Cisco Adaptation

From Bitpost wiki

2017/06/19 FIRST DAY

Bulky summary of the job follows...


wow this comment from cisco management SAYS IT ALL!!!

   we want to use agile, one person takes a user story from start to finish
       code, build, test, demo


   cisco-router-driven high-performance in-house lab; routers directly connectable and configurable
   vmWare vSphere VMs on robust in-house hardware
   we had access to grab and reserve any available IPs on lab subnet, first-come-first-serve

ongoing education

       DevOps unconference:
           my topicsL git and rad-scripts; best and worst automation attempts
           ansible ciphers agile metrics kanban-reduced-work-in-progress
           automated-testing: at 30 minute delay, it's broken - parallelize testing!
           Michael DeHaan:
               listen on irc or slack
               REST level testing to remove fear
               docs to help remember what old code does
               users and devs intersect at right level, no ego, noone is a genius
               python > go,java,ruby,closure...
       OpenShift deep dive
           containers virtualize the kernel libraries
           os has SOURCE TO IMAGE S2I, eg take a github repo and figure tools and build container SAY WHAT
           containers do not get logged into and add users, etc.
           SERVICE is teh internal networking for OpenShift
               SERVICE is used for ALL container communication, even on the same node, every flow
               service is KEYWORD BASED, the service allows flows between pods with the same my-app keyword
               do not put anything in the app that does NOT go through SERVICE
               or you will have CONTAINER STATE and you;'ll be screwed when a new pod spins up to replace the old
           each container has a mountpoint /mnt; openshift can have persistent volume, tells docker about it
           a NEW S2I IMAGE can be generated via git hook for any commits - wow
           upgrading openshift, pita, scripted; yum update atomic-openshift-utils (etc); atomic-openshift-installer upgrade


   evolved: cisco sold a lot of telepresence servers, used for corp conf rooms
     limited to closed telepresence conferences
     needed to be moved together
     CMR HYBRID via telepresence server establishes a cascade link to webex
     single connection with multiple streams - audoi, peoiple video, presentation, etc
     big fat cascade stream
     then all telepresence joins
   source code in Hg, build on VM, creates ISO; also hotpatched with make; phabricator for reviews etc
   ATE test suite, python, can call custom command console cmds
   required to do FEDRAMP-compliant logging
       no critical information, but all events
   i updated the ISO creation to bundle in logrotated
   used python to set up logging - research what i did and document!
       sudo easy_install pyinotify && sudo pip install pylint twisted pex
       cd /home/m/development/cisco/root/platforms/fedramp-logger
       sudo ./BUILD_PEX
   adjusted cipher list to make it more secure
   FEDRAMP req: every field change must be logged
   also, jenkins, etc... dig in

Generic reusable FEDRAMP centralized logging and auditing and alarms

   Cisco AWS admin
   also required jump servers to get from cisco lab to AWS and back
   all in cloud: Red Hat EL + Windows Server securely logging to centralized location

CUCM - Cisco Unified Communications Manager - manages thousands of VOIP phones

       trunks between diff CUCM instances to route phones
       local informix db
       massive infrastructure of shared linux build machines, test systems
           shared build machines generate OVA image used in vSphere to create a VM, live image that runs local install
           very very slow, pulled out clearcase code using git branches to speed up dev
   adaptation is adding new MVA feature
       used to be handled by gateways, support being removed
       MVA = dial in from a cell phone, authenticate with PIN, now cell is a node on CUCM
           note not the same as Single-number-reach (SN), but related
           SN = incoming call rings both your desk and mobile phones
   i have 4 hardwired phones on desk + unlimited SIP softphones all connect in
       configured cables from desk to lab and through lab to correct hardware
   validate PIN, using similar process to existing MEETME conference code
   digit processing - single vs multiple-with-terminator modes
   call routing - always play Goodbye following any termination
   language (locale) handling
       CUCM bundles languages into language-specific COP files that can be added to any CUCM
       upgrade the autogen db code to include new fields: C that generated Java and C++ informix access from csv
           shared code, required coordination with several other projects where they closely automatically audit changes ("fissionizing" of code diffs)
       migrate sound files from java au to c++ wav files, many codecs
       coded MVA language configuration: can be selected at multiple levels with different priorities: user, profile, global
   automated testing in python; created sql; stood up bulk call testing environment, supports hundreds of calls

encryption HIGH LEVEL:

 AES 256-bit for encryption
 SHA-256 for signatures
 HMAC is a signature with a key - what I'm doing with JWT (HMAC-SHA256)

wireshark qualsys scans < cisco has bought this, use it! sonarqube

   easy to setup and download;
   sonarlint, availabe for intellij, eclipse and visual studio
   you can connect to sonarqube and apply your team's custom rules

openssl s_client openssl s_server nmap -sV -script ssl-enum-ciphers -p #port #host kali linux openssl API code is helpful to look at, better than docs (?) dave: run valgrind on open source code (oh brother) ryan: ciphers: ephemeral allows forward secrecy; I RECOMMEND you always use ephemeral if you run your own web servers!

NSA has Suite A (classified algorithms that will not be released) and Suite B cryptography algorithms

 Suite B's components are:
   Advanced Encryption Standard (AES) with key sizes of 128 and 256 bits.
     For traffic flow, AES should be used with either
       the Counter Mode (CTR) for low bandwidth traffic or
       the Galois/Counter Mode (GCM) mode of operation for high bandwidth traffic (THIS CAN BE PARALLELIZED)
           this was done by a Cisco Fellow i think??  ryan mentioned that...
   Elliptic Curve Digital Signature Algorithm (ECDSA) – digital signatures
   Elliptic Curve Diffie–Hellman (ECDH) – key agreement
   Secure Hash Algorithm 2 (SHA-256 and SHA-384) – message digest

Stuff I've done

   dev workstation:
       corp hell: Oracle VirtualBox linux local VM on Windows, allows continued easy use of WebEx and other corp bs
       new job: ALWAYS ALWAYS USE NATIVE LINUX NO MATTER WHAT even if they give you a MacBook
   abettertrader c++ based webserver, gets A+ rating at ssllabs
   via haproxy!
     I serve up several domains from my home
     most of them use SNI with apache
     but! ... i'm running a C++ https server as well
     i configured haproxy to read the domain name and redirect traffic to the c++ http server and port
       ALL ssl handshaking is now done by haproxy!  i just give it ALL my certs, and it does the negotiations
         i was able to limit availabe ciphers to those listed as secure at ssllabs
           ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12
           ssl-default-bind-ciphers AES128+EECDH:AES128+EDH
       ALSO i was able to turn on HSTS - this forces all http requests into https requests
         and that got me an A+ rating on ssllabs - for ALL My sites - in one fell swoop!
   ssl labs:
     Key RSA 2048 bits (e 65537)
     signature SHA256withRSA
     certchain includes Let's Encrypt Authority X3, RSA 2048 bits, Signature: SHA256withRSA
     TLS 1.2 (not allowed: TLS 1.1, 1.0; SSL 3, SSL 2
       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)  ECDH secp256r1 (eq. 3072 bits RSA)   FS 128
       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)  ECDH secp256r1 (eq. 3072 bits RSA)   FS 128
       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)     ECDH secp256r1 (eq. 3072 bits RSA)   FS 128
       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)      DH 2048 bits   FS 128
       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)      DH 2048 bits   FS 128
       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)         DH 2048 bits   FS