Cisco Adaptation: Difference between revisions
Latest revision as of 16:01, 28 February 2018
2017/06/19 FIRST DAY
Bulky summary of the job follows...
BOIL IT ALL THE WHOLE OCEAN
wow, this comment from Cisco management SAYS IT ALL!!!
we want to use agile, one person takes a user story from start to finish
code, build, test, demo
lab
Cisco-router-driven high-performance in-house lab; routers directly connectable and configurable
VMware vSphere VMs on robust in-house hardware
we had access to grab and reserve any available IPs on the lab subnet, first-come-first-served
ongoing education
learning:
DevOps unconference:
my topics: git and rad-scripts; best and worst automation attempts
ansible, ciphers, agile metrics, kanban-reduced-work-in-progress
docker-for-cloned-environments
automated-testing: at a 30 minute delay, it's broken - parallelize testing!
Michael DeHaan:
listen on IRC or Slack
REST-level testing to remove fear
docs to help remember what old code does
users and devs intersect at the right level, no ego, no one is a genius
python > go, java, ruby, clojure...
OpenShift deep dive
containers virtualize the kernel libraries
OS has SOURCE TO IMAGE (S2I), e.g. take a GitHub repo, figure out the tools and build the container. SAY WHAT
containers do not get logged into to add users, etc.
SERVICE is the internal networking for OpenShift
SERVICE is used for ALL container communication, even on the same node, every flow
service is KEYWORD BASED: the service allows flows between pods with the same my-app keyword
do not put anything in the app that does NOT go through SERVICE
or you will have CONTAINER STATE and you'll be screwed when a new pod spins up to replace the old
each container has a mountpoint /mnt; OpenShift can have a persistent volume, tells docker about it
a NEW S2I IMAGE can be generated via git hook for any commits - wow
upgrading OpenShift, PITA, scripted; yum update atomic-openshift-utils (etc); atomic-openshift-installer upgrade
VIRTUAL TELEPRESENCE SERVER
evolved: Cisco sold a lot of telepresence servers, used for corp conf rooms
limited to closed telepresence conferences
needed to be moved together
CMR HYBRID via telepresence server establishes a cascade link to WebEx
single connection with multiple streams - audio, people video, presentation, etc
big fat cascade stream
then all telepresence joins
source code in Hg, build on VM, creates ISO; also hotpatched with make; Phabricator for reviews etc
ATE test suite, python, can call custom command console cmds
required to do FedRAMP-compliant logging
remote
no critical information, but all events
heartbeating
I updated the ISO creation to bundle in logrotated
used python to set up logging - research what I did and document!
sudo easy_install pyinotify && sudo pip install pylint twisted pex
cd /home/m/development/cisco/root/platforms/fedramp-logger
sudo ./BUILD_PEX
adjusted cipher list to make it more secure
FedRAMP req: every field change must be logged
also, jenkins, etc... dig in
Generic reusable FedRAMP centralized logging and auditing and alarms
Cisco AWS admin
also required jump servers to get from the Cisco lab to AWS and back
all in cloud: Red Hat EL + Windows Server securely logging to a centralized location
CUCM - Cisco Unified Communications Manager - manages thousands of VoIP phones
basics:
trunks between different CUCM instances to route phones
local Informix DB
massive infrastructure of shared linux build machines, test systems
shared build machines generate an OVA image used in vSphere to create a VM, live image that runs the local install
very very slow; pulled out ClearCase code using git branches to speed up dev
adaptation is adding the new MVA feature
used to be handled by gateways, support being removed
MVA = dial in from a cell phone, authenticate with PIN, now the cell is a node on CUCM
note not the same as Single-number-reach (SN), but related
SN = incoming call rings both your desk and mobile phones
I have 4 hardwired phones on desk + unlimited SIP softphones all connect in
configured cables from desk to lab and through lab to correct hardware
validate PIN, using a similar process to the existing MEETME conference code
digit processing - single vs multiple-with-terminator modes
call routing - always play Goodbye following any termination
language (locale) handling
CUCM bundles languages into language-specific COP files that can be added to any CUCM
upgrade the autogen DB code to include new fields: C that generated Java and C++ Informix access from CSV
shared code, required coordination with several other projects where they closely and automatically audit changes ("fissionizing" of code diffs)
migrate sound files from Java .au to C++ .wav files, many codecs
coded MVA language configuration: can be selected at multiple levels with different priorities: user, profile, global
automated testing in python; created SQL; stood up bulk call testing environment, supports hundreds of calls
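As an added illustration of the MVA call-handling points above (digit collection in single vs multiple-with-terminator mode, PIN validation, and the user > profile > global locale priority), here is a small Python simulation; it is not CUCM code, and every PIN, locale and prompt name in it is a constructed sample.

```python
import hmac

# Added simulation, not CUCM code: the two digit-collection modes, a PIN check, and
# the user > profile > global locale priority from the MVA notes. All sample values
# (PINs, locales, prompt names) are constructed.
TERMINATOR = "#"      # end-of-entry key in multiple-digit mode
MAX_LEN = 16          # cap so a stuck key cannot grow the buffer forever
MAX_ATTEMPTS = 3      # failed PIN entries before the call is dropped


def collect_digits(keypresses, mode):
    """Consume DTMF keypresses and return (digits, terminated).
    'single': the first key ends collection.
    'multi' : keys accumulate until TERMINATOR or MAX_LEN; running out of keys
    (hang-up or inter-digit timeout) returns terminated=False."""
    digits = ""
    for key in keypresses:
        if mode == "single":
            return key, True
        if key == TERMINATOR:
            return digits, True
        digits += key
        if len(digits) >= MAX_LEN:
            return digits, True
    return digits, False


def validate_pin(entered, stored):
    # Constant-time compare so response time does not depend on which digit differs
    return hmac.compare_digest(entered.encode(), stored.encode())


def resolve_locale(user=None, profile=None, global_="en_US"):
    """Most specific configured level wins: user, then profile, then global."""
    return user or profile or global_


def mva_call(keypresses, stored_pin, user_locale=None, profile_locale=None):
    """Return the prompts played for one call; Goodbye always follows termination."""
    locale = resolve_locale(user_locale, profile_locale)
    prompts = [f"enter_pin[{locale}]"]
    keys = iter(keypresses)        # one iterator so retries continue the same stream
    for _ in range(MAX_ATTEMPTS):
        pin, terminated = collect_digits(keys, "multi")
        if not terminated:         # caller hung up or timed out mid-entry: no lockout
            break
        if validate_pin(pin, stored_pin):
            prompts.append("connected")
            break
        prompts.append("invalid_pin")
    else:
        prompts.append("locked_out")   # all MAX_ATTEMPTS entries failed
    prompts.append(f"goodbye[{locale}]")
    return prompts
```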
encryption HIGH LEVEL:
AES 256-bit for encryption
SHA-256 for signatures
HMAC is a signature with a key - what I'm doing with JWT (HMAC-SHA256)
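Added example (not from the original notes) of the "HMAC is a signature with a key" point: an HS256 JWT signer and verifier built only from the Python standard library. The secret key and claims are constructed sample values; the verifier pins the algorithm and compares tags in constant time.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key, not a real secret
SECRET = b"constructed-demo-key-do-not-reuse"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, key):
    """header.payload, then HMAC-SHA256 over exactly those bytes as the tag."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url(json.dumps(obj, separators=(",", ":")).encode()) for obj in (header, claims)]
    signing_input = ".".join(parts)
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(tag)


def verify_jwt(token, key):
    """Return the claims dict if the keyed signature checks out, else None."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        tag = _b64url_decode(s64)
    except ValueError:          # wrong part count, bad base64, bad JSON
        return None
    # Pin the algorithm on the verifier side: the token's own 'alg' field is
    # attacker-controlled, so 'none' or any other algorithm is rejected outright
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so timing does not reveal how much of the tag matched
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(_b64url_decode(p64))
```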
wireshark
Qualys scans < Cisco has bought this, use it!
SonarQube
easy to set up and download; sonarqube.org
SonarLint, available for IntelliJ, Eclipse and Visual Studio
you can connect to SonarQube and apply your team's custom rules
openssl s_client
openssl s_server
nmap -sV -script ssl-enum-ciphers -p #port #host
Kali Linux
OpenSSL API code is helpful to look at, better than docs (?)
dave: run valgrind on open source code (oh brother)
ryan: ciphers: ephemeral allows forward secrecy; I RECOMMEND you always use ephemeral if you run your own web servers!
NSA has Suite A (classified algorithms that will not be released) and Suite B cryptography algorithms
Suite B's components are:
Advanced Encryption Standard (AES) with key sizes of 128 and 256 bits.
For traffic flow, AES should be used with either
the Counter Mode (CTR) for low bandwidth traffic or
the Galois/Counter Mode (GCM) mode of operation for high bandwidth traffic (THIS CAN BE PARALLELIZED)
this was done by a Cisco Fellow I think?? ryan mentioned that...
Elliptic Curve Digital Signature Algorithm (ECDSA) – digital signatures
Elliptic Curve Diffie–Hellman (ECDH) – key agreement
Secure Hash Algorithm 2 (SHA-256 and SHA-384) – message digest
Stuff I've done
dev workstation:
corp hell: Oracle VirtualBox linux local VM on Windows, allows continued easy use of WebEx and other corp bs
new job: ALWAYS ALWAYS USE NATIVE LINUX NO MATTER WHAT even if they give you a MacBook
abettertrader C++ based webserver, gets A+ rating at SSL Labs
via haproxy!
I serve up several domains from my home
most of them use SNI with apache
but! ... I'm running a C++ https server as well
I configured haproxy to read the domain name and redirect traffic to the C++ http server and port
ALL SSL handshaking is now done by haproxy! I just give it ALL my certs, and it does the negotiations
I was able to limit available ciphers to those listed as secure at SSL Labs
ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12
ssl-default-bind-ciphers AES128+EECDH:AES128+EDH
ALSO I was able to turn on HSTS - this forces all http requests into https requests
and that got me an A+ rating on SSL Labs - for ALL my sites - in one fell swoop!
ssl labs:
Key RSA 2048 bits (e 65537)
signature SHA256withRSA
cert chain includes Let's Encrypt Authority X3, RSA 2048 bits, Signature: SHA256withRSA
TLS 1.2 (not allowed: TLS 1.1, 1.0; SSL 3, SSL 2)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 2048 bits FS 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 2048 bits FS 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 2048 bits FS