have also come out that the FDA knew about traces of the toxic substance in food, and sat on the information. This news comes out just as we've learned that the peanut butter factory responsible for the salmonella outbreak has a storied history of health violations."
"Mercury is toxic in all its forms," said IATP's David Wallinga, M.D., and a co-author in both studies. "Given how much high fructose corn syrup is consumed by children, it could be a significant additional source of mercury never before considered. We are calling for immediate changes by industry and the FDA to help stop this avoidable mercury contamination of the food supply."
========
So tell me, who is the FDA protecting? It certainly isn't you or me. It appears that the processes and fees paid to the FDA are simply in place to generate income - because too often they "approve" of foods and medications that are harmful and not fully tested. Then, when they *do* get information like mercury in corn syrup, they sit on it until someone finds out.
Let's get rid of them along with the Dems and Republicans. I'm beginning to sound like an anarchist, I know. But if these are the people we've put in place to protect the public well-being, I'd suggest our well-being is not doing so well.
PS - I'm a little disappointed nobody fired back at my last post. Are we all waiting for Obama to save us?!
Wednesday, January 28, 2009
How's that for change?
According to a USA Today article:
"All six of the law and accounting firms hired by the Treasury Department to help manage the $700 billion financial bailout have clients who received the federal money, contracting and regulatory records show."
I don't know about you, but I'm sure welcoming the change.
Bah. Kick 'em all out - Republicans/Democrats. There ain't a dime's worth of difference between 'em...
Tuesday, January 27, 2009
It's only -4 degrees
I woke up this morning and thought "Man, this house is cold." I poured a cup of coffee and dreaded having to go outside to start my car this morning to get to work, and wished the long winter was over. This is probably one of the most common feelings for anyone who lives in this frozen waste/wonder-land called Minnesota in January.
But I was happy and somewhat encouraged to look at the thermometer outside and see that it was only 4 degrees below zero. I thought "Eh, that's not so bad, I must just be extra warm getting out of bed today."
That's when I realized that I was truly a Minnesotan. Four degrees below zero is officially "not that bad" from my perspective. Oh man, I need a vacation...