Cisco Adaptation: Difference between revisions

From Bitpost wiki
Latest revision as of 16:01, 28 February 2018

2017/06/19 FIRST DAY

Bulky summary of the job follows...

BOIL IT ALL THE WHOLE OCEAN

wow this comment from cisco management SAYS IT ALL!!!

   we want to use agile, one person takes a user story from start to finish
       code, build, test, demo

lab

   cisco-router-driven high-performance in-house lab; routers directly connectable and configurable
   VMware vSphere VMs on robust in-house hardware
   we had access to grab and reserve any available IPs on lab subnet, first-come-first-serve

ongoing education

   learning:
       DevOps unconference:
           my topics: git and rad-scripts; best and worst automation attempts
           ansible ciphers agile metrics kanban-reduced-work-in-progress
           docker-for-cloned-environments
           automated-testing: at 30 minute delay, it's broken - parallelize testing!
           Michael DeHaan:
               listen on irc or slack
               REST level testing to remove fear
               docs to help remember what old code does
               users and devs intersect at right level, no ego, no one is a genius
               python > go, java, ruby, Clojure...
       OpenShift deep dive
           containers virtualize the kernel libraries
           os has SOURCE TO IMAGE S2I, eg take a github repo and figure tools and build container SAY WHAT
           containers do not get logged into and add users, etc.
           SERVICE is the internal networking for OpenShift
               SERVICE is used for ALL container communication, even on the same node, every flow
               service is KEYWORD BASED, the service allows flows between pods with the same my-app keyword
               do not put anything in the app that does NOT go through SERVICE
               or you will have CONTAINER STATE and you'll be screwed when a new pod spins up to replace the old
           each container has a mountpoint /mnt; openshift can have persistent volume, tells docker about it
           a NEW S2I IMAGE can be generated via git hook for any commits - wow
           upgrading openshift, pita, scripted; yum update atomic-openshift-utils (etc); atomic-openshift-installer upgrade

VIRTUAL TELEPRESENCE SERVER

   evolved: cisco sold a lot of telepresence servers, used for corp conf rooms
     limited to closed telepresence conferences
     needed to be moved together
     CMR HYBRID via telepresence server establishes a cascade link to webex
     single connection with multiple streams - audio, people video, presentation, etc
     big fat cascade stream
     then all telepresence joins
   source code in Hg, build on VM, creates ISO; also hotpatched with make; phabricator for reviews etc
   ATE test suite, python, can call custom command console cmds
   required to do FEDRAMP-compliant logging
       remote
       no critical information, but all events
       heartbeating
   i updated the ISO creation to bundle in logrotated
   used python to set up logging - research what i did and document!
       sudo easy_install pyinotify && sudo pip install pylint twisted pex
       cd /home/m/development/cisco/root/platforms/fedramp-logger
       sudo ./BUILD_PEX
   adjusted cipher list to make it more secure
   FEDRAMP req: every field change must be logged
   also, jenkins, etc... dig in

Generic reusable FEDRAMP centralized logging and auditing and alarms

   Cisco AWS admin
   also required jump servers to get from cisco lab to AWS and back
   all in cloud: Red Hat EL + Windows Server securely logging to centralized location

CUCM - Cisco Unified Communications Manager - manages thousands of VOIP phones

   basics:
       trunks between diff CUCM instances to route phones
       local informix db
       massive infrastructure of shared linux build machines, test systems
           shared build machines generate OVA image used in vSphere to create a VM, live image that runs local install
           very very slow, pulled out clearcase code using git branches to speed up dev
   adaptation is adding new MVA feature
       used to be handled by gateways, support being removed
       MVA = dial in from a cell phone, authenticate with PIN, now cell is a node on CUCM
           note not the same as Single-number-reach (SN), but related
           SN = incoming call rings both your desk and mobile phones
   i have 4 hardwired phones on desk + unlimited SIP softphones all connect in
       configured cables from desk to lab and through lab to correct hardware
   validate PIN, using similar process to existing MEETME conference code
   digit processing - single vs multiple-with-terminator modes
   call routing - always play Goodbye following any termination
   language (locale) handling
       CUCM bundles languages into language-specific COP files that can be added to any CUCM
       upgrade the autogen db code to include new fields: C that generated Java and C++ informix access from csv
           shared code, required coordination with several other projects where they closely automatically audit changes ("fissionizing" of code diffs)
       migrate sound files from java au to c++ wav files, many codecs
       coded MVA language configuration: can be selected at multiple levels with different priorities: user, profile, global
   automated testing in python; created sql; stood up bulk call testing environment, supports hundreds of calls

encryption HIGH LEVEL:

 AES 256-bit for encryption
 SHA-256 for signatures
 HMAC is a signature with a key - what I'm doing with JWT (HMAC-SHA256)
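Worked example, added here and not part of the original notes: the HMAC-SHA256 (HS256) sign-and-verify step described above, done with Python's standard library; the key, claims and token values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real service loads its HS256 key from a secret store.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def b64url(raw: bytes) -> str:
    """JWT uses unpadded base64url (RFC 7515, appendix C)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build header.payload.tag, where tag = HMAC-SHA256(key, header.payload)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    # The key is what makes this a signature rather than a checksum: a bare
    # SHA-256 over the same bytes could be recomputed by anyone holding the token.
    tag = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(tag)}"


def verify_hs256(token: str, key: bytes):
    """Return the claims when the tag verifies, None otherwise."""
    try:
        header_b64, payload_b64, tag_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        tag = b64url_decode(tag_b64)
    except ValueError:  # bad structure, bad base64 or bad JSON
        return None
    # Pin the algorithm server-side; the token must never get to choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time compare so timing does not leak how many tag bytes matched.
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(b64url_decode(payload_b64))


def verification_demo(key: bytes) -> dict:
    """Genuine token verifies; an edited payload and a wrong key are both rejected."""
    token = sign_hs256({"sub": "user42", "role": "user"}, key)
    header_b64, _, tag_b64 = token.split(".")
    edited = b64url(json.dumps({"sub": "user42", "role": "admin"}, separators=(",", ":")).encode())
    return {
        "genuine": verify_hs256(token, key),
        "edited_payload": verify_hs256(f"{header_b64}.{edited}.{tag_b64}", key),
        "wrong_key": verify_hs256(token, b"constructed-wrong-key"),
    }
```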

wireshark

Qualys scans < cisco has bought this, use it!

sonarqube

   easy to setup and download; sonarqube.org
   sonarlint, available for intellij, eclipse and visual studio
   you can connect to sonarqube and apply your team's custom rules

openssl s_client

openssl s_server

nmap -sV --script ssl-enum-ciphers -p #port #host

kali linux

openssl API code is helpful to look at, better than docs (?)

dave: run valgrind on open source code (oh brother)

ryan: ciphers: ephemeral allows forward secrecy; I RECOMMEND you always use ephemeral if you run your own web servers!

NSA has Suite A (classified algorithms that will not be released) and Suite B cryptography algorithms

 Suite B's components are:
   Advanced Encryption Standard (AES) with key sizes of 128 and 256 bits.
     For traffic flow, AES should be used with either
       the Counter Mode (CTR) for low bandwidth traffic or
       the Galois/Counter Mode (GCM) mode of operation for high bandwidth traffic (THIS CAN BE PARALLELIZED)
           this was done by a Cisco Fellow i think??  ryan mentioned that...
   Elliptic Curve Digital Signature Algorithm (ECDSA) – digital signatures
   Elliptic Curve Diffie–Hellman (ECDH) – key agreement
   Secure Hash Algorithm 2 (SHA-256 and SHA-384) – message digest

Stuff I've done

   dev workstation:
       corp hell: Oracle VirtualBox linux local VM on Windows, allows continued easy use of WebEx and other corp bs
       new job: ALWAYS ALWAYS USE NATIVE LINUX NO MATTER WHAT even if they give you a MacBook
   abettertrader c++ based webserver, gets A+ rating at ssllabs
   via haproxy!
     I serve up several domains from my home
     most of them use SNI with apache
     but! ... i'm running a C++ https server as well
     i configured haproxy to read the domain name and redirect traffic to the c++ http server and port
       ALL ssl handshaking is now done by haproxy!  i just give it ALL my certs, and it does the negotiations
         i was able to limit available ciphers to those listed as secure at ssllabs
           ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12
           ssl-default-bind-ciphers AES128+EECDH:AES128+EDH
       ALSO i was able to turn on HSTS - this forces all http requests into https requests
         and that got me an A+ rating on ssllabs - for ALL My sites - in one fell swoop!
   ssl labs:
     Key RSA 2048 bits (e 65537)
     signature SHA256withRSA
     certchain includes Let's Encrypt Authority X3, RSA 2048 bits, Signature: SHA256withRSA
     TLS 1.2 (not allowed: TLS 1.1, 1.0; SSL 3, SSL 2)
       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)  ECDH secp256r1 (eq. 3072 bits RSA)   FS 128
       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)  ECDH secp256r1 (eq. 3072 bits RSA)   FS 128
       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)     ECDH secp256r1 (eq. 3072 bits RSA)   FS 128
       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)      DH 2048 bits   FS 128
       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)      DH 2048 bits   FS 128
       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)         DH 2048 bits   FS
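Added example (not the notes' own code) tying the haproxy cipher string above to the FS column in the SSL Labs report: it asks the host's OpenSSL, through Python's ssl module, which suites AES128+EECDH:AES128+EDH enables and checks that every one uses an ephemeral key exchange. Exact suite names depend on the local OpenSSL build, and STATIC_RSA_CIPHERS is a constructed counter-example.

```python
import ssl

# The bind cipher string from the haproxy notes. What it expands to depends on
# the local OpenSSL build, so the suites are queried rather than hard-coded.
HAPROXY_CIPHERS = "AES128+EECDH:AES128+EDH"
# Constructed counter-example: static RSA key exchange, which has no forward secrecy.
STATIC_RSA_CIPHERS = "AES128-SHA:AES128-GCM-SHA256"


def expand_ciphers(cipher_string: str) -> list:
    """Return (name, key-exchange, protocol) for every suite OpenSSL enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # the notes' force-tlsv12 / no-sslv3
    ctx.set_ciphers(cipher_string)
    return [(c["name"], c["kea"], c["protocol"]) for c in ctx.get_ciphers()]


def forward_secrecy_report(cipher_string: str) -> dict:
    """Split the enabled suites into ephemeral (FS) and static key exchange.

    TLS 1.3 suites are always ephemeral, so they count as FS whatever 'kea' says.
    """
    ephemeral, static = [], []
    for name, kea, proto in expand_ciphers(cipher_string):
        if proto == "TLSv1.3" or kea in ("kx-ecdhe", "kx-dhe"):
            ephemeral.append(name)
        else:
            static.append(name)
    return {"ephemeral": ephemeral, "static": static, "all_fs": not static}


if __name__ == "__main__":
    for label, spec in (("haproxy notes", HAPROXY_CIPHERS), ("static RSA", STATIC_RSA_CIPHERS)):
        report = forward_secrecy_report(spec)
        print(f"{label}: all forward-secret={report['all_fs']}; static={report['static']}")
```

The same split is what SSL Labs shows as the FS marker on each suite; a suite that lands in `static` would appear there without it.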