
Archive for the ‘Network Niblets’ Category

Layered Security: Solving the Cube
Last Updated on Monday, 21 July 2008 11:50
Written by JJ
Sunday, May 4th, 2008

We always talk about ‘layered security’ and ‘defense in depth’ as strategies for securing the network. And, usually, we’re talking about these as good strategies. However, with more and more security ‘stuff’ on the market, the layered security solutions are starting to lose some of their value.

Why? Well, the problem with layered security is that we tend to assume if Layer X isn’t providing a particular protection, Layer Y must be… and we all know what assuming does.

In the good ol’ days, we relied on firewalls- perhaps nested firewalls, or ones positioned strategically on the LAN as well as the WAN. Because of our network architecture at the time, that was the primary (and probably only required) protection. After years of de-perimeterization and the increase of threats from both remote-access and insiders, we have a much different landscape.

The addition of resources and availability in the network has led to the addition of vulnerabilities and threats.

Now… our schools need to protect children from material online. Now… we need to stop Trojans from sneaking in with VoIP apps. We need to access our corporate network securely from Starbucks. Our corporations need to protect their network from users accessing or publishing illegal content on the Internet. We need to protect our email, make sure it’s virus-free and that it doesn’t let employees send sensitive information to the outside world.

All these increased risks and threats lend to the need for more protection in the environment. There’s just no single silver bullet or cure-all for the problems we’re facing.

What does this mean? It means we’re adding security products to the network to address these issues. We need content filtering. We need layer-7 visibility on the WAN for inbound/outbound application control. We need data leakage prevention. We need email security. We need SSL-VPNs for secure remote access… the list goes on.

So, what’s the problem? We’re living in a world of security buzzwords and ‘hot topic’ solutions. But the problem is two-fold.

Problem 1- We forget to KISS IT. In the frenzy to understand and implement these hot new products, we’re losing sight of some basic security functions and overlooking some really important security fundamentals. Remember to KISS IT and keep your basic security solutions simple- then layer on top of that. Your hot new NAC or DLP solution won’t seem so impressive if your basic firewall rules haven’t been properly configured.

Problem 2- We forget thy layers. After you KISS IT, you need to start layering responsibly. That means having a CLEAR understanding of what each solution does- or does not- do. You wouldn’t believe how many customers call and want to hear about Widget A for a certain problem that Widget A is not designed to fix. I deal with it daily and I blame (for the most part) vendors for mis-advertising their product as a fix-all. Whether it’s hardware or software- know what each piece of your security solution is designed to do, what it’s actually doing, and keep that information documented. Documented- I’m going to say it again. Your firewall/UTM may offer content filtering and gateway AV, but are you using it? Are you using a WAN optimization product to stop prohibited applications, or is your web filter doing that? Do you even know?

Solving the Cube. Layered security is like solving a Rubik’s Cube. You may think you’re on the right track after you get one side solved… but the other 5 are just a huge mess. There are patterns and algorithms you must follow to solve all sides together. Your layered security solution is no different. Understand what each piece is doing, how it fits in, and when to twist one layer here to implement a solution as part of a different layer over there.
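The “know what each piece is doing, and document it” point above is easy to turn into a check you can actually run. The script below is an added example, not something from the original post: it takes a constructed inventory of security devices and the controls each one is configured to provide, compares that against the list of controls you believe the environment needs, and reports controls nobody is providing (gaps) and controls two layers are both doing (overlaps, the “WAN optimizer or web filter?” question). The device names and the control list are hypothetical; swap in your own.

```python
"""Added example (not from the original post): a 'layer coverage' check.

Builds a control -> device map from an inventory, then flags required
controls that no layer provides and controls that more than one layer
claims, so the overlap can be resolved and documented.
"""
from collections import defaultdict

# Constructed inventory: device -> controls it is actually ENABLED to perform
# (not what the box could do, what it is configured to do).
INVENTORY = {
    "edge-firewall": {"stateful-filtering", "gateway-av"},
    "web-filter": {"content-filtering", "app-control"},
    "wan-optimizer": {"app-control"},      # also blocking apps - who owns this?
    "ssl-vpn": {"remote-access"},
    "mail-gateway": {"email-av"},
}

# Controls this (hypothetical) environment requires.
REQUIRED = {
    "stateful-filtering", "gateway-av", "content-filtering",
    "app-control", "remote-access", "email-av", "dlp",
}


def coverage(inventory, required):
    """Return (providers, gaps, overlaps).

    providers: control -> sorted list of devices configured to provide it
    gaps:      required controls that no device provides
    overlaps:  required controls provided by more than one device
    """
    providers = defaultdict(list)
    for device, controls in inventory.items():
        for control in controls:
            providers[control].append(device)
    providers = {c: sorted(d) for c, d in providers.items()}
    gaps = sorted(c for c in required if c not in providers)
    overlaps = sorted(c for c in required if len(providers.get(c, [])) > 1)
    return providers, gaps, overlaps


def report(inventory=INVENTORY, required=REQUIRED):
    """Human-readable coverage matrix plus GAP/OVERLAP findings."""
    providers, gaps, overlaps = coverage(inventory, required)
    lines = []
    for control in sorted(required):
        owners = providers.get(control, ["NOBODY"])
        lines.append(f"{control:20s} -> {', '.join(owners)}")
    for control in gaps:
        lines.append(f"GAP: nobody is providing '{control}'")
    for control in overlaps:
        lines.append(
            f"OVERLAP: '{control}' is handled by {', '.join(providers[control])}; "
            "decide which layer owns it and document that"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Run it once when you build the matrix and again whenever a product is added or a feature licence lapses; the output is the documentation the post is asking you to keep.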

# # #

802.1X Terminology- Port ‘Closed’
Last Updated on Saturday, 28 January 2012 07:03
Written by JJ
Saturday, May 3rd, 2008

Recently, I’ve been asked to explain my choice of terminology when describing 802.1X during various talks and presentations. One piece of verbiage I tend to use is that an 802.1X-enabled port is ‘shut off’ or ‘closed’ prior to endpoint authentication.

My choice of words seems to raise a few eyebrows with my audience. You, like several others, may ask- “That seems like an ‘untechnical’ term, shouldn’t you say it ‘disables’ the port?”  (more…)

Fiber: Review of Optics, Cables & Connectors
Last Updated on Tuesday, 12 August 2008 04:18
Written by JJ
Saturday, April 5th, 2008

When I started this blog, I said I wanted to give you useful information, sometimes in the form of lengthy technology overviews, and sometimes in short snippets. I like to dig around the search terms, comments and emails to see what you want to know more about, and I’ve seen a lot of interest in fiber information.

The fiber types (such as multi-mode, single-mode), standards (SX, LX, LH) and connectors (LC, ST, SC) seem to be topics that need clarification about 80% of the time when we’re working with customers on networking equipment or site surveys.

Here’s a brief review of the various types of fiber, optics, connectors and when to use what. Let’s start with the basic stuff, and move down the line.

Multi-mode vs Single-mode
First of all, we have multi-mode and single-mode fiber. Multimode has a larger diameter ‘core’ or the area in the middle the light travels through. The larger diameter- think of it as a big tunnel- lets the light take different paths, creating multiple rays, or modes (hence multi-mode). The light bounces around more, which means the connectors and splices for multimode are more forgiving than for singlemode, but the bouncing causes dispersion and fidelity loss. On the other hand, singlemode has a much smaller diameter core, giving the light one straight path, or mode, through the cable. Because of this, singlemode offers higher throughput and longer distance, but the light equipment and connectors are much more finely-tuned. Which, of course, means singlemode is much more expensive.

When you’re adding or surveying multimode fiber, you should know what core size you’re working with. The core size affects bandwidth and the maximum distance you can reliably run it. Multimode usually comes in 50- or 62.5-micron, which is the core diameter. The larger the core size, the more bouncing, so the shorter the distance you can go. To give you a general comparison, most singlemode comes in 9-micron core, which is about 1/6th the diameter of multimode. The smaller the diameter, the more precision you get.

When to use what. In short, the fiber type you choose will depend on 1) budget and 2) distance. Mostly, you’ll use multimode for short fiber runs, between switches, to servers and possibly between buildings, if they’re adjacent. You should use singlemode when you need higher throughput or a longer distance. Here’s a quick look at the types and maximum distances for each. I’ve also included a proprietary rating, for connectors using 1550nm wavelength over singlemode fiber, to get increased distance. (Standard for singlemode is 1310nm.)

  • Multimode – up to 220m with 62.5 micron core
  • Multimode – up to 550m with 50 micron core
  • Singlemode – up to 5km-10km (standard, using 1310nm optics)
  • Singlemode – up to 70+km* (proprietary, using 1550 nm optics)

Fiber Optic Standards
You’ll need to know the type of optic to specify for your network equipment. Some vendors have their own proprietary fiber optics, but the standards are 1000Base-SX for multimode, and 1000Base-LX for singlemode. You can use multimode with 1000Base-LX with the addition of a mode-conditioning cable to set the light along the correct path down the cable. LX, which is standard, uses the ~1310nm wavelength. Vendors have created 1000BASE-ZX and 1000BASE-LH, which use the 1550nm optics to obtain longer distances. Note, here we’re talking about 1-Gig fiber, not 10GbE, hence the 1000Base. We usually just refer to these as SX, LX and LH, leaving off the 1000Base- when talking about the optics.

  • 1000Base-SX – multimode
  • 1000Base-LX – singlemode standard (can be used over MM with mode-conditioning cable)
  • 1000Base-LH – singlemode non-standard (proprietary for longer distances at 1550nm)

Connectors
Here’s the fun part, and no one remembers what connectors they have (if they even knew in the first place!). There are several out there, but you’re probably going to only ever run into three - LC, ST and SC.

I’ll start with LC since that’s usually found on switches and other network equipment these days. LC stands for ‘Lucent Connector’ (the creator) and is the connection type on SFPs (Small Factor Pluggable) or Mini-GBICs. They’re small, and were designed to replace the SC connectors.

Since I mentioned SC, let’s go there next. SC, or ‘Standard Connector’, is the predecessor to LC, and is similar in shape, but quite a bit larger. We suggest using the mnemonic ‘Square Connector’ to remember SC.

Last- and possibly least- we have ST, which really means ‘Straight Tip’, but many folks have a better time thinking of ‘Stab and Twist’. You stick it in and lock it in place by turning the outer barrel, sort of like BNC did. And yes, I’m old enough to remember the BNC days ;)

Duplex and Simplex
Most often, you’ll be using duplex fiber, which consists of a pair of fibers for bi-directional communication. Then- of course- you would use simplex fiber cables if you only need to send data in a single direction. Those applications are more specific, but they do exist. On duplex cables, you’ll notice connectors that aren’t fixed-form will be marked or color-coded, one for transmit, one for receive.

Ordering Fiber Cables
If we’re translating all our acronyms and numbers into something we can use, then let’s talk about how you put it all together when you’re looking for the right cables.

For example, let’s say you’re purchasing short fiber jumpers for connecting your patch cable to your switch. Most likely, you’ll want multimode, in a short length (2 meters), with LC on the end going to the switch and let’s say SC on your patch panel. In our example, we’re assuming we have 62.5-micron multimode fiber.

What you’ll ask for is: Fiber jumper, 2 meters, duplex, 62.5-micron multimode, LC to SC.
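Putting the distance table, the budget-vs-distance rule, the LX-over-multimode caveat and the ordering format together, here is a small link planner as an added example; it is not code from the original post. The maximum distances and fiber/optic pairings are exactly the ones listed above (5km-10km for LX is taken as the 10km upper bound, 70+km for LH as 70km); the option ordering, function names and sample links are my own assumptions, with the “cheapest first” order following the post’s statement that singlemode is the expensive choice.

```python
"""Added example, not from the original post: a fiber link planner built
from the post's distance table and rules.

pick_fiber()  - cheapest fiber/optic from the table that reaches a distance
check_link()  - validate one planned link (reach, LX over MM, LH caveat)
order_spec()  - build the order line in the post's format
"""

# (fiber type, core diameter in microns, optic, max reach in meters).
# Ordered cheapest-first: multimode before singlemode, standard before proprietary.
OPTIONS = [
    ("multimode", 62.5, "SX", 220),
    ("multimode", 50.0, "SX", 550),
    ("singlemode", 9.0, "LX", 10_000),   # post: 5km-10km standard, 1310nm
    ("singlemode", 9.0, "LH", 70_000),   # post: 70+km proprietary, 1550nm
]
MAX_REACH_M = {(f, c, o): d for f, c, o, d in OPTIONS}


def pick_fiber(distance_m):
    """Cheapest (fiber, core, optic) from the post's table that reaches distance_m."""
    for fiber, core, optic, reach in OPTIONS:
        if distance_m <= reach:
            return fiber, core, optic
    return None  # beyond anything in the post's table


def check_link(distance_m, fiber, core_um, optic, mode_conditioning=False):
    """Validate one planned link; returns {'ok': bool, 'notes': [...]}."""
    notes = []
    core = float(core_um)
    if fiber == "multimode" and optic == "LX":
        # LX over multimode only works with a mode-conditioning cable.
        if not mode_conditioning:
            return {"ok": False,
                    "notes": ["LX over multimode needs a mode-conditioning cable"]}
        notes.append("LX over multimode with mode-conditioning cable; "
                     "reach is not in the post's table, check the optic datasheet")
        return {"ok": True, "notes": notes}
    if optic == "LH":
        notes.append("LH is a proprietary 1550nm optic, not a standard")
    reach = MAX_REACH_M.get((fiber, core, optic))
    if reach is None:
        return {"ok": False,
                "notes": [f"no such combination: {fiber} {core:g}-micron with {optic}"]}
    if distance_m > reach:
        notes.append(f"{distance_m}m exceeds the {reach}m reach of {optic} "
                     f"over {core:g}-micron {fiber}")
        return {"ok": False, "notes": notes}
    return {"ok": True, "notes": notes}


def order_spec(length_m, core_um, fiber, end_a, end_b, duplex=True):
    """Order line in the post's format, e.g.
    'Fiber jumper, 2 meters, duplex, 62.5-micron multimode, LC to SC'."""
    kind = "duplex" if duplex else "simplex"
    return f"Fiber jumper, {length_m} meters, {kind}, {core_um:g}-micron {fiber}, {end_a} to {end_b}"


if __name__ == "__main__":
    # Constructed sample links, not from the post.
    for dist in (150, 300, 2000, 30_000, 100_000):
        print(f"{dist} m -> {pick_fiber(dist)}")
    print(check_link(300, "multimode", 62.5, "SX"))
    print(check_link(100, "multimode", 50, "LX"))
    print(check_link(100, "multimode", 50, "LX", mode_conditioning=True))
    print(order_spec(2, 62.5, "multimode", "LC", "SC"))
```

Feed it the links from a site survey and it tells you which runs are out of spec for the core size you found, and which jumpers to ask for.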

[Images: LC, SC and ST duplex fiber connectors]

These are the best images I found to demonstrate the shapes and orientation of the various duplex fiber connectors we talked about. You can find these images and descriptions at Cables To Go.


Wowzers, I said this was going to be a short one. In fact, this post was originally titled “Fiber: A Very Brief Review of Cables & Connectors” but I had to rename it ;) Oh well- now you have all the information in one place for future reference.

# # #

What is 802.1X? Here’s a Technology Primer for You
Last Updated on Saturday, 28 January 2012 07:05
Written by JJ
Wednesday, April 2nd, 2008

I run into two fundamental problems when I start to talk to customers or audiences about Network Access Control and its related standards and protocols. What are they? Number 1, most folks have no clue what 802.1X actually is. Number 2, for the most part, they don’t really understand what NAC is either. (more…)

NAC’s Polymorphic Paradigm
Last Updated on Saturday, 28 January 2012 07:06
Written by JJ
Thursday, March 27th, 2008

The recent post on ‘What’s holding back NAC’ elicited some great replies, both public and private. One comment, from Todd over at Napera brought up a great point regarding the ‘origins’ of NAC as we know it.

While all the innovative start-ups were working steadily on a new generation of security solutions, a majority of the industry’s big dogs jumped on the NACwagon, riding the buzzwords by simply re-branding a current technology as NAC. (more…)
