Cisco Adaptation
2017/06/19 FIRST DAY
Bulky summary of the job follows...
BOIL IT ALL THE WHOLE OCEAN
wow this comment from cisco management SAYS IT ALL!!!
we want to use agile, one person takes a user story from start to finish
code, build, test, demo
lab
cisco-router-driven high-performance in-house lab; routers directly connectable and configurable; vmWare vSphere VMs on robust in-house hardware; we had access to grab and reserve any available IPs on the lab subnet, first-come-first-serve
ongoing education
learning:
DevOps unconference:
my topics: git and rad-scripts; best and worst automation attempts
ansible ciphers agile metrics kanban-reduced-work-in-progress
docker-for-cloned-environments
automated-testing: at 30 minute delay, it's broken - parallelize testing!
Michael DeHaan:
listen on irc or slack
REST level testing to remove fear
docs to help remember what old code does
users and devs intersect at right level, no ego, noone is a genius
python > go, java, ruby, clojure...
OpenShift deep dive
containers virtualize the kernel libraries
OpenShift has SOURCE TO IMAGE (S2I), eg take a github repo, figure out the tools and build the container SAY WHAT
containers do not get logged into and add users, etc.
SERVICE is the internal networking for OpenShift
SERVICE is used for ALL container communication, even on the same node, every flow
service is KEYWORD BASED, the service allows flows between pods with the same my-app keyword
do not put anything in the app that does NOT go through SERVICE
or you will have CONTAINER STATE and you'll be screwed when a new pod spins up to replace the old
each container has a mountpoint /mnt; openshift can have persistent volume, tells docker about it
a NEW S2I IMAGE can be generated via git hook for any commits - wow
upgrading openshift, pita, scripted; yum update atomic-openshift-utils (etc); atomic-openshift-installer upgrade
VIRTUAL TELEPRESENCE SERVER
evolved: cisco sold a lot of telepresence servers, used for corp conf rooms
limited to closed telepresence conferences
needed to be moved together
CMR HYBRID via telepresence server establishes a cascade link to webex
single connection with multiple streams - audio, people video, presentation, etc
big fat cascade stream
then all telepresence joins
source code in Hg, build on VM, creates ISO; also hotpatched with make; phabricator for reviews etc
ATE test suite, python, can call custom command console cmds
required to do FEDRAMP-compliant logging
remote
no critical information, but all events
heartbeating
i updated the ISO creation to bundle in logrotated
used python to set up logging - research what i did and document!
sudo easy_install pyinotify && sudo pip install pylint twisted pex
cd /home/m/development/cisco/root/platforms/fedramp-logger
sudo ./BUILD_PEX
adjusted cipher list to make it more secure
FEDRAMP req: every field change must be logged
also, jenkins, etc... dig in
Generic reusable FEDRAMP centralized logging and auditing and alarms
Cisco AWS admin also required jump servers to get from cisco lab to AWS and back all in cloud: Red Hat EL + Windows Server securely logging to centralized location
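Added example (my own, not the fedramp-logger code from the repo above) of the logging shape the FEDRAMP requirement calls for: one JSON event per changed field, sensitive values redacted so no critical information leaves the host, a heartbeat event so the collector notices a silent box, and a rotating file as a stand-in for the remote collector. The SENSITIVE_FIELDS set and the sample records are constructed for the demo.

```python
import json
import logging
import socket
from datetime import datetime, timezone
from logging.handlers import RotatingFileHandler

# Field names whose values must never reach the central log (FedRAMP: log all
# events, but no critical information). Constructed list for this example.
SENSITIVE_FIELDS = {"password", "pin", "secret", "token"}


def _now():
    return datetime.now(timezone.utc).isoformat()


def redact(field, value):
    """Replace a sensitive value with a marker; the change itself is still logged."""
    if value is None:
        return None
    return "<redacted>" if field.lower() in SENSITIVE_FIELDS else value


def field_change_events(actor, record_id, before, after, ts=None):
    """One audit event per changed field (FedRAMP: every field change is logged)."""
    ts = ts or _now()
    events = []
    for field in sorted(set(before) | set(after)):
        old, new = before.get(field), after.get(field)
        if old != new:
            events.append({
                "ts": ts,
                "event": "field_change",
                "actor": actor,
                "record": record_id,
                "field": field,
                "old": redact(field, old),
                "new": redact(field, new),
            })
    return events


def heartbeat_event(host=None, ts=None):
    """Periodic liveness event so the collector can detect a host that went quiet."""
    return {"ts": ts or _now(), "event": "heartbeat",
            "host": host or socket.gethostname()}


class AuditLog:
    """JSON-lines audit log on a rotating file (local stand-in for the remote collector)."""

    def __init__(self, path, max_bytes=10 * 1024 * 1024, backups=5):
        self.logger = logging.getLogger(f"audit.{path}")
        self.logger.setLevel(logging.INFO)
        self.logger.propagate = False
        if not self.logger.handlers:
            handler = RotatingFileHandler(path, maxBytes=max_bytes, backupCount=backups)
            handler.setFormatter(logging.Formatter("%(message)s"))
            self.logger.addHandler(handler)

    def emit(self, event):
        line = json.dumps(event, sort_keys=True)
        self.logger.info(line)
        return line


if __name__ == "__main__":
    # Constructed sample: an admin edits a user record, including its PIN
    before = {"name": "m", "pin": "1234", "locale": "en_US"}
    after = {"name": "m", "pin": "9876", "locale": "fr_FR", "mobile": "+15550100"}
    log = AuditLog("audit.log")
    for ev in field_change_events("admin", "user:42", before, after):
        print(log.emit(ev))
    print(log.emit(heartbeat_event()))
```

The PIN change shows up as an event with both values redacted, so an auditor sees that the field changed, who changed it and when, without the log ever holding the PIN.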
CUCM - Cisco Unified Communications Manager - manages thousands of VOIP phones
basics:
trunks between diff CUCM instances to route phones
local informix db
massive infrastructure of shared linux build machines, test systems
shared build machines generate OVA image used in vSphere to create a VM, live image that runs local install
very very slow, pulled out clearcase code using git branches to speed up dev
adaptation is adding new MVA feature
used to be handled by gateways, support being removed
MVA = dial in from a cell phone, authenticate with PIN, now cell is a node on CUCM
note not the same as Single-number-reach (SN), but related
SN = incoming call rings both your desk and mobile phones
i have 4 hardwired phones on desk + unlimited SIP softphones all connect in
configured cables from desk to lab and through lab to correct hardware
validate PIN, using similar process to existing MEETME conference code
digit processing - single vs multiple-with-terminator modes
call routing - always play Goodbye following any termination
language (locale) handling
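Added example (mine, not CUCM or MEETME code) of the PIN dialog as the notes describe it: a digit collector with a single-digit mode and a multiple-with-terminator mode, PIN check against a salted PBKDF2 hash with a constant-time compare, an attempt limit, and Goodbye played on every exit path. The prompt names, the 8-digit cap and the DTMF strings are constructed for the demo.

```python
import hashlib
import hmac
import os

TERMINATOR = "#"


class DigitCollector:
    """Collects DTMF digits in one of two modes:
    'single'   -> done after the first digit (menu choice)
    'multiple' -> accumulate until the terminator or max_digits (PIN entry)
    """

    def __init__(self, mode, max_digits=8, terminator=TERMINATOR):
        if mode not in ("single", "multiple"):
            raise ValueError("mode must be 'single' or 'multiple'")
        self.mode = mode
        self.max_digits = max_digits
        self.terminator = terminator
        self.digits = ""

    def feed(self, digit):
        """Feed one digit; returns (done, collected_digits)."""
        if self.mode == "single":
            self.digits = digit
            return True, self.digits
        if digit == self.terminator:
            return True, self.digits
        if digit.isdigit():
            self.digits += digit
        return len(self.digits) >= self.max_digits, self.digits


def hash_pin(pin, salt=None):
    """Store PINs salted and stretched, never in the clear."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
    return salt, digest


def pin_matches(entered, salt, stored_digest):
    """Constant-time comparison so timing does not leak how many digits match."""
    _, candidate = hash_pin(entered, salt)
    return hmac.compare_digest(candidate, stored_digest)


def run_pin_prompt(dtmf_stream, salt, stored_digest, max_attempts=3):
    """Drive the PIN dialog over a sequence of DTMF digits.
    Returns (authenticated, prompts_played); the last prompt is always 'goodbye'."""
    prompts = ["enter_pin"]
    attempts = 0
    collector = DigitCollector("multiple")
    for digit in dtmf_stream:
        done, value = collector.feed(digit)
        if not done:
            continue
        attempts += 1
        if pin_matches(value, salt, stored_digest):
            prompts += ["welcome", "goodbye"]
            return True, prompts
        if attempts >= max_attempts:
            prompts.append("too_many_attempts")
            break
        prompts += ["invalid_pin", "enter_pin"]
        collector = DigitCollector("multiple")
    prompts.append("goodbye")   # hang-up mid-entry, lockout, or success all end here
    return False, prompts
```

Running out of digits (caller hung up mid-entry) is the case to watch: the loop falls through and still reaches the goodbye prompt rather than leaving the call in an undefined state.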
CUCM bundles languages into language-specific COP files that can be added to any CUCM
upgrade the autogen db code to include new fields: C that generated Java and C++ informix access from csv
shared code, required coordination with several other projects where they closely automatically audit changes ("fissionizing" of code diffs)
migrate sound files from java au to c++ wav files, many codecs
coded MVA language configuration: can be selected at multiple levels with different priorities: user, profile, global
automated testing in python; created sql; stood up bulk call testing environment, supports hundreds of calls
encryption HIGH LEVEL:
AES 256-bit for encryption
SHA-256 for signatures
HMAC is a signature with a key - what I'm doing with JWT (HMAC-SHA256)
wireshark
Qualys scans < cisco has bought this, use it!
sonarqube: easy to set up and download; sonarqube.org
sonarlint, available for intellij, eclipse and visual studio; you can connect to sonarqube and apply your team's custom rules
openssl s_client, openssl s_server
nmap -sV --script ssl-enum-ciphers -p #port #host
kali linux
openssl API code is helpful to look at, better than docs (?)
dave: run valgrind on open source code (oh brother)
ryan: ciphers: ephemeral allows forward secrecy; I RECOMMEND you always use ephemeral if you run your own web servers!
NSA has Suite A (classified algorithms that will not be released) and Suite B cryptography algorithms
Suite B's components are:
Advanced Encryption Standard (AES) with key sizes of 128 and 256 bits.
For traffic flow, AES should be used with either
the Counter Mode (CTR) for low bandwidth traffic or
the Galois/Counter Mode (GCM) mode of operation for high bandwidth traffic (THIS CAN BE PARALLELIZED)
this was done by a Cisco Fellow i think?? ryan mentioned that...
Elliptic Curve Digital Signature Algorithm (ECDSA) – digital signatures
Elliptic Curve Diffie–Hellman (ECDH) – key agreement
Secure Hash Algorithm 2 (SHA-256 and SHA-384) – message digest
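Added example (mine, not Cisco code) putting the Suite B pieces together: ECDH on P-256 for key agreement, HKDF-SHA256 to turn the shared secret into a 256-bit AES key, AES-256-GCM for the traffic, and ECDSA/SHA-256 for a signature. It assumes the third-party `cryptography` package is installed. The GCM part is the one to notice: unlike plain CTR, decryption fails outright if the ciphertext, the nonce or the associated data was altered, so the integrity check comes for free with the mode. Key pairs and messages are generated/constructed inside the demo.

```python
import os

from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

NONCE_LEN = 12  # 96-bit GCM nonce; must never repeat under the same key


def generate_keypair():
    """P-256 (secp256r1) key pair; used for ECDH and ECDSA in this demo."""
    return ec.generate_private_key(ec.SECP256R1())


def derive_session_key(own_private, peer_public, context=b"suite-b-demo"):
    """ECDH shared secret -> HKDF-SHA256 -> 256-bit AES key. Both sides get the same key."""
    shared = own_private.exchange(ec.ECDH(), peer_public)
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None, info=context).derive(shared)


def seal(key, plaintext, aad=b""):
    """AES-256-GCM: returns nonce || ciphertext || 16-byte tag. aad is authenticated, not encrypted."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)


def unseal(key, blob, aad=b""):
    """Plaintext, or None when the tag check fails (tampering, wrong key, wrong aad)."""
    try:
        return AESGCM(key).decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], aad)
    except InvalidTag:
        return None


def sign(private, message):
    """ECDSA over SHA-256 of the message."""
    return private.sign(message, ec.ECDSA(hashes.SHA256()))


def verify(public, signature, message):
    try:
        public.verify(signature, message, ec.ECDSA(hashes.SHA256()))
        return True
    except InvalidSignature:
        return False


if __name__ == "__main__":
    alice, bob = generate_keypair(), generate_keypair()
    key_a = derive_session_key(alice, bob.public_key())
    key_b = derive_session_key(bob, alice.public_key())
    assert key_a == key_b
    blob = seal(key_a, b"people video frame", aad=b"stream=1")
    print(unseal(key_b, blob, aad=b"stream=1"))       # b'people video frame'
    damaged = blob[:-1] + bytes([blob[-1] ^ 1])        # flip one bit of the tag
    print(unseal(key_b, damaged, aad=b"stream=1"))    # None
    print(verify(alice.public_key(), sign(alice, b"hello"), b"hello"))   # True
```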
Stuff I've done
dev workstation:
corp hell: Oracle VirtualBox linux local VM on Windows, allows continued easy use of WebEx and other corp bs
new job: ALWAYS ALWAYS USE NATIVE LINUX NO MATTER WHAT even if they give you a MacBook
abettertrader c++ based webserver, gets A+ rating at ssllabs
via haproxy!
I serve up several domains from my home
most of them use SNI with apache
but! ... i'm running a C++ https server as well
i configured haproxy to read the domain name and redirect traffic to the c++ http server and port
ALL ssl handshaking is now done by haproxy! i just give it ALL my certs, and it does the negotiations
i was able to limit available ciphers to those listed as secure at ssllabs
ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12
ssl-default-bind-ciphers AES128+EECDH:AES128+EDH
ALSO i was able to turn on HSTS - this forces all http requests into https requests
and that got me an A+ rating on ssllabs - for ALL My sites - in one fell swoop!
ssl labs:
Key RSA 2048 bits (e 65537)
signature SHA256withRSA
certchain includes Let's Encrypt Authority X3, RSA 2048 bits, Signature: SHA256withRSA
TLS 1.2 (not allowed: TLS 1.1, 1.0; SSL 3, SSL 2)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 2048 bits FS 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 2048 bits FS 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 2048 bits FS
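Added example (mine, not haproxy or the C++ server) expressing the two haproxy lines above with Python's ssl module and auditing the result: TLS 1.2 floor (covers no-sslv3), no session tickets, and the AES128+EECDH:AES128+EDH cipher string. The audit lists the TLS 1.2 suites the context will actually offer and flags any that lack an ephemeral key exchange, which is the check behind the FS column in the ssllabs output. The cipher names come from the local OpenSSL build, so the exact list may differ from the ssllabs listing.

```python
import ssl

# The haproxy settings from the notes, expressed for Python's ssl module
CIPHER_STRING = "AES128+EECDH:AES128+EDH"   # ssl-default-bind-ciphers


def build_server_context():
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # force-tlsv12 (also rules out SSLv3)
    ctx.options |= ssl.OP_NO_TICKET                 # no-tls-tickets
    ctx.set_ciphers(CIPHER_STRING)
    return ctx


def negotiable_tls12_suites(ctx):
    """OpenSSL names of the TLS 1.2-and-below suites the context will offer
    (TLS 1.3 suites start with TLS_, are configured separately, and are always ephemeral)."""
    return [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]


def audit_context(ctx):
    """Return the list of policy violations; empty means the context matches the notes."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("protocol floor below TLS 1.2")
    if not ctx.options & ssl.OP_NO_TICKET:
        problems.append("session tickets enabled")
    for name in negotiable_tls12_suites(ctx):
        # ECDHE-/DHE- prefixes are the ephemeral key exchanges (forward secrecy);
        # plain RSA key exchange names start with AES128-, DES-, etc.
        if not name.startswith(("ECDHE-", "DHE-")):
            problems.append(f"no forward secrecy: {name}")
        if "AES128" not in name:
            problems.append(f"outside the AES128 policy: {name}")
    return problems


if __name__ == "__main__":
    ctx = build_server_context()
    for name in negotiable_tls12_suites(ctx):
        print(name)
    print("violations:", audit_context(ctx) or "none")
```

The same audit run against a context that allows a static-RSA suite reports it, which is a cheap way to catch a regression in a cipher string before ssllabs does.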