Wednesday, February 2, 2011

Madren Conference Center, Meeting Room III
Clemson University
Clemson, SC

IP Cameras and Video Networking

  • Place devices on a separate network?
  • Using QoS?
  • Short term storage in building and permanent archive centrally
  • If network disruptions, store locally
  • Private IP addresses in a private VRF
  • Viewing workstations dual homed
  • Cameras for safety, not security
  • Once recording, keep it for how long?
  • Archive for how long?
  • What about a freedom of information request?
  • Cameras use PoE
  • Video conferencing on:
    • Telepresence on VoIP LAN
    • VRF
    • a LAN
    • Video Conferencing VLAN
  • New Tandberg can do 802.1X
  • Firewall performance issues
    • avoid firewall
    • H.460 firewall traversal (tunnel around the firewall)
  • Capture lecture audio/video
  • Echo360, Video Furnace
  • Multicast?
  • DIRECTV IP-Advantage (MFH3)
  • Campus televideo

IPv6 Server Security

  • How to get your top level web on IPv6 but not defaced
  • Proxy it
  • Dual stacked, just check the IPv4 side?
  • F5 Global server load balancing (GSLB)
  • Security office wants to disable IPv6 on server
  • I2 workshop on IPv6 at Layer 4 and above (server/DNS/www/security/desktop)
  • Have local 6to4 and Teredo gateways
  • Tracking IPv6 address on a switch port
    • privacy addresses
    • Scrape neighbor table
    • enforce SLAAC on a port
  • DHCPv6
  • DHCPv6 helper?
  • SRX / ASA / FWSM
  • BlueCat / Infoblox
  • RA Guard or filter RA on switch port
  • Eliminate firewalls with ACLs on routers?
  • TCAMs
  • IDS inline
  • Snort
  • QRadar
  • ISS
  • Taps to IDS boxen
  • Juniper STRM
  • FireEye
  • Bot detection
  • Firewall
  • Host patching is more effective than cleaning the network
  • Barracuda Load Balancer with IPS
  • Web filter proxying system
  • IPv6 black hole route injection
  • Protections from IPv6
    • privacy addresses and ACLs
    • security office wants DHCPv6
    • Don't just port IPv4 tools to IPv6
  • DHCP snooping and dynamic arp inspection
  • MAC authentication
    • VLAN placement based on MAC
    • registration VLAN
  • If users fail 802.1X, fail back to captive portal
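
Worked example for the "tracking IPv6 address on a switch port" thread above (scrape the neighbor table, privacy addresses). This is an added illustration, not anything shown at the meeting: it joins a Cisco-style "show ipv6 neighbors" cache with the MAC address table to get address -> MAC -> port, and labels each address as link-local, SLAAC/EUI-64 (derivable from the MAC), static, or privacy/temporary (random interface ID, so it changes and cannot be pinned in an ACL). Both sample outputs are constructed and the addresses, MACs and port names are placeholders.

```python
import ipaddress
import re

# Constructed sample in the shape of Cisco IOS "show ipv6 neighbors" (not a real capture).
NEIGHBORS = """\
IPv6 Address                              Age Link-layer Addr State Interface
2001:DB8:1:10::1                            2 0012.3456.789a  REACH Vl10
FE80::212:34FF:FE56:789A                    0 0012.3456.789a  STALE Vl10
2001:DB8:1:10:212:34FF:FE56:789A            3 0012.3456.789a  STALE Vl10
2001:DB8:1:10:8D3A:9C2B:1E4F:5A6D           1 00aa.bbcc.ddee  REACH Vl10
2001:DB8:1:10:3C71:E2A0:B4F9:0D12           5 00aa.bbcc.ddee  STALE Vl10
"""

# Constructed sample in the shape of "show mac address-table".
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0012.3456.789a    DYNAMIC     Gi1/0/5
  10    00aa.bbcc.ddee    DYNAMIC     Gi1/0/7
"""

CISCO_MAC = r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}"
NEIGHBOR_RE = re.compile(
    r"^(?P<addr>[0-9A-Fa-f:]+)\s+(?P<age>\d+|-)\s+(?P<mac>" + CISCO_MAC + r")\s+"
    r"(?P<state>\S+)\s+(?P<intf>\S+)\s*$")
MAC_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>" + CISCO_MAC + r")\s+\S+\s+(?P<port>\S+)\s*$")

def norm_mac(mac):
    """Cisco dotted form 0012.3456.789a (or colon form) -> 6 raw bytes."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError("bad MAC: %r" % mac)
    return bytes.fromhex(hexdigits)

def eui64_iid(mac):
    """Modified EUI-64 interface identifier that SLAAC derives from a MAC (RFC 4291 App. A)."""
    b = bytearray(norm_mac(mac))
    b[0] ^= 0x02                      # flip the universal/local bit
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])

def classify(addr, mac):
    """Heuristic label for how an address was probably assigned."""
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:
        return "link-local"
    iid = a.packed[8:]
    if iid == eui64_iid(mac):
        return "eui64"          # stable, derived from the MAC
    if iid[:6] == b"\x00" * 6:
        return "static"         # tiny IID such as ::1, almost certainly hand-assigned
    return "privacy"            # random IID: RFC 4941 temporary address (or DHCPv6)

def parse_neighbors(text):
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line)
        if m:
            yield m.group("addr"), m.group("mac"), m.group("intf")

def parse_mac_table(text):
    ports = {}
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            ports[norm_mac(m.group("mac"))] = m.group("port")
    return ports

def track(neighbors_text, mac_table_text):
    """Join the ND cache with the MAC table: canonical address -> mac, port, kind."""
    ports = parse_mac_table(mac_table_text)
    out = {}
    for addr, mac, intf in parse_neighbors(neighbors_text):
        key = str(ipaddress.IPv6Address(addr))     # compressed lower-case form
        macb = norm_mac(mac)
        out[key] = {
            "mac": ":".join("%02x" % x for x in macb),
            "port": ports.get(macb, "unknown"),
            "vlan_intf": intf,
            "kind": classify(addr, mac),
        }
    return out

def addresses_on_port(tracked, port):
    """Every address seen behind one switch port; shows the fan-out privacy addresses cause."""
    return sorted(a for a, info in tracked.items() if info["port"] == port)

if __name__ == "__main__":
    t = track(NEIGHBORS, MAC_TABLE)
    for addr, info in sorted(t.items()):
        print("%-40s %s %-8s %s" % (addr, info["mac"], info["port"], info["kind"]))
```

The "privacy" label is the one to watch: a host on Gi1/0/7 shows two global addresses with random interface IDs in one scrape, and it will have different ones tomorrow, which is why an ACL keyed on the address is useless there and why the security office pushes for DHCPv6 (or a stable MAC-to-port record like this one) instead.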

OTP

  • Enterprise level stuff
  • Bastion host for network administration
  • Gold vs Silver on token
  • RSA vs Aladdin
  • TACACS+
  • RADIUS
  • Groups to control which users can administrate what devices
  • Command accounting
  • Placating auditors
  • Change management
    • RANCID
    • templates
    • RAT
    • home-grown Perl scripts
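
Worked example for the change management / "placating auditors" items above (RANCID, home-grown scripts). This is an added illustration, not a script anyone at the meeting showed: it diffs two router configs the way RANCID does (dropping the "Last configuration change" churn first) and tags each added or removed line, so the AAA, local-account, SNMP, ACL and VTY changes come out on top of the report instead of being buried among description edits. Both configs are constructed and the hostnames, addresses and secrets are placeholders.

```python
import difflib
import re

# Constructed "before" config (placeholder names and secrets, not from a real device).
OLD_CFG = """\
! Last configuration change at 10:02:11 EST Wed Feb 2 2011 by netadmin
hostname core-rtr-1
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
username netadmin privilege 15 secret 5 $1$placeholder
snmp-server community monitoring RO
ip access-list extended MGMT-IN
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 deny ip any any log
interface GigabitEthernet1/1
 description uplink to border
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
"""

# Constructed "after" config: accounting dropped, extra account, SNMP RW, wider ACL.
NEW_CFG = """\
! Last configuration change at 14:37:52 EST Wed Feb 2 2011 by netadmin
hostname core-rtr-1
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
username netadmin privilege 15 secret 5 $1$placeholder
username support privilege 15 secret 5 $1$placeholder2
snmp-server community monitoring RW
ip access-list extended MGMT-IN
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit tcp any any eq 22
 deny ip any any log
interface GigabitEthernet1/1
 description uplink to border (moved to port 12)
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
"""

# Lines RANCID-style tooling strips before diffing because they churn without meaning.
NOISE = re.compile(r"^! (Last configuration change|NVRAM config last updated)|^ntp clock-period")

# Patterns whose addition or removal an auditor will ask about; first match wins.
RULES = [
    ("AAA", re.compile(r"^aaa ")),
    ("AAA server", re.compile(r"^(tacacs|radius)[- ]server")),
    ("local account", re.compile(r"^username ")),
    ("enable secret", re.compile(r"^enable (secret|password)")),
    ("SNMP community", re.compile(r"^snmp-server community")),
    ("ACL", re.compile(r"^(ip |ipv6 )?access-list|^\s+(permit|deny) ")),
    ("VTY access", re.compile(r"^\s+(access-class|transport input)")),
]

def clean(cfg):
    return [l.rstrip() for l in cfg.splitlines() if not NOISE.match(l)]

def classify(line):
    for label, pat in RULES:
        if pat.match(line):
            return label
    return None

def audit(old_cfg, new_cfg):
    """Diff two configs; each changed line gets a category, security-relevant ones first."""
    findings = []
    diff = difflib.unified_diff(clean(old_cfg), clean(new_cfg), lineterm="", n=0)
    for d in diff:
        if d.startswith(("---", "+++", "@@")):
            continue                       # unified-diff headers, not config lines
        op, line = d[0], d[1:]
        label = classify(line)
        findings.append({
            "change": "added" if op == "+" else "removed",
            "line": line,
            "category": label or "other",
            "severity": "high" if label else "info",
        })
    findings.sort(key=lambda f: f["severity"] != "high")   # stable: high first
    return findings

if __name__ == "__main__":
    for f in audit(OLD_CFG, NEW_CFG):
        print("%-4s %-15s %-7s %s" % (f["severity"], f["category"], f["change"], f["line"]))
```

The removed "aaa accounting commands" line is the one that matters most for the command-accounting discussion: once it is gone, the TACACS+ server stops seeing what privilege-15 users type, and nothing else on the router will tell you.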

Thursday, February 3, 2011

Peer to Peer

  • Abandoning Packeteer
  • Anagran
  • Use Packeteer to find DDoS
  • What do you use when DDoSed?
    • inMon and alarms
    • QRadar
    • Red Lambda
  • Education not technology
  • Warn user when detected
  • BAYU - be aware what you're uploading
  • Passively monitor, if detected email user
  • Sandvine and Procera
  • Packeteer not as good since Blue Coat acquisition
  • Taps on outbound traffic
  • OC3mon and argus
  • Statseeker
  • Traffic Sentinel
  • Firewalls notice more quickly
  • Don't notice, just absorb attacks
  • NetFlow and flow-tools
  • Border router rolls over under DDoS; when detected, mitigate
  • Juniper policers, rate limit the flows
  • Cisco: put traffic in a scavenger class
  • Control plane policing on core Cisco routers
  • Comcast uses Sandvine for PowerBoost
  • What about research traffic?
  • Not shaping from campus to R&E networks
  • Tippingpoint to block P2P
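
Worked example for the "NetFlow and flow-tools" / "border router rolls over under DDoS, when detected mitigate" items above and for the "IPv6 black hole route injection" item in the IPv6 session. This is an added illustration, not a tool shown at the meeting: it aggregates one export interval of flow records per destination, flags destinations whose inbound packet rate and source fan-out both cross a threshold, and emits the IOS null routes a remotely triggered black hole would push for the victim (IPv4 and IPv6). The flow records are constructed with documentation prefixes; the thresholds are made up for the sample and need tuning against real baselines.

```python
import ipaddress
from collections import defaultdict

WINDOW_SECONDS = 60   # length of one flow export interval in the constructed sample

def sample_flows():
    """Constructed flow records (src, dst, proto, packets) for one 60 s interval. Not real traffic."""
    flows = []
    # Ordinary web traffic to a campus server: a few clients, modest packet counts.
    for i in range(1, 6):
        flows.append(("198.51.100.%d" % i, "192.0.2.10", 6, 300))
    # UDP flood against an IPv4 host: 50 spoofed sources, 2000 packets each.
    for i in range(1, 51):
        flows.append(("203.0.113.%d" % i, "192.0.2.80", 17, 2000))
    # The same pattern against an IPv6 host: 30 sources, 3000 packets each.
    for i in range(1, 31):
        flows.append(("2001:db8:ffff::%x" % i, "2001:db8:1:10::80", 17, 3000))
    return flows

def detect(flows, window=WINDOW_SECONDS, pps_threshold=1000, min_sources=20):
    """Per-destination stats for destinations whose packet rate AND source fan-out exceed
    the thresholds: a crude volumetric-DDoS signature that ignores busy single-source servers."""
    packets = defaultdict(int)
    sources = defaultdict(set)
    for src, dst, proto, pkts in flows:
        packets[dst] += pkts
        sources[dst].add(src)
    hits = []
    for dst, total in packets.items():
        pps = total / window
        if pps >= pps_threshold and len(sources[dst]) >= min_sources:
            hits.append({"dst": dst, "pps": round(pps), "sources": len(sources[dst])})
    return sorted(hits, key=lambda h: h["pps"], reverse=True)

def blackhole_commands(dst):
    """IOS static null route for one victim host, the RTBH style of mitigation.
    This sacrifices the victim to keep the border router up; a policer or scavenger
    class is the less blunt alternative when the box can still forward."""
    addr = ipaddress.ip_address(dst)
    if addr.version == 4:
        return ["ip route %s 255.255.255.255 Null0" % addr]
    return ["ipv6 route %s/128 Null0" % addr]

def mitigation_plan(flows, **thresholds):
    """Detected victims paired with the commands an operator (or script) would push."""
    return [(h["dst"], blackhole_commands(h["dst"])) for h in detect(flows, **thresholds)]

if __name__ == "__main__":
    for dst, cmds in mitigation_plan(sample_flows()):
        print(dst, "->", "; ".join(cmds))
```

The fan-out test is what keeps a legitimately busy server (one client, many packets) out of the list; the rate test is what keeps a port scan (many sources, few packets) out. Push the null route from a script only once you trust both thresholds, since a false positive here is itself a denial of service.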

MPLS

  • PE device in building
  • Just in the core
  • Cisco 6524
  • Juniper MX80
  • VRF on a single router
  • VRF lite or MPLS

Subnet sizing

  • /21 for wireless
  • 100 to 150 hosts per subnet

Data Center

  • Trill
  • LISP
  • L2 focus
  • vMotion
  • GSLB
  • Opti-man fiber circuit

Measurement

  • PerfSonar
  • iperf
  • Cisco IP SLA
  • Smokeping, multicast beacon

VoIP e911 Location Granularity

  • Building
  • 50 foot radius
  • Floor of building
  • Building, room, floor
  • Records of phone jack to location
  • Limit access to closets to prevent users moving devices
  • If port not used in six months recover port, reuse port in one year

WiMax

  • Leased spectrum
  • Carrier hotel for out of band management
  • CLEAR, Sprint

DAS

  • Sprint/Nextel and 800 MHz public safety in deep tunnels
  • Leaky coax in the tunnels
  • Verizon/AT&T

OpenFlow

  • NAC in the future
  • Replacement for Gigamon boxes; stripe flows across Snort and similar boxes
  • Arista switch - 10G
  • Standards-based solution
  • How soon for production?
  • IF-MAP?

Self Service

  • VLAN port assignment
  • Query port status
  • No packet capture

IPv6 Reverse DNS

  • Static addresses no problem
  • Wild card domain reverse?
  • Must be static if want reverse?
  • Fill DNS cache if someone walks it
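
Worked example for the IPv6 reverse DNS items above (wildcard-style reverse, static-only PTRs, zone walking). This is an added illustration, not something presented at the meeting: instead of storing a PTR per address, it converts an ip6.arpa query name back into an address and synthesizes a hostname on the fly for anything inside the zone, with a matching forward function so the generated name resolves back. The zone prefix and domain are placeholders.

```python
import ipaddress

# Placeholder zone for the example: the /64 we answer for and the suffix of generated names.
ZONE_PREFIX = ipaddress.IPv6Network("2001:db8:1:10::/64")
DOMAIN = "dyn.example.edu"

def ptr_name(addr):
    """Address -> the 32-nibble reversed name a PTR query for it carries."""
    return ipaddress.IPv6Address(addr).reverse_pointer

def addr_from_ptr(qname):
    """The inverse: parse an ip6.arpa query name back into an address (strict on shape)."""
    name = qname.lower().rstrip(".")
    suffix = ".ip6.arpa"
    if not name.endswith(suffix):
        raise ValueError("not an ip6.arpa name: %r" % qname)
    nibbles = name[:-len(suffix)].split(".")
    if len(nibbles) != 32 or any(len(n) != 1 or n not in "0123456789abcdef" for n in nibbles):
        raise ValueError("malformed ip6.arpa name: %r" % qname)
    return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))

def synthesize_ptr(qname, zone=ZONE_PREFIX, domain=DOMAIN):
    """Answer a PTR query for any address inside the zone without storing a record.
    Returns None (NXDOMAIN) for malformed names and addresses outside the zone."""
    try:
        addr = addr_from_ptr(qname)
    except ValueError:
        return None
    if addr not in zone:
        return None
    # Exploded form keeps every nibble, so the name maps back to exactly one address.
    return addr.exploded.replace(":", "-") + "." + domain

def addr_from_hostname(hostname, domain=DOMAIN):
    """Forward direction for the generated names, so forward and reverse stay consistent."""
    suffix = "." + domain
    if not hostname.endswith(suffix):
        return None
    try:
        return ipaddress.IPv6Address(hostname[:-len(suffix)].replace("-", ":"))
    except ValueError:
        return None

if __name__ == "__main__":
    q = ptr_name("2001:db8:1:10:8d3a:9c2b:1e4f:5a6d")
    print(q)
    print(synthesize_ptr(q))
    print(addr_from_hostname(synthesize_ptr(q)))
```

Because every one of the 2^64 names in the zone now has an answer, someone walking it gets one synthesized record per query; serve these with a short TTL so the walker fills resolver caches with entries that age out quickly rather than with millions of long-lived junk records. Static hosts keep their real PTRs in front of the synthesized ones.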

RADIUS Certificate Expiration

  • Use a four year certificate to minimize the issue
  • Use a three year InCommon Comodo certificate
  • Build an .exe and instruction sheet?
  • idEngines?
  • Cloudpath?
  • AD policy push?

Cisco Catalyst 6509

  • Tune buffers and hold queues
  • SVI interfaces - traffic is bumped to supervisor
  • Remember, dropping some packets is a good thing; TCP congestion control cannot work without it

Wireless

  • Access points under auditorium seats
  • People make good attenuators
  • Turn off low data rates, 11 Mbps and below
    • In high density areas, turn off 5.5 Mbps and below
    • System wide, turn off 1 and 2 Mbps
    • But! Nintendo DS only does 1 or 2 Mbps

Game Consoles

  • Look the other way when users put own wireless in dorm room
  • Register consoles separately
  • PPPoE?
  • UPnP?
  • MAC OUI - DHCP differently
  • DHCP client identifier
  • No labels