drs' stuff

Wednesday, 14 September 2005

IBGP design and testing

The need for a dynamic routing protocol on the Rhodes network is becoming apparent. At the moment, we've set up a bunch of static routes between our two Nortel Ethernet Routing Switch (née Passport) 8600s, the Internet firewalls and the ResNet firewall. Next year, though, we'll be adding a third 8600 and a second ResNet firewall to the mix. The ResNet firewalls, in particular, will complicate matters as each will have about 20 not-very-aggregatable networks behind them...

Based on Guy's experience with the GINX BGP setup, we reckoned we'd set up IBGP rather than trying to get our heads around another routing protocol (such as OSPF, which we considered).

Guy's first tests with the 8600's BGP implementation weren't very fruitful: it flatly refused to advertise any networks to its peers. Now that we've upgraded the software on the 8600s, I've had another go at it, with much more success. So far, we've got two 8600s, an old Cisco 7200 and zebra on FreeBSD peering.

We're less concerned about achieving reliability than about ease of configuration. We're hoping that Nortel's SMLT/RSMLT implementation will provide us with a resilient, triangular-shaped backbone segment, which will elegantly solve the reliability issues at layer 2 rather than layer 3.

Our intended BGP design tries to maintain our fairly flat routing structure: all routers will have an interface on the backbone subnet, and create a full IBGP mesh on that subnet. Full mesh should be easy enough to manage, because we should only need one peer group and n neighbour statements in each router. If that proves too painful, we could use the 8600s as route reflectors, with a full mesh between them.
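As an added illustration of that design (not a config from the post or from the Rhodes routers), here is what the per-router bgpd configuration for the zebra peer looks like: one peer group carrying the common IBGP settings, n neighbour statements for the other mesh members, and an inbound prefix-list so a peer can only inject the campus ranges we expect. The AS number, backbone addresses and prefixes are hypothetical; the route-reflector alternative is shown as a comment.

```text
! bgpd.conf fragment for one member of the full IBGP mesh (added example).
! Hypothetical values: private AS 65000, backbone subnet 10.0.0.0/24,
! this router is 10.0.0.1, campus space is 192.0.2.0/24 and 198.51.100.0/24.
router bgp 65000
 bgp router-id 10.0.0.1
 ! One peer group holds everything the mesh members have in common ...
 neighbor BACKBONE peer-group
 neighbor BACKBONE remote-as 65000
 neighbor BACKBONE description IBGP full mesh on the backbone subnet
 ! ... including an inbound filter: accept only campus prefixes from a peer,
 ! never a default route or somebody else's address space.
 neighbor BACKBONE prefix-list CAMPUS-ONLY in
 ! ... so each additional router is a single neighbour statement.
 neighbor 10.0.0.2 peer-group BACKBONE
 neighbor 10.0.0.3 peer-group BACKBONE
 neighbor 10.0.0.4 peer-group BACKBONE
 ! Prefixes this router originates, e.g. the not-very-aggregatable
 ! networks behind a ResNet firewall.
 network 192.0.2.0/24
 network 192.0.2.64/26
!
! Route-reflector alternative: on an 8600 acting as reflector, mark the
! non-reflector peers as clients and keep the full mesh only between the
! reflectors (Cisco/zebra syntax; the 8600 has its own CLI for this).
! neighbor 10.0.0.3 route-reflector-client
!
ip prefix-list CAMPUS-ONLY seq 5 permit 192.0.2.0/24 le 32
ip prefix-list CAMPUS-ONLY seq 10 permit 198.51.100.0/24 le 32
ip prefix-list CAMPUS-ONLY seq 100 deny 0.0.0.0/0 le 32
```

A full mesh of n routers needs n-1 neighbour statements in each of them; with reflectors only the 8600s keep a mesh and every other router peers with the reflectors alone.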

Whiteboard Toys

posted at: 23:08 | path: | permanent link to this entry

Tuesday, 13 September 2005

Firewalls are magic things

Some years ago, nbm tried valiantly to explain what a firewall was to our class of I.S. III students. A few people got it, but it seems that about half the class learned only that firewalls were magic because they did security things and you needed them.

I guess I haven't spent enough time around I.S. graduates recently, because this conversation with a high-priced database consultant really got to me:

Consultant: What ports should I use for this? The developers will need to access the database from their PCs via these ports.

Me: Well, the port numbers don't really matter as long as we make the right holes in the firewall. What encryption protocol will this be using?

Consultant: No, I'm pretty sure there's no encryption.

Me: Will the developers need to log in?

Consultant: No.

Me: Um... can you tunnel it over SSH?

Consultant: I think so, but I've never done it before. Normally we just firewall the developers.

(slightly paraphrased)

So basically the database server exposes its databases on certain ports for the developers to access without authentication or encryption. [Cue all sorts of red lights in my head.] But apparently that would be OK because of the firewall... it must be magic.

It doesn't matter how much the consultant knows about how the database server works -- if he understands so little about security, he's a real danger to the information in the database.

Hopefully he'll learn how to do SSH tunnelling and set that up.

posted at: 00:06 | path: /rants | permanent link to this entry

This work is licensed under a Creative Commons License