Podcasts about VLANs

  • 67 podcasts
  • 122 episodes
  • 41m average duration
  • 1 new episode monthly
  • Latest: Apr 14, 2025




Latest podcast episodes about VLANs

Telecom Reseller
Out of the Box and Into Zero Trust: Nile Delivers Built-In Security for Campus Networks, Podcast

Apr 14, 2025


“We deliver Zero Trust out of the box—it's built in, not bolted on.” — Suresh Katukam, Chief Product Officer, Nile

While the cybersecurity conversation continues to focus on Zero Trust and Secure Service Edge (SSE), Nile is calling out what many have missed: the campus network. In a world where cloud-based remote work has advanced rapidly, on-premises security—especially across corporate and hybrid environments—has lagged behind. In a Technology Reseller News podcast recorded just after Enterprise Connect, Suresh Katukam outlined why even the most well-resourced companies struggle to achieve Zero Trust in their campus networks—and how Nile's “out-of-the-box” approach changes the game.

Campus Zero Trust: The Missing Link

“The same users who are secure at home become vulnerable in the office,” said Katukam. “That's because campus networks were built on implicit trust—just plugging into an Ethernet port gives you access. That's broken by design.” While cloud Zero Trust has made strides, most enterprise campuses still rely on legacy NAC solutions, VLANs, ACLs, and other outdated, complex layers of bolt-on security. Nile flips that model—offering Zero Trust campus security as a native feature of the network itself.

What “Out of the Box” Really Means

Nile's solution is pre-configured for Zero Trust from day one. Every user and device is authenticated and authorized continuously, not just at login. Micro-segmentation, behavioral analytics, and continuous risk scoring mean that even compromised credentials won't lead to lateral movement or ransomware spread. “We call it a segment of one,” said Katukam. “You can't see other users on the network. You can't move laterally. Ransomware can't propagate.” Administrators have full control through a simplified interface that supports policy toggling, real-time response, and behavioral-based reauthentication—without layering in extra management tools.

Security-Driven Network as a Service

Nile isn't just a security company—it's a networking company that rethinks how networks are built and managed. Delivered as a service, Nile offers high-performance, low-latency connectivity with embedded Zero Trust principles. “Even large enterprises with robust security teams are choosing Nile—because the security is integrated into the network itself,” Katukam explained. For example, one financial services customer consolidated three segmented networks (IT, OT, and guest) into a single secure fabric using Nile. Another prevented a physical intrusion from turning into a breach, thanks to the system's strict device authentication and visibility controls.

Universal Zero Trust: Bridging Campus and Cloud

Nile's model doesn't stop at the office door. The company advocates for Universal Zero Trust, connecting campus-level protections with cloud-based SSE providers. “Whether a user is on-site or remote, whether it's an IT or OT device, they should be protected the same way,” said Katukam. “That's Universal Zero Trust—unifying cloud and campus with seamless security.”

Learn More

To explore how Nile is reimagining networking and delivering built-in Zero Trust, visit NileSecure.com or reach out to Suresh directly at Suresh@NileSecure.com

#Nile #ZeroTrust #CampusSecurity #UniversalZeroTrust #OutOfTheBoxSecurity #NetworkSecurity #EnterpriseConnect2025 #SecureNetworking #NaaS #BehavioralAnalytics #Microsegmentation #Cybersecurity

AV SuperFriends
AV SuperFriends: Off the Rails - Gross Overdoing

Feb 26, 2025 | 83:44 | Transcription available


Recorded February 21, 2025

This week, we tackle the pressing issue of integrating PCs with AV gear on the same network, discussing the pros and cons of VLANs, and the legacy decisions that keep those separated. Marc introduces a thought-provoking exercise on prioritizing the capabilities of our learning spaces, and the panel debates the value of various technologies from interactive displays to lecture capture systems. As always, the conversation veers into the absurd, with plenty of laughs along the way. Plus, Jamie discusses a game-changing new product that could revolutionize how we connect AV devices to our networks.

AI-suggested alternate show titles:
  • The VLAN Conundrum
  • Power to the Devices
  • From the Classroom to the Cloud
  • AV Integration: The Good, The Bad, and The Ugly
  • Decoding AV Over IP
  • The $100 Learning Space Challenge
  • One VLAN to Rule Them All

Human alternate show titles:
  • The only way to update ‘em is to pull ‘em off a wall
  • Manufacturers on Blast
  • The Rooms Trend
  • Sometimes two, if you're a sociopath
  • Because Zoom said so
  • A think tank of individuals
  • The things that happen on my campus are not my decision
  • Larry's Mazlow's Hierarchy of Needs
  • I'm not super successful
  • We're not successful at it, but it's a need
  • Pull off the data
  • Actually it's more important
  • My accidental crap
  • Isolate the stupid traffic
  • I'm still blasting it everywhere

We stream live every Friday at about 3:30 PM Eastern/12:30 PM Pacific, and you can listen to everything we record over at AVSuperFriends.com

▀▄▀▄▀ CONTACT LINKS ▀▄▀▄▀
► Website: https://www.avsuperfriends.com
► Twitter: https://twitter.com/avsuperfriends
► LinkedIn: https://www.linkedin.com/company/avsuperfriends
► YouTube: https://www.youtube.com/@avsuperfriends
► Email: mailbag@avsuperfriends.com

Donate to AVSF: https://www.avsuperfriends.com/support

Packet Pushers - Full Podcast Feed
N4N003: What's a VLAN?

Nov 14, 2024 | 30:50


Today we explore Virtual Local Area Networks (VLANs). This topic was prompted by a question from college student Douglas. We’ll explain the fundamental concepts of VLANs, such as their role in segmenting and managing network traffic, and the technical details for implementation. We’ll also address key topics including VLAN tags, access and trunk ports, and...

2.5 Admins
2.5 Admins 215: Still no VLANs

Oct 3, 2024 | 30:03


Why cold storage is never as good as keeping your data warm and regularly tested, how the American air traffic control system became so outdated, and isolating your devices from a roommate's shenanigans.

Plug: Support us on Patreon and get an ad-free RSS feed with early episodes sometimes.

News/discussion: Music industry's 1990s hard […]

2.5 Admins
2.5 Admins 214: No VLANs

Sep 26, 2024 | 30:27


A proposed solution to the WHOIS TLS verification problem gets a surprising amount of pushback. Plus isolating IoT devices, our thoughts on Ubiquiti gear, setting up WiFi in a new house, remote access with WireGuard, and our mini PC recommendations.

Plug: Support us on Patreon and get an ad-free RSS feed with early episodes […]

Signal To Noise Podcast
267. Frank Padikkala Of Audinate Talks Dante

Sep 12, 2024 | 68:57 | Transcription available


Frank Padikkala of Audinate joins Sean and Andy in Episode 267 to talk about all things Dante. Frank is a senior technical sales engineer for Audinate, and brings his years of experience in IT/cybersecurity as well as AV integrations together to help clear up a bunch of common misunderstandings about Dante and AV networking in general. From IP addresses to managed versus unmanaged switches to VLANs and more, get ready to peel back the layers and learn how to make your audio networking life much easier and more reliable.

This episode is sponsored by Allen & Heath and RCF.

Episode Links:
  • Dante Training and Certification Resources
  • Best Practices for Managing Dante Devices
  • Dante Whitepaper Library
  • Episode 267 Transcript

Be sure to check out the Signal To Noise Facebook Group and Discord Server. Both are spaces for listeners to generate conversations around the people and topics covered in the podcast — we want your questions and comments!

Also please check out and support The Roadie Clinic. Their mission is simple: “We exist to empower & heal roadies and their families by providing resources & services tailored to the struggles of the touring lifestyle.”

The Signal To Noise Podcast on ProSoundWeb is co-hosted by pro audio veterans Andy Leviss and Sean Walker.

Want to be a part of the show? If you have a quick tip to share, or a question for the hosts, past or future guests, or listeners at home, we'd love to include it in a future episode. You can send it to us one of two ways:
1) If you want to send it in as text and have us read it, or record your own short audio file, send it to signal2noise@prosoundweb.com with the subject “Tips” or “Questions”
2) If you want a quick, easy way to do a short (90s or less) audio recording, go to https://www.speakpipe.com/S2N and leave us a voicemail there

Ask Noah Show
Ask Noah Show 398 | Netplan with Mauro Gaspari and Lukas Märdian

Jul 10, 2024 | 52:23


This week Mauro Gaspari and Lukas Märdian join us to give us a deep dive into using Netplan on an Ubuntu vHost. We give you a self-hosted way to track your car's maintenance, and a suite of tools to use if you work in production or in live performances!

-- During The Show --

00:40 Cosmic Desktop
  • Started with Elementary OS
  • External displays
  • Cosmic is a complete remake
  • Cosmic splits the difference
  • i3 shortcuts
  • Releasing this fall

07:30 3CX vs Asterisk - jisbetterthanj
  • 3CX 20 stamps out all open source clients
  • Have you opened Asterisk to the internet?
  • Write in about your open source VOIP experiences

10:18 Steve VPN
  • Split VPN issues
  • Guide followed (https://www.youtube.com/watch?v=ulRgecz0UsQ)

12:00 Vehicle Regulations
  • Legislation requiring things
  • Manufacturers making it harder to work on vehicles
  • Advanced drunk and impaired driving prevention technology
  • Automatic Shutoff Technology (HR 3684 Section 24205)
  • LubeLogger (https://lubelogger.com/)
  • LubeLogger YouTube Video (https://www.youtube.com/watch?v=Thqo_mm7iUQ)

19:51 News Wire
  • New Gnome Font - OMG Linux (https://www.omglinux.com/gnome-may-switch-to-inter-font/)
  • Firefox 128 - Mozilla (https://www.mozilla.org/en-US/firefox/128.0/releasenotes/)
  • Finnix 126 - Finnix (https://blog.finnix.org/2024/07/04/finnix-126-released/)
  • Cmake 3.30 - Cmake.org (https://cmake.org/cmake/help/latest/release/3.30.html)
  • GnuCash 5.8 - GnuCash (https://www.gnucash.org/news.phtml)
  • OpenSSH Vulnerability - Marc.info (https://marc.info/?l=oss-security&m=172045570013195&w=2)
  • Eldorado Ransomware - The Hacker News (https://thehackernews.com/2024/07/new-ransomware-as-service-eldorado.html)
  • Gogs Flaws - The Hacker News (https://thehackernews.com/2024/07/critical-vulnerabilities-disclosed-in.html)
  • Hot Plugging RAM - Tom's Hardware (https://www.tomshardware.com/pc-components/cpus/risc-v-chips-will-support-replacing-ram-sticks-without-powering-off-the-system-hot-plugging-functionality-arriving-in-newer-flavors-of-linux)
  • Monocle - Help Net Security (https://www.helpnetsecurity.com/2024/07/08/monocle-open-source-llm-binary-analysis-search/)
  • Multi-Token Prediction Models - Silicon Angle (https://siliconangle.com/2024/07/04/meta-open-sources-new-multi-token-prediction-language-models/)
  • RTX Remix Rest API - Tom's Hardware (https://www.tomshardware.com/pc-components/gpus/nvidia-rtx-remix-goes-open-source)

21:35 NetPlan
  • Mauro Gaspari
  • Lukas Märdian - NetPlan Maintainer
  • Bridging libvirt with NetPlan
  • Special thanks to Lukas Märdian, Danilo Egea Gondolfo, Robert Krátký
  • 3 Scenarios:
    • Single host, single NIC with bridge (https://netplan.readthedocs.io/en/latest/single-nic-vm-host/)
    • Single host, single NIC, with VLANs and bridges (https://netplan.readthedocs.io/en/latest/single-nic-vm-host-with-vlans/)
    • Single host, multiple NICs, with bonding, VLANs, and bridges (https://netplan.readthedocs.io/en/latest/multi-nic-vm-host-with-bonds-and-vlans/)
  • NetPlan: why it exists, what it is, where and how it is used
  • Canonical Open Documentation Academy (https://discourse.ubuntu.com/t/about-the-open-documentation-academy/39615)
  • You can contribute without knowing code or the command line

40:00 Stage Hacks
  • Stage Hacks.com (https://www.stagehacks.com/)
  • VDO Ninja (https://vdo.ninja/)
  • Tally Arbiter (http://tallyarbiter.com/)
  • OnTime (https://www.getontime.no/)
  • StageTimer.io (https://stagetimer.io/)
  • Dicaffine (https://dicaffeine.com/) - NDI streamer for Linux, HX and restreaming via RTMP, donations welcome
  • DeckRack - mounting hardware for Stream Decks
  • Docs site - exploring the network, sound reference, cabling and more
  • Production has unique technology challenges

-- The Extra Credit Section --

For links to the articles and material referenced in this week's episode check out this week's page from our podcast dashboard!
This Episode's Podcast Dashboard (http://podcast.asknoahshow.com/398)
Phone Systems for Ask Noah provided by Voxtelesys (http://www.voxtelesys.com/asknoah)
Join us in our dedicated chatroom #GeekLab:linuxdelta.com on Matrix (https://element.linuxdelta.com/#/room/#geeklab:linuxdelta.com)

-- Stay In Touch --

Find all the resources for this show on the Ask Noah Dashboard (http://www.asknoahshow.com)
Need more help than a radio show can offer? Altispeed provides commercial IT services and they're excited to offer you a great deal for listening to the Ask Noah Show. Call today and ask about the discount for listeners of the Ask Noah Show! Altispeed Technologies (http://www.altispeed.com/)
Contact Noah: live [at] asknoahshow.com

-- Twitter --
  • Noah - Kernellinux (https://twitter.com/kernellinux)
  • Ask Noah Show (https://twitter.com/asknoahshow)
  • Altispeed Technologies (https://twitter.com/altispeed)

Special Guests: Lukas Märdian and Mauro Gaspari.

CISSP Cyber Training Podcast - CISSP Training Program
CCT 151: CISSP Practice Questions - Unraveling Multi-Layer Protocols and Data Encapsulation (Domains 4.1.4 & 4.1.5)

Jun 20, 2024 | 22:38 | Transcription available


Ready to conquer the CISSP exam? This episode promises to arm you with crucial insights into the OSI model and its real-world applications. We kick things off by unraveling the intricacies of VPN tunnels and the pivotal role the data link layer plays in encapsulating data packets for secure internet travel. Next, you'll grasp how a significant Border Gateway Protocol (BGP) security breach zeroes in on the network layer. We then dissect the limitations of firewalls at the transport layer, ensuring you understand which types of traffic remain beyond their reach.

Switching gears, we tackle the security hurdles of converged networks and VLAN segmentation. Discover why adaptive security measures are essential in environments where voice and data traffic coexist and how misconfigurations can open doors to unauthorized access. We also highlight the havoc DDoS attacks wreak across multiple OSI layers and the vulnerabilities of VoIP over wireless LAN. By the end, you'll appreciate the necessity of detecting IP spoofing at the network layer and how VLANs bolster security through tailored policies and isolated broadcast domains. Join us as we not only aim to boost your CISSP readiness but also ignite your passion for a thriving career in cybersecurity.

Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and signing up to join the team for free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!

Secure Networks: Endace Packet Forensics Files
Episode 51: Eric Buchaus, Director of Sales at Niagara Networks

Dec 11, 2023 | 30:58


Are SPAN ports sufficient to provide network traffic visibility for high-quality security (NDR) and network (NPM) investigations? What about cloud workloads? What do you need to gain insights into cloud network activity?

In this episode of the Endace Packet Forensic Files, I talk with Eric Buchaus, Director of Sales at Niagara Networks. Eric outlines potential pitfalls and challenges associated with SPAN ports and highlights situations where they may fall short for network and security analysts.

Eric walks us through some alternative options, discussing the merits of network TAPs, network packet brokers, and in-line bypass solutions, which can offer NOC/SOC teams more reliable, efficient, and scalable ways to get network packet data to the right tools in large-scale and complex environments. He discusses some of the specific challenges of network visibility in cloud infrastructures and suggests some practical ways to overcome these obstacles.

Eric suggests things organizations should consider when exploring different packet brokers or TAP vendors and outlines the management and scrutiny that needs to be applied to encrypted traffic to achieve in-depth visibility securely.

Finally, Eric talks about how TAPs and packet brokers can help in dynamic SDN environments with high traffic volumes. He emphasizes why they are important for organizations looking to implement zero-trust infrastructures, particularly environments with many walled gardens and lots of VLANs for IOT/IOTM devices and technologies.

Self-Hosted
111: pfSense Makes no Sense

Dec 1, 2023 | 69:53


We break down the state of the pfSense changes and the red flags we see. Plus, we're joined by Wolfgang from Wolfgang's channel to dig into his homelab and much more. Special Guest: Wolfgang.

InfosecTrain
Implementing Ethernet Virtual LANs | Creating Multiswitch VLANs Using Trunking

Nov 14, 2023 | 100:59


Join us for a podcast on Ethernet Virtual LANs and Multiswitch VLANs! Are you eager to deepen your understanding of Ethernet Virtual LANs and Multiswitch VLANs? Want to learn how to create dynamic and efficient networks using trunking? Look no further! InfosecTrain presents a live event featuring ASHISH, an expert in the field, who will share invaluable insights and practical tips. Join us for a knowledge-packed event that can accelerate your career growth. Share this event with your network and invite your colleagues to join the conversation. Let's delve into the world of Ethernet Virtual LANs and Multiswitch VLANs together!

Cyber 9/11 with Dr. Eric Cole

In this episode of "Life of a CISO," hosted by Dr. Eric Cole, Dr. Cole discusses the concept of Zero Trust in cybersecurity. Zero Trust is all about minimizing access, controlling access, and information, focusing on designing and building environments that contain and control any potential breaches. Zero Trust involves segmentation at various levels to ensure that if any entity gets compromised, it can't impact any other entities. Dr. Cole emphasizes that embracing the reality of potential breaches is crucial and highlights the importance of both ultra segmentation and mega detection in implementing Zero Trust. He explains how implementing micro-level Zero Trust by running applications in separate virtual machines can significantly reduce the risk of ransomware. Additionally, he discusses the importance of isolating computers on separate VLANs and deploying internal firewalls for high-level segmentation. Monitoring and tracking data outbound is also a key aspect of Zero Trust. Dr. Cole urges cybersecurity professionals to focus not only on inbound prevention but also outbound detection. He challenges listeners to assess their environments and consider where they can apply Zero Trust principles to enhance security.

CISSP Cyber Training Podcast - CISSP Training Program
CCT 072: A Comprehensive Exploration of CISSP's Cloud Security (Domain 4.3)

Sep 18, 2023 | 41:44 | Transcription available


Eager to demystify the cloud environment and its cost-effectiveness compared to an on-premise setup? Well, gear up, because today, we're taking you on an enlightening journey through the world of cloud networking. We will be tackling everything from cloud security and its various models to the critical role of cloud security posture management (CSPM) in AWS deployment. So, whether you're a budding IT professional or an established one looking to enhance your CISSP knowledge and expertise, this episode has something for you.

Ever wondered how security groups, network ACLs, platform as a service, and software as a service work in tandem to uphold cloud security? Or perhaps you've been intrigued by the utilization of VLANs and traffic shaping for prioritization and quality of service. Well, curiosity ends here as we uncover these topics and more. And we'll also be spilling the beans on cloud access security brokers (CASBs), the pros of data loss prevention, tokenization, and the different types of cloud storage. Rest assured, by the end of the conversation, your understanding of cloud storage technologies and security will be second to none.

In the grand finale of the episode, we unravel the secrets of cloud connectivity and the costs associated with it. We'll enlighten you on the importance of service endpoints, routing tables, and DNS resolution. Plus, we'll share a real-world use case of a public service endpoint. And of course, we touch upon the role of CSPM in maintaining a secure AWS deployment. So, buckle up and get ready to be armed with the knowledge and expertise that can take your CISSP skills to the next level.

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and signing up to join the team for free.

Conf T with your SE
Ep 58 - Demystifying NaaS with Nile Secure

Sep 13, 2023 | 96:27


**Show Notes:**

In this episode, Bryan sits down with experts Austin Hawthorne and Michael Kowal from Nile to unpack the intriguing topic of networking as a service. Dive into the discussions that span from defining the technology to its market implications and challenges.

**Topics Covered:**

- Introduction to Networking as a Service:
  - Defined as tech always ready for business needs without complexities and costs.
  - Other definitions including broadband, outsourcing IT, and managed services.
- Market Expectations:
  - Influence of cloud adoption disrupting the market.
  - Need for alignment of spend based on business performance.
- Challenges:
  - For incumbent vendors to adjust due to tech debt, customer, and market demands.
  - Complexity of delivering network as-a-service compared to other as-a-service offerings.
- Speed Benefits:
  - Frequent software upgrades, faster fixes, and reduced failure radius.
- Network Deployment:
  - Standardizing approaches for predictive outcomes.
  - Secure networking involving zero trust and RADIUS.
- Automation & Configuration:
  - Addressing underlying complexities before introducing automation.
  - Reducing bugs through streamlined testing and the concept of a digital twin.
- Vendor Challenges:
  - Existing codebase sizes, feature support, and delay in fixes and new features.
  - Documenting profiles for new QS features and identifying bug dependencies.
- Security Aspects:
  - Approaches to network edge security.
  - Challenges between security and network teams.
  - The trade-off between risk, complexity, and cybersecurity insurance.
- Zero-Trust Principles:
  - Challenges with implementing dynamic ACLs, roles, and more.
  - Importance of encryption, authorization, and enforcement.
  - Limitations of traditional networking setups using VLANs.
- Firewalls:
  - Machine-to-machine traffic and security benefits.
  - Local switching and RADIUS and DHCP server roles.
- Network Access Control (NAC):
  - Definition and implementations.
  - SSO as a form of NAC and Zero Trust constructs for the network layer.
- Nile Network:
  - Payment models and Proof of Value (POV) offerings.
- Network Implementation & Automation:
  - Benefits of automation over manual approaches.
  - Introduction of soft bots and Nile service block.
- Closing Notes:
  - Visit the show's website, rate and review the episodes, and reach out with questions, comments, or suggestions.

---

**Links:**
- Nile Secure - www.nilesecure.com
- Join the Discord - discord.conft.show
- Driven - www.driven.tech

Thanks for tuning in to Conf T with your SE! If you found this episode informative and entertaining, please consider rating and reviewing our show on your favorite podcast platforms. Your support helps spread the word!

InfosecTrain
What is CCNA? | What is VLAN and Why it is Used? [Part 1]

Sep 4, 2023 | 72:00


Welcome to "Navigating Networks: A CCNA Journey"!

Screaming in the Cloud
Best Practices in AWS Certificate Manager with Jonathan Kozolchyk

Jul 6, 2023 | 39:50


Jonathan (Koz) Kozolchyk, General Manager for Certificate Services at AWS, joins Corey on Screaming in the Cloud to discuss the best practices he recommends around certificates. Jonathan walks through when and why he recommends private certs, and the use cases where he'd recommend longer or unusual expirations. Jonathan also highlights the importance of knowing who's using what cert and why he believes in separating expiration from rotation. Corey and Jonathan also discuss their love of smart home devices as well as their security concerns around them and how they hope these concerns are addressed moving forward. About JonathanJonathan is General Manager of Certificate Services for AWS, leading the engineering, operations, and product management of AWS certificate offerings including AWS Certificate Manager (ACM) AWS Private CA, Code Signing, and Encryption in transit. Jonathan is an experienced leader of software organizations, with a focus on high availability distributed systems and PKI. Starting as an intern, he has built his career at Amazon, and has led development teams within our Consumer and AWS businesses, spanning from Fulfillment Center Software, Identity Services, Customer Protection Systems and Cryptography. Jonathan is passionate about building high performing teams, and working together to create solutions for our customers. He holds a BS in Computer Science from University of Illinois, and multiple patents for his work inventing for customers. When not at work you'll find him with his wife and two kids or playing with hobbies that are hard to do well with limited upside, like roasting coffee.Links Referenced: AWS website: https://www.aws.com Email: mailto:koz@amazon.com Twitter: https://twitter.com/seakoz TranscriptAnnouncer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. 
This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.Corey: In the cloud, ideas turn into innovation at virtually limitless speed and scale. To secure innovation in the cloud, you need Runtime Insights to prioritize critical risks and stay ahead of unknown threats. What's Runtime Insights, you ask? Visit sysdig.com/screaming to learn more. That's S-Y-S-D-I-G.com/screaming.My thanks as well to Sysdig for sponsoring this ridiculous podcast.Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. As I record this, we are about a week and a half from re:Inforce in Anaheim, California. I am not attending, not out of any moral reason not to because I don't believe in cloud security or conferences that Amazon has that are named after subject lines, but rather because I am going to be officiating a wedding on the other side of the world because I am an ordained minister of the Church of There Is A Problem With This Website's Security Certificate. So today, my guest is going to be someone who's a contributor, in many ways, to that religion, Jonathan Kozolchyk—but, you know, we all call him Koz—is the general manager for Certificate Services at AWS. Koz, thank you for joining me.Koz: Happy to be here, Corey.Corey: So, one of the nice things about ACM historically—the managed service that handles certificates from AWS—is that for anything public-facing, it's free—which is always nice, you should not be doing upcharges for security—but you also don't let people have the private portion of the cert. You control all of the endpoints that terminate SSL. Whereas when I terminate SSL myself, it terminates on the floor because I've dropped things here and there, which means that suddenly the world of people exposing things they shouldn't or expiry concerns just largely seemed to melt away. 
What was the reason that Amazon looked around at the landscape and said, “Ah, we're going to launch our own certificate service, but bear with me here, we're not going to charge people money for it.” It seems a little bit out of character.Koz: Well, Amazon itself has been battling with certificates for years, long before even AWS was a thing, and we learned that you have to automate. And even that's not enough; you have to inspect and you have to audit, you need a controlled loop. And we learned that you need a closed loop to truly manage it and make sure that you don't have outages. And so, when we built ACM, we built it saying, we need to provide that same functionality to our customers, that certificates should not be the thing that makes them go out. Is that we need to keep them available and we need to minimize the sharp edges customers have to deal with.Corey: I somewhat recently caught some flack on one of the Twitter replacement social media sites for complaining about the user experience of expired SSL certs. Because on the one hand, if I go to my bank's website, and the response is that instead, the server is sneakyhackerman.com, it has the exact same alert and failure mode as, holy crap, this certificate reached its expiry period 20 minutes ago. And from my perspective, one of those is a lot more serious than the other. What also I wind up encountering is not just when I'm doing banking, but when I'm trying to read some random blog on how to solve a technical problem. I'm not exactly putting personal information into the thing. It feels like that was a missed opportunity, agree or disagree?Koz: Well, I wouldn't categorize it as a missed opportunity. I think one of the things you have to think about with security is you have to keep it simple so that everyone, whether they're a technologist or not, can abide by the rules and be safe. And so, it's much easier to say to somebody, “There's something wrong. Period. 
Stop.” versus saying there are degrees of wrongness. Now, that said, boy, do I wish we had originally built PKI and TLS such that you could submit multiple certificates to somebody, in a connection for example, so that you could always say, you know, my certificates can expire, but I've got two, and they're off by six months, for example. Or do something so that you don't have to fail closed because the certificate expired.

Corey: It feels like people don't tend to think about what failure modes are going to look like. Because, pfhh, an expired certificate? What kind of irresponsible buffoon would do such a thing? But I've worked in enough companies where you have, historically, the wildcard cert because individual certs cost money, once upon a time. So, you wound up getting the one certificate that could work on all of the stuff that ends in the same domain.

And that was great, but then whenever it expired, you had to go through and find all the places that you put it and you always miss some, so things would break for a while and the corporate response was, “Ugh, that was awful. Instead of a one-year certificate, let's get a five-year or a ten-year certificate this time.” And that doesn't make the problem better; it makes it absolutely worse because now it proliferates forever. Everyone who knows where that thing lives is now long gone by the time it hits again. Counterintuitively, it seems the industry has largely been moving toward short-lived certs. Let's Encrypt, for example, winds up rotating every 90 days, by my estimation. ACM is a year, if memory serves.

Koz: So, ACM certs are 13 months, and we start rotating them around the 11th month. And Let's Encrypt offers you 90-day certs, but they don't necessarily require you to rotate every 90 days; they expire in 90 days. My tip for everybody is divorce expiration from rotation. So, if your cert is a 90-day cert, rotate it at 45 days.
If your cert is a year cert, give yourself a couple of months before expiration to start the rotation. And then you can alarm on it on your own timeline when something fails, and you still have time to fix it.

Corey: This makes a lot of sense in—you know, the second time because then you start remembering, okay, everywhere I use this cert, I need to start having alarms and alerts. And people are bad at these things. What ACM has done super well is that it removes that entire human from the loop because you control all of the endpoints. You folks have the ability to rotate it however often you'd like. You could have picked arbitrary timelines of huge amounts of time or small amounts of time and it would have been just fine.

I mean, you log into an EC2 instance role and I believe the credentials get passed out of either a 6 or a 12-hour validity window, and they're consistently rotating on the back end and it's completely invisible to the customer. Was there ever thought given to what that timeline should be, what that experience should be? Or did you just, like, throw a dart at a wall? Like, “Yeah, 13 months feels about right. We're going to go with that.” And never revisited it. I have a guess which—

Koz: [laugh].

Corey: —side of that it was. Did you think at all about what you were doing at the time, or—yeah.

Koz: So, I will admit, this happened just before I got there. I got to ACM after—

Corey: Ah, blame the predecessor. Always a good call.

Koz: —the launch. It's a God-given right to blame your predecessor.

Corey: Oh, absolutely. It's their entire job.

Koz: I think they did a smart job here. What they did was they took the longest lifetime cert that was then allowed, at 13 months, knowing that we were going to automate the rotation and basically giving us as much time as possible to do it, right, without having to worry about scaling issues or having to rotate overly frequently.
You know, there are customers who, while I don't—I strongly disagree with pinning, for example, but there are customers out there who don't like certs to change very often. I don't recommend pinning at all, but I understand these cases are out there, and changing it once every year can be easier on customers than changing it every 20 minutes, for example. If I were to pick an ideal rotation time, it'd probably be under ten days because an OCSP response is good for ten days and if you rotate before then, I never have to update an OCSP response, for example. But changing that often would play havoc with many systems because of just the sheer frequency you're rotating what is otherwise a perfectly valid certificate.

Corey: It is computationally expensive to generate certificates at scale, I would imagine.

Koz: It starts to be a problem. You're definitely putting a lot of load on the HSMs at that point, [laugh] when you're generating. You know, when you have millions of certs out in deployment, you're generating quite a few at a time.

Corey: There is an aspect of your service that used to be part of ACM and now it's its own service—which I think is probably the right move because it was confusing for a lot of customers—Amazon looks around and sees who can we compete with next, it feels like sometimes. And it seemed like you were squarely focused on competing against your most desperate of all enemies, my crappy USB key where I used to keep the private CA I used at any given job—at the time; I did not keep it after I left, to be very clear—for whatever I'm signing things for certificates for internal use. You're, like, “Ah, we can have your crappy USB key as a service.” And sure enough, you wound up rolling that out. It seems like adoption has been relatively brisk on that, just because I see it in almost every client account I work with.

Koz: Yeah. So, you're talking about the private CA offering which is—

Corey: I—that's right.
Private CA was the new service name. Yes, it used to be a private certificate authority was an aspect of ACM, and now you're—mmm, we're just going to move that off.

Koz: And we split it out because, like you said, customers got confused. They thought they had to only use it with ACM. They didn't understand it was a full standalone service. And it was built as a standalone service; it was not built as part of ACM. You know, before we built it, we talked to customers, and I remember meeting with people running fairly large startups, saying, “Yes, please run this for me. I don't know why, but I've got this piece of paper in my sock drawer that one of my security engineers gave me and said, ‘if something goes wrong with our CA, you and two other people have to give me this piece of paper.’” And others were like, “Oh, you have a piece of paper? I have a USB stick in my sock drawer.” And like, this is what, you know, the startup world was running their CAs from sock drawers as far as I can tell.

Corey: Yeah. A piece of paper? Someone wrote out the key by hand? That sounds like hell on earth.

Koz: [sigh]. It was a sharding technique where you needed, you know, three of five or something like that to—

Corey: Oh, they, uh, Shamir's Secret Sharing Service.

Koz: Yes.

Corey: The SSSS. Yeah.

Koz: Yes. You know, and we looked at it. And the other alternative was people would use open-source or free certificate authorities, but without any of the security you'd want, like, HSM backing, for example, because that gets really expensive. And so yeah, we did what our customers wanted: we built this service. We've been very happy with the growth it's taken and, like you said, we love the places we've seen it. It's gone into all kinds of different things, from the traditional enterprise use cases to IoT use cases. At one point, there's a company that tracks sheep and every collar has one of our certs in it.
And so, I am active in the sheep-tracking industry.

Corey: I am certain that some wit is going to comment on this. “Oh, there's a company out there that tracks sheep. Yeah, it's called Apple,” or Facebook, or whatever crappy… whatever axe someone has to grind against any particular big company. But you're talking actual sheep as in baa, smell bad, count them when going to sleep?

Koz: Yes. Actual sheep.

Corey: Excellent, excellent.

Koz: The certs are in drones, they're in smart homes, so they're everywhere now.

Corey: That is something I want to ask you about because I found that as a competition going on between your service, ACM because you won't give me the private keys for reasons that we already talked about, and Let's Encrypt. It feels like you two are both competing to not take my money, which is, you know, an odd sort of competition. You're not actually competing, you're both working for a secure internet in different ways, but I wind up getting certificates made automatically for me for all of my internal stuff using Let's Encrypt, and with publicly resolvable domain names. Why would someone want a private CA instead of an option that, okay, yeah, we're only using it internally, but there is public validity to the certificate?

Koz: Sure. And just because I have to nitpick, I wouldn't say we're competing with them. I personally love Let's Encrypt; I use them at home, too. Amazon supports them financially; we give them resources. I think they're great. I think—you know, as long as you're getting certs I'm happy. The world is encrypted and I—people use private CA because fundamentally, before you get to the encryption, you need secure identity. And a certificate provides identity. And so, Let's Encrypt is great if you have a publicly accessible DNS endpoint that you can prove you own and get a certificate for and you're willing to update it within their 90-day windows. Let's use the sheep example.
The sheep don't have publicly valid DNS endpoints and so—

Corey: Or to be very direct with you, they also tend to not have terrific operational practices around updating their own certificates.

Koz: Right. Same with drones, same with internal corporate. You may not want your DNS exposed to the internet, your internal sites. And so, you use a private certificate where you own both sides of the connection, right, where you can say—because you can put the CA in the trust store and then that gets you out of having to be compliant with the CA/Browser Forum and the WebTrust rules. A lot of the CA/Browser Forum dictates what a public certificate can and can't do and the rules around that, and those are built very much around the idea of a browser connecting to a client and protecting that user.

Corey: And most people are not banking on a sheep.

Koz: Most people are not banking on a sheep, yes. But if you have, for example, a database that requires a restart to pick up a new cert, you're not going to want to redo that every 90 days. You're probably going to be fine with a five-year certificate on that because you want to minimize your downtime. Same goes with a lot of these IoT devices, right? You may want a thousand-year cert or a hundred-year cert or a cert that doesn't expire because this is a cert that happens at—that is generated at creation for the device. And it's at birth, the machine is manufactured and it gets a certificate and you want it to live for the life of that device.

Or you have super-secret-project.internal.mycompany.com and you don't want a publicly visible cert for that because you're not ready to launch it, and so you'll start with a private cert.
Really, my advice to customers is, if you own both pieces of the connection, you know, if you have an API that gets called by a client you own, you're almost always better off with a private certificate and managing that trust store yourself because then you are subject not to other people's rules, but the rules that fit the security model and the threat assessment you've done.

Corey: For the publication system for my newsletter, when I was building it out, I wanted to use client certificates as a way of authenticating that it was me. Because I only have a small number of devices that need to talk to this thing; other people don't, so how do I submit things into my queue and manage it? And back in those ancient days, the API Gateways didn't support TLS authentication. Now, they do. I would redo it a bunch of different ways. They did support API key as an authentication mechanism, but the documentation back then was so terrible, or I was so new to this stuff, I didn't realize what it was and introduced it myself from first principles where there's a hard-coded UUID, and as long as there's the right header with that UUID, I accept it, otherwise drop it on the floor. Which… there are probably better ways to do that.

Koz: Sure. Certificates are, you know, a very popular way to handle that situation because they provide that secure identity, right? You can be assured that the thing connecting to you can prove it is who they say they are. And that's a great use of a private CA.

Corey: Changing gears slightly. As we record this, we are about two weeks before re:Inforce, but I will be off doing my own thing on that day. Anything interesting and exciting coming out of your group that's going to be announced, with the proviso, of course, that this will not air until after re:Inforce?

Koz: Yes. So, we are going to be pre-announcing the launch of a connector for Active Directory.
So, you will be able to tie your private CA instance to your Active Directory tree and use private CA to issue certificates for use by Active Directory for all of your Windows hosts for the users in that Active Directory tree.

Corey: It has been many years since I touched Windows in anger, but in 2003 or so, I was a mediocre Small Business Windows Server admin. Doesn't Active Directory have a private CA built into it by default for whenever you're creating a new directory?

Koz: It does.

Corey: Is that one of the FSMO roles? I'm trying to remember offhand.

Koz: What's a Fimal?

Corey: FSMO. F-S-M-O. There are—I forget, it's some trivia question that people love to haze each other with in Microsoft interviews. “What are the seven FSMO roles?” At least back then. And they have to be moved before you decommission a domain controller or you're going to have tears before bedtime.

Koz: Ah. Yeah, so Microsoft provides a certificate authority for use with Active Directory. They've had it for years and they had to provide it because back then nobody had a certificate authority, but AD needed one. The difference here is we manage it for you. And it's backed by HSMs. We ensure that the keys are kept secure. It's a serverless connection to your Active Directory tree; you don't have to run any software of ours on your hosts. We take care of all of it.

And it's been the top request from customers for years now. It's been quite [laugh] a bit of effort to build it, but we think customers are going to love it because they're going to get all the security and best practices from private CA that they're used to and they can decommission their on-prem certificate authority and not have to go through the hassle of running it.

Corey: A big area where I see a lot of private CA work has been in the realm of desktops for corporate environments because when you can pass out your custom trusted root or trusted CA to all of the various nodes you have and can control them, it becomes a lot easier.
I always tended to shy away from it, just because in small businesses like the one that I own, I don't want to play corporate IT guy more than I absolutely have to.

Koz: Yeah. Trust store management is always a painful part of PKI. As if there weren't enough painful things in PKI, trust store management is yet another one. Thankfully, in the large enterprises, there is good tooling out there to help you manage it for the corporate desktops and things like that.

And with private CA, you can also, if you already have an offline root that is in all of your trust stores in your enterprise, you can cross-sign the root that we give you from private CA into that hierarchy. And so, then you don't have to distribute a new trust store out if you don't want to.

Corey: This is a tricky release and I'm very glad I'm taking the week off it's getting announced because there are two reactions that are going to happen to any snarking I can do about this. The first is no one knows what the hell this is and doesn't have any context for the rest, and the other folks are going to be, “Yes, shut up clown. This is going to change my workflow in amazing ways. I'll deal with your nonsense later. I want to do this.” And I feel like one of those constituencies is very much your target market and the other isn't. Which is fine. No service that AWS offers—except the bill—is for every customer, but every service is for someone.

Koz: That's right. We've heard from a lot of our customers, especially as they—you know, the large international ones, right, they find themselves running separate Active Directory CAs in different countries because they have different regulatory requirements and separations that they want to do. They are chomping at the bit to get this functionality because we make it so easy to run a private CA in these different regions.
There's certainly going to be that segment at re:Inforce that's just happy certificates happen in the background and they don't think anything about where they come from, and this won't resonate with them, but I assure you, for every one of them, they have a colleague somewhere else in the building that is going to do a happy dance when this launches because there's a great deal of customer heavy lifting and just sharp edges that we're taking away from them. And we'll manage it for them, and they're going to love it.

[midroll]

Corey: One thing that I have seen the industry shift to that I love is the Let's Encrypt model, where the certificate expires after 90 days. And I love that window because it is a quarter, which means yes, you can do the crappy thing and have a calendar reminder to renew the thing. It's not something you have to do every week, so you will still do it, but you're also not going to love it. It's just enough friction to inspire people to automate these things. And that I think is the real win.

There's a bunch of things like Certbot, I believe the protocol is called ACME, A-C-M-E, always in caps, which usually means an acronym or someone has their caps lock key pressed—which is of course cruise control for cool. But that entire idea of being able to have a back-and-forth authentication pass and renew certificates on a schedule, it's transformative.

Koz: I agree. ACM, even Amazon before ACM, we've always believed that automation is the way out of a lot of this pain. As you said earlier, moving from a one-year cert to a five-year cert doesn't buy you anything other than you lose even more institutional knowledge when your cert expires. You know, I think that the move to further automation is great. I think ACME is a great first step.

One of the things we've learned is that we really do need a closed loop of monitoring to go with certificate issuance.
So, at Amazon, for example, every cert that we issue, we also track, and the endpoints emit metrics that tell us what cert they're using. And it's not what's on disk, it's what's actually in the endpoint and what they're serving from memory. And we know because we control every cert issued within the company, every cert that's in use, and if we see a cert in use that, for example, isn't the latest one we issued, we can send an alert to the team that's running it. Or if we've issued a cert and we don't see it in use, we see the old ones still in use, we can send them an alert, they can alarm and they can see that, oh, we need to do something because our automation failed in this case.

And so, I think ACME is great. I think the push Let's Encrypt did to say, “We're going to give you a free certificate, but it's going to be short-lived so you have to automate,” that's a powerful carrot and stick combination they have going, and I think for many customers Certbot's enough. But you'll see even with ACM where we manage it for our customers, we have that closed loop internally as well to make sure that when we issue a new cert to our client, you know, to the partner team, that it does get picked up and it does get loaded. Because issuing you a cert isn't enough; we have to make sure that you're actually using the new certificate.

Corey: I also have learned as a result of this, for example, that AWS Certificate Manager—Amazon Certificate Manager, the ACM, the certificate thingy that you run, so many names, so many acronyms. It's great—but it has a limit—by default—of 2500 certificates. And I know this because I smacked into it. Why? I wasn't sitting there clicking and adding that many certificates, but I had a delightful step function pattern called ‘The Lambda invokes itself.’ And you can exhaust an awful lot of resources that way because I am bad at programming.
That is why for safety, I always recommend that you iterate development-wise in an account that is not production, and preferably one that belongs to someone else.

Koz: [laugh]. We do have limits on cert issuance.

Corey: You have limits on everything in AWS. As you should, because it turns out that wherever there's not a limit, A, free database just dropped, and B, things get hammered to death. You have to harden these things. And it's one of those things that's obvious once you've operated at a certain point of scale, but until you do, it just feels arbitrary and capricious. It's one of those things where I think Amazon is still—and all the cloud companies who do this—are misunderstood.

Koz: Yeah. So, in the case of the ACM limits, we look at them fairly regularly. Right now, they're high enough that most of our customers, the vast majority, never come close to hitting it. And the ones that do tend to go way over.

Corey: And it's been a mistake, as in my case as well. This was not a complaint, incidentally. It was like, well, I want to wind up having more waste and more ridiculous nonsense. It was not my concern.

Koz: No no no, but we do, for those customers who have not mistake use cases but actual use cases where they need more, we're happy to work with their account teams and with the customer and we can up those limits.

Corey: I've always found that with limit increases, with remarkably few exceptions, the process is, “Explain to you what your use case is here.” And I feel like that is a screen for, first, are you doing something horrifying for which there's a better solution? And two, it almost feels like it's a bit of a customer research approach where this is fine for most customers.
What are you folks doing over there and is there a use case we haven't accounted for in how we use the service?

Koz: I always find we learn something when we look at the P100 accounts that use the most certificates, and how they're operating.

Corey: Every time I think I've seen it all on AWS, I just talk to one more customer, and it's back to school I go.

Koz: Yep. And I thank them for that education.

Corey: Oh, yeah. That is the best part of working with customers and honestly being privileged enough to work with some of these things and talk to the people who are building really neat stuff. I'm just kibitzing from the sideline most of the time.

Koz: Yeah.

Corey: So, one last topic I want to get into before we call it a show. You and I have been talking a fair bit, out of school, for lack of a better term, around a couple of shared interests. The one more germane to this is home automation, which is always great because especially in a married situation, at least as I am and I know you are as well, there's one partner who is really into home automation and the other partner finds himself living in a haunted house.

Koz: [laugh]. I knew I had won that battle when my wife was on a work trip and she was in a hotel and she was talking to me on the phone and she realized she had to get out of bed to turn the lights off because she didn't have our Alexa Good Night routine available to her to turn all the lights off and let her go to bed. And so, she is my core customer when I do the home automation stuff. And I definitely make sure my use cases and my automations work for her. But yeah, I'm… I love that space.

Coincidentally, it overlaps with my work life quite a bit because identity in smart home is a challenge. We're really excited about the Matter standard.
For those listening who aren't sure what that is, it's a new end-all be-all smart home standard for defining devices in a protocol-independent way that lets your hubs talk to devices without needing drivers from each company to interact with them. And one of the things I love about it is every device needs a certificate to identify it. And so, private CA has been a great partner with Matter, you know, it goes well with it.

In fact, we're one of the leading certificate authorities for Matter devices. Customers love the pricing and the way they can get started without talking to anybody. So yeah, I'm excited to see, you know, as a smart home junkie and as a PKI guy, I'm excited to see Matter take off. Right now I have a huge amalgamation of smart home devices at home and seeing them all go to Matter will be wonderful.

Corey: Oh, it's fantastic. I am a little worried about aspects of this, though, where you have things that get access to the internet and then act as a bridge. So suddenly, like, I have an IoT subnet with some controls on it for obvious reasons and honestly, one of the things I despise the most in this world has been the rise of smart TVs because I just want you to be a big dumb screen. “Well, how are you going to watch your movies?” “With the Apple TV I've plugged into the thing. I just want you to be a screen. That's it.” So, I live a bit in fear of the day where these things find alternate ways to talk to the internet and, you know, report on what I'm watching.

Koz: Yeah, I think Matter is going to help a lot with this because it's focused on local control. And so, you'll have to trust your hub, whether that's your TV or your Echo device or what have you, but they all communicate securely amongst themselves. They use certificates for identification, and they're building into Matter a robust revocation mechanism. You know, in my case at home, my TV's not connected to the internet because I use my Fire TV to talk to it, similar to your Apple TV situation.
I want a device I control, not my TV, doing it. I'm happy with the big dumb screen.

And I think, you know, what you're going to end up doing is saying there's a device out there you'll trust maybe more than others and say, “That's what I'm going to use as my hub for my Matter devices and that's what will speak to the internet,” and otherwise my Matter devices will talk directly to my hub.

Corey: Yeah, there's very much a spectrum of trust. There's the, this is a Linux distribution on a computer that I installed myself and vetted and wound up contributing to at one point on the one end of the spectrum, and the other end of the spectrum of things you trust the absolute least in this world, which are, of course, printers. And most things fall somewhere in between.

Koz: Yes, right now, it is a Wild West of rebranded white-label applications, right? You have all kinds of companies spitting out reference designs as products and white labeling the control app for it. And so, your phone starts collecting these smart home applications to control each one of these things because you buy different switches from different people. I'm looking forward to Matter collapsing that all down to having one application and one control model for all of the smart home devices.

Corey: Wemo explicitly stated that they're not going to be pursuing this because it doesn't let them differentiate the experience. Read as, cash grab. I also found out that Wemo—which is, of course, a Belkin subsidiary—had a critical vulnerability in some of the light switches it offered, including the one built into the wall in this room—until a week ago—where they're not going to be releasing a patch for it because those are end-of-life. Really? Because I log into the Wemo app and the only way I would have known this has been the fact that it's been a suspiciously long time since there was a firmware update available for it. But that's it.
Like, the only way I found this out was via a security advisory, at which point that got ripped out of the wall and replaced with something that isn't, you know, horrifying. But man did that bother me.

Koz: Yeah. I think this is still an open issue for the smart home world.

Corey: Every company wants a moat of some sort, but I don't want 15 different apps to manage this stuff. You turned me on to Home Assistant, which is an open-source home control automation system and, on some level, the interface is very clearly built by a bunch of open-source people—good for them; they could benefit from a graphic designer or three—or a user experience person—to tie it all together, but once you wrap your head around it, it works really well, where I have automations that let me do different things. They even have an Apple Watch app without its complications on it. So, I can tap the thing and turn on the lights in my office to different levels if I don't want to talk to the robot that runs my house. And because my daughter has started getting very deeply absorbed into some YouTube videos from time to time, after the third time I asked her what—I call her name, I tap a different one and the internet dies to her iPad specifically, and I wait about 30 to 45 seconds, and she'll find me immediately.

Koz: That's an amazing automation. I love Home Assistant. It's certainly more technical than I could give to my parents, for example, right now. I think things like Matter are going to bring a lot of that functionality to the easier-to-use hubs. And I think Home Assistant will get better over time as well.

I think the only way to deal with these devices that are going to end-of-life and stop getting support is have them be local control only and so then it's your hub that keeps getting support and that's what talks to the internet.
And so, you don't—you know, if there's a vulnerability in the TCP stack, for example, in your light switch, but your light switch only talks to the hub and isn't allowed to talk to anything else, how severe is that? I don't think it's so bad. Certainly, I wall off all of my IoT devices so that they don't talk to the rest of my network, but now you're getting a fairly complicated networking… mojo that listeners to your podcast I'm sure are capable of, but many people aren't.

Corey: I had something that did something very similar and then I had to remove a lot of those restrictions to try to diagnose a phantom issue that it appears was an unreported bug in the wireless AP when you use its second Ethernet port as a bridge, where things would intermittently not be able to cross VLANs when passing through that. As in, the initial host key exchange for SSH would work and then it would stall and reset on both sides and it was a disaster. It was, what is going on here? And the answer was it was haunted. So, a small architecture change later, and the problem has not recurred. I need to reapply those restrictions.

Koz: I mean, these are the kinds of things that just make me want to live in a shack in the woods, right? Like, I don't know how you manage something like that. Like, these are just pain points all over. I think over time, they'll get better, but until then, that shack in the woods with not even running water sounds pretty appealing.

Corey: Yeah, at some level, having smart lights, for example, one of the best approaches that all the manufacturers I've seen have taken, it still works exactly as you would expect when you hit the light switch on the wall because that's something that you really need to make work or it turns out, for those of us who don't live alone, we will not be allowed to smart home things anymore.

Koz: Exactly. I don't have any smart bulbs in my house.
They're all smart switches because I don't want to have to put tape over something and say, “Don't hit that switch.” And then watch one of my family members pull the tape off and hit the switch anyway.

Corey: I have floor lamps with smart bulbs in them, but I wind up treating them all as one device. And I mean, I've taken the switch out from the root because it's, like, too many things to wind up slicing and dicing. But yeah, there's a scaling problem because right now a lot of this stuff—because Matter is not quite there—all winds up using either Zigbee—which is fine; I have no problem with that; it feels like it's becoming Matter quickly—or WiFi. And there is an upper bound to how many devices you want or can have on some fairly limited frequency.

Koz: Yeah. I think this is still something that needs to be resolved. You know, I've got hundreds of devices in my house. Thankfully, most of them are not WiFi or Zigbee. But I think we're going to see this evolve over time and I'm excited for it.

Corey: I was talking to someone where I was explaining, well, how this stuff works. Like, “Well, how many devices could you possibly have on your home network?” And at the time it was about 70 or 80. And they just stared at me for the longest time. I mean, it used to be that I could name all the computers in my house. I can no longer do that.

Koz: Sure. Well, I mean, every light switch ends up being a computer.

Corey: And that's the weirdest thing is that it's, I'm used to computers being a thing that requires maintenance and care and feeding and security patches and—yes, relevant to your work—an SSL certificate. It's like, so what does all of that fancy wizardry do? Well, when it receives a signal, it completes a circuit. The end. And it's, are we really better off for some of these things?
There are days we wonder.

Koz: Well, my light bill, my electric bill, is definitely better off having these smart switches because nobody in my house seems to know how to turn a light switch off. And so, having the house do it itself helps quite a bit.

Corey: To be very clear, I would skewer you if you worked on an AWS service that actually charged money for anything for what you just said about complaining about light bills and optimizing light bills and the rest—

Koz: [laugh].

Corey: —but I've never had to optimize your service's certificate bill beca—after you've spun off the one thing that charges—because you can't cost optimize free, as it turns out, and I've yet to find a way to the one optimization possible where now you start paying customers money. I'm sure there's a way to do that somewhere but damned if I can find it.

Koz: Well, if you find a way to optimize free, please let me know and I'll share it with all of our customers.

Corey: [laugh]. Isn't that the truth? I really want to thank you for taking the time to speak with me today. If people want to learn more, where's the best place for them to find you?

Koz: I can give you the standard AWS answer.

Corey: Yeah, www.aws.com. Yeah.

Koz: Well, I would have said koz@amazon.com. I'm always happy to talk about certs and PKI. I find myself less active on social media lately. You can find me, I guess, on Twitter as @seakoz and on Bluesky as kozolchyk.com.

Corey: And we will put links to all of that in the show notes. Thank you so much for being so generous with your time. I appreciate it.

Koz: Always happy, Corey.

Corey: Jonathan Kozolchyk, or Koz as we all call him, general manager for Certificate Services at AWS. I'm Cloud Economist Corey Quinn and this is Screaming in the Cloud.
If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice along with an angry, insulting comment that will then fail to post because your podcast platform of choice has an expired security certificate.

Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.

Screaming in the Cloud
Observing The Hidden Complexity Behind Simple Cloud Networks with Avi Freedman

Jun 22, 2023, 33:11

Avi Freedman, CEO at Kentik, joins Corey on Screaming in the Cloud to discuss the fun of solving for observability. Corey and Avi discuss how great simplicity can be deceiving, and Avi points out that with great simplicity comes great complexity. Avi discusses examples of this that he sees in Kentik customer environments, as well as the differences he sees in cloud environments from traditional data center environments. Avi also reveals his predictions for the future and how enterprise M&A will affect the way companies view data centers and VPCs.

About Avi

Avi Freedman is the co-founder and CEO of network observability company Kentik. He has decades of experience as a networking technologist and executive. As a network pioneer in 1992, Freedman started Philadelphia's first ISP, known as netaxs. He went on to run network operations at Akamai for over a decade as VP of network infrastructure and then as chief network scientist. He also ran the network at AboveNet and was the CTO of ServerCentral.

Links Referenced:
Kentik: https://kentik.com
Email: avi@kentik.com
Twitter: https://twitter.com/avifreedman
LinkedIn: https://www.linkedin.com/in/avifreedman

Transcript

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: Most companies find out way too late that they've been breached. Thinkst Canary changes this. Deploy Canaries and Canarytokens in minutes and then forget about them. Attackers tip their hand by touching 'em, giving you the one alert when it matters. With zero admin overhead and almost no false positives, Canaries are deployed (and loved) on all seven continents.
Check out what people are saying at canary.love today!

Corey: Welcome to Screaming in the Cloud, I'm Corey Quinn. This promoted guest episode is brought to us by our friends at Kentik. And into my social grist mill, they have thrown Avi Freedman, their CEO. Avi, thank you for joining me.

Avi: Thank you for having me, Corey. I've been a big fan for some time. I have never actually fallen off my seat laughing, but I've come close a couple times on some of your threads.

Corey: You must have a great chair.

Avi: I should probably upgrade it [laugh].

Corey: [laugh]. I have been looking forward to this conversation for a while because you are one of those rare creatures who comes from a similar world to what I did, where we were grumpy and old before our time because we worked on physical infrastructure in data centers; we basically wrangled servers into doing the things that we wanted them to do when hardware reliability was an aspiration rather than a reality. And we also moved on from that, in many ways. We are not blind to the modern order of how computers work. But you still run a lot of what you do in data centers, but many of your customers are in cloud. You speak both languages very fluently because of the unifying thread between all of this, which is, of course, the network. How did you wind up in, I guess we'll call it, network hell?

Avi: [laugh]. I mean, network hell was truly… in the '90s, when the internet was—I mean, the internet is sort of like the human body: the more you study it, the more amazing it is that it ever worked in the first place, not that it breaks sometimes—was the bugs, and trying to put together the technology back then, you know, that we had. Life is pretty good nowadays, other than the [laugh] immense complexity that has been unleashed on us by everyone taking the same technology and then writing it in their own software and giving it their own marketing names. And thus, you have multi-cloud networking.
So, got into it because it's a problem that needs to be solved, right? There's no ESP that connects the applications together; the network still needs to make it work. And now people own some of it, and then more of it they don't own, but they're still responsible for it. So, it's a fun problem to solve.

Corey: The timing of this episode is apt because I've used Kentik myself for a few things over the years. And to be fair, using it for any of my personal networking problems is a bit like noticing, “Oh, I have a loose thread here on my shirt. Pass me the chainsaw.” It's, my environment is tiny and it's over-scoped. But I just earlier this week wound up having to analyze a day's worth of Flow Logs from one of my clients, and to do this, I had to spin up an EC2 instance with 128 gigs of RAM and then load the Flow Logs for that day into RAM, and then—not kidding—I ran into the OOM Killer because I ran out of RAM on this thing.

Avi: [laugh].

Corey: It is, like, yeah, that's right. The network is chatty, the logs are immense, and it's easy to forget. Because the reason I was doing this was just to figure out what are the things that are talking to each other in this environment to drive up some aspects of data transfer costs. But that is an esoteric use case for this; it's not why most people tend to think about network observability. So, I'm going to ask you the blunt question up front here because it might be a really short episode. Do we have to care about networking in the least now that cloud is the default in most locations? It is just an API call away, isn't it?

Avi: With great simplicity comes great complexity. So, to the people running infrastructure, to developers or architects, turning it all on, it looks like just API calls. But did you set the policies right? Can the things talk to each other? Are they talking in patterns that are causing you wild data transfer costs?

All these things ultimately come back to some team that actually has to make it go.
And it can be pretty hard to figure that out, right, because it's not just the VPC Flow Logs. It's, what's the policy? It's, what are they talking to that maybe isn't in that cloud, that's maybe in another cloud? So, how do you bring it all together? Like, you could have—and maybe you should have—used Athena, right? You can put VPC Flow Logs in S3 buckets and use Athena and run SQL queries if all you want is your top talker.

Corey: Oh, I did. That's how I started, but Athena is, uh… it has some challenges. Let's just put it that way and leave it there. DuckDB is what I was using and I'm much happier with it for a variety of excellent reasons.

Avi: Okay. Well, I'll tease you another time about, you know—I lost this battle at Kentik. We actually don't use swap, but I'm a big fan of having swap and monitoring it so the OOM Killer only does what you want or doesn't fire at all. But that's a separate religious debate.

Corey: There's a counterargument of running an in-memory data store. And then, oh, we're going to use it as swap though, so it's like, hang on, this just feels like running a normal database with extra steps.

Avi: Computers allow you to do amazing things and only occasionally slap you nowadays with it. It's pretty amazing. But back to the question. APIs make it easy to turn on, but not so easy to run. The observability that you get within a given cloud is typically very limited.

Google actually has the best. They show some topology and other things. I mean, a lot of what we do involves scraping API calls in the cloud to figure out what does this all mean, then convolving it with the VPC Flow Logs and making it look like a network, and what are the gateways, and what are the rules being applied and what can't talk to itself? If you just look at VPC Flow Logs like it's Syslog, good luck trying to figure out what VPCs are talking to each other.
It's exactly the problem that you were describing.

So, the ease of turning it on is exactly inversely proportional to the ease of running it. And, you know, as a vendor, we think it's an awesome [laugh] problem, but we feel for our customers. And you know, occasionally it's a pain to get the IAM roles set up to scrape things and help them, but that's, you know, that's just part of the job.

Corey: It's fascinating to me, just looking from an AWS perspective, just how much work clearly has to be done to translate their Byzantine and very strange networking environment and concepts into things that customers see. Because in many cases, the virtual machines that we run on top of EC2, let alone anything higher level, are being lied to the entire time about what the actual topology of the environment is. It was most notable, for me at least, at re:Invent 2022, the most recent one, where they announced they have a TCP replacement, Scalable Reliable Datagram, SRD. It's a new protocol entirely. It's, “Oh, wow, can we use it?” “No.” “Okay.” Like, I get that it's a lot of work, I get you're excited about it. Are you going to talk to us about how it actually works? “Oh, absolutely not.” So… okay, good for you, I guess.

Avi: Doesn't Amazon have to write a press release before they build anything, and doesn't the press release have to say, like, why people give a shit, why people care?

Corey: Yep. And their story on this was, oh, it enables us to be a lot faster at letting EBS volumes talk to some of our beefier instances.

Avi: [laugh].

Corey: And that's all well and good, don't get me wrong, but it's also, “Yay, it's more reliable,” is a difficult message to send. I mean, it's hard enough when—and it's necessary because you've got to tacitly admit that reliability and performance haven't been all they could be. But when it's no longer an issue for most folks, now you're making them wonder, like, wait, how bad was it? It's just a strange message.

Avi: Yeah.
One of my projects for this weekend is, I actually got a gaming PC and I'm going to try compression offload to the CUDA cores because right now, we do compress and decompress with Intel cores. And like, if I'm successful there and we can get 30% faster subqueries—which doesn't really matter, you know, on the kind of massive queries we run—and 20% more use out of the computers that we actually run, I'm probably not going to do a press release about it. But good to see the pattern.

But you know, what you said is pretty interesting. As people like Kentik, we have to put together, well, on Azure, you can have VPCs that cross regions, right? And in other places, you can't. And in Google, you have performance metrics that come out and you can get it very frequently, and in Amazon and Azure, you can't. Like, how do you take these kinds of telemetry that are all the same stuff underneath, but packaged up differently in different quanta and different things, and make it all look the same is actually pretty fun and interesting.

And it's pretty—you know, if you give some cloud engineers who focus on the infrastructure layer enough beers or alcohol or just room to talk, you can hear some funny stories. And it all made sense to somebody in the first place, but unpacking it and actually running it as a common infrastructure can be quite fun.

Corey: One of the things that I have found notable about your perspective, as particularly, you're running all of the network ingest, to my understanding, in your data center environment. Because we talked about this when you were kind enough to invite me to your company all-hands offsite, presumably I assume when people do that, it's so they can beat me up in the alley, but that only happened twice. I was very pleasantly surprised.

Avi: And you made fun of us only three times, so you know, you beat us—

Corey: Exactly.

Avi: —but it was all enjoyed.

Corey: But always with love.
Now, what I found fascinating was you and I sat down for a while and you talked about your data center architecture. And you asked me—since I don't have anything to sell you—is there an economical way that I could see running your environment on top of AWS? And the answer was sure, if by economical you mean an absolute minimum of six times what you're currently paying a year, sure you can get there. But it just does not make sense for any realistic approach to doing this.

And the reason I bring this up is that you're in a data center not because of religious beliefs, “Oh, well, this is good enough for my grandpappy, so it's good enough for me.” It's because it solves the problem you have in a way that the cloud providers clearly cannot. But you also are not anti-cloud. So many folks who are all-in on data centers seem to be doing it out of pure self-interest where, well, if everyone goes all-in on cloud, then we have nothing left to sell them. I've used AWS VPC Flow Logs. They have nothing that could even remotely be termed network observability. Your future is assured as long as people understand what it is that you're providing them and what it is that you add. So yeah, people keep going in a cloud direction, you're happy as houses.

Avi: We'll use the best tools for building our infrastructure that we can, right? We use cloud. In fact, we're just buying some reserved instances, which always, you know, I give it the hairy eyeball, but you know, we're probably always going to have our CI/CD bursty stuff in the cloud. We have performance testing regions on all the major clouds so that we can tell people what performance is to and from cloud. Like, that we have to use cloud for.

And if there's an always-on model, which starts making sense in the cloud, then I try not to be the first to use anything, but [laugh] we'll be one of the first to use it.
But every year, we talk to, you know, the major clouds because we're customers of all of them, for, as I said, our testing infrastructure if nothing else, and you know, some of them for some other parts. You know, for example, proxying VPC Flow Logs, we run infrastructure on Kubernetes in all—in the three biggest to proxy VPC Flow Logs, you know, and so that's part of our bill. But if something's always on, you know, one of our storage servers, it's a $15,000 machine that, you know, realistically runs five years, but even if you assume it runs three years, we get financing for it, it costs a couple hundred dollars a month to host, and that's inclusive of our ops team that runs, sort of, everything. You just do the math. That same machine would be, you know, even not including data transfer, would be maybe $3,500 a month on cloud. The economics just don't quite make sense.

For burst, for things like CI/CD, test, seasonality, I think it's great. And if we have patterns like that, you know, we're the first to use it. So, it's just a question of using what's best. And a lot of our customers are in that realm, too. I would say some of them are a little over-rotated, you know, they've had big mandates to go one way or the other and don't have the right, you know, sort of nuanced view, but I think over time, that's going to fix itself. And yeah, as you were saying, like, the more people use cloud, the better we do, so it's just really a question of what's the best for us at our infrastructure and at any given time.

Corey: I think that that is something that is not fully appreciated or well understood is that I work with cloud technologies because for what I do, it makes an awful lot of sense. But I've been lately doing a significant build-out in my home network on the perspective of yeah, this makes sense for what I do.
And I now have an increased number of workloads that I'm running here and I've got to say, it feels a little strange, on some level, not to be paying AWS on something metered by the second whenever I'm running a job here. That always feels a little on the weird side. But I'm not suggesting I filled my house with servers either.

Avi: [unintelligible 00:13:18] going to report you to the House on Cloudian Activities Committee [laugh] for—

Corey: [laugh].

Avi: To straighten you out about your infrastructure use and beliefs. I do have to ask you, and I do have some foreknowledge of this, where is the controller for your network running? Is it running in your house or—

Corey: Oh, the WiFi controller lives in Ohio with all the other unpleasant things. I mean, even data transfer between Ohio and Virginia—if you're on AWS—is half-price because data wants to get out of Ohio just as much as the people do. And that's fine, but it can also fail out of band. I can chill that thing for a while and I'm not able to provision new equipment, I can't spin up new SSIDs, but—

Avi: Right. It's the same as Tailscale, which is, like, sufficiently indistinguishable from magic, but it's nice there's Headscale in case something happened to them. But yeah, you know, you just can't set up new stuff without your SSHing old way while it's down. So.

Corey: And worst case, it goes away irretrievably, I can spin a new one up, I can pair everything locally, do it by repointing DNS locally, and life will go on. It's one of those areas where, like, I would not have this in Ohio if latency was a concern, if it was routing every packet out halfway across the country before it hit the general internet. That would be a challenge for me. But that's not what I'm doing.

Avi: Yeah, yeah. No, that makes sense. And I think also—

Corey: And I certainly pay AWS by the second for that thing.
That's—I have a three-year savings plan for that thing, and if nothing else, it was useful for me just to figure out what the living hell was going on with the savings plan purchase project one year. That was just, it was challenging to get that straightened out in some ways. Turns out that the high watermark of the console is a hundred-and-some-odd-thirty-million dollars you can add to cart and click the buy button. Have fun.

Avi: My goodness. Okay, well.

Corey: The API goes up to $26.2 billion. Try that in a free tier account, preferably someone else's.

Avi: I would love to have such problems. Right now, that is not one of them. We don't spend that much on infrastructure.

Corey: Oh, that is more than Amazon's—AWS's at least—quarterly revenue. So, if you wind up doing a $26.2 billion, it's like—it's that old saw. You owe Amazon a million dollars, you have a problem. If you owe Amazon $26 billion, Amazon has a problem. Yeah, that's when Andy Jassy calls you 20 minutes after you make that purchase, and at least to me, he yells at me with a, “Listen here, asshole,” and it sort of devolves from there.

Avi: Well, I do live in Seattle, so you know, they send the posse out, I'm pretty sure.

Corey: [laugh] I will be keynoting DevOpsDays Seattle on August 1st with a talk that might very well resonate with your perspective, “The Modern Devops: A Million Ways to Die in Production.”

Avi: That is very cool. I mean, ultimately, I think that's what cloud comes back to. When cloud was being formed, it's just other people's computers, storage, and network. I don't know if you'd argue that there's a politics, control plane, or a—

Corey: Oh, I would say, “Cloud? There's no cloud; just someone else's cost center.”

Avi: Exactly. And so, how do you configure it? And back to the question of, should everything be on-prem or does cloud abstract it all, it's all the same stuff that we've been doing for decades and decades, just with other people's software and names, which you help decode.
And then it's the question we've always had: what's the best thing to do? Do you like Wellfleet or Proteon? Now, do you like Azure [laugh] or Google or Amazon or somebody else or running your own?

Corey: It's almost this generation's equivalent of vi versus Emacs.

Avi: Yes. I guess there could be a crowd equivalent. I use vi, but only because I'm a Lisp addict and I don't want to get stuck refining Eliza macros and connecting to ChatGPT in Emacs. So, you know. Someone just did an Emacs as PID 0. So basically, no init, just, you know, the kernel boots into Emacs, and then someone of course had to do a vi as PID 0. And I have to admit, Emacs would be a lot more useful as a PID 0, even though I use vi.

Corey: I would say that—I mean, you wind up in writing in Emacs and writing Lisp in it, then I've got to say every third thing you say becomes a parenthetical.

Avi: Exactly. Ha.

Corey: But I want to say that there's also a definite moving of data going on there that I think is a scale that, for those of us working mostly in home labs and whatnot, can be hard to imagine. And I see that just in terms of the volume of Flow Logs, which, to be clear, are smaller than the data transfer they are representing in almost every case.

Avi: Almost every.

Corey: You see so much of the telemetry that comes out of there and what customers are seeing and what their problems are, in different ways. It's not just Flow Logs, you ingest a whole bunch of different telemetry through a variety of modern and ancient and everything-in-between protocols to support, you know, the horror that is network equipment interoperability. And just, I can't—I feel like I can't do a terrific job of doing justice to describing just how comprehensive Kentik is, once you get it set up as a product.
What is on the wire has always been for me the arbiter of truth because computers will lie to you, but it's very tricky to get them to lie and get the network story to cover for it.

Avi: Right. I mean, ultimately, that's one of the sources of truth. There's routing, there's performance testing, there's a whole lot of different things, and as you were saying, in any one of these slices of your, let's just pick the network, there's many different things that all mean the same but look different that you need to put together. You could—the nerd term would be, you know, normalizing. You need to take all this stuff and normalize it.

But traffic, we agree, that's where we started with. We call it the what if, what is. What's actually happening on the infrastructure, and that's the ancient stuff like IPFIX and NetFlow and sFlow. Some people would argue that, you know, the IETF would say, “Oh, we're still innovating and it's still current,” but you know, it's certainly on-prem only. The major cloud vendors would say, “Oh, well, you can run the router—cloud routers—or you could run cloud versions of the big routers,” but we don't really see that as a super common pattern today.

But what's really the difference between NetFlow and the VPC Flow Log? Well, some VPC Flow Logs have permit/deny because they're really firewall logs, but ultimately, it's something went from here to there. There might not be a TCP flag, but there might be something else in cloud. And, you know, maybe there's RUM data, which is also another kind of traffic. And ultimately, all together, we try to take that and then the business metadata to say, whether it's NetBox in the old world or Kubernetes in the new world, or some other [unintelligible 00:19:49], what application is this? What user is this?

So, you can ask questions about why am I blowing up between these cloud regions? What applications are doing it, right?
VPC Flow Logs by themselves don't know that, so you need to add that kind of metadata in. And then there's performance testing, which is sort of the what is. Something we do, ThousandEyes does, some other people do.

It's not the actual source of truth, but for example, if you're having a performance problem getting between, you know, us-east and Azure in the east, well, there's three other ways you can get there. If your actual traffic isn't getting there that way, then how do you know which one to use? Well, let's fire up some tests. There's all the metrics on what all of the devices are reporting, just like you get metrics from your machines and from your applications, and then there's stuff even up at the routing layer, which, God help you, hopefully you don't need to actually get in and debug, but sometimes you do. And sometimes, you know, your neighbor tells the mailman that that mail is for me and not for you and they believe them and then you have a big problem when your bills don't get paid.

The same thing happens in the cloud, the same thing happens on the internet [unintelligible 00:20:52] at the routing. So, the goal is, take all the different sources of it, make it the same within each type, and then pull it all together so you can look at a single place, you can look at a map, you can look at everything, whether it's the cloud, whether it's your own data centers, your own WAN, into the internet and in between, in a coherent way that understands your application. So, it's a small task that we've bit off, but you know, we have fun solving it.

Corey: Do you find that when you look at customer environments, that they are, and I don't mean to be disparaging here, truly I don't, but if you were to ask me to design something today, I would probably not even be using VPCs if I'm doing this completely greenfield. I would be a lot more cloud-first, et cetera, et cetera.
Whereas in many cases, that is not the right path, especially if, you know, customers have the temerity to not be founded within the last 18 months before AWS existed in some ways. Do you find that the majority of what they're doing looks like they're treating the cloud like data centers or do you find that they are leveraging cloud in ways that surprise you and would not be possible in traditional data centers? Because I can't shake the feeling that the network as a source of truth for figuring out what's really going on is very hard to beat.

Avi: Yes, for the most part, to both your assertion at the end and sort of the question. So, in terms of the question, for the most part, people think of VPCs as… you know, they could just equivalently be VLANs and [unintelligible 00:22:21], right? I've got policies, and I have these things that are talking to each other, and everything else is not local. And I've got—you know, it's not a perfect mapping to physical interfaces in VLANs, but it's the equivalent of that.

And that is sort of how people think about it. In the data center, you'd call it micro-segmentation, in the cloud, you call it clouding, but you know, just applying all the same policies and saying this stuff can talk to each other and not. Which is always sort of interesting, if you don't actually know what is talking [laugh] to each other to apply those policies. Which is a lot of what, you know, Kentik gets brought in for first.
I think where we see the cloud-native thinking, which is overlaid on top of that—you could call it overlay, I guess—which is service mesh.

Now, putting aside the question of what's going to be a service mesh, what's going to be a network mesh, where there's something like [unintelligible 00:23:13] sit, the idea that there's a way that you look at traffic above the packets at, you know, layers three to more layer seven, that can do things like load balancing, do things like telemetry, do things like policy enforcement, that is a layer that we see very commonly that a lot of the old school folks have—you know, they want their lsu F5s and they want their F5 script. And they're like, “Why can't I have this in the cloud?”—which I guess you could buy it from F5 if you really want—but that's pretty common. Now, not everything's a sidecar anymore and there's still debates about what's going on there, but that's pretty common, even where the underlying cloud just looks like it could just be a data center.

And that seems to be state of the art, I would say, for our traditional enterprise customers, for sure. Our web company customers, and, you know, service providers use cloud more for their OTT and some other things. As we work with them, they're a little bit more likely to be on-prem, you know, historic. But remember, in the enterprise, there's still a lot of M&A going on, I think that's even going to pick up in the next couple of years, and a lot of what they're doing is lift-and-shift of [laugh] actual data centers. And my theory is, it's got to be easier to just make it look like VPCs than completely redo it.

Corey: I'd say that there's reasons that things are the way that they are. Like, ignoring that this is the better approach from a technical perspective entirely because that's often not the only answer, it's we have assurances we made as part of audit compliance regimes, of our SOC 2, of how we handle certain things and what those controls are.
And yeah, it's not hard for even a junior employee, most of the time, to design a reasonable architecture on a whiteboard. The problem is, how do you take something pre-existing and get it to a state that closely resembles that while not turning it off for a long time?Avi: Right. And I think we're starting to see some things that probably shouldn't exist, like, people trying to do VXLAN as overlays into and between VPCs because that was how their data s—you know, they're more modern on the data center side and trying to do that. But generally, I think people have an understanding they need to be designing architecture for greenfield things that aren't too far bleeding edge, unless it's like a pure developer shop, and also can map to the least common denominator kinds of infrastructure that people have. Now, sometimes that may be serverless, which means, you know, more CDN use and abstracted layers in front, but for, you know, running your own components, we see a lot of differences but also a lot of commonality. It's differences at the micro but commonality the macro. And I don't know what you see in your practice. So.Corey: I will say that what I see in practice is that there's a dichotomy where you have born-in-the-cloud companies where 80% of their spend is on a single workload and you can do a whole bunch of deep optimizations. And then you see the conglomerate approach where it's giant spend, but it's all very diffuse across 1500 different applications. And different philosophies, different processes, different cultures give rise to a lot of these things. I will say that if I had a magic wand, I would—and again, the fact that you sponsor and promote this episode is deeply appreciated. Thank you—Avi: You're welcome.Corey: —but it does not mean that you get to compromise my authenticity and objectivity. You can't buy my opinion, just my attention. 
But I will say this, that I would love it if my customers used Kentik because it is one of the best things I've ever seen to describe what is talking to what that scale and in volume without going super deep into the weeds. Now, obviously, I'm not allowed to start rolling out random things into customer environments. That's how I get sued to death. But, ugh, I wish it was there.Avi: You probably shouldn't set up IAM rules without asking them, yes. That wouldn't be bad.Corey: There's a reason that the only writable stuff that I have access to is generating reports in Cost Explorer.Avi: [laugh]. Okay.Corey: Everything else is read-only. All we do is to have conversations with folks. It sets context for those conversations. I used to think that we'd be doing this as a software offering. I no longer believe that actually solves the in-depth problems that people have.Avi: Well, I appreciate the praise. I even take some of the backhanded praise slash critique at the beginning because we think a lot about, you know, we did design for these complex and often hybrid infrastructures and it's true, we didn't design it for the two or four router, you know, infrastructure. If we had bootstrapped longer, if we'd done some other things, we might have done it that way. We don't want to be exclusionary. It's just sort of how we focus.But in the kind of customers that you have, these are things that we're thinking about what can we do to make it easier to onboard because people have these massive challenges seeing the traffic and understanding it and the cost and security and the performance, but to do more with the VPC Flow Logs, we need to get some of those metrics. We think about should we make an open-source thing. I don't know how much you've seen the concern that people have universally across cloud providers that they turn on something like Kentik, and they're going to hit their API rate limiter. 
Which is like, really, you can't build a cache for that at the scale that these guys run at, the large cloud providers. I don't really understand that. But it is what it is.We spent a lot of time thinking about that because of security policy, and getting the kind of metrics that we need. You know, if we open-source some of that, would it make it easier, plug it into people's observability infrastructure, we'd like to get that onboarding time down, even for those more complex infrastructures. But you know, the payoff is there, you know? It only takes a day of elapsed time and one hour or so. It's just you got to get a lot of approvals to get the kind of telemetry that you need to make sense of this in some environments.Corey: Oh, yes. And that's part of the problem, too, is like, you could talk about one of those big environments where you have 1500 apps all talking to each other. You can't make sense of any of it without talking to people and having contacts and occasionally get a little bit of [unintelligible 00:29:07] just what these things are named. But at that point, you're just speculating wildly. And, you know, it's an engineering trap, where I'm just going to guess rather than asking someone who knows the answer because I don't want to look foolish. It's… you just three weeks chasing your own tail. Who's the foolish one?Avi: We're not in a competitive business to yours—Corey: [laugh].Avi: But I do often ask when we're starting off, “So, can you point us at the source of truth that describes what all your applications are?” And usually, they're, like, “[laugh]. No.” But you know, at the same time to make sense of this stuff, you also need that metadata and that's something that we designed to be able to take.Now, Kubernetes has some of that. You may have some of it in ServiceNow, a lot of people use. You may have it in your own text file, CSV somewhere. 
It may be in NetBox, which we've seen people actually use for the cloud, more on the web company and service provider side, but even some traditional enterprise is starting to use it. So, a lot of what we have to do as a vendor is put all that together because yeah, when you're running across multiple environments and thousands of applications, ultimately scrying at IP addresses and VPC IDs is not going to be sufficient.So, the good news is, almost everybody has those sources and we just tried to drag it out of them and pull it back together. And for now, we refuse to actually try to get into that business because it's not a—seems sort of like, you know, SAP where you're going to be sending consultants forever, and not as interesting as the problems we're trying to solve.Corey: I really want to thank you, not just for supporting the show of course, but also for coming here to suffer my slings and arrows. If people want to learn more, where's the best place for them to find you? And please don't respond with an IP address.Avi: 127.0.0.1. You're welcome at my home at any time.Corey: There's no place like localhost.Avi: There's no place like localhost. Indeed. So, the company is kentik.com, K-E-N-T-I-K. I am avi@kentik.com. I am@avifriedman on Twitter and LinkedIn and some other things. And happy to chat with nerds, infrastructure nerds, cloud nerds, network nerds, software nerds, debate, maybe not VI versus Emacs, but should you swap space or not, and what should your cloud architecture look like?Corey: And we will, of course, put links to that in the [show notes 00:31:20].Avi: Thank you.Corey: Thank you so much for being so generous with your time. I really appreciate it.Avi: Thank you for having this forum. And I will let you know when I am down in San Francisco with some time.Corey: I would be offended if you didn't take the time to at least say hello. Avi Friedman, CEO at Kentik. 
I'm Cloud Economist Corey Quinn, and this has been a promoted guest episode of Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a all five-star review on your podcast platform of choice, along with an angry comment saying how everything, start to finish, is somehow because of the network.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.

AV SuperFriends
AV SuperFriends: Off the Rails - Plugged into the Mystery Hole

AV SuperFriends

Play Episode Listen Later Apr 30, 2023 68:26


Recorded April 28, 2023

Instead of AV news, we return to the topic of digital canvases only a few days after our previous discussion. We're joined by Atkins Fleming who has a suggestion for a software platform that seems perfect for digital canvases and remote teaching and learning, but the company seems unaware of the education market. Then we hash out the support tools and skills necessary for modern AV systems. Jamie puts it best when he says, “bring your laptop.” As AV becomes more and more IT, those with an IT background seem most comfortable supporting IP-based AV and many of those who grew up with analog AV are struggling. If nothing else, buy everyone a few managed network switches and get them comfortable with managing IPs and VLANs. Finally, Jamie covers the news from NAB. There were lots of announcements related to large, cloud-based delivery platforms, but perhaps the best news is the increasing support for SMPTE 2110 as a unified interoperable AVoIP standard. Fingers crossed!

ON24: https://www.on24.com

Alternate show titles:
Don't Say WebEx
Novelty Checkbook
I don't know; talk to Marc about that one
Our skillset made it easy for us
Piece of Pizza
The team is like “what the heck?”
This is right up our wheelhouse
Catered Zoom Rooms
Stop Grabbing Your Toolbag and take your laptop
Stop grabbing that too
Judging success by the number of USB adapters
That's the beauty about what we're doing and it's also terrible
I have a couple that I pulled off
Maybe sometimes
Just click it and it goes
Ready for me to blast across the WAN
I'm on the fence; I keep flip flopping

ITSPmagazine | Technology. Cybersecurity. Society
Fostering a Better Understanding of Networking Within the Information Security Community to Build Stronger Cyber Defenses | A Conversation with Justin Elze and Mick Douglas | Redefining CyberSecurity Podcast With Sean Martin

ITSPmagazine | Technology. Cybersecurity. Society

Play Episode Listen Later Apr 21, 2023 48:26


Guests:
Justin Elze, CTO at TrustedSec [@TrustedSec]
On LinkedIn | https://www.linkedin.com/in/justinelze/
On Twitter | https://twitter.com/HackingLZ
Mick Douglas, Founder and Managing Partner at InfoSec Innovations [@ISInnovations]
On LinkedIn | https://linkedin.com/in/mick-douglas
On Twitter | https://twitter.com/bettersafetynet

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

This Episode's Sponsors
Imperva | https://itspm.ag/imperva277117988
Edgescan | https://itspm.ag/itspegweb

Episode Notes
In this new Redefining Cybersecurity Podcast episode, Justin Elze, Mick Douglas, and Sean Martin delve into the importance of understanding networking concepts in the realm of cybersecurity. They discuss the misconceptions surrounding networking knowledge and how it often becomes cumbersome for people to learn. They highlight the underappreciated areas of networking that are frequently encountered in enterprise environments, such as DNS issues, virtual machines, VLANs, and more. The conversation also touches on the OSI model and the need for a structured approach to learning and adapting to various enterprise environments.

The episode highlights how the shift to cloud-based solutions and remote work has made certain aspects of networking easier while also changing the landscape of network security. The discussion examines the importance of understanding and implementing effective security controls based on the organization's needs and threat surface rather than relying on outdated or ritualistic practices. The trio further explores the concept of abstraction versus understanding the intricate details of IT security policy and controls.

Justin and Mick also talk about the need for a standard body of knowledge for cybersecurity professionals when it comes to networking concepts. They emphasize that while it's not necessary to be a networking expert, a deeper understanding of core concepts can significantly improve the effectiveness of network defense. By fostering a better understanding of networking within the information security community, professionals can better identify and address potential vulnerabilities and misconfigurations within their environments.

Watch this and other videos on ITSPmagazine's YouTube Channel
Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist

Redefining CyberSecurity
Fostering a Better Understanding of Networking Within the Information Security Community to Build Stronger Cyber Defenses | A Conversation with Justin Elze and Mick Douglas | Redefining CyberSecurity Podcast With Sean Martin

Redefining CyberSecurity

Play Episode Listen Later Apr 21, 2023 48:26


Guests:
Justin Elze, CTO at TrustedSec [@TrustedSec]
On LinkedIn | https://www.linkedin.com/in/justinelze/
On Twitter | https://twitter.com/HackingLZ
Mick Douglas, Founder and Managing Partner at InfoSec Innovations [@ISInnovations]
On LinkedIn | https://linkedin.com/in/mick-douglas
On Twitter | https://twitter.com/bettersafetynet

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

This Episode's Sponsors
Imperva | https://itspm.ag/imperva277117988
Edgescan | https://itspm.ag/itspegweb

Episode Notes
In this new Redefining Cybersecurity Podcast episode, Justin Elze, Mick Douglas, and Sean Martin delve into the importance of understanding networking concepts in the realm of cybersecurity. They discuss the misconceptions surrounding networking knowledge and how it often becomes cumbersome for people to learn. They highlight the underappreciated areas of networking that are frequently encountered in enterprise environments, such as DNS issues, virtual machines, VLANs, and more. The conversation also touches on the OSI model and the need for a structured approach to learning and adapting to various enterprise environments.

The episode highlights how the shift to cloud-based solutions and remote work has made certain aspects of networking easier while also changing the landscape of network security. The discussion examines the importance of understanding and implementing effective security controls based on the organization's needs and threat surface rather than relying on outdated or ritualistic practices. The trio further explores the concept of abstraction versus understanding the intricate details of IT security policy and controls.

Justin and Mick also talk about the need for a standard body of knowledge for cybersecurity professionals when it comes to networking concepts. They emphasize that while it's not necessary to be a networking expert, a deeper understanding of core concepts can significantly improve the effectiveness of network defense. By fostering a better understanding of networking within the information security community, professionals can better identify and address potential vulnerabilities and misconfigurations within their environments.

Watch this and other videos on ITSPmagazine's YouTube Channel
Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist

Backup Central's Restore it All
What to do with your network in a ransomware attack

Backup Central's Restore it All

Play Episode Listen Later Mar 6, 2023 61:12 Transcription Available


We have talked about this a lot on the pod, and now we have someone who can explain what you actually do with your network when you get hit by a ransomware attack. It's Tom Hollingsworth from Gestalt IT, and we're excited to have him on the pod. Some of his recommendations, of course, require some configuration in advance. We talk about VLANs, SIEM and access management tools, and why many networking admins are terrified of the "reject all" concept that would actually make your network much more resilient in an attack. There is some really good stuff in this episode.

Podcast de Eduardo Collado
Multiple Spanning Tree Protocol – MST

Podcast de Eduardo Collado

Play Episode Listen Later Feb 7, 2023 27:37


Today we are going to talk about Multiple Spanning Tree Protocol (802.1s), also known as MST. In the Cisco world most companies bring up VLANs, and each of those VLANs has a Spanning Tree instance associated with it …

Ask Noah Show
Episode 312: Ask Noah Show 312

Ask Noah Show

Play Episode Listen Later Nov 16, 2022 53:30


-- During The Show --

00:30 Steve's Curl Issue
Curl not picking up variables properly. The snippet as shown on the page had lost its underscores and carried a stray ")"; the form field and JSON key are assumed to be Keycloak's `client_secret` and `id_token`:
```
# Lab client secret from the show notes (hard-coded here only for the example)
myvar=RvNAQycq2KOrWaGVuaoHBwPgfEOwzPi2
# POST the secret to the Keycloak token endpoint and pull the id_token out of the JSON reply
curl -k -d "client_secret=${myvar}" https://keycloak.k3s.lab/realms/myrealm/protocol/openid-connect/token | jq .id_token
```

02:00 Pihole & Eero - Wyeth
YouTube Video (https://www.youtube.com/watch?v=FnFtWsZ8IP0&t=721s)
Tutorial (https://www.derekseaman.com/2019/09/how-to-pi-hole-plus-dnscrypt-setup-on-raspberry-pi-4.html)
Eero System may be the issue
Get the ISP to allow your old router
Email Ask Noah show for Nextcloud setup

15:20 Suggestion for Church - Charlie
AM/FM Radio

16:30 Audio over IP - Brett
Church Setup
Noah's thoughts

18:45 Storage Question - Jeremy
External storage pros/cons
Better to build storage box

21:25 Ceph or ZFS? - Russel
Ceph is good for racks of storage
ZFS is better for single box

23:30 Vlan on PFsense - worksonmybox
Trouble creating VLANs on PFsense
Check your trunk port
UniFi treats VLANs strangely

25:55 Espanso
Espanso (https://espanso.org/)
Open Source text expander
Supports Linux, Windows, Mac
Has a "Hub"
Has search

27:55 ShuffleCake
ShuffleCake (https://shufflecake.net/)
Create hidden volumes
Encrypt your volumes
Decoy Volumes
Decoy Passwords

29:35 Ubuntu Summit
WSL & OpenPrinting
Lots of KDE and Plasma Content
Focus on community
Entire Desktop won't be snapped
The Register (https://www.theregister.com/2022/11/09/canonical_conference/)
Day 1 Recording (https://www.youtube.com/watch?v=pqBbiT40Eak)
Day 2 Recording (https://www.youtube.com/watch?v=wOLHFiuwn4w)
Day 3 Recording (https://www.youtube.com/watch?v=0Nr3TumNf2I)

32:15 News Wire
Rocky Linux's Type B Corp - ZDnet (https://www.zdnet.com/article/rocky-linux-foundation-launches/)
RHEL 8.7 - 9 to 5 Linux (https://9to5linux.com/red-hat-enterprise-linux-8-7-is-officially-out-with-new-capabilities-and-system-roles)
Linux 6.0.8 - Linux Compatible (https://www.linuxcompatible.org/story/linux-kernel-608-released/)
Postgres 15.1 - Postgresql (https://www.postgresql.org/about/news/postgresql-151-146-139-1213-1118-and-1023-released-2543/)
MariaDB 10.9.4 - Maria DB (https://mariadb.com/kb/en/mariadb-10-9-4-release-notes/)
Pipewire 0.3.60 - Linux Musicians (https://linuxmusicians.com/viewtopic.php?t=25060)
AlmaLinux 8.7 - Business Wire (https://www.businesswire.com/news/home/20221111005543/en/AlmaLinux-8.7-Now-Available)
.Net 7 - Phoronix (https://www.phoronix.com/news/Microsoft-dotNET-7)
SteamOS 3.4 - Game Rant (https://gamerant.com/steam-os-beta-update-linux-performance-stability/)
DualShock 4 Controller Support - Phoronix (https://www.phoronix.com/news/Sony-DualShock4-PlayStation-Drv)
NVIDIA PhysX Released under BSD License - Gaming On Linux (https://www.gamingonlinux.com/2022/11/nvidia-physx-51-sdk-goes-open-source/)
GitHub Vulnerability RepoJacking - CPO Magazine (https://www.cpomagazine.com/cyber-security/github-vulnerability-allows-hackers-to-hijack-thousands-of-popular-open-source-packages/)

34:20 32 Billion FTX Crypto Files for Bankruptcy
The situation is not "crypto's fault"
Don't get into crypto currency to make money
Anytime you upload your private keys, you don't own your own crypto
No different than any other large scale fraud case
Large well established groups got ripped off (Wall Street)
ARS Technica (https://arstechnica.com/tech-policy/2022/11/sam-bankman-frieds-32-billion-ftx-crypto-empire-files-for-bankruptcy/)

-- The Extra Credit Section --
For links to the articles and material referenced in this week's episode check out this week's page from our podcast dashboard!
This Episode's Podcast Dashboard (http://podcast.asknoahshow.com/312)
Phone Systems for Ask Noah provided by Voxtelesys (http://www.voxtelesys.com/asknoah)
Join us in our dedicated chatroom #GeekLab:linuxdelta.com on Matrix (https://element.linuxdelta.com/#/room/#geeklab:linuxdelta.com)

-- Stay In Touch --
Find all the resources for this show on the Ask Noah Dashboard
Ask Noah Dashboard (http://www.asknoahshow.com)
Need more help than a radio show can offer? Altispeed provides commercial IT services and they're excited to offer you a great deal for listening to the Ask Noah Show. Call today and ask about the discount for listeners of the Ask Noah Show!
Altispeed Technologies (http://www.altispeed.com/)
Contact Noah live [at] asknoahshow.com

-- Twitter --
Noah - Kernellinux (https://twitter.com/kernellinux)
Ask Noah Show (https://twitter.com/asknoahshow)
Altispeed Technologies (https://twitter.com/altispeed)

Packet Pushers - Heavy Networking
Heavy Networking 655: On-Prem VPC Networking With Netris (Sponsored)

Packet Pushers - Heavy Networking

Play Episode Listen Later Nov 11, 2022 45:22


Heavy Networking welcomes sponsor Netris to the show with a special episode for you network nerds who are really getting into automation, infrastructure as code, pipelines, and so on. Netris is all about bringing that public cloud VPC experience to the network you've already got. Imagine being able to consume your existing network with APIs and being able to stand up VLANs, VXLANs, elastic load balancers, firewalls, Internet gateways, and more the same way you do in the cloud, but on premises.

Packet Pushers - Full Podcast Feed
Heavy Networking 655: On-Prem VPC Networking With Netris (Sponsored)

Packet Pushers - Full Podcast Feed

Play Episode Listen Later Nov 11, 2022 45:22


Heavy Networking welcomes sponsor Netris to the show with a special episode for you network nerds who are really getting into automation, infrastructure as code, pipelines, and so on. Netris is all about bringing that public cloud VPC experience to the network you've already got. Imagine being able to consume your existing network with APIs and being able to stand up VLANs, VXLANs, elastic load balancers, firewalls, Internet gateways, and more the same way you do in the cloud, but on premises.

Packet Pushers - Fat Pipe
Heavy Networking 655: On-Prem VPC Networking With Netris (Sponsored)

Packet Pushers - Fat Pipe

Play Episode Listen Later Nov 11, 2022 45:22


Heavy Networking welcomes sponsor Netris to the show with a special episode for you network nerds who are really getting into automation, infrastructure as code, pipelines, and so on. Netris is all about bringing that public cloud VPC experience to the network you've already got. Imagine being able to consume your existing network with APIs and being able to stand up VLANs, VXLANs, elastic load balancers, firewalls, Internet gateways, and more the same way you do in the cloud, but on premises. The post Heavy Networking 655: On-Prem VPC Networking With Netris (Sponsored) appeared first on Packet Pushers.

ConvoCourses
Convocourses Podcast: CIS controls to 27001 mapping

ConvoCourses

Play Episode Listen Later Sep 10, 2022 20:01


Get the xls spreadsheet here: https://securitycompliance.thinkific.com/courses/cis-control-maps

Hey guys, this is Bruce and welcome to a Convocourses podcast. And today I want to talk about one thing in particular, and that is the CIS and how it maps to ISO 27001. If you didn't know, both of these are security compliance frameworks that are used in the public sector and private sector, as well as international organizations. So pretty much a little slice of everybody uses one or the two of these particular security frameworks. CIS is typically used for the private sector. That means like retail stores or banking or community centers or those kind of organizations that are privately owned organizations. And sometimes nonprofits. I'll also say that, having worked in the public sector from time to time, we'll actually use CIS controls as well. It just depends on what kind of, what we're doing. Like we use the CIS benchmarks. I've seen those used within the government, within like Department of Defense, cuz it's just a great tool to use. And if you're interested in finding this, just go to Google or Bing or Yahoo or your favorite search engine and just type in CIS controls. Right now you have a mapping from the CIS controls version 7.1 to ISO 27001. Now right now, CIS controls are on version eight. I'm not, I don't think that one's out yet, but right now we are focusing on version 7.1, but we will revisit this once we get version eight. Okay. So that being said, ISO 27001 is an international standard for information security management. And they both do the same thing. It's for an organization to have guidance on how to actually proceed as far as securing their entire network, not even just the software and hardware devices that are connected to the network, but also things like physical security, maintenance. All aspects of protecting the actual security of the system. Whether it's outside of the system, whether who's touching the system, who has access to the system, all those things.

Let's start from the top. So what we're gonna do is just focus on the main security controls, like CIS control one, that is inventory and control of hardware assets. And you'll see that ISO 27001 has something similar and it's called A.8.1.1. So inventory of assets, right? They kind of group 'em all together. They don't break 'em apart into individual things for ISO 27001. Whereas CIS controls, they break it up into different things. CIS control one is hardware. Whereas CIS two is inventory of security controls. Inventory of security, sorry, inventory and control of software assets. That is not broken apart by ISO 27001. They keep those together as A.8.1.1.

Let's keep going here. We're gonna go to the next control, which is CIS control three, which is vulnerability management, continuous vulnerability management. Every single security compliance framework does have some sort of vulnerability management. Our continuous monitoring and vulnerability management, they're hand in hand. And this one is no different, so ISO 27001, let me see, let's see if they have it here. They have more of a risk rating response that's continuously done: management of technical vulnerabilities. Yeah. So they have A.12.6.1 that matches to CIS control three, 3.7, to be precise.

Let's go on, keep moving here to CIS control four. And that covers controlled use of administrative privileges. And that's really important because you don't wanna give your admin accounts to everyone. That's one. One of the things that some organizations do is they'll just give admin rights to everyone, anyone who needs it, they'll just put it on individual laptops and think it's okay. And it's really not okay. Because if you have an administrative privilege on that system, you can pretty much do what you want with that particular system. And it might even allow you to escalate privileges on other systems. So you gotta be really careful with that. So that's why you have CIS control four, controlled use of admin privileges, and let's see what ISO 27001 has. So ISO 27001 does have this and they've broken it into parts and have it as password management systems as A.9.4.3. They also have managed privileged access rights. There you go right there. So that matches directly to CIS four, controlled use of admin privileges. Let's keep it high. So far, I've gone through probably about 50 different controls. If you break it into the sub controls, it's probably 50 we just hit, but we'll just keep it high level and just focus on the main security controls.

Now let's move on to CIS five and this one deals with secure configuration of hardware and software. This means like whenever you have a laptop, a workstation, a server, there's a hardening process. Meaning we're gonna take this system and we're gonna make sure it doesn't have default passwords. Make sure it's locked down. The WiFi's not just open and attaching to anything. Maybe the wifi is off. We have some sort of secure configuration that we put on all hardware and software for mobile devices, laptops, workstations and servers. This is a common, this is a best practice that's used in most security frameworks. So ISO 27001 does have this and they have it broken into two parts: acceptable use of an asset, where you would actually secure that system. And then also secure system engineering principles.

Let's keep going to maintenance, monitoring, and analysis of audit logs. So the reason why audit logs in CIS control six is merged with maintenance is because audit logs are used not only for making sure that the incidents, if you find any incidents, you can find them through the audit logs, but also for maintenance because every now and then a system goes down and you could put that in the log. So it goes directly to a server. So your maintenance people can go in and say, okay, let's look at the logs and see where this thing crashed. So CIS six actually covers this and it maps directly to two different security controls in ISO 27001, mainly event logging and clock synchronization. The reason why clock synchronization is important is because you need a timestamp for all logs, otherwise if you see that the system went down, you need to know what time it went down. So the actual clock synchronization is super important to event logs, and if the time is off, you don't know when an incident happened. You don't know when the system went down or whatever the log is telling you.

All right. Let's keep going to CIS seven, which covers email and web browser protections. And these, just so you know, these are not that much different from CIS controls eight. This is the same one. So far, these are all the same ones that are in CIS version eight. So anyway, let's keep going here. We wanna know if this maps to ISO 27001 and it does. So it goes into acceptable use of assets, just like we've seen in the previous section. And then also it goes to restrictions on installations and that's what you have for protecting the email and browser protections. Another thing it has is network controls, making sure that the network traffic isn't going all over the place, making sure that our internal users are not allowed to go to sites that they're not supposed to go to. Another one that's broken up in ISO 27001 is control against malware. And that's your anti-virus stuff. Electronic messages, that is making sure that you have secure messaging going back and forth, making sure that you don't have like email spoofing, things like that. So it's broken up into several different parts, but let's keep going here to the next section, to CIS eight, and that's malware defense.

This goes really deep into malware defenses for CIS controls, everything from centralized management of anti-malware software as well as ensuring that anti-malware software signatures are updated and things like that. And we do have this on ISO 27001, namely the control against malware is where we would find that in ISO 27001, but there's several other breakdowns in ISO 27001 that also link to our malware protection.

All right, let's keep going to CIS nine. And this goes to limitation and control of network ports, protocols, and services. This is a common best practice that you'll find in NIST 800, you'll find in all of the different frameworks in some way, shape or form. They do cover this on how to actually focus in and use the law of least functionality, is what it's called in NIST 800. But anyway, let's go into this one. So we're talking about associating active ports and services to asset inventories. So we need to know, if port 23 is on, which systems are using port 23. And ensuring, the next one is ensuring only approved ports and protocols are used, are running, like we only use what we need. And you'll find the same thing in ISO 27001 with security of network services and segregation of networks. And then also network controls.

Let's keep going here and see how we can map the next one, which is CIS control 10, which is data recovery capabilities. So this one does map to ISO 27001, namely information backups; those two map directly to the CIS data recovery. And this is just what you might think: it's ensuring that you have regular automated backups, making sure that you can recover from those backups. And making sure that you protect those backups. All right, let's go to the next one. And we don't have that many more to go here. But this should give you an idea of what's in CIS controls and also what's in ISO 27001 as well. So let's keep going. CIS control 11.
So this is secure configuration of net for network devices, such as firewalls routers and switch. And if I'm not mistaken, this one might be a little bit different in the CIS eight. It's not the same. The content's the same. They just shifted things around a little bit. So this one is, dealing with maintaining a standard for security configurations for network devices. That's their switches. That's your routers, that's your firewalls and things like that. And let's see if there's a comparable. Control on ISO 27,001. Yeah, we have change management. This is where you would control the actual iOS security on a system and making sure that you have change management. But the, also the another one that they have here on ISO 27,001 is segregation of networks. That one is lined up with what you have in CIS controls as well. All right. Let's keep going.  C I S 12, and that is boundary defense. Now this is also in N 800. All the stuff that I've read so far is also in missed 800, maybe going forward, we will cover how CIS maps to N 800 because it does it all maps up. And if one, that's why I say in some of my other courses and in my other videos is if one, you know them. There's a little bit of change of terminology. The control names are different, but if one, you know them all, okay. So this one is dealing with boundary defense, and this is maintaining an inventory of what is in your network. What you need to know what's in your network. And to do this, you do things like scanning. You do things like denying certain communications from going to certain IPS. You have to control your boundary. In depth is used quite a bit with this one, but boundary defense and this one maps directly to network control. That's in the ISO 27,001. Okay. Let's keep going here. Let's keep keeping it high level. There's a lot of things that we're going over, cuz we want to keep this high level. Okay. N the CIS control, 13 data protection. What does this one deal with? 
This is maintaining an inventory of sensitive information removing sensitive data or systems not regularly accessed by the organization. Anything you don't need, we're gonna get rid of it. And making sure the sense of, data's not floating around out there, which is how a lot of data gets.  and ISO 27,001 has addresses this in several different controls. One is classification of information. Another one is network controls, another one's electronic messaging. And another one is mobile device policies. And there's a few others, but we are gonna keep going. All right. So C I S 14, this one deals with controlled access controlled access. On on the need to know. And so this one is segmenting the network based on sensitivity, enable fi enabling firewall filtering for between VLANs. And this sounds a lot like PCI compliance. So PCI compliance also maps to the CIS. PCI I'm, talking about PCI DSS, that's protection of credit cards and the credit card industries and retail retailers and hotels use this quite a bit. So they have to actually go through an audit and assessments and stuff for all of their card readers. So for this one, you have the same thing. ISO 27,001 has segmentation of network. Network control. You can see them, them using the same ones. Theirs is just broken up differently. So they group a lot of, the controls together. Let's keep going here. We don't have that many more to go. We're on 15 CIS control 15, which is wireless access control. So this one, as you would suspect it, it's disabling access points that are not used if they're not required detecting wireless access points. That are connected to the wired network and, taking an inventory of all your wireless stuff. And so this is covered in ISO 27,001 in the inventory of assets and the network controls and the acceptable use of AC of, assets. Let's keep going here to the CIS 16. And I think we only have two or three left here, but CIS controls 16. Account monitoring and control. 
So in, in N 800, And in this 800, you have this one is AC two, a C one C three. When you're doing account control and account management and things like that, this one is in CIS control 16. So how does this map? Two 27,001. Control. In the inventory of assets, that's where they control it in ISO 27,001. They also cover it in policy on the use of crypto cryptographic controls and control network controls and user registration. And deregistration so you can see it's just broken up. They're covering the same topics, but it's broken up into different parts. Now let's keep going to CI. Control 17. And I wanna say this is the last one. Let me see. 18, 19 20. Okay. There's only three more left. All right. 17 we'll just quickly go through these implementation of security awareness training. Self-explanatory you do have the same thing on ISO 27,001. It's literally called information security awareness, education and, training. Same. Okay, so we're gonna go to 18 and 18 is application software security. That's making sure that you're, whenever you're developing software is developed securely and is, establishing secure coding practices. And you have the same thing over ISO ISO 27001, which is a secure development policy. Whenever you're developing the actual software, you have to develop it securely. Okay. Then we go into 19, which is incident response. This is a big one. This is also in IR in the IR controls, IR 1, 2, 3, and 4 in the NIST 800. But how does this map over to ISO 27001? They have something called responsibilities and procedures. And they have reporting information, security events, and con contacting authorities. All right. Onto pen testing. So this is CIS control 20. This is penetration testing and red team exercises. And this one, I don't know, this one actually doesn't have a comparable ISO 27001 control, which is. Very shocking and that pretty much covers all the maps between CIS controls and ISO 27,001. 
And we also mentioned a couple of N 800 controls and I'll catch you guys on the next podcast. If you want to download your free copy of the CIS To ISO 27001. Then go ahead and go to https://securitycompliance.thinkific.com/courses/cis-control-maps

Configuration Examples with KevTechify for the Cisco Certified Network Associate (CCNA)
Inter-VLAN Routing Challenge - Inter-VLAN Routing - Configuration Examples for Switching, Routing, and Wireless Essentials - CCNA - KevTechify | podcast 44


Sep 2, 2022 | 30:30

In this episode we are going to look at the Inter-VLAN Routing Challenge. In this activity, we will demonstrate and reinforce your ability to implement inter-VLAN routing, including configuring IP addresses, VLANs, trunking, and subinterfaces.

Thank you so much for watching this episode of my series on Configuration Examples for the Cisco Certified Network Associate (CCNA). Once again, I'm Kevin and this is KevTechify. Let's get this adventure started. All my details and contact information can be found on my website, https://KevTechify.com
YouTube Channel: https://YouTube.com/KevTechify

Cisco Certified Network Associate (CCNA)
Configuration Examples for Switching, Routing, and Wireless Essentials v2 (SRWE)
Inter-VLAN Routing
Lab 4.5.1 - Inter-VLAN Routing Challenge
Podcast Number: 44
Season: 1

Equipment I like:
Home Lab ►► https://kit.co/KevTechify/home-lab
Networking Tools ►► https://kit.co/KevTechify/networking-tools
Studio Equipment ►► https://kit.co/KevTechify/studio-equipment

Configuration Examples with KevTechify for the Cisco Certified Network Associate (CCNA)
Troubleshoot Inter-VLAN Routing - Inter-VLAN Routing - Configuration Examples for Switching, Routing, and Wireless Essentials - CCNA - KevTechify | podcast 43


Aug 31, 2022 | 25:05

In this episode we are going to look at troubleshooting Inter-VLAN Routing. In this activity, we will troubleshoot connectivity problems caused by improper configurations related to VLANs and inter-VLAN routing. We will be Locating Network Problems, Implementing the Solution, and Verifying Network Connectivity.

Thank you so much for watching this episode of my series on Configuration Examples for the Cisco Certified Network Associate (CCNA). Once again, I'm Kevin and this is KevTechify. Let's get this adventure started. All my details and contact information can be found on my website, https://KevTechify.com
YouTube Channel: https://YouTube.com/KevTechify

Cisco Certified Network Associate (CCNA)
Configuration Examples for Switching, Routing, and Wireless Essentials v2 (SRWE)
Inter-VLAN Routing
Lab 4.4.8 - Troubleshoot Inter-VLAN Routing
Podcast Number: 43
Season: 1

Equipment I like:
Home Lab ►► https://kit.co/KevTechify/home-lab
Networking Tools ►► https://kit.co/KevTechify/networking-tools
Studio Equipment ►► https://kit.co/KevTechify/studio-equipment

Configuration Examples with KevTechify for the Cisco Certified Network Associate (CCNA)
Configure Router-on-a-Stick Inter-VLAN Routing - Inter-VLAN Routing - Configuration Examples for Switching, Routing, and Wireless Essentials - CCNA - KevTechify | podcast 41


Aug 26, 2022 | 28:48

In this episode we are going to look at configuring Router-on-a-Stick Inter-VLAN Routing. In this activity we will configure VLANs and inter-VLAN routing. We will then enable trunk interfaces and verify connectivity between VLANs. We will be discussing Adding VLANs to a Switch, Configuring Subinterfaces, and Testing Connectivity with Inter-VLAN Routing.

Thank you so much for watching this episode of my series on Configuration Examples for the Cisco Certified Network Associate (CCNA). Once again, I'm Kevin and this is KevTechify. Let's get this adventure started. All my details and contact information can be found on my website, https://KevTechify.com
YouTube Channel: https://YouTube.com/KevTechify

Cisco Certified Network Associate (CCNA)
Configuration Examples for Switching, Routing, and Wireless Essentials v2 (SRWE)
Inter-VLAN Routing
Lab 4.2.7 - Configure Router-on-a-Stick Inter-VLAN Routing
Podcast Number: 41
Season: 1

Equipment I like:
Home Lab ►► https://kit.co/KevTechify/home-lab
Networking Tools ►► https://kit.co/KevTechify/networking-tools
Studio Equipment ►► https://kit.co/KevTechify/studio-equipment

Mac Geek Gab (Enhanced AAC)
Jiggle Mode Galore


May 30, 2022 | 81:38


Dave's been testing the new Synology RT6600ax router and has some “first look” thoughts to share. He, John, and Pete continue by answering your questions about mesh networks, VLANs, IoT devices, and more. Cool Stuff Found this week includes places to find discounted (or free!) apps, options for portable screens, […]

David Bombal
#379: WiFi Has Changed Is UniFi Better Than Cisco


May 16, 2022 | 71:54


Is UniFi better than Cisco? What's great about UniFi and what's not? Tom Lawrence tells us his thoughts about UniFi WiFi, switches, routing and other products.

For Transparency: Both Ubiquiti and Cisco have given me products. Ubiquiti have never paid me money for any video (but Cisco have sponsored videos in the past).

// MENU //
00:00 ▶️ Cisco licenses are a nightmare
01:00 ▶️ Tom Lawrence & Unifi
03:12 ▶️ Difference between Unifi & Ubiquiti
05:56 ▶️ Tailored for WISP
07:08 ▶️ Cisco Business
09:08 ▶️ Configuring Unifi switches & access points
10:09 ▶️ Terrible Unifi support
11:51 ▶️ Making money resetting to default
12:10 ▶️ Do the devices have CLI?
13:09 ▶️ Web-browser on Unifi devices
13:30 ▶️ Unifi Controller
16:28 ▶️ Unifi Consoles
18:05 ▶️ Unifi Routing
21:16 ▶️ Do the switches support routing?
22:59 ▶️ Unifi switches as layer 2 switches
24:12 ▶️ Unifi USG
26:46 ▶️ Pros and Cons of Unifi
33:49 ▶️ Buggy Ubiquiti software
35:52 ▶️ Confidence in Unifi
37:44 ▶️ Access Points rule of thumb
38:42 ▶️ Advantages of Ubiquiti
43:17 ▶️ "The world is changing"
45:13 ▶️ Running the controller without a Unifi account
47:19 ▶️ Vlans & Routing
50:23 ▶️ Unifi Switches
54:23 ▶️ Unifi 6 Access Points
57:43 ▶️ Recommended products
01:01:56 ▶️ Unifi firmware updates
01:02:55 ▶️ Inexpensive options
01:05:04 ▶️ Third-party support
01:06:12 ▶️ Unifi 6 Long Range
01:07:22 ▶️ Unifi Camera
01:10:42 ▶️ Closing thoughts and recommendations
01:11:26 ▶️ Conclusion

// Videos mentioned //
Hackersploit: https://youtu.be/yYY5mJoUZjU
Eric: https://youtu.be/cMR19vkNqS8

// Books Mentioned //
Privilege Escalation Techniques: https://amzn.to/3FUDcLO
Mastering Python Networking: https://amzn.to/3MkaZQN

// David's SOCIAL //
Discord: https://discord.com/invite/usKSyzb
Twitter: https://www.twitter.com/davidbombal
Instagram: https://www.instagram.com/davidbombal
LinkedIn: https://www.linkedin.com/in/davidbombal
Facebook: https://www.facebook.com/davidbombal.co
TikTok: http://tiktok.com/@davidbombal
YouTube: https://www.youtube.com/davidbombal

// Tom's SOCIAL //
Twitter: https://twitter.com/TomLawrenceTech
YouTube: https://www.youtube.com/user/TheTeckn...
Website: https://lawrencesystems.com/
LinkedIn: https://www.linkedin.com/in/lawrences...
Instagram: https://www.instagram.com/lawrencesys...

// MY STUFF //
https://www.amazon.com/shop/davidbombal

// SPONSORS //
Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com

Microsoft Cloud IT Pro Podcast
Episode 271 – Smart Home All The Things


Mar 3, 2022 | 33:48

In Episode 271, Ben and Scott take a break from Microsoft 365 and Azure to talk about smart home devices, including their favorite uses for different categories of devices such as lights, locks, and even blinds/shades. If you've been thinking about building out your smart home, give it a listen. We're sure you'll learn something new.

Sponsors
Intelligink - We focus on the Microsoft Cloud so you can focus on your business

Show Notes
Chipmaker Nvidia investigating potential cyberattack - report
Isolate Your Smart Home Devices with UniFi
Securing your smarthome devices – using VLANs to secure your home network
Homebridge
SmartThings
yoolax
Amazon links
Lutron Caseta
August Smart Locks
Smart Garage Door Openers

About the sponsors
Intelligink utilizes their skill and passion for the Microsoft cloud to empower their customers with the freedom to focus on their core business. They partner with them to implement and administer their cloud technology deployments and solutions. Visit Intelligink.com for more info.

Switching, Routing, and Wireless Essentials with KevTechify on the Cisco Certified Network Associate (CCNA)
Dynamic Trunking Protocol DTP - VLANs - Switching, Routing, and Wireless Essentials - CCNA - KevTechify | Podcast 12


Mar 3, 2022 | 9:20

In this episode we are going to look at Dynamic Trunking Protocol. We will be discussing Introduction to DTP, Negotiated Interface Modes, Results of a DTP Configuration, and Verify DTP Mode.

Thank you so much for listening to this episode of my series on Switching, Routing, and Wireless Essentials for the Cisco Certified Network Associate (CCNA). Once again, I'm Kevin and this is KevTechify. Let's get this adventure started. All my details and contact information can be found on my website, https://KevTechify.com

Cisco Certified Network Associate (CCNA)
Switching, Routing, and Wireless Essentials v2
Episode 3 - VLANs
Part E - Dynamic Trunking Protocol
Podcast Number: 12

Equipment I like:
Home Lab ►► https://kit.co/KevTechify/home-lab
Networking Tools ►► https://kit.co/KevTechify/networking-tools
Studio Equipment ►► https://kit.co/KevTechify/studio-equipment

Switching, Routing, and Wireless Essentials with KevTechify on the Cisco Certified Network Associate (CCNA)
VLAN Trunks - VLANs - Switching, Routing, and Wireless Essentials - CCNA - KevTechify | Podcast 11


Mar 2, 2022 | 9:34

In this episode we are going to look at VLAN Trunks. We will be discussing Trunk Configuration Commands, Trunk Configuration, Verify Trunk Configuration, and Reset the Trunk to the Default State.

Thank you so much for listening to this episode of my series on Switching, Routing, and Wireless Essentials for the Cisco Certified Network Associate (CCNA). Once again, I'm Kevin and this is KevTechify. Let's get this adventure started. All my details and contact information can be found on my website, https://KevTechify.com

Cisco Certified Network Associate (CCNA)
Switching, Routing, and Wireless Essentials v2
Episode 3 - VLANs
Part D - VLAN Trunks
Podcast Number: 11

Equipment I like:
Home Lab ►► https://kit.co/KevTechify/home-lab
Networking Tools ►► https://kit.co/KevTechify/networking-tools
Studio Equipment ►► https://kit.co/KevTechify/studio-equipment

Switching, Routing, and Wireless Essentials with KevTechify on the Cisco Certified Network Associate (CCNA)
VLAN Configuration - VLANs - Switching, Routing, and Wireless Essentials - CCNA - KevTechify | Podcast 10


Mar 1, 2022 | 14:44

In this episode we are going to look at VLAN Configuration. We will be discussing VLAN Ranges on Catalyst Switches, VLAN Creation Commands, VLAN Creation, VLAN Port Assignment Commands, Data and Voice VLANs, Verify VLAN Information, Change VLAN Port Membership, and Delete VLANs.

Thank you so much for listening to this episode of my series on Switching, Routing, and Wireless Essentials for the Cisco Certified Network Associate (CCNA). Once again, I'm Kevin and this is KevTechify. Let's get this adventure started. All my details and contact information can be found on my website, https://KevTechify.com

Cisco Certified Network Associate (CCNA)
Switching, Routing, and Wireless Essentials v2
Episode 3 - VLANs
Part C - VLAN Configuration
Podcast Number: 10

Equipment I like:
Home Lab ►► https://kit.co/KevTechify/home-lab
Networking Tools ►► https://kit.co/KevTechify/networking-tools
Studio Equipment ►► https://kit.co/KevTechify/studio-equipment

Switching, Routing, and Wireless Essentials with KevTechify on the Cisco Certified Network Associate (CCNA)
VLANs in a Multi-Switched Environment - VLANs - Switching, Routing, and Wireless Essentials - CCNA - KevTechify | Podcast 9


Feb 28, 2022 | 16:43

In this episode we are going to look at VLANs in a Multi-Switched Environment. We will be discussing Defining VLAN Trunks, Network without VLANs, Network with VLANs, VLAN Identification with a Tag, Native VLANs and 802.1Q Tagging, and Voice VLAN Tagging.

Thank you so much for listening to this episode of my series on Switching, Routing, and Wireless Essentials for the Cisco Certified Network Associate (CCNA). Once again, I'm Kevin and this is KevTechify. Let's get this adventure started. All my details and contact information can be found on my website, https://KevTechify.com

Cisco Certified Network Associate (CCNA)
Switching, Routing, and Wireless Essentials v2
Episode 3 - VLANs
Part A - Overview of VLANs
Podcast Number: 8

Equipment I like:
Home Lab ►► https://kit.co/KevTechify/home-lab
Networking Tools ►► https://kit.co/KevTechify/networking-tools
Studio Equipment ►► https://kit.co/KevTechify/studio-equipment

Switching, Routing, and Wireless Essentials with KevTechify on the Cisco Certified Network Associate (CCNA)
Overview of VLANs - VLANs - Switching, Routing, and Wireless Essentials - CCNA - KevTechify | Podcast 8


Feb 27, 2022 | 17:37

In this episode we are going to look at an Overview of VLANs. We will be discussing VLAN Definitions, Benefits of a VLAN Design, and Types of VLANs.

Thank you so much for listening to this episode of my series on Switching, Routing, and Wireless Essentials for the Cisco Certified Network Associate (CCNA). Once again, I'm Kevin and this is KevTechify. Let's get this adventure started. All my details and contact information can be found on my website, https://KevTechify.com

Cisco Certified Network Associate (CCNA)
Switching, Routing, and Wireless Essentials v2
Episode 3 - VLANs
Part A - Overview of VLANs
Podcast Number: 8

Equipment I like:
Home Lab ►► https://kit.co/KevTechify/home-lab
Networking Tools ►► https://kit.co/KevTechify/networking-tools
Studio Equipment ►► https://kit.co/KevTechify/studio-equipment

AV SuperFriends
AV SuperFriends: On Topic - We Got a Zoomy Zoom Going


Nov 8, 2021 | 49:36

This month we dive deep into the world of AVoIP. It's a thing. The cost delta over point-to-point transmission is almost nil, the technologies and products are maturing, and it opens an entire new world of finger pointing and shirking responsibility! We first discussed AVoIP last October on Off the Rails Episode 4, so please give that a listen for more on how we're leveraging it at our institutions. Justin is still living in the wild, wild west of networking, Jamie is firing NDI down dark fiber, Marc is transporting all his production cameras over the campus LAN, Larry is building an AVoIP eSports arena, and Chris is swapping HDBaseT for IP in new general classroom designs because why not?

While we all have different approaches, one item we all agree on is to work closely with your networking team. Some of us got lucky and just happened to be part of the Network/Telecom/Infrastructure teams, and others had to go make friends to ensure their VLANs and ports were configured correctly. If you're not on a first-name basis with your networking colleagues, you will be soon, so be proactive and get to know them before you start firing traffic across the network.

We also do a quick Lightning Round about our preferred managed network switches, and we're again all over the map. Cisco, Extreme, Luxul, Netgear, there's room for everyone! And even after all that, there's more to come, so stay tuned for the inevitable AVoIP part 3!

David Bombal
#305: VLANs: Am I a joke to you? | Python VLAN hacking.


Aug 6, 2021 | 9:59

Dynamic Trunking Protocol (DTP) makes it easy to sniff traffic from other VLANs. Disable DTP on user-facing ports by making those ports access ports.

You need to learn to code! Learn Python. Learn Networking. You are going to be very powerful and very scary if you combine knowledge of networking with Python scripting! But, do good. Learn to code. Learn Linux. Learn Networking.

Menu:
You need to learn Python! 0:00
Network Topology: 0:57
Python Script overview: 1:28
Cisco switch DTP setup: 2:00
We can see other VLAN traffic: 3:00
Script demo: 3:45
Results of attack: 4:24
Script explanation: 5:09
Create a loop: 5:49
Wireshark capturing of a different VLAN: 6:50
Kali Linux can see all VLAN traffic: 9:07

====== Scripts: ======
All scapy scripts here: https://davidbombal.wiki/githubscapy
Scapy DTP attack: https://davidbombal.wiki/scapydtp
Playlist: https://davidbombal.wiki/scapy

============== Scapy Resources: ==============
Website: https://scapy.net/
Documentation: https://scapy.readthedocs.io/en/latest/

================ Cisco Best practice: ================
Access ports (for vlan 2 in this case):
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 2

Trunk ports:
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport nonegotiate

================ Connect with me: ================
Discord: https://discord.com/invite/usKSyzb
Twitter: https://www.twitter.com/davidbombal
Instagram: https://www.instagram.com/davidbombal
LinkedIn: https://www.linkedin.com/in/davidbombal
Facebook: https://www.facebook.com/davidbombal.co
TikTok: http://tiktok.com/@davidbombal
YouTube: https://www.youtube.com/davidbombal

Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel!

David Bombal
#103: Kali Linux: Hacking Networks Part 2


Play Episode Listen Later Nov 18, 2019 15:38


It's so easy to hack badly configured networks using Kali Linux! See how easy it is to take out networks using Kali Linux and protocols like Dynamic Trunking Protocol (DTP) and VLAN Trunking Protocol (VTP); and also capture network traffic using Wireshark. Make sure you have configured your networks securely! Otherwise, look at how simple it is to hack networks using Kali Linux running on a Windows 10 computer. Applications like Yersinia make hacking with Kali Linux super easy!

It's important that you as a network professional know how to protect networks from hackers. Even the new Cisco CCNA 200-301 exam covers some of these hacking topics. Don't just learn the theory of hacking, learn how to hack practically. In this Ethical Hacking with Kali Linux playlist, I'm going to show you step by step how to hack and protect networks. This is white-hat hacking, not black-hat - in other words this is about teaching you Ethical hacking to help you better secure your networks!

In a previous video I showed you how to get started with Yersinia and hack CDP and Spanning Tree Protocol (STP). In this video I show you how to leverage DTP and VTP to hack networks with Kali Linux. Make sure you learn how network protocols work and understand their weaknesses. Just because a Cisco switch or router supports a protocol, doesn't mean you should enable it and use it. In many cases you need to either optimize the network protocol or disable it. Otherwise, hackers using Kali Linux will be able to hack your network and break things.

Menu:
Introduction 0:01
DTP hacks: 2:15
Wireshark: 5:18
VTP attacks: 8:00
Remotely Delete a VLAN: 10:54
Delete all VLANS! 13:33

====================== CCNA content: ======================
Free CCNA content: https://www.youtube.com/playlist?list=PLhfrWIlLOoKM3niunUBTLjOR4gMt_uR_a
CCNA course: http://bit.ly/2PmTVPD

====================== Free Network Software: ======================
Solar-PuTTY: http://bit.ly/SolarPutty
SolarWinds TFTP Server: http://bit.ly/2mbtD6j
WAN Killer: http://bit.ly/wankiller
Engineers Toolset: http://bit.ly/gns3toolset
IP Address Scanner: http://bit.ly/swipscan
Network Device Scanner: http://bit.ly/swnetscan
Wifi Heat Map: http://bit.ly/wifiheat
Wifi Analyzer: http://bit.ly/swwifianalyzer
SolarWinds NPM: http://bit.ly/getnpm

Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel!

======================== Switch configuration: ========================
```
c2960-CG# sh run
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname c2960-CG
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
!
ip dhcp pool vlan1
 network 10.1.1.0 255.255.255.0
 default-router 10.1.1.254
 dns-server 10.1.1.254
!
ip dhcp pool vlan2
 network 10.1.2.0 255.255.255.0
 default-router 10.1.2.254
 dns-server 10.1.2.254
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet0/3
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface Vlan1
 ip address 10.1.1.254 255.255.255.0
 no ip route-cache
!
interface Vlan2
 ip address 10.1.2.254 255.255.255.0
 no ip route-cache
!
ip http server
ip http authentication local
ip http secure-server
!
line con 0
line vty 0 4
 password cisco
 login
 transport input all
line vty 5 15
 login
!
end
```

noobs // a NetworkChuck Podcast
Voice VLANs - What are they and why do we need them?

noobs // a NetworkChuck Podcast

Play Episode Listen Later Nov 11, 2017 6:49


Most of you have heard of a Voice VLAN and you may even know how to configure it….but how does it really work? And why do we need it?

BSD Now
210: Your questions, part I

BSD Now

Play Episode Listen Later Sep 6, 2017 117:02


In this episode, we take a look at the reimplementation of NetBSD using a Microkernel, check out what makes DHCP faster, and see what high-process count support for DragonflyBSD has to offer, and we answer the questions you've always wanted to ask us.

This episode was brought to you by

Headlines

A Reimplementation Of Netbsd Using a Microkernel (http://theembeddedboard.review/a-reimplementation-of-netbsd-using-a-microkernel-part-1-of-2/)

Minix author Andy Tanenbaum writes in Part 1 of a-reimplementation-of-netbsd-using-a-microkernel (http://theembeddedboard.review/a-reimplementation-of-netbsd-using-a-microkernel-part-1-of-2/)

Based on the MINIX 3 microkernel, we have constructed a system that to the user looks a great deal like NetBSD. It uses pkgsrc, NetBSD headers and libraries, and passes over 80% of the KYUA tests. However, inside, the system is completely different. At the bottom is a small (about 13,000 lines of code) microkernel that handles interrupts, message passing, low-level scheduling, and hardware related details. Nearly all of the actual operating system, including memory management, the file system(s), paging, and all the device drivers run as user-mode processes protected by the MMU. As a consequence, failures or security issues in one component cannot spread to other ones. In some cases a failed component can be replaced automatically and on the fly, while the system is running, and without user processes noticing it. The talk will discuss the history, goals, technology, and status of the project.

Research at the Vrije Universiteit has resulted in a reimplementation of NetBSD using a microkernel instead of the traditional monolithic kernel. To the user, the system looks a great deal like NetBSD (it passes over 80% of the KYUA tests). However, inside, the system is completely different. At the bottom is a small (about 13,000 lines of code) microkernel that handles interrupts, message passing, low-level scheduling, and hardware related details. Nearly all of the actual operating system, including memory management, the file system(s), paging, and all the device drivers run as user-mode processes protected by the MMU. As a consequence, failures or security issues in one component cannot spread to other ones. In some cases a failed component can be replaced automatically and on the fly, while the system is running. The latest work has been adding live update, making it possible to upgrade to a new version of the operating system WITHOUT a reboot and without running processes even noticing. No other operating system can do this.

The system is built on MINIX 3, a derivative of the original MINIX system, which was intended for education. However, after the original author, Andrew Tanenbaum, received a 2 million euro grant from the Royal Netherlands Academy of Arts and Sciences and a 2.5 million euro grant from the European Research Council, the focus changed to building a highly reliable, secure, fault tolerant operating system, with an emphasis on embedded systems. The code is open source and can be downloaded from www.minix3.org. It runs on the x86 and ARM Cortex V8 (e.g., BeagleBones). Since 2007, the Website has been visited over 3 million times and the bootable image file has been downloaded over 600,000 times. The talk will discuss the history, goals, technology, and status of the project.

Part 2 (http://theembeddedboard.review/a-reimplementation-of-netbsd-using-a-microkernel-part-2-of-2/) is also available.

***

Rapid DHCP: Or, how do Macs get on the network so fast? (https://cafbit.com/post/rapid_dhcp_or_how_do/)

One of life's minor annoyances is having to wait on my devices to connect to the network after I wake them from sleep. All too often, I'll open the lid on my EeePC netbook, enter a web address, and get the dreaded "This webpage is not available" message because the machine is still working on connecting to my Wi-Fi network.
On some occasions, I have to twiddle my thumbs for as long as 10-15 seconds before the network is ready to be used. The frustrating thing is that I know it doesn't have to be this way. I know this because I have a Mac. When I open the lid of my MacBook Pro, it connects to the network nearly instantaneously. In fact, no matter how fast I am, the network comes up before I can even try to load a web page. My curiosity got the better of me, and I set out to investigate how Macs are able to connect to the network so quickly, and how the network connect time in other operating systems could be improved.

I figure there are three main categories of time-consuming activities that occur during network initialization:

Link establishment. This is the activity of establishing communication with the network's link layer. In the case of Wi-Fi, the radio must be powered on, the access point detected, and the optional encryption layer (e.g. WPA) established. After link establishment, the device is able to send and receive Ethernet frames on the network.

Dynamic Host Configuration Protocol (DHCP). Through DHCP handshaking, the device negotiates an IP address for its use on the local IP network. A DHCP server is responsible for managing the IP addresses available for use on the network.

Miscellaneous overhead. The operating system may perform any number of mundane tasks during the process of network initialization, including running scripts, looking up preconfigured network settings in a local database, launching programs, etc.

My investigation thus far is primarily concerned with the DHCP phase, although the other two categories would be interesting to study in the future. I set up a packet capture environment with a spare wireless access point, and observed the network activity of a number of devices as they initialized their network connection.

For a worst-case scenario, let's look at the network activity captured while an Android tablet is connecting: This tablet, presumably in the interest of "optimization", is initially skipping the DHCP discovery phase and immediately requesting its previous IP address. The only problem is this is a different network, so the DHCP server ignores these requests. After about 4.5 seconds, the tablet stubbornly tries again to request its old IP address. After another 4.5 seconds, it resigns itself to starting from scratch, and performs the DHCP discovery needed to obtain an IP address on the new network. In all fairness, this delay wouldn't be so bad if the device was connecting to the same network as it was previously using. However, notice that the tablet waits a full 1.13 seconds after link establishment to even think about starting the DHCP process. Engineering snappiness usually means finding lots of small opportunities to save a few milliseconds here and there, and someone definitely dropped the ball here.

In contrast, let's look at the packet dump from the machine with the lightning-fast network initialization, and see if we can uncover the magic that is happening under the hood: The key to understanding the magic is the first three unicast ARP requests. It looks like Mac OS remembers certain information about not only the last connected network, but the last several networks. In particular, it must at least persist the following tuple for each of these networks:

1. The Ethernet address of the DHCP server
2. The IP address of the DHCP server
3. Its own IP address, as assigned by the DHCP server

During network initialization, the Mac transmits carefully crafted unicast ARP requests with this stored information. For each network in its memory, it attempts to send a request to the specific Ethernet address of the DHCP server for that network, in which it asks about the server's IP address, and requests that the server reply to the IP address which the Mac was formerly using on that network. Unless network hosts have been radically shuffled around, at most only one of these ARP requests will result in a response—the request corresponding to the current network, if the current network happens to be one of the remembered networks.

This network recognition technique allows the Mac to very rapidly discover if it is connected to a known network. If the network is recognized (and presumably if the Mac knows that the DHCP lease is still active), it immediately and presumptuously configures its IP interface with the address it knows is good for this network. (Well, it does perform a self-ARP for good measure, but doesn't seem to wait more than 13ms for a response.) The DHCP handshaking process begins in the background by sending a DHCP request for its assumed IP address, but the network interface is available for use during the handshaking process. If the network was not recognized, I assume the Mac would know to begin the DHCP discovery phase, instead of sending blind requests for a former IP address as the Galaxy Tab does.

The Mac's rapid network initialization can be credited to more than just the network recognition scheme. Judging by the use of ARP (which can be problematic to deal with in user-space) and the unusually regular transmission intervals (a reliable 1.0ms delay between each packet sent), I'm guessing that the Mac's DHCP client system is entirely implemented as tight kernel-mode code. The Mac began the IP interface initialization process a mere 10ms after link establishment, which is far faster than any other device I tested. Android devices such as the Galaxy Tab rely on the user-mode dhcpcd program, which no doubt brings a lot of additional overhead such as loading the program, context switching, and perhaps even running scripts.

The next step for some daring kernel hacker is to implement a similarly aggressive DHCP client system in the Linux kernel, so that I can enjoy fast sign-on speeds on my Android tablet, Android phone, and Ubuntu netbook. There already exists a minimal DHCP client implementation in the Linux kernel, but it lacks certain features such as configuring the DNS nameservers. Perhaps it wouldn't be too much work to extend this code to support network recognition and interface with a user-mode daemon to handle such auxiliary configuration information received via DHCP. If I ever get a few spare cycles, maybe I'll even take a stab at it.

You can also find other ways of optimizing the dhclient program and how it works in the dhclient tutorial on Calomel.org (https://calomel.org/dhclient.html).

***

BSDCam Trip Report (https://www.freebsdfoundation.org/blog/bsdcam-2017-trip-report-michael-lucas/)

Over the decades, FreeBSD development and coordination has shifted from being purely on-line to involving more and more in-person coordination and cooperation. The FreeBSD Foundation sponsors a devsummit right before BSDCan, EuroBSDCon, and AsiaBSDCon, so that developers traveling to the con can leverage their airfare and hammer out some problems. Yes, the Internet is great for coordination, but nothing beats a group of developers spending ten minutes together to sketch on a whiteboard and figuring out exactly how to make something bulletproof. In addition to the coordination efforts, though, conference devsummits are hierarchical. There's a rigid schedule, with topics decided in advance. Someone leads the session. Sessions can be highly informative, passionate arguments, or anything in between. BSDCam is… a little different.
It's an invaluable part of the FreeBSD ecosystem. However, it's something that I wouldn't normally attend. But right now, is not normal. I'm writing a new edition of Absolute FreeBSD. To my astonishment, people have come to rely on this book when planning their deployments and operations. While I find this satisfying, it also increases the pressure on me to get things correct. When I wrote my first FreeBSD book back in 2000, a dozen mailing lists provided authoritative information on FreeBSD development. One person could read every one of those lists. Today, that's not possible—and the mailing lists are only one narrow aspect of the FreeBSD social system. Don't get me wrong—it's pretty easy to find out what people are doing and how the system works. But it's not that easy to find out what people will be doing and how the system will work. If this book is going to be future-proof, I needed to leave my cozy nest and venture into the wilds of Cambridge, England.

Sadly, the BSDCam chair agreed with my logic, so I boarded an aluminum deathtrap—sorry, a “commercial airliner”—and found myself hurtled from Detroit to Heathrow. And one Wednesday morning, I made it to the William Gates building of Cambridge University, consciousness nailed to my body by a thankfully infinite stream of proper British tea. BSDCam attendance is invitation only, and the facilities can only handle fifty folks or so. You need to be actively working on FreeBSD to wrangle an invite. Developers attend from all over the world. Yet, there's no agenda. Robert Watson is the chair, but he doesn't decide on the conference topics. He goes around the room and asks everyone to introduce themselves, say what they're working on, and declare what they want to discuss during the conference. The topics of interest are tallied. The most popular topics get assigned time slots and one of the two big rooms. Folks interested in less popular topics are invited to claim one of the small breakout rooms.

Then the real fun begins. I started by eavesdropping in the virtualization workshop. For two hours, people discussed FreeBSD's virtualization needs, strengths, and weaknesses. What needs help? What should this interface look like? What compatibility is important, and what isn't? By the end of the session, the couple dozen people had developed a reasonable consensus and, most importantly, some folks had added items to their to-do lists. Repeat for a dozen more topics. I got a good grip on what's really happening with security mitigation techniques, FreeBSD's cloud support, TCP/IP improvements, advances in teaching FreeBSD, and more. A BSDCan devsummit presentation on packaging the base system is informative, but eavesdropping on two dozen highly educated engineers arguing about how to nail down the final tidbits needed to make that a real thing is far more educational. To my surprise, I was able to provide useful feedback for some sessions. I speak at a lot of events outside of the FreeBSD world, and was able to share much of what I hear at Linux conferences. A tool that works well for an experienced developer doesn't necessarily work well for everyone.

Every year, I leave BSDCan tired. I left BSDCam entirely exhausted. These intense, focused discussions stretched my brain. But, I have a really good idea where key parts of FreeBSD development are actually headed. This should help future-proof the new Absolute FreeBSD, as much as any computer book can be future-proof. Plus, BSDCam throws the most glorious conference dinner I've ever seen. I want to thank Robert Watson for his kind invitation, and the FreeBSD Foundation for helping defray the cost of this trip.

Interview - The BSDNow Crew

As a kid, what did you dream of to become as an adult?
JT: An Astronaut
BR: I wanted to be a private detective, because of all the crime novels that I read back then. I didn't get far with it.
However, I think the structured analysis skills (who did what, when, and such) help me in debugging and sysadmin work.
AJ: Didn't think about it much

How do you manage to stay organized day to day with so many things you're actively doing each day? (Day job, wife/girlfriend, conferences, hobbies, friends, etc.)
JT: Who said I was organized?
BR: A lot of stuff in my calendar as reminders, open browser tabs as “to read later” list. A few things like task switching when getting stuck helps. Also, focus on a single goal for the day, even though there will be distractions. Slowly, but steadily chip away at the things you're working on. Rather than to procrastinate and put things back to review later, get started early with easy things for a big task and then tackle the hard part. Often, things look totally chaotic and unmanageable, until you start working on them.
AJ: I barely manage. Lots of Google Calendar reminders, and the entire wall of my office is covered in whiteboard sheet todo lists. I use pinboard.in to deal with finding and organizing bookmarks. Write things down, don't trust your memory.

What hobbies outside of IT do you have?
JT: I love photography, but I do that Professional part time, so I'm not sure if that counts as a hobby anymore. I guess it'd have to be working in the garage on my cars.
BR: I do Tai Chi to relax once a week in a group, but can also do it alone, pretty much everywhere. Way too much Youtube watching and browsing the web. I did play some games before studying at the university and I'm still proud that I could control it to the bare minimum not to impact my studies. A few “lapses” from time to time, revisiting the old classics since the newer stuff won't run on my machines anyway. Holiday time is pretty much spent for BSD conferences and events, this is where I can relax and talk with like-minded people from around the world, which is fascinating. Plus, it gets me to various places and countries I never would have dared to visit on my own.
AJ: I play a few video games, and I like to ski, although I don't go very often as most of my vacation time is spent hanging out with my BSD friends at various conferences

How do you relax?
JT: What is this word ‘relax' and what does it mean?
BR: My Tai Chi plays a big part in it I guess. It really calms you and the constant stream of thoughts for a while. It also gives you better clarity of what's important in life. Watching movies, sleeping long.
AJ: Usually watching TV or Movies. Although I have taken to doing most of my TV watching on my exercise bike now, but it is still mentally relaxing

If FreeBSD didn't exist, which BSD flavour would you use? Why?
JT: I use TrueOS, but if FreeBSD didn't exist, that project might not either… so… My other choice would be HardenedBSD, but since it's also based on FreeBSD I'm in the same dilemma.
BR: I once installed NetBSD to see what it can do. If FreeBSD wouldn't exist, I would probably try my luck with it. OpenBSD is also appealing, but I've never installed it.
AJ: When I started using FreeBSD in 2000, the only other BSD I had heard of at the time was OpenBSD. If FreeBSD wasn't around, I don't think the world would look like it does, so it is hard to speculate.

If any of the BSD's weren't around and you had to use Linux, which camp would you belong to? (Redhat, SUSE, Debian, Ubuntu, Gentoo?)
JT: I learned Linux in the mid 90s using Slackware, which I used consistently up until the mid 2000s, when I joined the PuppyLinux community and eventually became a developer (FYI, Puppy was/is/can be based on Slackware -- its complicated). So I'd go back to using either Slackware or PuppyLinux.
BR: I tried various Linux distributions until I landed at Debian. I used it pretty extensively as my desktop OS at home, building custom kernels and packages to install them until I discovered FreeBSD. I ran both side by side for a few months for learning until one day I figured out that I had not booted Debian in a while, so I switched completely.
AJ: The first Linux I played with was Slackware, and it is the most BSD like, but the bits of Linux I learned in school were Redhat and so I can somewhat wrap my head around it, although now that they are changing everything to systemd, all of that old knowledge is more harmful than useful.

Are you still finding yourself in need to use Windows/Mac OS? Why?
JT: I work part time as a professional Photographer, so I do use Windows for my photography work. While I can do everything I need to do in Linux, it comes down to being pragmatic about my time. What takes me several hours to accomplish in Linux I can accomplish in 20 minutes on Windows.
BR: I was a long time Windows-only user before my Unix days. But back when Vista was about to come out and I needed a new laptop, my choice was basically learning to cope with Vista's awful features or learn MacOS X. I did the latter, it increased my productivity since it's really a good Unix desktop experience (at least, back then). I only have to use Windows at work from time to time as I manage our Windows Terminal server, which keeps the exposure low enough and I only connect to it to use a certain app not available for the Mac or the BSDs.
AJ: I still use Windows to play games, for a lot of video conferencing, and to produce BSD Now. Some of it could be done on BSD but not as easily. I have promised myself that I will switch to 100% BSD rather than upgrade to Windows 10, so we'll see how that goes.

Please describe your home networking setup. Router type, router OS, router hardware, network segmentation, wifi apparatus(es), other devices connected, and anything else that might be interesting about your home network.
BR: Very simple and boring: Apple Airport Express base station and an AVM FritzBox for DNS, DHCP, and the link to my provider.
A long network cable to my desktop machine. That I use less and less often. I just bought an RPI 3 for some home use in the future to replace it. Mostly my brother's and my Macbook Pro's are connected, our phones and the iPad of my mother.
AJ: I have a E3-1220 v3 (dual 3.1ghz + HT) with 8 GB of ram, and 4x Intel gigabit server NICs as my router, and it runs vanilla FreeBSD (usually some snapshot of -current). I have 4 different VLANs, Home, Office, DMZ, and Guest WiFi. WiFi is served via a tiny USB powered device I bought in Tokyo years ago, it serves 3 different SSIDs, one for each VLAN except the DMZ. There are ethernet jacks in every room wired for 10 gigabit, although the only machines with 10 gigabit are my main workstation, file server, and some machines in the server rack. There are 3 switches, one for the house (in the laundry room), one for the rack, and one for 10gig stuff. There is a rack in the basement spare bedroom, it has 7 servers in it, mostly storage for live replicas of customer data for my company.

How do you guys manage to get your work done on FreeBSD desktops? What do you do when you need a Linux or Windows app that isn't ported, or working? I've made several attempts to switch to FreeBSD, but each attempt failed because of tools not being available (e.g. Zoom, Dropbox, TeamViewer, Crashplan) or broken (e.g. VirtualBox).
BR: I use VirtualBox for everything that is not natively available or Windows-only. Unfortunately, that means no modern games. I mostly do work in the shell when I'm on FreeBSD and when it has to be a graphical application, then I use Fluxbox as the DE. I want to get work done, not look at fancy eye-candy that gets boring after a while. Deactivated the same stuff on my mac due to the same reason. I look for alternative software online, but my needs are relatively easy to satisfy as I'm not doing video editing/rendering and such.
AJ: I generally find that I don't need these apps. I use Firefox, Thunderbird, OpenSSH, Quassel, KomodoEdit, and a few other apps, so my needs are not very demanding. It is annoying when packages are broken, but I usually work around this with boot environments, and being able to just roll back to a version that worked for a few days until the problem is solved. I do still have access to a windows machine for the odd time I need specific VPN software or access to Dell/HP etc out-of-band management tools.

Which desktop environments are your favorite, and why? For example, I like i3, Xfce, and I'm drawn to Lumina's ethos, but so far always seem to end up back on Xfce because of its ease of use, flexibility, and dashing good looks.
JT: As a Lumina Desktop developer, I think my preference is obvious. ;) I am also a long-time OpenBox user, so I have a soft place in my heart for that as well.
BR: I use Fluxbox when I need to work with a lot of windows or an application demands X11. KDE and others are too memory heavy for me and I rarely use even 20% of the features they provide.
AJ: I was a long time KDE user, but I have adopted Lumina. I find it fast, and that it gets out of my way and lets me do what I want. It had some annoyances early on, but I've nagged the developers into making it work for me.

Which command-line shells do you prefer, why, and how (if at all) have you customised the environment or prompt?
BR: I use zsh, but without all the fancy stuff you can find online. It might make you more productive, yes. But again, I try to keep things simple. I'm slowly learning tmux and want to work more in it in the future. I sometimes look at other BSD people's laptops and am amazed at what they do with window-management in tmux. My prompt looks like this:
```
bcr@Voyager:~> 20:20 17-08-17
```
Put this in your .zshrc to get the same result:
```
PROMPT='%n@%m:%~>'
RPROMPT='%T %D'
```
AJ: I started using tcsh early on, because it was the shell on the first box I had access to, and because one of the first things I read in “BSD Hacks” was how to enable ‘typo correction”, which made my life a lot better especially on dial up in the early days. My shell prompt looks like this:
```
allan@CA-TOR1-02:/usr/home/allan%
```

What is one thing (or more) missing in FreeBSD you would import from another project or community? Could be tech, process, etc.
JT: AUFS from Linux
BR: Nohup from Illumos where you can detach an already running process and put it in the background. I often forget that and I'm not in tmux when that happens, so I can see myself use that feature a lot.
AJ: Zones (more complete Jails) from IllumOS

How do you manage your time to learn about and work on FreeBSD? Does your work/employment enable what you do, or are your contributions mainly done in private time?
JT: These days I'm mostly learning things I need for work, so it just falls into something I'm doing while working on work projects.
BR: We have a lot of time during the semester holidays to learn on our own, it's part of the idea of being in a university to keep yourself updated, at least for me. Especially in the fast moving world of IT. I also read a lot in my free time. My interests can shift sometimes, but then I devour everything I can find on the topic. Can be a bit excessive, but has gotten me where I am now and I still need a lot to learn (and want to). Since I work with FreeBSD at work (my own doing), I can try out many things there.
AJ: My work means I spend a lot of time working with FreeBSD, but not that much time working ON it. My contributions are mostly done outside of work, but as I own the company I do get more flexibility to take time off for conferences and other FreeBSD related stuff.

We know we can bribe Michael W Lucas with gelato (good gelato that is), but what can we use to bribe you guys? Like when I want to have Allan work on fixing a bug which prevents me from running ZFS on this fancy rock64 board?
BR: Desserts of various kinds.
AJ: I am probably not the right person to look at your rock64 board. Most people in the project have taken to bribing me with chocolate. In general, my todo list is so long, the best way is a trade, you take this task and I'll take that task.

Is your daily mobile device iOS, Android, Windows Mobile, or other? Why?
JT: These days I'm using Android on my Blackberry Priv, but until recently I was still a heavy user of Sailfish OS. I would use SailfishOS everyday, if I could find a phone with a keyboard that I could run it on.
BR: iOS on the iPhone 7 currently. Never used an Android phone, saw it on other people's devices and what they can do with it (much more). But the infrequent security updates (if any at all) keep me away from it.
AJ: I have a Google Nexus 6 (Android 7.1). I wanted the ‘pure' Android experience, and I had been happy with my previous Nexus S. I don't run a custom OS/ROM or anything because I use the phone to verify that video streams work on an ‘average users device'. I am displeased that support for my device will end soon. I am not sure what device I will get next, but it definitely won't be an iPhone.

News Roundup

Beta Update - Request for (more) Testing (http://undeadly.org/cgi?action=article&sid=20170808065718&mode=flat&count=30)

https://beta.undeadly.org/ has received an update. The most significant changes include:
The site has been given a less antiquated "look". (As the topic icons have been eliminated, we are no longer seeking help with those graphics.)
The site now uses a moderate amount of semantic HTML5.
Several bugs in the HTML fragment validator (used for submissions and comments) have been fixed.
To avoid generating invalid HTML, submission content which fails validation is no longer displayed in submission/comment previews.
Plain text submissions are converted to HTML in a more useful fashion. (Instead of just converting each EOL to a line break, the converter now generates proper paragraphs and interprets two or more consecutive EOLs as indicating a paragraph break.)

The redevelopment remains a work-in-progress. Many thanks to those who have contributed! As before, constructive feedback would be appreciated. Of particular interest are reports of bugs in behaviour (for example, in the HTML validator or in authentication) that would preclude the adoption of the current code for the main site.

High-process-count support added to master (http://lists.dragonflybsd.org/pipermail/users/2017-August/313552.html)

We've fixed a number of bottlenecks that can develop when the number of user processes runs into the tens of thousands or higher. One thing led to another and I said to myself, "gee, we have a 6-digit PID, might as well make it work to a million!". With the commits made today, master can support at least 900,000 processes with just a kern.maxproc setting in /boot/loader.conf, assuming the machine has the memory to handle it.

And, in fact, as today's machines start to ratchet up there in both memory capacity and core count, with fast storage (NVMe) and fast networking (10GigE and higher), even in consumer boxes, this is actually something that one might want to do. With AMD's threadripper and EPYC chips now out, the Intel/AMD cpu wars are back on! Boasting up to 32 cores (64 threads) per socket and two sockets on EPYC, terabytes of ram, and motherboards with dual 10GigE built-in, the reality is that these numbers are already achievable in a useful manner.

In any case, I've tested these changes on a dual-socket xeon. I can in-fact start 900,000 processes. They don't get a whole lot of cpu and running 'ps' would be painful, but it works and the system is still responsive from the shell with all of that going on.
```
xeon126# uptime
1:42PM up 9 mins, 3 users, load averages: 890407.00, 549381.40, 254199.55
```
In fact, judging from the memory use, these minimal test processes only eat around 60KB each. 900,000 of them ate only 55GB on a 128GB machine. So even a million processes is not out of the question, depending on the cpu requirements for those processes. Today's modern machines can be stuffed with enormous amounts of memory. Of course, our PIDs are currently limited to 6 digits, so a million is kinda the upper limit in terms of discrete user processes (versus pthreads which are less restricted). I'd rather not go to 7 digits (yet).

CFT: Driver for generic MS Windows 7/8/10 - compatible USB HID multi-touch touchscreens (https://lists.freebsd.org/pipermail/freebsd-current/2017-August/066783.html)

Following patch [1] adds support for generic MS Windows 7/8/10 - compatible USB HID multi-touch touchscreens via evdev protocol. It is intended to be a native replacement of hid-multitouch.c driver found in Linux distributions and multimedia/webcamd port. Patch is made for 12-CURRENT and most probably can be applied to recent 11-STABLE and 11.1-RELEASE (not tested)

How to test:
1. Apply patch [1]
2. To compile this driver into the kernel, place the following lines into your kernel configuration file:
```
device wmt
device usb
device evdev
```
Alternatively, to load the driver as a module at boot time, place the following line in loader.conf(5):
```
wmt_load="YES"
```
3. Install x11-drivers/xf86-input-evdev or x11-drivers/xf86-input-libinput port
4. Tell XOrg to use evdev or libinput driver for the device:
```
Section "ServerLayout"
	InputDevice "TouchScreen0" "SendCoreEvents"
EndSection

Section "InputDevice"
	Identifier "TouchScreen0"
	Driver "evdev"
#	Driver "libinput"
	Option "Device" "/dev/input/eventXXX"
EndSection
```
Exact value of "/dev/input/eventXXX" can be obtained with evemu-record utility from devel/evemu.

Note1: Currently, driver does not support pens or touchpads.
Note2: wmt.ko should be kld-loaded before uhid driver to take precedence over it! Otherwise uhid can be kld-unloaded after loading of wmt.

wmt review: https://reviews.freebsd.org/D12017
Raw diff: https://reviews.freebsd.org/D12017.diff

***

Beastie Bits

BSDMag Programming Languages Infographic (https://bsdmag.org/programm_history/)
t2k17 Hackathon Report: Bob Beck on buffer cache tweaks, libressl and pledge progress (http://undeadly.org/cgi?action=article&sid=20170815171854)
New FreeBSD Journal (https://www.freebsdfoundation.org/past-issues/resource-control/)
NetBSD machines at Open Source Conference 2017 Kyoto (http://mail-index.netbsd.org/netbsd-advocacy/2017/08/10/msg000744.html)

***

Feedback/Questions

Dan - HDD question (http://dpaste.com/3H6TDJV)
Benjamin - scrub of death (http://dpaste.com/10F086V)
Jason - Router Opinion (http://dpaste.com/2D9102K)
Sohrab - Thanks (http://dpaste.com/1XYYTWF)

***

BSD Now
191: I Know 64 & A Bunch More

BSD Now

Play Episode Listen Later Apr 26, 2017 126:58


We cover TrueOS/Lumina working to be less dependent on Linux, how the IllumOS network stack works, throttling the password gropers, and the 64-bit inode call for testing. This episode was brought to you by

Headlines

vBSDCon CFP closed April 29th (https://easychair.org/conferences/?conf=vbsdcon2017)
EuroBSDCon CFP closes April 30th (https://2017.eurobsdcon.org/2017/03/13/call-for-proposals/)

Developer Commentary: Philosophy, Evolution of TrueOS/Lumina, and Other Thoughts. (https://www.trueos.org/blog/developer-commentary-philosophy-evolution-trueoslumina-thoughts/)

Philosophy of Development

- No project is an island. Every single project needs or uses some other external utility, library, communications format, standards compliance, and more in order to be useful.
- A static project is typically a dead project. A project needs regular upkeep and maintenance to ensure it continues to build and run with the current ecosystem of libraries and utilities, even if the project has no considerable changes to the code base or feature set.
- “Upstream” decisions can have drastic consequences on your project. Through no fault of yours, your project can be rendered obsolete or broken by changing standards in the global ecosystem that affect your project's dependencies.
- Operating system focus is key. What OS is the project originally designed for? This determines how the “upstream” dependencies list appears and which “heartbeat” to monitor.

Evolution of PC-BSD, Lumina, and TrueOS

With these principles in mind – let's look at PC-BSD, Lumina, and TrueOS.

PC-BSD: PC-BSD was largely designed around KDE on FreeBSD. KDE/Plasma5 has been available for Linux OS's for well over a year, but is still not generally available on FreeBSD. It is still tucked away in the experimental “area51” repository where people are trying to get it working first.

Lumina: As a developer with PC-BSD for a long time, and a tester from nearly the beginning of the project, I was keenly aware the “winds of change” were blowing in the open-source ecosystem.

TrueOS: All of these ecosystem changes finally came to a head for us near the beginning of 2016. KDE4 was starting to deteriorate underneath us, and the FreeBSD “Release” branch would never allow us to compete with the rate of graphics driver or standards changes coming out of the Linux camp.

The Rename and Next Steps

With all of these changes and the lack of a clear “upgrade” path from PC-BSD to the new systems, we decided it was necessary to change the project itself (name and all). To us, this was the only way to ensure people were aware of the differences, and that TrueOS really is a different kind of project from PC-BSD. Note this was not a “hostile takeover” of the PC-BSD project by rabid FreeBSD fanatics. This was more a refocusing of the PC-BSD project into something that could ensure longevity and reliability for the foreseeable future.

Does TrueOS have bugs and issues? Of course! That is the nature of “rolling” with upstream changes all the time. Not only do you always get the latest version of something (a good thing), you also find yourself on the “front line” for finding and reporting bugs in those same applications (a bad thing if you like consistency or stability). What you are also seeing is just how much “churn” happens in the open-source ecosystem at any given time.

We are devoted to providing our users (and ourselves – don't forget we use TrueOS every day too!) a stable, reliable, and secure experience. Please be patient as we continue striving toward this goal in the best way possible, not just doing what works for the moment, but the project's future too.

Robert Mustacchi: Excerpts from The Soft Ring Cycle #1 (https://www.youtube.com/watch?v=vnD10WQ2930)

- The author of the “Turtles on the Wire” post we featured the other week is back with a video.
- Joyent has started a new series of lunchtime technical discussions to share information as they grow their engineering team.
- This video focuses on the network stack, how it works, and how it relates to virtualization and multi-tenancy. Basically, how the network stack on IllumOS works when you have virtual tenants, be they virtual machines or zones.
- The video describes the many layers of the network stack, how they work together, and how they can be made to work quickly.
- It also talks about the trade-offs between high throughput and low latency.
- How security is enforced, so virtual tenants cannot send packets into VLANs they are not members of, or receive traffic that they are not allowed to by the administrator.
- How incoming packets are classified, and eventually delivered to the intended destination.
- How the system decides if it has enough available resources to process the packet, or if it needs to be dropped.
- How interface polling works on IllumOS (a lot different than on FreeBSD).
- Then the last 20 minutes are about how the qemu interface of the KVM hypervisor interfaces with the network stack.
- We look forward to seeing more of these videos as they come out.

***

Forcing the password gropers through a smaller hole with OpenBSD's PF queues (http://bsdly.blogspot.com/2017/04/forcing-password-gropers-through.html)

While preparing material for the upcoming BSDCan PF and networking tutorial (http://www.bsdcan.org/2017/schedule/events/805.en.html), I realized that the pop3 gropers were actually not much fun to watch anymore. So I used the traffic shaping features of my OpenBSD firewall to let the miscreants inflict some pain on themselves. Watching logs became fun again.

The actual useful parts of this article follow; take this as a walkthrough of how to mitigate a wide range of threats and annoyances.

First, analyze the behavior that you want to defend against. In our case that's fairly obvious: We have a service that's getting a volume of unwanted traffic, and looking at our logs the attempts come fairly quickly with a number of repeated attempts from each source address.

I've written about the rapid-fire ssh bruteforce attacks and their mitigation before (and of course it's in The Book of PF) as well as the slower kind where those techniques actually come up short. The traditional approach to ssh bruteforcers has been to simply block their traffic, and the state-tracking features of PF let you set up overload criteria that add the source addresses to the table that holds the addresses you want to block.

For the system that runs our pop3 service, we also have a PF ruleset in place with queues for traffic shaping. For some odd reason that ruleset is fairly close to the HFSC traffic shaper example in The Book of PF, and it contains a queue that I set up mainly as an experiment to annoy spammers (as in, the ones that are already for one reason or the other blacklisted by our spamd). The queue is defined like this:

```
queue spamd parent rootq bandwidth 1K min 0K max 1K qlimit 300
```

Yes, that's right. A queue with a maximum throughput of 1 kilobit per second. I have been warned that this is small enough that the code may be unable to strictly enforce that limit due to the timer resolution in the HFSC code. But that didn't keep me from trying.

Now a few small additions to the ruleset are needed for the good to put the evil to the task. We start with a table to hold the addresses we want to mess with. Actually, I'll add two, for reasons that will become clear later:

```
table persist counters
table persist counters
```

The rules that use those tables are:

```
block drop log (all) quick from
pass in quick log (all) on egress proto tcp from to port pop3 flags S/SA keep state (max-src-conn 2, max-src-conn-rate 3/3, overload flush global, pflow) set queue spamd
pass in log (all) on egress proto tcp to port pop3 flags S/SA keep state (max-src-conn 5, max-src-conn-rate 6/3, overload flush global, pflow)
```

The last one lets anybody connect to the pop3 service, but any one source address can have only five simultaneous connections open, and at a rate of six over three seconds.

The results were immediately visible. Monitoring the queues using pfctl -vvsq shows the tiny queue works as expected:

```
queue spamd parent rootq bandwidth 1K, max 1K qlimit 300
  [ pkts:     196136  bytes:   12157940  dropped pkts: 398350 bytes: 24692564 ]
  [ qlength: 300/300 ]
  [ measured:     2.0 packets/s, 999.13 b/s ]
```

and looking at the pop3 daemon's log entries, a typical encounter looks like this:

```
Apr 19 22:39:33 skapet spop3d[44875]: connect from 111.181.52.216
Apr 19 22:39:33 skapet spop3d[75112]: connect from 111.181.52.216
Apr 19 22:39:34 skapet spop3d[57116]: connect from 111.181.52.216
Apr 19 22:39:34 skapet spop3d[65982]: connect from 111.181.52.216
Apr 19 22:39:34 skapet spop3d[58964]: connect from 111.181.52.216
Apr 19 22:40:34 skapet spop3d[12410]: autologout time elapsed - 111.181.52.216
Apr 19 22:40:34 skapet spop3d[63573]: autologout time elapsed - 111.181.52.216
Apr 19 22:40:34 skapet spop3d[76113]: autologout time elapsed - 111.181.52.216
Apr 19 22:40:34 skapet spop3d[23524]: autologout time elapsed - 111.181.52.216
Apr 19 22:40:34 skapet spop3d[16916]: autologout time elapsed - 111.181.52.216
```

Here the miscreant comes in way too fast and only manages to get five connections going before they're shunted to the tiny queue to fight it out with known spammers for a share of bandwidth.
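The rate half of the pass rule above (max-src-conn-rate 6/3: more than six new connections from one address inside three seconds) can be re-derived offline from the pop3 daemon's own log, which is a useful way to tune the numbers before putting them in pf.conf. The script below is an added example written for this page, not code from the article, from The Book of PF or from OpenBSD; it assumes the spop3d log format shown above and runs over constructed log lines with documentation-range addresses. It covers only the rate criterion: the simultaneous-connection limit (max-src-conn 5) depends on connection state that PF tracks in the kernel and that a connect/autologout log only approximates.

```sh
#!/bin/sh
# Added example: re-derive PF's max-src-conn-rate N/W check from spop3d log lines.
# Prints each source address (once) that opens more than N connections
# within any trailing W-second window, in the order it is first caught.
# Assumes syslog-style lines like the article's:
#   Apr 19 22:39:33 skapet spop3d[44875]: connect from 111.181.52.216
# Times are taken from the HH:MM:SS field only, so a log crossing midnight
# would need the date folded into the timestamp as well.
rate_check() {
    # $1 = N (max connections), $2 = W (window in seconds); log on stdin
    awk -v max="$1" -v win="$2" '
    / spop3d\[[0-9]+\]: connect from / {
        split($3, t, ":")
        now = t[1] * 3600 + t[2] * 60 + t[3]
        ip = $NF
        n[ip]++
        ts[ip, n[ip]] = now           # remember every connect per source
        # count connects from this source inside the trailing window
        c = 0
        for (i = n[ip]; i >= 1 && ts[ip, i] > now - win; i--) c++
        if (c > max && !(ip in flagged)) { flagged[ip] = 1; print ip }
    }'
}

# Constructed sample log (documentation-range addresses, not real hosts):
# 198.51.100.7 opens seven connections within two seconds, 203.0.113.5 two
# connections half a minute apart. Autologout lines are ignored.
SAMPLE_LOG='Apr 19 22:39:33 skapet spop3d[44875]: connect from 198.51.100.7
Apr 19 22:39:33 skapet spop3d[75112]: connect from 198.51.100.7
Apr 19 22:39:33 skapet spop3d[57116]: connect from 198.51.100.7
Apr 19 22:39:34 skapet spop3d[65982]: connect from 203.0.113.5
Apr 19 22:39:34 skapet spop3d[58964]: connect from 198.51.100.7
Apr 19 22:39:34 skapet spop3d[12410]: connect from 198.51.100.7
Apr 19 22:39:34 skapet spop3d[63573]: connect from 198.51.100.7
Apr 19 22:39:34 skapet spop3d[76113]: connect from 198.51.100.7
Apr 19 22:39:40 skapet spop3d[23524]: autologout time elapsed - 198.51.100.7
Apr 19 22:40:10 skapet spop3d[16916]: connect from 203.0.113.5'

# Apply the article's 6/3 rate over the sample: only 198.51.100.7 trips it.
demo() {
    printf '%s\n' "$SAMPLE_LOG" | rate_check 6 3
}

demo
```

Feed a real log through `rate_check N W` with a few candidate N/W pairs before committing to one: the pair that flags the bulk sources while leaving legitimate mail clients (which poll, but rarely more than a handful of times per minute) unflagged is the one to put in the rule. Note that the article's own five-connections-in-two-seconds excerpt does not exceed 6/3; it was caught by max-src-conn, which is exactly why the rule carries both limits.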
One important takeaway from this, and possibly the most important point of this article, is that it does not take a lot of imagination to retool this setup to watch for and protect against undesirable activity directed at essentially any network service. You pick the service and the ports it uses, then figure out what are the parameters that determine what is acceptable behavior. Once you have those parameters defined, you can choose to assign to a minimal queue like in this example, block outright, redirect to something unpleasant or even pass with a low probability.

64-bit inodes (ino64) Status Update and Call for Testing (https://lists.freebsd.org/pipermail/freebsd-fs/2017-April/024684.html)

Inodes are data structures corresponding to objects in a file system, such as files and directories. FreeBSD has historically used 32-bit values to identify inodes, which limits file systems to somewhat under 2^32 objects. Many modern file systems internally use 64-bit identifiers and FreeBSD needs to follow suit to properly and fully support these file systems.

The 64-bit inode project, also known as ino64, started life many years ago as a project by Gleb Kurtsou (gleb@). After that time several people have had a hand in updating it and addressing regressions, after mckusick@ picked up and updated the patch, and acted as a flag-waver.

Overview: The ino64 branch extends the basic system types ino_t and dev_t from 32-bit to 64-bit, and nlink_t from 16-bit to 64-bit.

Motivation: The main risk of the ino64 change is the uncontrolled ABI breakage.

Quirks: We handled kinfo sysctl MIBs, but other MIBs which report structures depended on the changed type, are not handled in general. It was considered that the breakage is either in the management interfaces, where we usually allow ABI slip, or is not important.

Testing procedure: The ino64 project can be tested by cloning the project branch from GitHub or by applying the patch to a working tree.

- New kernel, old world.
- New kernel, new world, old third-party applications.
- 32bit compat.
- Targeted tests.
- NFS server and client test
- Other filesystems
- Test accounting

Ports Status with ino64: A ports exp-run for ino64 is open in PR 218320.

5.1. LLVM: LLVM includes a component called Address Sanitizer or ASAN, which tries to intercept syscalls, and contains knowledge of the layout of many system structures. Since stat and lstat syscalls were removed and several types and structures changed, this has to be reflected in the ASAN hacks.

5.2. lang/ghc: The ghc compiler and parts of the runtime are written in Haskell, which means that to compile ghc, you need a working Haskell compiler for bootstrap.

5.3. lang/rust: Rustc has a similar structure to GHC, and same issue. The same solution of patching the bootstrap was done.

Next Steps: The tentative schedule for the ino64 project:

- 2017-04-20 Post wide call for testing: Investigate and address port failures with maintainer support
- 2017-05-05 Request second exp-run with initial patches applied: Investigate and address port failures with maintainer support
- 2017-05-19 Commit to HEAD: Address post-commit failures where feasible

***

News Roundup

Sing, beastie, sing! (http://meka.rs/blog/2017/01/25/sing-beastie-sing/)

FreeBSD digital audio workstation, or DAW for short, is now possible. At this very moment it's not that user friendly, but you'll manage. What I want to say is that I worked on porting some of the audio apps to FreeBSD, met some other people interested in porting audio stuff and became heavily involved with DrumGizmo, a drum sampling engine.

Let me start with the basic setup. FreeBSD doesn't have hard real-time support, but it's pretty close. For the needs of audio, FreeBSD's implementation of real-time is sufficient and, in my opinion, superior to the one you can get on Linux with the RT patch (which is ugly, not supported by distributions and breaks apps like VirtualBox).

As default install of FreeBSD is concerned with real-time too much, we have to tweak sysctl a bit, so append this to your /etc/sysctl.conf:

```
kern.timecounter.alloweddeviation=0
hw.usb.uaudio.buffer_ms=2 # only on -STABLE for now
hw.snd.latency=0
kern.coredump=0
```

So let me go through the list. First item tells FreeBSD how many events it can aggregate (or wait for) before emitting them. The reason this is the default is because aggregating events saves power a bit, and currently more laptops are running FreeBSD than DAWs. Second one is the lowest possible buffer for USB audio driver. If you're not using USB audio, this won't change a thing. Third one has nothing to do with real-time, but dealing with programs that consume ~3GB of RAM, dumping cores around made a problem on my machine. Besides, core dumps are only useful if you know how to debug the problem, or someone is willing to do that for you. I like to not generate those files by default, but if some app is constantly crashing, I enable dumps, run the app, crash it, and disable dumps again. I lost 30GB in under a minute by examining 10 different drumkits of DrumGizmo and all of them gave me 3GB of core file, each.

- More setup instructions follow, including jackd setup and PulseAudio using virtual_oss.

With this setup I can play OSS, JACK and PulseAudio sound all at the same time, which I was not able to do on Linux.

FreeBSD 11 Unbound DNS server (https://itso.dk/?p=499)

In FreeBSD, there is a built-in DNS server called Unbound. So why would you run a local DNS server? I am in a region where internet traffic is still a bit expensive, that also implies slow, and high response times. To speed that up a little, you can use your own DNS server. It will speed up because for every homepage you visit, there will be several hooks to other domains: commercials, site components, and links to other sites. These will now all be cached locally on your new DNS server.

In my case I use an old PC-Engine Alix board for my home DNS server, but you can use almost everything: Raspberry Pi, old laptop/desktop and others. As long as it runs FreeBSD.

- Goes into more details about what commands to run and which services to start
- Try it out if you are in a similar situation

***

Why it is important that documentation and tutorials be correct and carefully reviewed (https://arxiv.org/pdf/1704.02786.pdf)

- A group of researchers found that a lot of online web programming tutorials contain serious security flaws. They decided to do a research project to see how this impacts software that is written possibly based on those tutorials.
- They used a number of simple google search terms to make a list of tutorials, and manually audited them for common vulnerabilities.
- They then crawled GitHub to find projects with very similar code snippets that might have been taken from those tutorials.

The Web is replete with tutorial-style content on how to accomplish programming tasks. Unfortunately, even top-ranked tutorials suffer from severe security vulnerabilities, such as cross-site scripting (XSS), and SQL injection (SQLi). Assuming that these tutorials influence real-world software development, we hypothesize that code snippets from popular tutorials can be used to bootstrap vulnerability discovery at scale. To validate our hypothesis, we propose a semi-automated approach to find recurring vulnerabilities starting from a handful of top-ranked tutorials that contain vulnerable code snippets. We evaluate our approach by performing an analysis of tens of thousands of open-source web applications to check if vulnerabilities originating in the selected tutorials recur. Our analysis framework has been running on a standard PC, analyzed 64,415 PHP codebases hosted on GitHub thus far, and found a total of 117 vulnerabilities that have a strong syntactic similarity to vulnerable code snippets present in popular tutorials. In addition to shedding light on the anecdotal belief that programmers reuse web tutorial code in an ad hoc manner, our study finds disconcerting evidence of insufficiently reviewed tutorials compromising the security of open-source projects. Moreover, our findings testify to the feasibility of large-scale vulnerability discovery using poorly written tutorials as a starting point.

The researchers found 117 vulnerabilities; of these, at least 8 appear to be nearly exact copy/pastes of the tutorials that were found to be vulnerable.

***

1.3.0 Development Preview: New icon themes (https://lumina-desktop.org/1-3-0-development-preview-new-icon-themes/)

As version 1.3.0 of the Lumina desktop starts getting closer to release, I want to take a couple weeks and give you all some sneak peeks at some of the changes/updates that we have been working on (and are in the process of finishing up).

New icon theme (https://lumina-desktop.org/1-3-0-development-preview-new-icon-themes/)

Material Design Light/Dark

There are a lot more icons available in the reference icon packs which we still have not gotten around to renaming yet, but this initial version satisfies all the XDG standards for an icon theme + all the extra icons needed for Lumina and its utilities + a large number of additional icons for application use.

This highlights one of the big things that I love about Lumina: it gives you an interface that is custom-tailored to YOUR needs/wants – rather than expecting YOU to change your routines to accommodate how some random developer/designer across the world thinks everybody should use a computer.

Lumina Media Player (https://lumina-desktop.org/1-3-0-development-preview-lumina-mediaplayer/)

This is a small utility designed to provide the ability for the user to play audio and video files on the local system, as well as stream audio from online sources. For now, only the Pandora internet radio service is supported via the “pianobar” CLI utility, which is an optional runtime dependency. However, we hope to gradually add new streaming sources over time.

For a long time I had been using another Pandora streaming client on my TrueOS desktop, but it was very fragile with respect to underlying changes: LibreSSL versions for example. The player would regularly stop functioning for a few update cycles until a version of LibreSSL which was “compatible” with the player was used. After enduring this for some time, I was finally frustrated enough to start looking for alternatives. A co-worker pointed me to a command-line utility called “pianobar”, which was also a small client for Pandora radio. After using pianobar for a couple weeks, I was impressed with how stable it was and how little “overhead” it required with regards to extra runtime dependencies. Of course, I started thinking “I could write a Qt5 GUI for that!”. Once I had a few free hours, I started writing what became lumina-mediaplayer. I started with the interface to pianobar itself to see how complicated it would be to interact with, but after a couple days of tinkering in my spare time, I realized I had a full client to Pandora radio basically finished.

Beastie Bits

vBSDCon CFP closes April 29th (https://easychair.org/conferences/?conf=vbsdcon2017)
EuroBSDCon CFP closes April 30th (https://2017.eurobsdcon.org/2017/03/13/call-for-proposals/)
clang(1) added to base on amd64 and i386 (http://undeadly.org/cgi?action=article&sid=20170421001933)
Theo: “Most things come to an end, sorry.” (https://marc.info/?l=openbsd-misc&m=149232307018311&w=2)
ASLR, PIE, NX, and other capital letters (https://www.dragonflydigest.com/2017/04/24/19609.html)
How SSH got port number 22 (https://www.ssh.com/ssh/port)
Netflix Serving 90Gb/s+ From Single Machines Using Tuned FreeBSD (https://news.ycombinator.com/item?id=14128637)
Compressed zfs send / receive lands in FreeBSD HEAD (https://svnweb.freebsd.org/base?view=revision&revision=317414)

***

Feedback/Questions

Steve - FreeBSD Jobs (http://dpaste.com/3QSMYEH#wrap)
Mike - CuBox i4Pro (http://dpaste.com/0NNYH22#wrap)
Steve - Year of the BSD Desktop? (http://dpaste.com/1QRZBPD#wrap)
Brad - Configuration Management (http://dpaste.com/2TFV8AJ#wrap)

***