25 Sep

GDPR/RODO discussion streaming [PL]

Attention Polish-speaking users!

During the PLNOG19 conference, on Tuesday 26 September at 14:10 CEST, we will host a discussion about the implementation of the GDPR/RODO law in Poland. The panelists will be Andrzej Karpiński (Orange Poland), Marcin Kuczera (Leon sp. z o.o.) and Adam Kubica (ART-COM sp. z o.o.), and the panel will be moderated by Andrzej Targosz (ProIdea). During the discussion, which will involve the audience, we will talk about the status of GDPR/RODO implementation in Poland, its requirements, best practices and so on.

This panel is part of the PLNOG Community Corner that I proudly run during PLNOG conferences, and we will stream it live on the Internet! Check the PLNOG website and Facebook profile for further details.

05 Sep

AWS Step Functions for networkers – the CLI approach

Step Function Workflow Graph

In the previous post I told you that it is not possible to update a State Machine configuration once you create it. I prefer an approach like the one in API Gateway, where you have stages of the same project, but Amazon for some reason did not go this way. So if you want to deploy a new version of your Step Functions project you need to delete the old State Machine and create a new one. Using the GUI for this is not efficient in the long term; you can do it much more easily with the AWS CLI.

Read More

30 Aug

AWS Step Functions for networkers – Workflow definition

Step Function Workflow Graph

AWS has many great tools and products that may simplify your tasks. In day-to-day work, no matter whether you are a network engineer, a systems administrator or have a different role in your organization, you will perform small repetitive tasks to complete a bigger project. Writing long, complex scripts or programs is one solution, but is it flexible? Step Functions is a good option in such cases.

A good programming rule is to create small functions, each completing a small chunk of work, and then pass the result on to the next one. So instead of writing one script that logs into 100 devices to fetch their firmware version, you create a small function that does it for one device and then call it in a loop from another function, passing a new IP address as the argument each time. That is exactly what AWS Step Functions is meant for. Using this service you can create a flow of small tasks, each dependent on another if required, to complete bigger work. Let me show you the basics and how you can use it.
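The loop described above, together with the delete-and-create redeployment from the CLI post above it, as an added example that is not code from either post: a POSIX shell script that writes an Amazon States Language (ASL) definition for the "one device per task" loop and deploys it with the AWS CLI. The Lambda function and its ARN, the IAM role ARN, the region and the state machine name are assumptions; the Lambda is assumed to take {"devices", "index", "results"} as input and return the same structure with the index advanced and "done" set to true after the last device.

```shell
#!/bin/sh
# Added example, not code from the original posts. Writes a small ASL
# definition and deploys it with the AWS CLI. Because a State Machine could
# not be updated in place, redeploying means delete-then-create.
# Assumed: AWS CLI configured; the Lambda ARN, role ARN and names below are
# placeholders.
set -u
AWS="${AWS:-aws}"   # set AWS=echo to print the commands instead of running them

# Workflow: one Lambda call per device, looping until the function reports
# done. Input: {"devices": [...], "index": 0, "results": []}. The (assumed)
# Lambda reads devices[index], appends that device's firmware version to
# results, increments index and sets "done": true after the last device.
write_definition() {
  cat > "$1" <<'EOF'
{
  "Comment": "Fetch the firmware version of each device, one device per task",
  "StartAt": "GetFirmwareVersion",
  "States": {
    "GetFirmwareVersion": {
      "Type": "Task",
      "Resource": "arn:aws:lambda:eu-west-1:123456789012:function:GetFirmwareVersion",
      "Retry": [ { "ErrorEquals": ["States.TaskFailed"], "MaxAttempts": 2 } ],
      "Next": "MoreDevices"
    },
    "MoreDevices": {
      "Type": "Choice",
      "Choices": [ { "Variable": "$.done", "BooleanEquals": false, "Next": "GetFirmwareVersion" } ],
      "Default": "Finished"
    },
    "Finished": { "Type": "Succeed" }
  }
}
EOF
}

# Create a state machine from a definition file; prints the new ARN.
sfn_create() {
  name="$1"; definition_file="$2"; role_arn="$3"
  "$AWS" stepfunctions create-state-machine \
    --name "$name" \
    --definition "file://$definition_file" \
    --role-arn "$role_arn" \
    --query stateMachineArn --output text
}

# Delete a state machine by ARN. Deletion is asynchronous: running executions
# are stopped and the machine stays in DELETING state for a while.
sfn_delete() {
  "$AWS" stepfunctions delete-state-machine --state-machine-arn "$1"
}

# Replace a machine: refuse to touch anything if the new definition file is
# missing or empty, delete the old machine (when an ARN is given), then
# create the new one under the same name.
sfn_redeploy() {
  name="$1"; definition_file="$2"; role_arn="$3"; old_arn="${4:-}"
  [ -s "$definition_file" ] || { echo "empty or missing definition: $definition_file" >&2; return 1; }
  if [ -n "$old_arn" ]; then
    sfn_delete "$old_arn" || return 1
  fi
  sfn_create "$name" "$definition_file" "$role_arn"
}
```

Run it with AWS=echo first to see the exact CLI calls without touching your account. Because deletion is asynchronous, the create call can fail with StateMachineDeleting until the old machine is gone; retry after a moment rather than picking a new name each time.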

Read More

28 Aug

VIRL 1.3 – the first impression

Cisco VIRL

Last week Cisco released VIRL PE 1.3 (previously called just VIRL). This version includes a major technology upgrade to the underlying infrastructure; only minor adjustments are visible to users. That was something everyone expected, as the old Ubuntu used for VIRL 1.2 regularly asked for package updates.

I worked with the new VIRL for a few hours. I must say I am not impressed. Some old problems came back, at least in my installation. Frequent snapshots of the VIRL VM are required again. Here is a quick summary of my thoughts and experience so far.

Read More

24 Aug

IGMP Snooping on single switch

IGMP Snooping is a nice feature to limit the propagation of multicast traffic in a Layer 2 Ethernet network. The switch listens to the IGMP (Internet Group Management Protocol) messages traversing it: membership reports tell it which ports have receivers for a group, and queries tell it where the querier (normally the multicast router) sits. Using this information the switch builds a map of the ports to which it replicates the frames of each multicast group. What if we do not have this feature enabled? The switch treats multicast frames like unknown unicast and floods them out of all active ports in the VLAN, no matter whether there is a receiver interested in that particular multicast group behind them or not.

IGMP Snooping on a single switch is useful to limit the propagation of multicast frames when the source and the receivers are in the same Layer 2 broadcast domain, i.e. the same VLAN. IGMP Snooping is enabled on Cisco switches by default, but that does not mean it works out of the box: snooping relies on periodic IGMP queries to keep the membership table alive, and on a single switch with no multicast router in the VLAN nobody sends them, so the entries age out and the switch is back to flooding. You need a querier in the VLAN, and the switch itself can play that role.
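What that means in configuration on a Catalyst switch running IOS, as an added example that is not from the post (VLAN 10 and the SVI address are assumptions):

```text
! Default state: snooping is on globally and for the VLAN, but nothing in
! VLAN 10 sends IGMP queries, so membership entries expire and traffic
! ends up flooded again.
ip igmp snooping
ip igmp snooping vlan 10

! Fix: let the switch act as the IGMP querier. It needs an IP address to
! source the queries from; an SVI in the VLAN provides one (alternatively
! use "ip igmp snooping querier address <ip>").
interface Vlan10
 ip address 10.0.10.2 255.255.255.0
!
ip igmp snooping querier

! Verify: the querier must show as active in VLAN 10, and after a receiver
! joins, the group must list only the port(s) where the receiver sits.
! show ip igmp snooping querier
! show ip igmp snooping groups vlan 10
```

If "show ip igmp snooping groups" shows the group only right after a join and then the entry disappears, the querier is missing or not sending in that VLAN.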

Read More

18 Aug

Generate multicast​ traffic in VIRL using Ostinato

Cisco and VIRL logos

Ostinato is a traffic generator. You can use it to craft packets and send flows into your network; you can even send multiple streams at once if required. It is a tool that network admins and developers should use to test a system or application against various scenarios. Ostinato is available on Cisco VIRL by default, so we can use it as a packet generator in our simulations.

Ostinato consists of two components: the agent (called the drone), which in VIRL runs as an LXC image inside the simulation and generates the traffic, and the GUI frontend that controls it. In this article I will show you how to use it to generate a multicast stream in a VIRL simulation.

Read More

08 Aug

Cisco Firepower NGIPSv on ESXi

Secure Your Network

Cisco Firepower NGIPS is available on multiple platforms. One of the deployment options is a virtual appliance running on top of the ESXi hypervisor; Cisco documentation calls this product NGIPSv.

A single physical machine running the ESXi hypervisor in an isolated network is one of the best ways to run a Proof of Concept (PoC) lab for an IPS solution. You cannot evaluate the product without testing it in a sandbox where you can try to hack it, infect it or do other nasty things. This way you can run NGIPSv, the Firepower Management Center (FMCv) and one or more victim VMs behind the sensor on a single ESXi host.

Here is a quick step-by-step guide to deploying NGIPSv in transparent (inline) mode on a single ESXi host. What we want to accomplish is to have NGIPSv in front of the other virtual machines. In this scenario there is no firewall, just the NGIPSv sensor. It is of course neither the safest nor the most flexible way to deploy a sensor, and it is not best practice; you should not use it as-is in your production network. I use this setup only for quick demos, when I want to show how the Cisco Firepower NGIPS solution works: get network discovery running, apply an IPS policy and get the end host infected by malware. One ESXi-specific check worth doing first: the port groups attached to the sensing interfaces must accept promiscuous mode (and, for an inline pair, forged transmits), otherwise the sensor sees no traffic at all.

Read More

28 Jul

AWS Lambda guide part IV – API Gateway and Lambda without S3

AWS Lambda Tutorial, I will show you how to create or import your Python application to Lambda, use S3 bucket, add S3 trigger for Lambda and more!

It is time for some final tuning of my small certificate-signing service. In the previous parts I showed you what the AWS Lambda service is and how to import a simple Python application into a serverless microservice. I also connected the Lambda function to the S3 storage service, where I put the certificate and key files, and then added a trigger so the function executes automatically every time someone uploads a new CSR (certificate signing request) file to the S3 bucket. Now I will show you how to make this function not only serverless but also storageless, using API Gateway. It is not a standard approach, but in some scenarios it might be interesting. So we will connect API Gateway and Lambda without the S3 backend for keys and certificates. Keep in mind where the signing key ends up in such a design: if it is not in S3 it is either in the request, in the function package or in an environment variable, and each of those needs its own protection.

Read More

07 Jul

How to display HTML page using only AWS API Gateway

API Gateway is a powerful tool you can use to create a frontend for an application hosted on AWS. It lets developers create, maintain, secure and monitor APIs at scale. Such an API is a gateway to your data, functions, logic or any web application hosted on AWS. It follows the RESTful model used for example by web servers, and it can be used to eliminate physical or virtual servers from the infrastructure. API Gateway also gives you a dynamic and flexible way to transform data. Let me show you how to display an HTML page using only AWS API Gateway.

Read More

04 Jul

AWS Lambda guide part III – Adding S3 trigger in Lambda function

AWS Lambda Tutorial, I will show you how to create or import your Python application to Lambda, use S3 bucket, add S3 trigger for Lambda and more!

This is the third part of the AWS Lambda tutorial. In the previous chapters I presented the small Python app I created for signing certificate requests and imported it into the AWS Lambda service (see AWS Lambda guide part I – Import your Python application to Lambda). Then I modified the code so that instead of referencing static local files it reads from and writes to an S3 bucket (see AWS Lambda guide part II – Access to S3 service from Lambda function). Now let's move forward and add an S3 trigger to the Lambda function.

We can always execute a Lambda function manually, either from the web console or using the CLI. We can also execute it from another application if required. But microservices are often triggered by events. In this article I will show you how to sign a certificate automatically with my Lambda function when a request file is uploaded to an S3 bucket. Let me show you how to configure an S3 trigger in Lambda.
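The same trigger configured from the AWS CLI instead of the console, as an added example that is not code from the post. It does the two things the console does behind the scenes: grants the S3 service permission to invoke the function, and attaches an ObjectCreated notification to the bucket. The bucket name, function name, account ID, region and the ".csr" suffix filter are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Wires an S3 bucket to a
# Lambda function with the AWS CLI so the function runs for every new .csr
# object. Assumed: AWS CLI configured; bucket, function and account
# identifiers are placeholders.
set -u
AWS="${AWS:-aws}"   # set AWS=echo to print the commands instead of running them

# Notification configuration: only ObjectCreated events, and only keys ending
# in the given suffix. Without the suffix filter, the certificate the function
# writes back into the same bucket would trigger it again (a loop).
s3_notification_json() {
  function_arn="$1"; suffix="$2"
  printf '{"LambdaFunctionConfigurations":[{"Id":"sign-csr","LambdaFunctionArn":"%s","Events":["s3:ObjectCreated:*"],"Filter":{"Key":{"FilterRules":[{"Name":"suffix","Value":"%s"}]}}}]}' \
    "$function_arn" "$suffix"
}

# Step 1: allow the S3 service principal to invoke the function. SourceArn
# limits it to this bucket; SourceAccount makes sure that if the bucket is
# ever deleted and its name re-registered by another account, that bucket
# cannot invoke the function.
lambda_allow_s3() {
  function_name="$1"; bucket="$2"; account_id="$3"
  "$AWS" lambda add-permission \
    --function-name "$function_name" \
    --statement-id "s3-$bucket" \
    --action lambda:InvokeFunction \
    --principal s3.amazonaws.com \
    --source-arn "arn:aws:s3:::$bucket" \
    --source-account "$account_id"
}

# Step 2: attach the notification. This call replaces the bucket's whole
# notification configuration, so merge in any existing notifications first.
s3_add_trigger() {
  bucket="$1"; function_arn="$2"; suffix="$3"
  "$AWS" s3api put-bucket-notification-configuration \
    --bucket "$bucket" \
    --notification-configuration "$(s3_notification_json "$function_arn" "$suffix")"
}

# Both steps, in the order S3 requires (the permission must exist before the
# notification can be attached).
add_s3_trigger() {
  bucket="$1"; function_name="$2"; account_id="$3"; region="$4"; suffix="${5:-.csr}"
  function_arn="arn:aws:lambda:$region:$account_id:function:$function_name"
  lambda_allow_s3 "$function_name" "$bucket" "$account_id" || return 1
  s3_add_trigger "$bucket" "$function_arn" "$suffix"
}
```

Run with AWS=echo to review the calls, then for real; afterwards "aws s3api get-bucket-notification-configuration --bucket <bucket>" should show the single Lambda configuration with the suffix filter.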

Read More