None of the ASA's support BGP. I didn't think so but I went ahead and did the
research for you:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/glossary.html#wp1027964
The security appliance does not support BGP.
-Kevin
-Original Message-
From: "David DiGiacomo"
S
They could make it out of the box but this is why Dylan made his statement. The
platform simply doesn't perform well enough to support all of that
functionality on the current ASA models. I know first-hand from much of our
testing the ASA's rarely meet the box specs for PPS/throughput sim
My personal opinion has been that we have seen great success in large
environments with FreeRadius and using radrelay for mysql synchronization then
an OpenLDAP-backend. We used FreeBSD/CARP and/or FreeVRRPd for failover but
this can be accomplished in other methods.
FreeRadius has a built-in C
When you say monitoring...
Do you mean servers and network gear or just network? What type of gear? What
kind of information are you looking to get? (How detailed?)
What kind of budget do you have?
Really all of those are needed to make a recommendation. I'm guessing this is a
small network? How m
Are you considering doing SNTP or regular NTP?
If regular NTP... I once read some excellent advice on AnyCast:
"It often doesn't make sense to go through the extra complexity in deploying a
service with AnyCast addressing if it doesn't justify the benefit."
In this sense, I really don't understa
Folks,
We have a strange situation occurring lately where we are getting some reports
of TCP Sweeps from some one of our IP's, yet the IP is one of many specifically
configured for inbound traffic and do not emit outbound traffic unless for
response. Specifically, these are ddos mitigation IP's
Thanks Matt,
That's what we believe we're seeing at this point but we're trying to convince
our upstream. :) We have seen this in the past but proving it is occurring
seems to be the primary issue we're running into at this point.
-Kevin
-Original Message-
From: "Matt Hite"
Sent: Sund
Excellent!
Thanks John. We have seen this sort of signature before but we couldn't find
the reference source in our library. I don't believe this is one we had.
Thanks!
Kevin
--Original Message--
From: John Kristoff
To: Kevin Hatfield
Cc: nanog@nanog.org
Subject: Re: Very Strange - TCP S
What kind of budget do you have? I think it really depends on what you're going
after.
Both would work... Is there something specific you want to do? Honestly, your
current bandwidth utilization and need could be handled by an OpenBSD system.
I think I may be missing your exact question. Are y
My comment would be:
That is simply a matter of opinion and opinions may be swayed depending on the
market that signs your check? :)
There have been a fair share of appliance bugs/sec vulnerabilities over the
years as well.
I agree software-based deployments have their flaws but I do not agree t
I haven't done real world testing with Vyatta but we consistently pass 750KPPS+
without the slightest hiccup on our FreeBSD routing systems.
Correct hardware with the right configuration can make all of the difference.
-Original Message-
From: "Dobbins, Roland"
Date: Tue, 13 Jul 2010 1
Routing.
We can route that. If it were targeting the box itself it would depend if the
attack were getting through.
Certainly iptables can't handle something like that but pf does well with high
PPS rates. If it were all 'DROP' traffic then likely higher. If it were hitting
the box directly a
In that case you are entirely accurate. If you were to use Vyatta
(linux-based) systems for this then you would likely need additional
infrastructure to firewall or zone it to ensure it can't be hit directly.
Depending on what all it has running and the configuration it could be
firewalled off
I have to agree that this is all good information.
Your question on ITIL: My personal opinion is that ITIL best practices are
great to apply to all environments. It makes sense, specifically in the change
control systems.
However, as stated, it's also highly dependent on how many devices being
eTOM is best regarded as a companion to ITIL practices. It has additional
layers not covered by ITIL and vice versa.
I think a combination of practices from both is the best method.
-Kevin
-Original Message-
From: "Xavier Banchon"
Date: Sat, 17 Jul 2010 20:20:26
To: ; Kasper Adel
Repl
Hello,
From our past experience this can be accomplished without issue as long as you
have good log records and tracking in place. Ensure you have long-term
retention for the logs to cover yourself.
Many ISP's are moving to this sort of environment simply due to the reasoning
stated.
-Kevin
/agree
Looks like a stunt to drive traffic to his blog unless he actually has
something to back this up.
Mr. Wallace: I think I speak for a majority of the members on this list when I
say that we are busy enough dealing with real business. Please do not sacrifice
the professionalism of this l
It's pretty standard for any company to terminate upon taking something without
permission.
I worked with a company that threw away / recycled nearly an entire 100k sq.
foot datacenter. All of the gear still in working order. It's just one of those
things...
Your employer tells you to throw it aw
(Excuse me if I missed part of the email chain. This may have already been
mentioned)
It could be a bit of an annoyance for configuration but the one method you
could use is to force a proxy internally.
I am a bit unsure why most don't do this already but it has its flaws.
1) Lack of static/dy
Most of the ones I have seen (2 out of 3) were inhouse/home-grown solutions.
I believe the other was provided by SA (Scientific Atlanta). I tried to do a
quick search on it and it appears that product may now be provided by Cisco in
partnership with SA.
Best of luck
-Original Message-
Kind of funny how they intend to do enough 'WholesaleVoIP' on a 10Mbps
connection/1GB RAM for a /20 :)
That is a giveaway in itself.
-Original Message-
From: Tero Toikkanen
Date: Tue, 7 Sep 2010 08:24:05
To: NANOG list
Subject: IPv4 squatters on the move again?
Anyone hear of the Sun
We run a *free* WISP and block 25 but I'm not sure why you would want to force
all traffic through it. That's a touchy argument but it would really bother me
as a paying subscriber.
We use customized squid to haproxy (custom) to route traffic. Our main business
is ddos protection and we use dat
No matter how they spin it, it isn't legal. Likely he won't be touched in India
but in the U.S. he and the industry paying him would be facing a judge.
The guy is a moron. Wanna be elitist.
--Original Message--
From: Michael Painter
To: nanog@nanog.org
Subject: Re: Copyright Enforcement D
He mentioned doing work (for hire) in AU and such. I think he may be in for a
rude awakening since our past experience with the Australian authorities is
they are more active chasing ddos/cyber-crimes than the U.S. Those guys pull
out all the stops to prosecute. (Which I am happy to see)
Sadly,
I may be missing the point here completely but to me Teredo just seems like a
glorified hack/workaround for a bigger problem. Isn't it better (yes less
cost-effective) to just upgrade equipment?
I really don't see the advantage here. Maybe someone can explain away my
ignorance to the concept?
-
Thanks for the explanation.
And Owen: thanks, I just thought most networks/facilities (colo/private) should
be close to ipv6 nowadays. At least capable, maybe not configured.
I think I was just making an assumption so thanks for the info.
--Original Message--
From: Jeff Kell
To: Kevin Ha
2350 is about an accurate date considering how quickly migration is happening
in most places :)
-Original Message-
From: Nathan Eisenberg
Date: Sun, 12 Sep 2010 20:54:49
To: nanog@nanog.org
Subject: RE: List of Teredo servers and teredo relays
> While I would agree in principle, in prac
Speaking to your example with Blizzard:
The Blizzard downloader does provide an option to disable P2P transfers which
then downloads direct via http from Blizzard.
Yes, the update software defaults to allow P2P but it isn't like they are
forcing it upon their users. I have seen Sony do the sam
I do agree here. If you are not moving a lot of data then something like BSD or
Vyatta may be a good alternative. You do still have possible reboots required
and things you would not see as often with a hardware-appliance model. However,
for cheaper than the cost of 1 appliance you could build
Now that's some paranoia ;)
-Original Message-
From: "Heath Jones"
Sent: Tuesday, September 28, 2010 4:05pm
To: nanog@nanog.org
Subject: Re: AS11296 -- Hijacked?
He blocked google mail? WTF?
-- Forwarded message --
From: Mail Delivery Subsystem
Date: 28 September 2010
30 matches