Integration is key to everything: Zenoss / COSS / Pagerduty

Posted on: November 8th, 2012 by Cascadeo Corporation

The full document can be accessed at this location.

The End of IPv4: What Your Company Should Know

Posted on: September 16th, 2012 by Cascadeo Corporation

On February 3, 2011, the Internet Assigned Numbers Authority (IANA) distributed the last blocks of IPv4 address space in the free pool to the Regional Internet Registries (RIRs), ARIN, RIPE, AFRINIC, APNIC, and LACNIC. This followed a global policy stating that when the IANA had only five /8-sized blocks, it would give one to each RIR. This means that after this year, no more new IPv4 addresses will be given out.

Currently, Internet service providers (ISPs) apply to one of the RIRs for IP address space, based on policies developed for their region. ISPs, in turn, assign IP address space to their customers. Organizations may also go directly to an RIR, to get provider-independent (PI) address space.

Now that the IANA has no more IPv4 address space, the RIRs will no longer receive new IP addresses directly from IANA and will run out of IPv4 addresses this year. How does this affect you? The next time you or your ISP requests additional IPv4 address space, the request will be rejected. Although opportunities to acquire IPv4 addresses from organizations that have spare allocations may exist, this will likely be both difficult and costly.

Fortunately, the IPv4 Internet will continue to function properly even when all IPv4 address space is gone. However, growing businesses will find expansion increasingly difficult, without additional address space to connect more devices and customers.

What is IPv6?

By the 1990s, IPv4 address space was clearly running out. The Internet Engineering Task Force (IETF), the primary standards body for the Internet, designed a protocol called IPv6. Compared with IPv4’s 32-bit (2^32) address space, IPv6’s enormous 128-bit (2^128) address space easily provides enough space for the foreseeable future. However, many businesses have been slow to adopt IPv6, both because of the significant effort involved and because the critical need was not yet apparent.

What does this mean for your business?

IPv6 does not operate alongside IPv4, but as a completely separate protocol. Businesses that want to remain competitive must apply a mechanism to their infrastructure that allows both versions to run. Therefore, it is essential that your network devices be upgraded and configured to run dual-stack, to cope with the coming IPv6 traffic and to let your business continue to grow. Dual-stack refers to running IPv4 and IPv6 simultaneously. This allows your servers to respond simultaneously both to the old IPv4 requests and to the newer IPv6-connected devices.

Cascadeo recommends a complete audit of your network and systems infrastructure, to determine how to upgrade it to dual-stack. Once the audit is done, a comprehensive transition plan can be implemented.

It will be a very long time, if ever, before IPv4 will be completely gone from the Internet. However, any company with a presence on the Internet, but without IPv4 reserves, must migrate to IPv6 in order to grow.

World IPv6 Day

On June 8, 2011, many major Internet-based companies around the world will go IPv6 for the day. Sites like facebook.com and google.com will change their DNS so that you can reach them only via IPv6. This is a test to motivate everyone to start thinking about, and migrating to, IPv6.

Cascadeo encourages you to review the links below and consider taking part in World IPv6 Day.

We look forward to working with you on the exciting transition ahead!

References:

World IPv6 Day

IANA Free Pool Exhaustion

FAIL: IPv6 on Home Routers and DSL/Cable Modems

Posted on: June 16th, 2012 by Cascadeo Corporation

Most consumer routers and DSL/cable modems/routers are not ready for IPv6.

Get to work, vendors…tick tock.

Thanks, Center for Internet Security (more security docs)

Posted on: November 16th, 2011 by Cascadeo Corporation

Another cache of documents for your reading pleasure. This time thanks go to the Center for Internet Security (CIS).

Debian Linux Benchmarks

Microsoft Windows 7 Benchmarks

Router Assessment Tool

VMware Benchmarks

Microsoft Windows 2000 Benchmarks

Microsoft Windows 2008 Benchmarks

Cisco Device Benchmarks

Apple iPhone Benchmarks

Wireless Network Devices Benchmarks

Apple OSX Benchmarks

Apache HTTP & Tomcat Benchmarks

Microsoft Windows 2003 Benchmarks

Unix Scoring Tools

Juniper Device Benchmarks

Microsoft Windows XP Benchmarks

CIS Windows XP Professional Benchmark v2.0.1

Yet Another Cache of Excellent Network Security Documents

Posted on: November 16th, 2011 by Cascadeo Corporation

We’ve been uncovering quite the mother lode of excellent docs lately. This one is from FIRST (Forum of Incident Response and Security Teams).

Highlights include:

Enjoy!

Official Announcement Regarding IPv4 Exhaustion/IPv6 Migration

Posted on: November 16th, 2011 by Cascadeo Corporation

From: ARIN
Date: February 1, 2011 7:09:02 AM EST
To:
Subject: [arin-announce] Significant Announcement 3 February – Watch it Live!

On Thursday, 3 February 2011, at 9:30 AM Eastern Standard Time (EST), the Number Resource Organization (NRO), along with the Internet Corporation for Assigned Names and Numbers, the Internet Society (ISOC), and the Internet Architecture Board (IAB) will be holding a ceremony and press conference to make a significant announcement and to discuss the global transition to the next generation of Internet addresses.

Much has been written in the international media over the last few weeks about the dwindling pool of Internet addresses using the original Internet protocol, called IPv4 (Internet Protocol version 4), and this topic will be addressed at the event.

We invite all interested community members to view the webcast of this event at: http://www.nro.net/news/icann-nro-live-stream.

In the event you happen to be at the Intercontinental Hotel in Miami on Thursday, there will be limited public seating available to attend (with press receiving seating priority) in Room “Concourse II” at 9:30 AM EST for the ceremony and 10:00 AM for the press conference that follows.

Regards,

Communications and Member Services
American Registry for Internet Numbers (ARIN)

Egypt Travels Back to the Stone Age

Posted on: November 16th, 2011 by Cascadeo Corporation

It’s happened…Egypt’s last functioning ISP was forced to pull the plug. We are fortunate here in the U.S. because we have a huge number of possible routes to the rest of the Internet and the world. In Egypt, the situation is much more dire and susceptible to control.

Another Cache of Excellent Network Security Documents

Posted on: November 16th, 2011 by Cascadeo Corporation

Today’s cache of excellent documents is thanks to the National Institute of Standards and Technology, Computer Security Division. Your tax dollars at work…in a good way.

Enjoy!

Guide to IPsec VPNs
sp800-77.pdf

Border Gateway Protocol Security
SP800-54.pdf

Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i
SP800-97.pdf

Guidelines on Firewalls and Firewall Policy
sp800-41-rev1.pdf

Guide to Securing Legacy IEEE 802.11 Wireless Networks
SP800-48r1.pdf

Guide to General Server Security
SP800-123.pdf

DRAFT A NIST Definition of Cloud Computing
Draft-SP-800-145_cloud-definition.pdf

DRAFT Guidelines on Security and Privacy in Public Cloud Computing
Draft-SP-800-144_cloud-computing.pdf

Guide to Security for Full Virtualization Technologies
SP800-125-final.pdf

DRAFT Information Security Continuous Monitoring for Federal Information Systems and Organizations
draft-SP-800-137-IPD.pdf

DRAFT Guide for Security Configuration Management of Information Systems
draft_sp800-128-ipd.pdf

Guide to Securing WiMAX Wireless Communications
sp800-127.pdf

Guidelines on Cell Phone and PDA Security
SP800-124.pdf

Guidelines for the Secure Deployment of IPv6
sp800-119.pdf

DRAFT Guide to Enterprise Password Management
draft-sp800-118.pdf

Technical Guide to Information Security Testing and Assessment
SP800-115.pdf

User’s Guide to Securing External Devices for Telework and Remote Access
SP800-114.pdf

Guide to SSL VPNs
SP800-113.pdf

Guide to Storage Encryption Technologies for End User Devices
SP800-111.pdf

Information Security Handbook: A Guide for Managers
SP800-100-Mar07-2007.pdf

Guide to Secure Web Services
SP800-95.pdf

Guide to Intrusion Detection and Prevention Systems (IDPS)
SP800-94.pdf

Guide to Computer Security Log Management
SP800-92.pdf

Guidelines for Media Sanitization
NISTSP800-88_rev1.pdf

Guide to Integrating Forensic Techniques into Incident Response
SP800-86.pdf

Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
SP800-84.pdf

Guide to Malware Incident Prevention and Handling
SP800-83.pdf

Secure Domain Name System (DNS) Deployment Guide
sp-800-81r1.pdf

Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist
guidance_WinXP_Home.html

Guide to Securing Microsoft Windows XP Systems for IT Professionals
download_WinXP.html

Security Considerations for Voice Over IP Systems
SP800-58-final.pdf

Recommendation for Key Management
sp800-57-Part1-revised2_Mar08-2007.pdf

Building an Information Technology Security Awareness and Training Program
NIST-SP800-50.pdf

Security Guide for Interconnecting Information Technology Systems
sp800-47.pdf

Guide to Enterprise Telework and Remote Access Security
sp800-46r1.pdf

Guidelines on Electronic Mail Security
SP800-45v2.pdf

Guidelines on Securing Public Web Servers
SP800-44v2.pdf

Nov 2002: Systems Administration Guidance for Windows 2000 Professional System
guidance_W2Kpro.html

Creating a Patch and Vulnerability Management Program
SP800-40v2.pdf

Guide to Selecting Information Technology Security Products
NIST-SP800-36.pdf

Guide to Information Technology Security Services
NIST-SP800-35.pdf

Aug 2000: PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
sp800-24pbx.pdf

Generally Accepted Principles and Practices for Securing Information Technology Systems
800-14.pdf

Telecommunications Security Guidelines for Telecommunications Management Network
sp800-13.pdf

An Introduction to Computer Security: The NIST Handbook
handbook.pdf

Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
sp800-122.pdf

Excellent guide relating to Cisco Security BCP (h/t NSA)

Posted on: September 22nd, 2011 by Cascadeo Corporation

Found a great document by our friends at the NSA regarding Router Security Practices. No references to installing backdoors… grin.

IPv4 Is Toast…IPv6 Is NOW

Posted on: March 9th, 2011 by Cascadeo Corporation

As announced at the last American Registry for Internet Numbers (ARIN) meeting, the IPv4 address space will be exhausted as early as February of next year. The process of upgrading from IPv4 to IPv6 is non-trivial and depends on appropriate planning, coordination and, in some cases, hardware and software upgrades. If you have not started down this path, we highly recommend that you begin focusing on it immediately.

For the past 20+ years we have used the Internet Protocol version 4 (IPv4) numbers. These numbers are what allow all computers, servers, and routers to communicate with each other. The IPv4 set of numbers has 32 bits, or about 4 billion possible addresses. After the extreme growth of the Internet over the years, we are now on the verge of running out of IPv4 addresses. The Regional Internet Registries (RIRs) are responsible for allocating addresses to organizations around the globe, and the American Registry for Internet Numbers (ARIN) is responsible for allocating address space for the North American region.

Over the past couple of years, the Internet community has closely followed the accelerated draining of the free pool of IPv4 addresses due to the proliferation of mobile devices and tremendous growth of Internet usage in developing countries like China and India. A number of statistical models are being used to predict when exhaustion will occur but, unlike Y2K, it is impossible to know the exact date of exhaustion due to the large number of organizations involved in the allocation process. Based upon the best data available today, the RIRs will run out of freely available IPv4 addresses in 2011.

For the past 10 years we have been working toward the deployment of IPv6, a new numbering scheme that has plenty of numbers available (2^128) to accommodate the growth of the Internet for the foreseeable future. The implementation of IPv6 requires careful planning and engineering to ensure a smooth deployment across various networks. A number of transition methods and technologies must be considered when planning the move to IPv6. Devices only on the IPv6 network cannot directly communicate with the existing IPv4 network, so a transition technology is necessary for all devices to be able to communicate with the entire Internet.

Different types of companies must prepare in different ways for the IPv6 transition. Content providers must ensure that their hosting services are accessible to IPv6 users by adding IPv6 services to their servers or by using a transition technology. Broadband access providers are often in constant need of more IPv4 addresses as they install new customers. After IPv4 addresses run out, additional IPv4 addresses for new customers will likely be scarce and thus new subscribers must be installed by using IPv6. These new subscribers also need a transition technology to bridge the gap between the IPv6 network and the existing IPv4 Internet. Enterprises must ensure that they can reach IPv6 sites as well.

Preparation for IPv6 deployment starts with understanding how the Internet will evolve as we run out of IPv4 addresses. The next steps include auditing your equipment and software to validate that it supports IPv6, training your IT staff to understand IPv6, creating a plan to deploy IPv6 and, lastly, executing on a plan to fully enable your network to support IPv6.

Cascadeo is well versed in IPv6, including having two members of our team serving on various ARIN advisory councils. For additional information regarding IPv6 or assistance in planning and deploying IPv6, contact us!

ipv6@cascadeo.com
206-577-1155

Additional IPv6 Resources:

IPv6 Info Wiki
ARIN’s IPv6 Education Site
IPv4 Depletion and IPv6 Adoption Presentation
IPv4 Address Report

———————-

From: ARIN
Date: Mon, Oct 18, 2010 at 6:58 AM
Subject: [arin-announce] Remaining IPv4 Address Space Drops Below 5%
To: arin-announce@arin.net

The Number Resource Organization (NRO) announced today that less than 5% of the world’s IPv4 addresses remain unallocated following IANA’s distribution of two IPv4 /8s to APNIC. The IANA IPv4 free pool has now dropped to 12 /8s, or 4.69%. The IPv4 free pool dipped below 10% in January, just nine months ago. Since then, over 200 million IPv4 addresses have been allocated from IANA to the five Regional Internet Registries (RIRs).

The number of IPv4 allocations is expected to grow by only 8% this year. In contrast, the five RIRs are expected to allocate over 2,000 IPv6 address blocks, representing an increase of over 70% on the number of IPv6 allocations in 2009. These statistics indicate an absence of any last minute “rush” on IPv4 addresses and a strong momentum behind the adoption of IPv6.

When the IANA IPv4 free pool has only five /8 blocks remaining, they will be simultaneously distributed to the five RIRs in accordance with global Internet number resource distribution policy. This means that only seven blocks remain to be handed out under the normal distribution method. At current depletion rates, the last five IPv4 address blocks will be allocated to the RIRs in early 2011.

The pressure to adopt IPv6 is mounting. Many worry that without adequate preparation and action, there will be a chaotic scramble for IPv6, which could increase Internet costs and threaten the stability and security of the global network. ARIN encourages you to deploy IPv6 now. Visit https://www.arin.net/knowledge/v4-v6.html for more information on IPv6 adoption, or contact us at info@arin.net with any questions.

Regards,

Communications and Member Services
American Registry for Internet Numbers


ESXi: Hot Replication of Running Virtual Machines

Posted on: March 4th, 2011 by Cascadeo Corporation

One of the questions we’re frequently asked by clients is how to do hot replication of running VMware virtual machines (VMs) without spending a small fortune on VMware management tools. The good news is that it’s possible—the bad news is that it requires a little work on your part.

The general concept is to gain Secure Shell (SSH) access to the ESX/ESXi host machine [1], use the command-line tools and standard *nix automation tools to create a clone of the running virtual machine and to copy it to another host, and then to add it to the inventory of the second host machine. This leaves the VM in a state that is similar to the situation in which a VM crashes or hangs, such as when the guest operating system detects that something went wrong and attempts to do a file system check or database transaction log replay. This obviously is not as desirable as properly shutting down the guest operating system and ensuring that the entire system is in a consistent state, but that is not possible for mission-critical systems in many cases.

The following is a simple *nix shell script illustrating this concept:

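#!/bin/bash
set -u

# ESXi hosts
HOSTS=(10.150.100.16)

# For each host, the VM datastore name, in the same order as HOSTS
DS=(datastore1)

# Backup datastore (rsync daemon module on the backup server)
BDSTORE="x.x.x.x::vmbak-casc-dc"

# Private temp file instead of a predictable name under /tmp
vmlist=$(mktemp) || exit 1
trap 'rm -f "$vmlist"' EXIT

for (( i = 0 ; i < ${#HOSTS[@]} ; i++ )); do
 host=${HOSTS[$i]}
 dstore=${DS[$i]}

 # Get the VM list and drop the header line
 ssh "root@$host" 'vim-cmd vmsvc/getallvms' | sed 1d > "$vmlist"

 # Iterate backup sequence; the list is read on fd 3 so that the ssh
 # calls inside the loop cannot consume it through stdin
 exec 3<"$vmlist"
 while read -r line <&3; do
  #echo "VM: $line"

  # Get VM id and name
  id=$(echo "$line" | awk '{print $1}')
  vmname=$(echo "$line" | awk '{print $2}')

  # Both values are pasted into a command line run as root on the host,
  # so skip anything that is not a numeric id and a plain name
  # (a name containing spaces is also not parsed correctly by awk above)
  if [[ ! $id =~ ^[0-9]+$ || ! $vmname =~ ^[A-Za-z0-9._-]+$ ]]; then
   echo "skipping unparseable entry: $line" >&2
   continue
  fi
  echo "$id"
  ts=$(date +%y%m%d-%H%M)
  echo "$ts"

  # Create snapshot; without one the copy below would read live disks
  echo "ssh root@$host 'vim-cmd vmsvc/snapshot.create $id $vmname-$ts $vmname-$ts'"
  if ! ssh "root@$host" "vim-cmd vmsvc/snapshot.create $id $vmname-$ts $vmname-$ts"; then
   echo "snapshot failed for $vmname, skipping" >&2
   continue
  fi

  # Copy snapshot to remote datastore
  #echo "ssh root@$host 'scp -i /.ssh/id_dsa -r /vmfs/volumes/${dstore}/$vmname $BDSTORE'"
  #ssh "root@$host" "scp -i /.ssh/id_dsa -r /vmfs/volumes/${dstore}/$vmname $BDSTORE"

  # This is the rsync option
  echo "time ssh root@$host 'rsync -av /vmfs/volumes/${dstore}/$vmname $BDSTORE'"
  time ssh "root@$host" "rsync -av /vmfs/volumes/${dstore}/$vmname $BDSTORE"

  # Remove snapshot to merge back delta file
  echo "ssh root@$host 'vim-cmd vmsvc/snapshot.removeall $id'"
  ssh "root@$host" "vim-cmd vmsvc/snapshot.removeall $id"
 done
 exec 3>&-
done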

If you have any questions about this approach, please don’t hesitate to contact us. We’d be glad to help and, if we can’t, we’ll get you in touch with someone who can. Send an email to info@cascadeo.com or call us at 206-577-1155. We are here to help!

[1] Note that ESXi has the SSH server disabled by default. It is possible to re-enable it, but it may violate VMware licensing rules and, as such, we can only formally endorse ESX for this solution. ESXi is known to work, however, with the SSH server re-enabled.
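
The script above takes each VM's id and name from `vim-cmd vmsvc/getallvms` with awk and interpolates them into a command line that runs as root over SSH. As an added example (not part of the original post), the sketch below parses names that contain spaces and single-quotes them for the remote shell; the sample listing is constructed, its column layout is an assumption, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: parse getallvms output and build a safely quoted remote command.

# Constructed sample listing (not captured from a real host). The last row
# stands for annotation text that has spilled onto a line of its own.
sample_vmlist() {
cat <<'EOF'
Vmid   Name            File                                  Guest OS       Version   Annotation
1      web01           [datastore1] web01/web01.vmx          ubuntu64Guest  vmx-07
2      db server       [datastore1] db server/db server.vmx  rhel5_64Guest  vmx-07
3      x;reboot        [datastore1] x;reboot/x;reboot.vmx    otherGuest     vmx-07
Multi-line annotation text that spilled onto its own row
EOF
}

# Emit "id<TAB>name" for every row that starts with a numeric id.
# The name is everything between the id and the "[datastore]" column,
# so names with spaces survive (a name containing "[" would not).
parse_vmlist() {
  awk 'NR > 1 && $1 ~ /^[0-9]+$/ {
    b = index($0, "[")
    if (b == 0) next
    name = substr($0, 1, b - 1)
    sub(/^[ \t]*[0-9]+[ \t]+/, "", name)
    sub(/[ \t]+$/, "", name)
    print $1 "\t" name
  }'
}

# Wrap a string in single quotes for a POSIX shell, escaping embedded quotes.
shquote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Build the remote snapshot command: $1 = VM id, $2 = VM name, $3 = timestamp.
# Refuses any id that is not purely numeric.
snapshot_cmd() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  label=$(shquote "$2-$3")
  printf 'vim-cmd vmsvc/snapshot.create %s %s %s\n' "$1" "$label" "$label"
}

# Demo: print the command that would be handed to ssh for each parsed VM.
sample_vmlist | parse_vmlist | while IFS="$(printf '\t')" read -r id name; do
  snapshot_cmd "$id" "$name" "$(date +%y%m%d-%H%M)"
done
```

The same `shquote` wrapping applies to the datastore path passed to rsync or scp, since it is built from the same VM name.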

Installing TACACS+ on Ubuntu

Posted on: February 23rd, 2011 by Cascadeo Corporation

Excellent documentation for setting up TACACS+ on Ubuntu.

Sweetfixes TACACS Ubuntu Setup

BGP at 18, Lessons Learned

Posted on: February 2nd, 2011 by Cascadeo Corporation

Yakov Rekhter, one of the authors of BGP, provides an excellent walkthrough of the lessons learned in its development.

A Glimpse into What’s Next, from the Cloud to the Edge

Posted on: February 1st, 2011 by Cascadeo Corporation

It dawned on me this weekend that many people don’t fully appreciate the significance of having massive bandwidth to the edge (home/office) and nearly infinite storage and processing power in the cloud and that it might be interesting to share with you some of the applications we’ve found that demonstrate the potential here. In no particular order, here are a few of my favorites. Please add others you think are worthy of inclusion, if you want. — Jared

Pandora, Personalized Internet Radio: Incredibly addictive, especially on an iPhone, as the music is streamed straight to your car stereo. No commercials, no interruptions, just new music tailored to your taste delivered free of charge. I love this.

Mailplane, Native MacOS client for Gmail: Why bother storing mail locally, when Google will store it for you? The only downside to date has been the clunky POP/IMAP client access requirement for offline access – Mailplane + Google Gears + offline Gmail completes the move of mail to the cloud. Expect to see a ton of other applications go this route, even as broadband becomes more and more ubiquitous.

XBMC on Apple TV: Ever dream of having your entire DVD, music, or photo library accessible on your television/stereo? Find the standard iPod/Apple TV interface a bit limiting for larger libraries? Want to watch Comedy Central on-demand free of charge? Install XBMC on your Apple TV, point it at your storage server, and you’re set. The minor hassle of the “patchstick” routine for the Apple TV is worth it.

Comcast’s new DOCSIS 3 cable modem service: The differences between 12 Mbps and 30+ Mbps are subtle, but significant. In particular, it is now possible to stream DVD video across the Internet, and the result is literally identical to having the physical media present. Push your entire audio/video/photo library up to the cloud (for example, S3) and forget about it.

Skype with Video: The era of the videophone finally arrives. Coupled with a very high bandwidth connection, video will become increasingly common in telecommunications in the near future.

Amazon Web Services: Scalable, disposable, cheap computing on demand. The migration to the cloud will be swift and likely painful for the server hardware manufacturers, as the economy will push people to opt for a recurring operating expense rather than the high capital expense (and operational headaches) associated with building conventional datacenter infrastructure. I am literally dumping my entire photo library to S3 storage as I write this.

Amazon Web Services blog

Posted on: February 1st, 2011 by Cascadeo Corporation

The Amazon Web Services blog at http://aws.typepad.com/aws/ is an excellent way to learn the latest and greatest in the rapidly-evolving cloud computing space. Even if you’re not currently an EC2/S3 user, this blog is one worth watching, because you’ll quickly get a sense for just how fundamentally this will change the industry.
