Wow, just when you thought big government was someone else's problem
This comes from Lauren Weinstein's list and it's worth a read. It's a bill introduced into legislation, who knows where and when and if it will become law but, wow.

http://lauren.vortex.com/Cyber-S-2009.pdf

I'll just give you a teaser:

SEC. 9. SECURE DOMAIN NAME ADDRESSING SYSTEM.

(a) IN GENERAL.—Within 3 years after the date of enactment of this Act, the Assistant Secretary of Commerce for Communications and Information shall develop a strategy to implement a secure domain name addressing system. The Assistant Secretary shall publish notice of the system requirements in the Federal Register together with an implementation schedule for Federal agencies and information systems or networks designated by the President, or the President's designee, as critical infrastructure information systems or networks.

Other pearls of wisdom: the government will license all "cyber" security folks and you don't work on government or "any network deemed by the president to be critical infrastructure" without one.

If only we knew: to achieve a secure DNS all you need to do is publish a notice in the Federal Register.

jy
Re: Wow, just when you thought big government was someone else's problem
On Sat, Apr 4, 2009 at 2:33 PM, Jeff Young wrote:
> This comes from Lauren Weinstein's list and it's worth a read.
> It's a bill introduced into legislation, who knows where and when
> and if it will become law but, wow.
>
> http://lauren.vortex.com/Cyber-S-2009.pdf

Relying on Lauren to hear about cybersecurity related news is like relying on Fox News for an accurate picture of what Obama is doing. Ignore.

> I'll just give you a teaser:
>
> SEC. 9. SECURE DOMAIN NAME ADDRESSING SYSTEM.

There's more than enough government supported work going on that promotes DNSSEC, in case you're not aware?

> Other pearls of wisdom: the government will license all "cyber" security
> folks and you don't work on government or "any network deemed by
> the president to be critical infrastructure" without one.

Do you by any chance get to go work on sensitive government networks without, say, a security clearance?

--srs
Re: Nipper and Cisco configuration results
I looked at the configurations yesterday on the routers. The vty line does not have any "transport" line below it. All the routers showing "Rlogin enabled" have similar configuration.

What are the default services that are enabled for vty on IOS 12.4? I know there are only telnet, SSH and Rlogin. Is there any particular sequence in which IOS processes the vty access?

Subba Rao

--- On Thu, 4/2/09, Lee wrote:

From: Lee
Subject: Re: Nipper and Cisco configuration results
To: castellan2004-...@yahoo.com
Cc: nanog@nanog.org
Date: Thursday, April 2, 2009, 11:31 PM

On 4/2/09, Subba Rao wrote:
> I am using Nipper for verifying my Cisco configuration. Nipper is finding
> the "rlogin" service that is not in the configuration. I have searched the
> access lists and do not see it anywhere. The explanation by Nipper about
> this finding, "Telnet protocol implemented by this service" is
> confusing. Here is the Nipper's output:

<..snip ..>

> Can someone explain why Nipper is saying "Rlogin is enabled" when I do not
> see it in the configuration file? Is there something else that I need to be
> looking at?

I played with it a bit - removing the "transport input telnet" on a vty line got me the rlogin service is enabled. Add it back & nipper says it's disabled...

Do you have a "transport input telnet" on each vty? If not, does adding it fix the nipper report?

Regards,
Lee
Re: Nipper and Cisco configuration results
On 4/3/09, Subba Rao wrote:
>
> I did see a few false positives too with Nipper. What do you think about
> Router Audit Tool (RAT) instead?

RAT is the approved IOS security audit tool at $work, so it doesn't matter what I think about it :) But it is fairly nice ... as long as you keep in mind its limitations. I looked at Nipper a while back; it had some nice features but not enough to keep me from uninstalling it.

The problem I have with both RAT and Nipper is they're geared towards security and I'm more interested in verifying that the routers are configured correctly. What kind of tools are people using for that? For an example of the type of thing I'm interested in, see filter_audit in the presentation at http://www.nanog.org/mtg-0210/abley.html

> I downloaded ncat (aka RAT), but it does
> not have a global configuration file which I can use for all the routers and
> switches I have.

Works for me.. just remember that RAT is pretty old & fails miserably on things like 6500s that are both routers and switches. So figure out what's common to all your routers and configure RAT to check that set of parameters. Then create another RAT config for L2/L3 switches that doesn't check as much (eg. don't check for proxy-arp being disabled)

Regards,
Lee
Re: Nipper and Cisco configuration results
On 4/4/09, Subba Rao wrote:
> I looked at the configurations yesterday on the routers. The vty line does
> not have any "transport" line below it. All the routers showing "Rlogin
> enabled" have similar configuration.
>
> What are the default services that are enabled for vty on IOS 12.4? I know
> there are only telnet, SSH and Rlogin. Is there any particular sequence
> that IOS processes the vty access?

I think a better question would be "What services do I need on the vtys and how do I assure that only those services are enabled?" but see
http://www.cisco.com/en/US/docs/ios/termserv/command/reference/tsv_s1.html#transport_input

Regards,
Lee
Re: Wow, just when you thought big government was someone else's problem
Read it again. It says all government networks and any network the president deems vital; I'd have to assume that would at least be all of the major backbones.

What's the point of picking on the source of the information? Sure his list is moderated and a bit self-serving, that's why you read from the source.

And yes, I am aware of a number of activities inside the Fed Gov around secure DNS; while I applaud them for making a first step, an effective total effort will not come via government procurement. Or aren't you aware?

jy

On Apr 4, 2009, at 6:46, Suresh Ramasubramanian wrote:
> On Sat, Apr 4, 2009 at 2:33 PM, Jeff Young wrote:
>> This comes from Lauren Weinstein's list and it's worth a read.
>> It's a bill introduced into legislation, who knows where and when
>> and if it will become law but, wow.
>>
>> http://lauren.vortex.com/Cyber-S-2009.pdf
>
> Relying on Lauren to hear about cybersecurity related news is like
> relying on Fox News for an accurate picture of what Obama is doing.
> Ignore.
>
>> I'll just give you a teaser:
>>
>> SEC. 9. SECURE DOMAIN NAME ADDRESSING SYSTEM.
>
> There's more than enough government supported work going on that
> promotes DNSSEC, in case you're not aware?
>
>> Other pearls of wisdom: the government will license all "cyber" security
>> folks and you don't work on government or "any network deemed by
>> the president to be critical infrastructure" without one.
>
> Do you by any chance get to go work on sensitive government networks
> without, say, a security clearance?
>
> --srs
Re: Wow, just when you thought big government was someone else's problem
Suresh Ramasubramanian wrote:
> On Sat, Apr 4, 2009 at 2:33 PM, Jeff Young wrote:
>> This comes from Lauren Weinstein's list and it's worth a read.
>> It's a bill introduced into legislation, who knows where and when
>> and if it will become law but, wow.
>>
>> http://lauren.vortex.com/Cyber-S-2009.pdf
>
> Relying on Lauren to hear about cybersecurity related news is like
> relying on Fox News for an accurate picture of what Obama is doing.
> Ignore.

Personally, I always read press releases from the White House and take that as absolute fact. You can't trust people to give you accurate information if they aren't completely subservient to the agenda.

>> I'll just give you a teaser:
>>
>> SEC. 9. SECURE DOMAIN NAME ADDRESSING SYSTEM.
>
> There's more than enough government supported work going on that
> promotes DNSSEC, in case you're not aware?
>
>> Other pearls of wisdom: the government will license all "cyber" security
>> folks and you don't work on government or "any network deemed by
>> the president to be critical infrastructure" without one.
>
> Do you by any chance get to go work on sensitive government networks
> without, say, a security clearance?
>
> --srs
Re: Wow, just when you thought big government was someone else's problem
On Sat, Apr 4, 2009 at 9:47 PM, Jeff Young wrote:
> Read it again. It says all government networks and any network the
> president deems vital, I'd have to assume that would at least be all of the
> major backbones.

Deeming something vital / critical has a whole lot of extra baggage attached to it. Check out for example the OECD surveys on critical information infrastructure.

a. http://www.oecd.org/dataoecd/49/28/40839436.pdf - OECD Seoul Declaration for the Future of the Internet Economy,
b. http://www.oecd.org/dataoecd/25/10/40761118.pdf - comparative study of CIIP in OECD economies (Australia, Canada, Korea, Japan, The Netherlands, the United Kingdom and the United States)

--srs
Re: Register.com DNS hosting issues
On Fri, 3 Apr 2009, Charles Wyble wrote:
> This is probably a good time to remind the uninitiated to have some
> secondary DNS with a totally separate company if your DNS is that
> important to you.
>
> Preferably with a provider that announces out of multiple ASN :)
>
> AT&T and Akamai both provide good distributed DNS service. I imagine there
> are other carriers, but I can't comment on them as I haven't used them.

I can highly recommend DNSmadeEasy.com. Inexpensive, Anycasted, always fast and reliable. Good for primary and/or secondary, IMO, though it is sage advice to use two different providers if you are super ultra serious about never being down.

---
Peter Beckman                                Internet Guy
beck...@angryox.com                          http://www.angryox.com/
---
Re: Register.com DNS hosting issues
On Sat, Apr 4, 2009 at 2:05 PM, Peter Beckman wrote:
> On Fri, 3 Apr 2009, Charles Wyble wrote:
>>> This is probably a good time to remind the uninitiated to have some
>>> secondary DNS with a totally separate company if your DNS is that
>>> important to you.
>>
>> Preferably with a provider that announces out of multiple ASN :)
>>
>> AT&T and Akamai both provide good distributed DNS service. I imagine there
>> are other carriers, but I can't comment on them as I haven't used them.
>
> I can highly recommend DNSmadeEasy.com. Inexpensive, Anycasted, always
> fast and reliable. Good for primary and/or secondary, IMO, though it is
> sage advice to use two different providers if you are super ultra serious
> about never being down.

Seconded. We use DNSmadeeasy as a primary for quite a few domains, but also have had good luck with DynDNS as well.

-brandon

> ---
> Peter Beckman                                Internet Guy
> beck...@angryox.com                          http://www.angryox.com/
> ---

--
Brandon Galbraith
Voice: 630.400.6992
Email: brandon.galbra...@gmail.com
Re: Wow, just when you thought big government was someone else's problem
* Jeff Young:
> If only we knew: to achieve a secure DNS all you need to do is
> publish a notice in the Federal Register.

In the end, this is how we got many of our (non-public-key) cryptographic algorithms, and people seem to be quite happy about them.
Re: Register.com DNS hosting issues
* Peter Beckman:
> I can highly recommend DNSmadeEasy.com. Inexpensive, Anycasted, always
> fast and reliable. Good for primary and/or secondary, IMO, though it is
> sage advice to use two different providers if you are super ultra serious
> about never being down.

Or put some of your DNS servers on the same connectivity as your main services. After all, DNS is not an end in itself for most people. Running some of the servers yourself makes sure those are available even if some other customer at your DNS provider is DoSed, taking the entire DNS provider out at the same time. (Speaking in general, not about specific cases.) And if you're the DoS target, ultra-resilient DNS will simply cause the attackers to pick some other weakness of your setup.

IMHO, fate-sharing as a strategy for increasing availability is somewhat underrated.
Re: Register.com DNS hosting issues
> IMHO, fate-sharing as a strategy for increasing availability is
> somewhat underrated.

from rfc 2182

   3.3. A Myth Exploded

   An argument is occasionally made that there is no need for the domain
   name servers for a domain to be accessible if the hosts in the domain
   are unreachable.  This argument is fallacious.

   + Clients react differently to inability to resolve than inability to
     connect, and reactions to the former are not always as desirable.

   + If the zone is resolvable yet the particular name is not, then a
     client can discard the transaction rather than retrying and
     creating undesirable load on the network.

   + While positive DNS results are usually cached, the lack of a result
     is not cached.  Thus, unnecessary inability to resolve creates an
     undesirable load on the net.

   + All names in the zone may not resolve to addresses within the
     detached network.  This becomes more likely over time.  Thus a
     basic assumption of the myth often becomes untrue.

   It is important that there be nameservers able to be queried,
   available always, for all forward zones.

randy
Re: Register.com DNS hosting issues
* Randy Bush:
>> IMHO, fate-sharing as a strategy for increasing availability is
>> somewhat underrated.
>
> from rfc 2182

Randy, I didn't write, "don't keep off-site name servers". I wrote, "keep on-site name servers, even if you pay for off-site name service".

> 3.3. A Myth Exploded

> + While positive DNS results are usually cached, the lack of a
>   result is not cached. Thus, unnecessary inability to resolve
>   creates an undesirable load on the net.

This has been corrected in some implementations since then.

> It is important that there be nameservers able to be queried,
> available always, for all forward zones.

Not answering crap queries (such as queries to addresses for which the resolver has a good reason to believe that they are still unreachable) tends to increase network load, but in some cases, it's the only way to make people notice the problem (like flooding servers with identical queries at a 1/RTT rate). It pushes some of the hurt to a place where it can be addressed.

But looking back at incidents such as the Zonelabs/Abovenet issue, your advice is correct for the network we have today. However, we're really covering up a resolver implementation issue, nothing more.
Re: Register.com DNS hosting issues
> But looking back at incidents such as the Zonelabs/Abovenet issue,
> your advice is correct for the network we have today.

as that rfc is over a decade old, i am not optimistic that change is nigh.

and it is amusing to see

;; ANSWER SECTION:
harvard.edu.            10794   IN      NS      ns2.harvard.edu.
harvard.edu.            10794   IN      NS      ns3.br.harvard.edu.
harvard.edu.            10794   IN      NS      ns.harvard.edu.
harvard.edu.            10794   IN      NS      ns1.harvard.edu.

;; ADDITIONAL SECTION:
ns.harvard.edu.         10794   IN      A       128.103.201.100
ns1.harvard.edu.        10794   IN      A       128.103.200.101
ns2.harvard.edu.        10794   IN      A       128.103.1.1
ns3.br.harvard.edu.     10794   IN      A       128.119.3.170

and

;; ANSWER SECTION:
mit.edu.                21600   IN      NS      STRAWB.mit.edu.
mit.edu.                21600   IN      NS      W20NS.mit.edu.
mit.edu.                21600   IN      NS      BITSY.mit.edu.

;; ADDITIONAL SECTION:
BITSY.mit.edu.          21600   IN      A       18.72.0.3
STRAWB.mit.edu.         21600   IN      A       18.71.0.151
W20NS.mit.edu.          21600   IN      A       18.70.0.160

but microsoft/hotmail learned the lesson the hard way, if you remember, and look to have reasonable looking deployment, though i have not looked at traceroutes.

randy
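As an added illustration of Randy's point (example code, not anything posted in the thread): a check of how much address space a zone's listed nameservers share, run over the two dig answers quoted above, re-typed here as constructed input. The 8-bit threshold in assess() is an assumption chosen for this example.

```python
import ipaddress
import re

# Sample input: the two dig answers quoted in Randy's mail, re-typed here
# with whitespace restored (constructed from the thread, not live output).
HARVARD = """\
;; ANSWER SECTION:
harvard.edu.        10794  IN  NS  ns2.harvard.edu.
harvard.edu.        10794  IN  NS  ns3.br.harvard.edu.
harvard.edu.        10794  IN  NS  ns.harvard.edu.
harvard.edu.        10794  IN  NS  ns1.harvard.edu.

;; ADDITIONAL SECTION:
ns.harvard.edu.     10794  IN  A   128.103.201.100
ns1.harvard.edu.    10794  IN  A   128.103.200.101
ns2.harvard.edu.    10794  IN  A   128.103.1.1
ns3.br.harvard.edu. 10794  IN  A   128.119.3.170
"""

MIT = """\
;; ANSWER SECTION:
mit.edu.            21600  IN  NS  STRAWB.mit.edu.
mit.edu.            21600  IN  NS  W20NS.mit.edu.
mit.edu.            21600  IN  NS  BITSY.mit.edu.

;; ADDITIONAL SECTION:
BITSY.mit.edu.      21600  IN  A   18.72.0.3
STRAWB.mit.edu.     21600  IN  A   18.71.0.151
W20NS.mit.edu.      21600  IN  A   18.70.0.160
"""

RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|A)\s+(\S+)$")

def parse_dig(text):
    """Map each NS name (lower-cased) to its IPv4 address from dig's answer/additional sections."""
    ns_names, addrs = [], {}
    for line in text.splitlines():
        m = RR.match(line)
        if not m:
            continue
        owner, rtype, rdata = m.groups()
        if rtype == "NS":
            ns_names.append(rdata.lower())
        else:
            addrs[owner.lower()] = ipaddress.IPv4Address(rdata)
    return {n: addrs[n] for n in ns_names if n in addrs}

def common_prefix_len(addrs):
    """Number of leading bits shared by every address (32 = identical, 0 = none)."""
    ints = [int(ipaddress.IPv4Address(a)) for a in addrs]
    for bits in range(32, -1, -1):
        mask = ((1 << bits) - 1) << (32 - bits)
        if len({i & mask for i in ints}) == 1:
            return bits
    return 0

def assess(text):
    """Summarise how spread out a zone's nameservers are. A shared prefix of
    8 bits or more (assumed threshold) means every server sits inside one /8
    aggregate; this is a fate-sharing heuristic, not proof of a single upstream
    (RFC 2182 wants servers that stay reachable when the zone's own network is cut off)."""
    servers = parse_dig(text)
    plen = common_prefix_len(servers.values())
    nets16 = {ipaddress.ip_network(f"{a}/16", strict=False) for a in servers.values()}
    return {"servers": len(servers), "common_prefix": plen,
            "distinct_16s": len(nets16), "same_slash8": plen >= 8}
```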
Re: Wow, just when you thought big government was someone else's problem
I suggest that we wait until the actual text of S.778 actually shows up at http://thomas.loc.gov before reacting to hyperbolic analysis of drafts not actually assigned to the Committee on Homeland Security and Governmental Affairs. Although I am concerned with what has been attributed to this bill, not all drafts seem to contain the worst text.

Once the Committee takes up the bill, the most effective way to fix or kill it is for the constituents of the members of that Committee to call or write them:
http://hsgac.senate.gov/public/index.cfm?Fuseaction=About.Membership

John

On 2009Apr4, at 6:46 AM, Suresh Ramasubramanian wrote:
> On Sat, Apr 4, 2009 at 2:33 PM, Jeff Young wrote:
>> This comes from Lauren Weinstein's list and it's worth a read.
>> It's a bill introduced into legislation, who knows where and when
>> and if it will become law but, wow.
>>
>> http://lauren.vortex.com/Cyber-S-2009.pdf
>
> Relying on Lauren to hear about cybersecurity related news is like
> relying on Fox News for an accurate picture of what Obama is doing.
> Ignore.
>
>> I'll just give you a teaser:
>>
>> SEC. 9. SECURE DOMAIN NAME ADDRESSING SYSTEM.
>
> There's more than enough government supported work going on that
> promotes DNSSEC, in case you're not aware?
>
>> Other pearls of wisdom: the government will license all "cyber" security
>> folks and you don't work on government or "any network deemed by
>> the president to be critical infrastructure" without one.
>
> Do you by any chance get to go work on sensitive government networks
> without, say, a security clearance?
>
> --srs
Re: Register.com DNS hosting issues
* Randy Bush:
>> But looking back at incidents such as the Zonelabs/Abovenet issue,
>> your advice is correct for the network we have today.
>
> as that rfc is over a decade old, i am not optimistic that change is
> nigh.

DNSSEC obscures quite a few failures which can hit secondaries. I think it changes the cost/benefit ratio of additional name service somewhat. Without DNSSEC, it's just another party who can redirect your traffic to Elbonia, so I understand if folks are quite conservative about it.
Re: Nipper and Cisco configuration results
> The problem I have with both RAT and Nipper is they're geared towards
> security and I'm more interested in verifying that the routers are
> configured correctly. What kind of tools are people using for that?
> For an example of the type of thing I'm interested in, see
> filter_audit in the presentation at
> http://www.nanog.org/mtg-0210/abley.html

Homebrew: pull configs on a regular basis. Decompose monolithic configs into a file tree of "configlets." Diff configlet tree against peer and template devices. "Invert" device specific configlet tree into element specific tree. This helps diffs stand out for config elements that should be consistent. Put it all into a git repository for revision control. Run git-web for the user interface.

Catches most of the obvious stuff, and gives a nice history of changes. The configlet tree also gets used for "grep | xarg" style pipelines for automation scripts.

Would like to improve the diff process to mask out common information (ip address, hsrp priority etc.) This would help reduce the amount of diff noise for interfaces.

We looked at free (RANCID, Ziptie) and expen$ive (Opsware) but none of them really did what we wanted.

Tim:>
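Two points from this thread in one added Python example (not the tools or scripts anyone here posted): Lee's question of checking that each vty has an explicit transport input, and Tim's configlet split plus diff-against-template with per-device values masked. The device and template configs are constructed, hypothetical samples.

```python
import re
from difflib import unified_diff

# Constructed sample configs (hypothetical devices, not from the thread): a
# router whose vty block lacks "transport input", and the template it should match.
DEVICE_CFG = """\
hostname rtr1
!
interface Vlan10
 ip address 10.1.10.2 255.255.255.0
 standby 1 priority 110
!
line vty 0 4
 login local
!
"""

TEMPLATE_CFG = """\
hostname TEMPLATE
!
interface Vlan10
 ip address 10.255.255.255 255.255.255.0
 standby 1 priority 100
!
line vty 0 4
 transport input ssh
 login local
!
"""

# Per-device values masked out before diffing (Tim's "diff noise").
MASKS = [(re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "<IP>"),
         (re.compile(r"\b(standby \d+ priority) \d+"), r"\1 <PRIO>"),
         (re.compile(r"^hostname .*$", re.M), "hostname <HOST>")]

def normalize(cfg):
    """Replace addresses, HSRP priorities and the hostname with placeholders."""
    for pat, repl in MASKS:
        cfg = pat.sub(repl, cfg)
    return cfg

def configlets(cfg):
    """Split an IOS config into top-level blocks: a non-indented line plus its indented lines; "!" ends a block."""
    blocks, current = {}, None
    for line in cfg.splitlines():
        if line.strip() in ("", "!"):
            current = None
        elif not line.startswith(" "):
            current = line.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def vty_without_transport_input(cfg):
    """vty blocks with no explicit 'transport input' line (the condition Nipper flagged in the thread)."""
    return [name for name, body in configlets(cfg).items()
            if name.startswith("line vty")
            and not any(l.startswith("transport input") for l in body)]

def diff_against_template(device, template):
    """Configlets whose normalized content differs from the template, each with a unified diff."""
    dev, tpl = configlets(normalize(device)), configlets(normalize(template))
    out = {}
    for name in sorted(set(dev) | set(tpl)):
        a, b = tpl.get(name, []), dev.get(name, [])
        if a != b:
            out[name] = list(unified_diff(a, b, "template", "device", lineterm=""))
    return out
```

Blocks present on only one side still show up in the diff as all-added or all-removed lines, so a missing configlet is not silently skipped.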
RE: Wow, just when you thought big government was someone else's problem
Wrong bill. You want S.773, not S.778. There were two bills introduced concerning cyber security. The one that has everybody talking is S.773. S.778 concerns the creation of the Office of National Cybersecurity Advisor within the Executive Office of the President.

S.773
Title: A bill to ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cybersecurity defenses against disruption, and for other purposes.
Sponsor: Sen Rockefeller, John D., IV [WV] (introduced 4/1/2009)
Cosponsors (3)
Latest Major Action: 4/1/2009 Referred to Senate committee. Status: Read twice and referred to the Committee on Commerce, Science, and Transportation.

S.778
Title: A bill to establish, within the Executive Office of the President, the Office of National Cybersecurity Advisor.
Sponsor: Sen Rockefeller, John D., IV [WV] (introduced 4/1/2009)
Cosponsors (3)
Latest Major Action: 4/1/2009 Referred to Senate committee. Status: Read twice and referred to the Committee on Homeland Security and Governmental Affairs.

Marc

--
Marc Sachs
Director, SANS ISC

-----Original Message-----
From: John Schnizlein [mailto:schnizl...@isoc.org]
Sent: Saturday, April 04, 2009 8:20 PM
To: Suresh Ramasubramanian
Cc: nanog@nanog.org; Jeff Young
Subject: Re: Wow, just when you thought big government was someone else's problem

I suggest that we wait until the actual text of S.778 actually shows up at http://thomas.loc.gov before reacting to hyperbolic analysis of drafts not actually assigned to the Committee on Homeland Security and Governmental Affairs. Although I am concerned with what has been attributed to this bill, not all drafts seem to contain the worst text.

Once the Committee takes up the bill, the most effective way to fix or kill it is for the constituents of the members of that Committee to call or write them:
http://hsgac.senate.gov/public/index.cfm?Fuseaction=About.Membership

John

On 2009Apr4, at 6:46 AM, Suresh Ramasubramanian wrote:
> On Sat, Apr 4, 2009 at 2:33 PM, Jeff Young wrote:
>> This comes from Lauren Weinstein's list and it's worth a read.
>> It's a bill introduced into legislation, who knows where and when
>> and if it will become law but, wow.
>>
>> http://lauren.vortex.com/Cyber-S-2009.pdf
>
> Relying on Lauren to hear about cybersecurity related news is like
> relying on Fox News for an accurate picture of what Obama is doing.
> Ignore.
>
>> I'll just give you a teaser:
>>
>> SEC. 9. SECURE DOMAIN NAME ADDRESSING SYSTEM.
>
> There's more than enough government supported work going on that
> promotes DNSSEC, in case you're not aware?
>
>> Other pearls of wisdom: the government will license all "cyber"
>> security
>> folks and you don't work on government or "any network deemed by
>> the president to be critical infrastructure" without one.
>
> Do you by any chance get to go work on sensitive government networks
> without, say, a security clearance?
>
> --srs
>
ISC DLV
Guys,

are you having problems to validate DNSSEC using ISC DLV?

Regards,

--
Marcelo Gardini do Amaral
www.spin.blog.br
--
$>cd /pub
$>more beer
Re: ISC DLV
On Sat, Apr 4, 2009 at 11:55 PM, Marcelo Gardini do Amaral wrote:
>
> are you having problems to validate DNSSEC using ISC DLV?

Yes, I had to disable DNSSEC validation a few hours ago to get DNS resolution operating again.

--
Jeff Ollie
Re: ISC DLV
On Sat, Apr 4, 2009 at 9:55 PM, Marcelo Gardini do Amaral wrote:
> Guys,
>
> are you having problems to validate DNSSEC using ISC DLV?
>

No idea, but I did see another reference to this over on the OARC dns-ops list:

https://lists.dns-oarc.net/pipermail/dns-operations/2009-April/003726.html

- ferg

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/