Networking, Security & Cloud Knowledge

Wednesday, June 3, 2015

How HTTPS works

    1.      The client makes a TCP connection to the server on destination port 443.
    2.      The SSL/TLS handshake starts once the TCP connection is established. The steps below describe the RSA key exchange of TLS 1.2 and earlier (SSL 3.0 itself is obsolete and should be disabled on servers).
        a.      The browser sends the CLIENT HELLO message. It contains:
                1.      The highest version of SSL/TLS the browser supports
                2.      The compression methods it supports (in practice only "null"; TLS-level compression leaks secrets to an attacker who can inject chosen plaintext, as the CRIME attack showed, so it should stay disabled)
                3.      The list of cipher suites it can use for the session, in order of preference
                4.      32 bytes of random data (the client random), used later when generating the symmetric keys for the session
        b.      The server responds with SERVER HELLO. It contains:
                1.      The SSL/TLS version used for the session (the highest one both sides support)
                2.      The single cipher suite and compression method that will be used, chosen from the browser's list
                3.      A session ID for the SSL/TLS session (a later connection can present it to resume without a full handshake)
                4.      32 bytes of random data (the server random), used in the key generation process
        c.      The server then sends its digital certificate, signed by a CA (the CERTIFICATE message). It serves two purposes:
                1.      It contains the server's public key, so the browser can encrypt the key-exchange secret in a way only this server can decrypt. The server normally also sends the chain of intermediate certificates up to (but not including) the root CA that issued the server certificate.
                2.      It establishes the identity of the server from which the web page is coming: the browser validates the signature chain against its trusted root store, checks the validity dates and revocation status, and checks that the name in the certificate matches the host it connected to. If any of these checks fail, the browser warns the user or aborts.
        d.      The server sends the SERVER HELLO DONE message.
        e.      The browser responds with a CLIENT KEY EXCHANGE message. It generates a random 48-byte premaster secret, encrypts it with the public key from the server's certificate and sends it; only the holder of the server's private key can recover it. (A CERTIFICATE VERIFY message is sent at this point only when the server requested a client certificate; it is the browser's signature proving it holds the private key for that certificate, not a notice that it has verified the server's certificate.)
        f.      Both sides now compute the same master secret from the premaster secret, the client random and the server random, and derive the symmetric encryption and MAC keys from it. The symmetric keys themselves are never sent over the wire.
        g.      The browser sends the CHANGE CIPHER SPEC message, telling the server that from now on data it sends will be encrypted with the negotiated cipher and keys.
        h.      The browser then sends the FINISHED message. It contains a digest of all handshake messages exchanged so far, keyed with the master secret. This lets the server confirm that none of the earlier, unencrypted handshake messages (for example the offered cipher suites) were tampered with in transit.
        i.      The server responds with CHANGE CIPHER SPEC, telling the browser that from now on data sent by the server will be encrypted.
        j.      The server sends its own FINISHED message containing the digest of all handshake messages.
        k.      Once each side has verified the other's FINISHED message, the handshake is complete and the HTTP request and response flow inside the encrypted channel.

Note: The reason for switching to a symmetric key is that symmetric encryption and decryption are far cheaper than asymmetric operations; public-key cryptography is used only to protect the key exchange and to authenticate the server. With the RSA key exchange described here, anyone who later obtains the server's private key can decrypt recorded traffic; (EC)DHE cipher suites instead exchange ephemeral keys in a SERVER KEY EXCHANGE message between steps c and d, which gives forward secrecy and is the preferred choice today.
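The two points the description above is loosest about are what the CLIENT HELLO actually carries on the wire and how both sides turn the premaster secret and the two randoms into session keys. The following added example (not code from the original post) builds a TLS 1.2 ClientHello byte by byte, parses it back, flags offers a reviewer would object to, and derives the master secret and an AES-128-GCM key block with the RFC 5246 PRF. The client random, server random and premaster secret are constructed dummy values, and CIPHER_SUITE_NAMES covers only a handful of code points.

```python
"""Added example (not from the original post): build and parse a TLS 1.2
ClientHello record, flag risky offers, and derive the master secret and
session keys the way RFC 5246 does.  All byte strings are constructed here
so the script runs offline; the premaster secret is a dummy value, not one
produced by a real key exchange."""
import hashlib
import hmac
import struct

# A few IANA cipher-suite code points, enough to show the negotiation.
CIPHER_SUITE_NAMES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",   # forward secrecy
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",         # RSA key exchange, no PFS
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",                # broken cipher and MAC
}

def build_client_hello(client_random, cipher_suites, compression=(0,)):
    """Return one TLS record carrying a ClientHello (handshake type 1)."""
    assert len(client_random) == 32
    body = b"\x03\x03"                              # client_version: TLS 1.2
    body += client_random                           # ClientHello.random
    body += b"\x00"                                 # empty session_id (no resumption)
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += bytes([len(compression)]) + bytes(compression)
    body += b"\x00\x00"                             # zero-length extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Record header: content type 22 (handshake), legacy version 3.1, length.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Parse a ClientHello record; raise ValueError on malformed input."""
    if len(record) < 5:
        raise ValueError("record too short")
    content_type, _, _, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != 22:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 1:
        raise ValueError("truncated record or not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    version = (body[pos], body[pos + 1]); pos += 2
    client_random = body[pos:pos + 32]; pos += 32
    sid_len = body[pos]; pos += 1
    session_id = body[pos:pos + sid_len]; pos += sid_len
    (suites_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0]
              for i in range(0, suites_len, 2)]
    pos += suites_len
    comp_len = body[pos]; pos += 1
    compression = list(body[pos:pos + comp_len])
    return {"version": version, "random": client_random, "session_id": session_id,
            "cipher_suites": suites, "compression": compression}

def risky_offers(hello):
    """What a reviewer would flag in a captured ClientHello."""
    findings = []
    for s in hello["cipher_suites"]:
        name = CIPHER_SUITE_NAMES.get(s, "0x%04X" % s)
        if any(tag in name for tag in ("RC4", "_MD5", "NULL", "EXPORT")):
            findings.append("weak cipher suite offered: " + name)
    if any(c != 0 for c in hello["compression"]):
        findings.append("TLS compression offered (CRIME risk)")
    return findings

def prf_sha256(secret, label, seed, length):
    """TLS 1.2 PRF (RFC 5246 section 5): P_SHA256(secret, label + seed)."""
    seed = label + seed
    out, a = b"", seed                                            # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()           # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest() # HMAC(secret, A(i) + seed)
    return out[:length]

def derive_keys(premaster, client_random, server_random):
    """Master secret, then the AES-128-GCM key block (GCM has no MAC keys)."""
    master = prf_sha256(premaster, b"master secret", client_random + server_random, 48)
    # Key expansion uses the randoms in the opposite order (RFC 5246 section 6.3).
    block = prf_sha256(master, b"key expansion", server_random + client_random, 40)
    return {"master_secret": master,
            "client_write_key": block[0:16], "server_write_key": block[16:32],
            "client_write_iv": block[32:36], "server_write_iv": block[36:40]}

if __name__ == "__main__":
    # Constructed sample: a client offering ECDHE, plain RSA and RC4, plus DEFLATE compression.
    hello = build_client_hello(b"\x11" * 32, [0xC02F, 0x009C, 0x0004], compression=(1, 0))
    parsed = parse_client_hello(hello)
    print("offered:", [CIPHER_SUITE_NAMES[s] for s in parsed["cipher_suites"]])
    print("findings:", risky_offers(parsed))
    keys = derive_keys(b"\x03\x03" + b"\x42" * 46, parsed["random"], b"\x22" * 32)
    print("master secret:", keys["master_secret"].hex())
```

Feed parse_client_hello the bytes of the first record a real client sends (captured with tcpdump or Wireshark) to get the same analysis on live traffic. Both ends derive identical keys from the same three inputs, which is why the two randoms must be fresh and unpredictable on every connection and why the premaster secret must only ever be readable by the holder of the server's private key.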

Sunday, May 31, 2015

Riverbed

Riverbed functions

  • TCP packet compression
  • Scalable data referencing and de-duplication
    • As data flows through, the SteelHead stores the data segments it sees and keeps references (pointers) to them; later transfers of the same segments send only the reference to the peer SteelHead.
    • 60 to 90% reduction in traffic
  • Transaction prediction (send the whole file to the remote Riverbed before the server ACK)

Riverbed technology overview

Deduplication:  In computing, data deduplication is a specialized data compression technique for eliminating duplicate copies of repeating data. Related and somewhat synonymous terms are intelligent (data) compression and single-instance (data) storage.

Riverbed appliances
  • Riverbed WAN accelerators (SteelHead)
    • Data consolidation (consolidated back to the data center)


  • Riverbed Whitewater (disaster recovery)
    • Tape backup replacement / push to cloud


  • Riverbed Granite (if the WAN goes down and there is no access to the DC to get the consolidated data)
    • Pushes data back to a local share.
  • SMC (SteelHead Mobile Controller) - a SteelHead for one user
    • For individual users or SOHO users


Riverbed - SteelHead connectivity details



Saturday, May 30, 2015

ITIL : Information Technology Infrastructure Library

Introduction to ITIL
  • ITIL is a set of guidelines and best practices outlining how ITSM (Information Technology Service Management) can be implemented.
  • It focuses on aligning IT services with the needs of the business.
  • Although ITIL underpins ISO/IEC 20000 (previously BS15000), the international standard for IT service management, there are some differences between the ISO 20000 standard and the ITIL framework.
  • ITIL describes processes, procedures, tasks, and checklists which are not organization-specific but can be applied by any organization.
  • Since July 2013, ITIL has been owned by AXELOS Ltd, a joint venture between HM Cabinet Office and Capita plc. AXELOS licenses organizations to use the ITIL intellectual property, accredits licensed examination institutes, and manages updates to the framework.



Organization 
  • CCTA: The Central Computer and Telecommunications Agency (CCTA) was a UK government agency providing computer and telecoms support to Government departments.
  • Office of Government Commerce (OGC) was a UK Government Office established as part of the HM Treasury in 2000. It was moved into the Efficiency and Reform Group of the Cabinet Office in 2010, before being closed in 2011
  • Her Majesty's Treasury (HM Treasury), sometimes referred to as the Exchequer, or more informally the Treasury, is the UK government department responsible for developing and executing the British government's public finance policy and economic policy.
  • Cabinet Office: The Cabinet Office is a department of the Government of the United Kingdom responsible for supporting the Prime Minister and Cabinet of the UK.
  • Capita plc (LSE: CPI), commonly known as Capita, is an international business process outsourcing and professional services company headquartered in London, UK.
  • AXELOS: a joint venture set up in 2013 by the Government of the UK (HM Cabinet Office) and Capita to develop, manage and operate qualifications in best practice, in methodologies formerly owned by the OGC.


Ownership & Certification 
  • ITIL was originally developed by the CCTA (the agency providing computer and telecom support to government) in response to the growing dependency on IT.
  • The CCTA merged into the OGC.
  • The OGC was consolidated into the Cabinet Office (responsible for supporting the PM and Cabinet of the UK).
  • ITIL 2011 is owned by HM Government.
  • 2013: AXELOS Ltd (joint venture of HM Cabinet Office and Capita plc) took over ownership.
  • AXELOS announced a strategic partnership with EXIN for global ITIL® and PRINCE2® exam delivery.

ITIL Version 
  • Version 1: After the initial publication in 1989–96, the number of books quickly grew within ITIL v1 to more than 30 volumes.
  • Version 2: In 2000/2001, to make ITIL more accessible (and affordable), ITIL v2 consolidated the publications into nine logical "sets" that grouped related process-guidelines to match different aspects of IT management, applications and services. The Service Management sets (Service Support and Service Delivery) were by far the most widely used, circulated, and understood of the ITIL v2 publications.
  • In April 2001, the CCTA was merged into the OGC, an office of the UK Treasury.
  • In 2006, the ITIL v2 glossary was published.
  • Version 3: In May 2007, the OGC issued version 3 of ITIL (also known as the ITIL Refresh Project), consisting of 26 processes and functions, now grouped into only 5 volumes arranged around the concept of a service lifecycle structure. Version 3 is now known as ITIL 2007 Edition.
  • In 2009, the OGC officially announced that ITIL v2 certification would be withdrawn and launched a major consultation as per how to proceed.
  • In July 2011, the 2011 edition of ITIL was published, providing an update to the version published in 2007. The OGC is no longer listed as the owner of ITIL, following the consolidation of OGC into the Cabinet Office. The 2011 edition is owned by HM Government.




Cisco Router Overview

Cisco 1720 router:

  • Onboard 10/100 Mbps Ethernet port.
  • WIC: two Smart Serial ports, model WIC-2T
  • WIC: ISDN BRI, model BRI S/T
  • WIC: serial, model WIC-1T
  • WIC: Ethernet, model WIC-1E (supports only 10 Mbps, no 100 Mbps)
  • The 1750 series supports voice.


Cisco 1841
  • Two 10/100 Mbps ports onboard.
  • Two Smart Serial WICs (left)
  • BRI WIC (right)


Cisco 2901


Cisco 2911

Cisco 2921


Cisco 6800 Series switch

  • Campus backbone switches optimized for 10/40/100 Gbps
  • Unified access
  • The 6807-XL supports 6500 series line cards and service modules
  • Catalyst Instant Access solution
  • Supports the Sup 2T (also supported in the 6500-E)


6807-XL
  • 10 RU
  • 7 slots
  • 880 Gbps per slot
  • 11.4 Tbps full-duplex switching capacity
  • VSS support: a VSS pair of distribution switches with 20 Instant Access switches


6880-X
  • 7 RU
  • Fixed format
  • 4 module slots
  • 80 x 10 Gigabit OR 20 x 40 Gigabit ports


6800ia
  • Instant Access switch
  • 48 x 10/100/1000 Mbps ports
  • PoE/PoE+ support
  • Stackable

Friday, May 29, 2015

ACS 5.1 overview

   Earlier versions of ACS were based on membership of user groups; a user group defines the access restrictions and permissions for the users who are members of that group. Since authorization was tied to user groups, all members got the same access policies and restrictions all the time. This type of authorization suits simple policies in which identity is the only condition. It does not suit cases where a user should get different permissions under different conditions (like location, date and time). The ACS 5.1 rule-based policy model is instead based on rules of the form:
   IF condition THEN result
In ACS 5.1 we define conditions and results as global, shared objects. You define them once and then reference them when you create rules. ACS 5.1 uses the term policy elements for these shared objects, and they are the building blocks for creating rules.



The table below shows how the various policy elements define all the information that the old group contained.
Table 3-1 Information in Policy Elements

  Information in ACS 4.x Group   | Information in ACS 5.1 Policy Element
  -------------------------------+---------------------------------------------
  Identity information           | AD group membership and attributes
                                 | LDAP group membership and attributes
                                 | ACS internal identity groups and attributes
  Other policy conditions        | Time and date conditions
                                 | Custom conditions
  Permissions                    | Authorization profiles


A policy is a set of rules that ACS 5.1 uses to evaluate an access request and return a decision. For example, the set of rules in an:
  • Authorization policy returns the authorization decision for a given access request.
  • Identity policy decides how to authenticate and acquire identity attributes for a given access request.

ACS 5.1 organizes a sequence of independent policies (a policy workflow) into an access service, which it uses to process an access request. We can create multiple access services to process different kinds of access request, for example device administration or network access.

An access service contains the identity and authorization policies for handling incoming requests. By default ACS provides one access service (Default Network Access) for handling RADIUS network access requests and another (Default Device Admin) for TACACS+ device administration requests. Typically each access service has two policy steps: an identity policy to select the identity store used to authenticate the user, and an authorization policy to grant permissions.

We can define simple policies, which apply a single result to all requests without any conditions, and rule-based policies, which are more complex policies that test various conditions. Rules in a rule-based policy are evaluated in order and the first matching rule determines the result, with a default rule at the bottom, so the order of rules matters.
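To make the rule-based model concrete, here is an added toy evaluator, not Cisco's code, that models what the text describes: conditions defined once as shared objects, ordered rules that reference them, one access service selected per protocol, and a default rule at the bottom. The group names, device-group names, profile contents and sample requests are made up for the illustration.

```python
"""Added example, not Cisco ACS code: a toy model of the ACS 5.1 rule-based
policy described above.  Conditions are defined once as named, shared objects
and referenced from rules; rules are evaluated top-down and the first match
wins, with a default rule at the bottom.  Group names, device groups, profiles
and the sample requests are constructed for the illustration."""
from datetime import datetime

# ---- policy elements (shared objects) ---------------------------------
# Identity conditions (AD group membership), a time/date window, a network
# device group test and a custom condition on the access type.
CONDITIONS = {
    "is_netadmin":    lambda r: "NetAdmins" in r["ad_groups"],
    "is_helpdesk":    lambda r: "HelpDesk" in r["ad_groups"],
    "business_hours": lambda r: r["time"].weekday() < 5 and 8 <= r["time"].hour < 18,
    "from_core_ndg":  lambda r: r["device_group"].startswith("All Devices:Core"),
    "wired_8021x":    lambda r: r["protocol"] == "RADIUS" and r["nas_port_type"] == "Ethernet",
}

# Authorization profiles: the "result" half of IF condition THEN result.
PROFILES = {
    "full_admin":    {"privilege": 15},
    "readonly":      {"privilege": 1},
    "employee_vlan": {"vlan": 100},
    "deny":          None,
}

# ---- rule tables: ordered, first match wins, last entry is the default ----
# The most specific rule sits first: swapping the first two rules would give
# NetAdmins read-only access everywhere, because "netadmin_other" matches them too.
DEVICE_ADMIN_RULES = [
    ("netadmin_core_hours", ["is_netadmin", "from_core_ndg", "business_hours"], "full_admin"),
    ("netadmin_other",      ["is_netadmin"],                                   "readonly"),
    ("helpdesk_hours",      ["is_helpdesk", "business_hours"],                 "readonly"),
    ("default",             [],                                                "deny"),
]
NETWORK_ACCESS_RULES = [
    ("employees_wired", ["wired_8021x", "business_hours"], "employee_vlan"),
    ("default",         [],                                "deny"),
]

# One access service per kind of request, selected by AAA protocol.
ACCESS_SERVICES = {"TACACS+": DEVICE_ADMIN_RULES, "RADIUS": NETWORK_ACCESS_RULES}

def evaluate(rules, request):
    """Return (rule name, profile) for the first rule whose conditions all hold."""
    for name, cond_names, profile in rules:
        if all(CONDITIONS[c](request) for c in cond_names):
            return name, PROFILES[profile]
    raise RuntimeError("rule table has no default rule")  # ACS always has one

def authorize(request):
    """Select the access service from the protocol, then run its rule table."""
    return evaluate(ACCESS_SERVICES[request["protocol"]], request)

def make_request(groups, device_group, when, protocol="TACACS+", nas_port_type=None):
    """Constructed access request with the attributes the conditions look at."""
    return {"ad_groups": groups, "device_group": device_group, "time": when,
            "protocol": protocol, "nas_port_type": nas_port_type}

if __name__ == "__main__":
    monday = datetime(2015, 6, 1, 10, 0)     # weekday, inside business hours
    saturday = datetime(2015, 6, 6, 10, 0)   # weekend
    for req in (make_request(["NetAdmins"], "All Devices:Core:Routers", monday),
                make_request(["NetAdmins"], "All Devices:Core:Routers", saturday),
                make_request(["HelpDesk"], "All Devices:Access", saturday),
                make_request(["Employees"], "All Devices:Access", monday,
                             protocol="RADIUS", nas_port_type="Ethernet")):
        print(req["ad_groups"], req["time"].strftime("%a %H:%M"), "->", authorize(req))
```

The same NetAdmins user gets full privilege on core devices during business hours and read-only access otherwise, which is exactly the "different permissions under different conditions" that a flat group model cannot express; the default deny at the bottom of each table is what keeps an unforeseen request from silently succeeding.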


Key Benefits
  • Powerful and flexible policy model
    • Authorization is not tied to a single group membership.
    • Different authorization under different conditions (e.g. time, location, etc.).
    • Network device groups can be structured hierarchically to simplify policy administration.

  • Enhanced management and troubleshooting:
    • Centralized collection and reporting of activity and health information
    • Incremental replication
    • Installation and management interface for software updates



ACS Functionality


Within the context of the two major AAA protocols, RADIUS and TACACS+, ACS provides the following basic areas of functionality.

  • Under the framework of the RADIUS protocol, ACS controls wired and wireless access to the network by users and host machines and manages the accounting of the network resources used. ACS supports multiple RADIUS-based authentication methods, including PAP, CHAP, MS-CHAPv1, MS-CHAPv2, and many members of the EAP family of protocols, such as EAP-MD5, LEAP, PEAP, EAP-FAST, and EAP-TLS. In association with PEAP or EAP-FAST, ACS also supports the inner methods EAP-MSCHAPv2 and EAP-GTC. Of these, PAP, CHAP, MS-CHAPv1, LEAP and EAP-MD5 are legacy methods with known weaknesses; in a new deployment, prefer EAP-TLS or an MS-CHAPv2/GTC exchange protected inside a PEAP or EAP-FAST tunnel.
  • Under the framework of the TACACS+ protocol, ACS facilitates the administrative management of Cisco and non-Cisco network devices such as switches, wireless access points, routers and gateways, as well as of services and entities such as dial-up, VPN and firewalls.



Summary


  • Cisco ACS 5.1 is a policy management system supporting comprehensive, identity-based access control and security. It supports 802.1X, NAC and RADIUS, and also device administration through TACACS+.
  • It is available in two form factors:
    • Linux appliance: one rack-unit (1RU) security-hardened, Linux-based appliance
    • Virtual appliance: software application and operating system image for installing on VMware ESX 3.5
  • All primary and secondary ACS servers can process AAA requests. The primary ACS server is also the default log collector for the Monitoring and Report Viewer; you can configure any ACS server to be the log collector.



Stacking 3850 Switch

Components required to create a 3850 stack.

3850 features:

  • Provides convergence between wired and wireless.
  • Supports 480 Gbps stacking and Cisco StackPower.
  • 802.11ac wireless
  • Flexible NetFlow
  • Supports full PoE+ and Universal Power over Ethernet (UPOE).


3850 licenses

  • L - LAN Base
  • S - Standard (IP Base)
  • E - Enterprise (IP Services)


Switch models

  • WS-C3850-24S           24 SFP ports
  • WS-C3850-48T           48 10/100/1000 Ethernet ports

Stacking requirement: two 3850 switches, both running the same license level (a member with a different license level does not join the stack normally).



[Figures: stack cables, StackPower ports, stack ports, stacking connection]

Stacking procedure
Step 1: To stack the switches, connect the data stack cables in a cross format as shown in the picture above. There are two cables: connect one end of the first cable to stack port 1 of the first switch and the other end to stack port 2 of the second switch, and connect the second cable from stack port 2 of the first switch to stack port 1 of the second switch, so that the stack ring is closed.

Step 2: Connect the StackPower cables: connect one end of the cable to StackPower port 1 of one switch and the other end to StackPower port 2 of the second switch (a second cable from port 2 back to port 1 closes the power ring).

Setting stack priority:
Switch# switch [switch number] priority [1-15]
The switch with the highest priority is preferred when the active switch is elected (the default priority is 1), so give the switch you want to be active the highest value, for example switch 1 priority 15.

To verify the stack:
Switch# show switch

To verify the license:
Switch# show license right-to-use