=================
PKI Server Infrastructure on IOS and IOS-XE
=================
------------------------
::Confirmed working OK::
Version 15.2(4)M1
Version 15.5(2)T
Also works ok on C180x and C1861
15.1(4)M12a
------------------------
-- tested first on the version below >> not supporting CA server command
::Not Working::
Cisco IOS XE Software, Version 03.12.03.S - Standard Support Release
Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(2)S3, RELEASE SOFTWARE (fc2)
------------------------
-- on CSR1000v the minimum version where PKI Server is supported
minimum IOS XE version supported:
3.16 (Denali)
------------------------
Friday, November 29, 2019
Thursday, November 28, 2019
Communication
Local forces armed with new technologies, including mobile devices that tap into
cellphone data in real time, dozens of local and state police agencies
are capturing information about thousands of cellphone users at a time,
whether they are targets of an investigation or not, according to public
records obtained by USA TODAY and Gannett newspapers and TV stations.
The records, from more than 125 police agencies in 33 states, reveal:
About one in four law-enforcement agencies have used a tactic known as a "tower dump," which gives police data about the identity, activity and location of any phone that connects to the targeted cellphone towers over a set span of time, usually an hour or two. A typical dump covers multiple towers, and wireless providers, and can net information from thousands of phones.
The records, from more than 125 police agencies in 33 states, reveal:
About one in four law-enforcement agencies have used a tactic known as a "tower dump," which gives police data about the identity, activity and location of any phone that connects to the targeted cellphone towers over a set span of time, usually an hour or two. A typical dump covers multiple towers, and wireless providers, and can net information from thousands of phones.
-----------------------------------------------------------------------------------------------------
The release pointed out that in 2012 alone AT&T and T-Mobile
documented over 600,000 requests for customer information made by local,
state and federal law enforcement.
The nation’s major cellphone carriers made the numbers available in response to an inquiry from Sen. Edward Markey (D-Mass.).
Verizon, in its response to Sen. Markey’s request, said that police requests for customers’ call records have approximately doubled over the last five years. The ACLU notes that often no warrant is required to compel cellphone carriers to turn over their customers’ information to police.
Christopher Calabrese, legislative counsel at the ACLU’s Washington Legislative Office said in a statement that there is no doubt that law enforcement sees mobile devices as the go-to source for information, likely in part because of the lack of privacy protections afforded by the law.
"Our mobile devices quite literally store our most intimate thoughts as well as the details of our personal lives," Calabrese wrote. "The idea that police can obtain such a rich treasure trove of data about any one of us without appropriate judicial oversight should send shivers down our spines."
The ACLU also notes that the carrier responses to Sen. Markey’s office also show that law enforcement conducts real-time surveillance of targets' web browsing habits.
According to AT&T’s letter, the company allows law enforcement to do real time web browsing surveillance. Police are also requesting "tower dumps," whereby cellphone companies give law enforcement the records of all cellphone users who have connected to a particular cellphone tower in a given time range.
The news comes as even more details surface about the NSA's extensive digital surveillance programs. Just last week, the Washington Post published a report that showed the NSA records and stores global cell phone location data.
In a letter to U.S. President Barack Obama, major tech companies in the United States are asking for a reform of government data collection practices.
"The balance in many countries has tipped too far in favor of the state and away from the rights of the individual — rights that are enshrined in our Constitution," the letter said. "This undermines the freedoms we all cherish. It's time for a change."
The nation’s major cellphone carriers made the numbers available in response to an inquiry from Sen. Edward Markey (D-Mass.).
Verizon, in its response to Sen. Markey’s request, said that police requests for customers’ call records have approximately doubled over the last five years. The ACLU notes that often no warrant is required to compel cellphone carriers to turn over their customers’ information to police.
Christopher Calabrese, legislative counsel at the ACLU’s Washington Legislative Office said in a statement that there is no doubt that law enforcement sees mobile devices as the go-to source for information, likely in part because of the lack of privacy protections afforded by the law.
"Our mobile devices quite literally store our most intimate thoughts as well as the details of our personal lives," Calabrese wrote. "The idea that police can obtain such a rich treasure trove of data about any one of us without appropriate judicial oversight should send shivers down our spines."
The ACLU also notes that the carrier responses to Sen. Markey’s office also show that law enforcement conducts real-time surveillance of targets' web browsing habits.
According to AT&T’s letter, the company allows law enforcement to do real time web browsing surveillance. Police are also requesting "tower dumps," whereby cellphone companies give law enforcement the records of all cellphone users who have connected to a particular cellphone tower in a given time range.
The news comes as even more details surface about the NSA's extensive digital surveillance programs. Just last week, the Washington Post published a report that showed the NSA records and stores global cell phone location data.
In a letter to U.S. President Barack Obama, major tech companies in the United States are asking for a reform of government data collection practices.
"The balance in many countries has tipped too far in favor of the state and away from the rights of the individual — rights that are enshrined in our Constitution," the letter said. "This undermines the freedoms we all cherish. It's time for a change."
Software Defined Networking | SD-WAN with Fortinet
Why SD-WAN?
Traditionally, network sensitive applications were typically handled through the use of Multi-Protocol Label Switching (MPLS) networks. These are dedicated links provided by a telecommunications company that had well defined Service Level Agreements (SLAs) by the provider to ensure the business that the network would meet a certain threshold when it comes to network characteristics such as latency and jitter. These types of circuits are known to be very expensive but were used by businesses because there were really no better ways to guarantee network performance.To get an understanding of why there is a huge shift to adopt SD-WAN, let’s identify some of the issues that plague this legacy paradigm:
Multi-Protocol Switching Label (MPLS) WAN links are expensive
Doing a quick search in Google, I discovered a PDF that lists costs for Verizon MPLS ports. According to this document, a 30 Mbps bandwidth port will cost the business $656.24 per month! Compare this with commodity business class Internet (Verizon Fios) that supports 150 Mbps bandwidth for $79.99 per month! Looking at the difference in price, can theoretically get 8 Fios circuits for the price of one MPLS circuit.
Intelligent Failover Requirements
The increased usage of latency/jitter sensitive applications (such as video conferencing and VoIP) that are less tolerant to sub-optimal network conditions, require a solution that is able to monitor the network beyond the standard link up/down and probe (ping) response. Also, networks need sub-second network convergence when a link does fail or show conditions that are not conducive to support the requirements for a network application.
MPLS WAN links are slower to provision than commodity circuits
A quick search in Google shows that on average, MPLS provisioning can take upwards to 60 days, and that is in the US. In other countries, it could take upwards to 120 days depending on the infrastructure and capabilities of the provider in those environments. However, many commodity circuits can be provisioned within a week and in some cases, the same day the circuit is ordered (i.e. dealing with wireless providers). This greatly shortens the amount of time needed to make an office operational with connectivity back to headquarters or the cloud.
Better control (security/path selection) over different traffic types
Traditional path control relies on using normal network based path control based on the network address where the destination network resides. In more intelligent platforms, the layer four (port) information of the protocol could be leveraged as well.
However, in cloud connected environments where multiple applications may be hosted in the same network address space on the same port (think web applications), this does not allow granular control with routing. SD-WAN solutions address this by using deep packet inspection to identify the application of the packet and use that criteria to define policy to route the traffic.
In addition to that, SD-WAN solutions have capabilities to help control Quality of Service (QoS) by giving order and precedence to certain traffic in case of link congestion.
SD-WAN Requirements
In order to take advantage of SD-WAN capabilities, there are a certain level of requirements that must be met by the environment SD-WAN will be deployed in.SD-WAN Requires Multiple Circuits for Connectivity
SD-WAN overcomes the lack of SLA by commodity circuits by spreading the risk over multiple circuits at the same time. The thought process is that a virtual circuit bundle comprised of multiple circuits will meet a defined SLA within in a certain time period, given that one or more circuits will meet the SLA requirements of the network applications utilizing that virtual circuit bundle.
SD-WAN Requires an Overlay Network
One of the consequences with leveraging many disparate internet circuits is that there is no control over the paths those circuits take to get to a common network. To accommodate for this, most SD-WAN solutions require an overlay network to route packets over to ensure a common topology for routing between networks. Creating this overlay network gives the SD-WAN administrator more control to provide a predictable path (built on top of the underlay network) for routing packets between two locations. This overlay network is commonly built with some type of tunneling/encapsulating protocol such as IPSec.
Secure SD-WAN with Fortinet
SD-WAN solutions typically provide a standard feature set comprised of:- Network measurement (through active or passive probing)
- Intelligent path control to route traffic based on network characteristics like latency, jitter and packet loss
- Forward Error Correction (FEC) for adding reliability to data transmission
- Application awareness via Deep Packet Inspection (DPI) of network streams
- Low (Zero) Touch Deployment and orchestration of SD-WAN solutions.
Source Based SD-WAN
The FortiGate does not need an overlay controller to provide the intelligent path control within its SD-WAN configuration. All decisions regarding the SD-WAN is made from the source of the traffic thus allowing the SD-WAN to be decentralized and not necessarily requiring a complete vendor lock-in to utilize the SD-WAN feature.This is specifically useful when performing load balancing of WAN connections from disparate ISPs. These load balancing methods can support a variety of methods to distribute load across multiple WAN circuits.
Enterprise Security Features
The FortiGate’s pedigree of being a NGFW gives it a distinct capability of supporting common enterprise grade security features. These features consist of the following:- Anti-Virus
- Intrusion Prevention
- Content Filtering
- Application Control
- Cloud-Application Inspection
- User Identity via Single-Sign On
- DNS Inspection
- Web Application Firewall
Dedicated Hardware for Overlay Network
The FortiGate has purpose built hardware that is used to accelerate throughput associated with IPSec VPN (commonly used for the overlay network). This allows for high throughput application with minimal delay (latency) with network applications that are sensitive to the sub-optimal conditions. Due to this, lower end FortiGates can be leveraged in remote locations providing a cost effective solution to enable highly capable solutions.This initial post serves are an overview of SD-WAN as well as a means to annotate the capabilities associated with the Fortinet SD-WAN solution. Subsequent posts will detail the configurations associated with this solution as well as provide demonstrations of the solution in action.
Subscribe to:
Posts (Atom)