enfoPoint

Juniper’s Mykonos Software goes on the offense with a novel approach against brute force authentication and directory traversal attacks.

Tom — Fri, 22 Feb 2013 03:39:11 +0000

Intrusion Deception: The ‘Tar Trap’ Approach to Web Application Security

Juniper’s Mykonos Software goes on the offense with a novel approach against brute force authentication and directory traversal attacks.
By Sean Michael Kerner | June 01, 2012

The deception of one’s enemies is a time-tested strategy that dates back to Sun Tzu’s The Art of War. Applied to the context of web application security, “intrusion deception” software tricks hackers into thinking they are about to hit the jackpot — when in fact they’ve simply been lured into a tar trap whose real purpose is to detect and disable their attack.

Mykonos Software’s Web Intrusion Prevention System works by inserting bogus server files, forms, and URLs into web applications. Deployed in front of any website or web application, the software inserts the tar traps at serve time and never actually touches the application server. Normal users never see the traps, which can only be found by malicious hackers. The company claims that its technology can detect hackers with absolute certainty and zero false positives during the reconnaissance phase of the attack.

In a new release of Mykonos, the software is now going a step further with a series of new protections that make it even more difficult and time-consuming for attackers to go after two common attack vectors: directory traversal and brute-force authentication. The new release is the first since Mykonos was acquired by Juniper in February 2012 for $80 million in cash.

Directory Traversal? Check Out These Bogus Files

In a directory traversal attack, hackers run automated tools against a site — trying to spider it and get a map of all the hidden files and directories that are present. The risk with this type of attack is that files that are normally not exposed can be discovered and mined for sensitive information such as passwords and configuration settings.

Kyle Adams, Chief Architect of Mykonos told eSecurity Planet that the risk of directory traversal is not something that a Google search would typically uncover. Adams explained that in a directory traversal attack, attackers have a list of common files names that are searched for with a custom tool. These are files that are not linked anywhere else in the site and could include items that are not intended for public disclosure.

“What we’re doing is identifying people that are probing for random files that don’t exist,” Adams said. “Once we identify the attacker, then the Mykonos system responds back that the files do exist.”

Since the tool is recursive, it would send the attacker on a feedback loop that could last forever. So if the attacker is looking for an admin file they will find a bogus file created by Mykonos that goes nowhere.

“Google will only spider resources that are referenced from the site,” Adams said. “Google will not say there is a readme file if it’s not referenced anywhere, whereas that hacker tool will pick that file up.”

Legitimate searchers are not likely to be requesting a large number of files that don’t exist, which limits the risk of blocking real users. The Mykonos system identifies the malicious directory traversal attempt based on the number of attempts.

Brute Force? Your Inputs Have Been Changed

The other improvement to the Mykonos system is with new brute-force authentication protection. In a brute-force attack, the attacker tries to gain unauthorized use to a system or application by trying out myriad passwords until one works. The traditional way that security systems have dealt with brute-force attacks is by blocking IP addresses based on the number of bad password entries. The Mykonos approach is a bit more devious and is designed to confuse the attacker and waste their time and resources.

The Mykonos system looks for failed logins to specific accounts. For example, if someone tries to login as Joe Smith five times and provides the wrong password, the system will serve up a CAPTCHA. The CAPTCHA is the first step and then if the attacker figures out how to get around the CAPTCHA, Mykonos has a layer of defensive deception.

“At a certain point, when we see that a particular user has failed to login a certain number of times, we say that from that point forward, for anyone that tries to login to that particular user, we’ll mess up the password,” Adams said.

So if the attacker attempts to login to the Joe Smith account with the password Joe123, the Mykonos system will actually change the input to be something else. As a result, when the attacker submits a password, it will come back as invalid, even if they submitted the correct password.

“So someone that is doing a brute force attack, they will have to test every possible combination of passwords and even if they guess it correctly the response will come back as invalid,” Adams said. “That’s pretty effective against brute force attacks.”

WAF Signatures

While the Myknos system is not technically defined as a Web Application Firewall (WAF), the new release now supports WAF signatures as well. Adams noted that Mykonos now support the open source mod_security WAF ruleset. With the mod_security rules, Mykonos will also be able to block known web application threats.

Moving forward, the Mykonos software is still in the process of being integrated into Juniper’s larger overall portfolio of solutions. Adams noted that they are still figuring out the different API and integration points.

Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com, the news service of the IT Business Edge Network. Follow him on Twitter: @TechJournalist.

Juniper guns for Cisco again with smaller QFabric

Tom — Wed, 13 Jun 2012 17:05:07 +0000

Claims cable and power advantages over Nexus with 40G 1RU fabric switch

By Jim Duffy, Network World
June 12, 2012 12:05 AM ET

Juniper this week unveiled a version of its fabric switches for mid-sized data centers and also increased the scalability of its core Ethernet switches.

The extensions to Juniper’s QFabric and EX8200 switches are designed to broaden the addressable market for the devices while allowing customers to scale their networks and eliminate switching tiers. QFabric, for instance, is intended to enable users to build low latency, single-tier fabrics for data centers where each switch feels only one-hop away.

MORE THAN ONE WAY OUT: Figuring out the data center fabric maze

Mid-sized data centers and satellite facilities can now implement these designs with the new QFX3000-M. The QFX3000-M includes a fixed configuration interconnect, the QFX3600-I, with 16 40Gbps ports. It also includes a 40G top-of-rack switch, or node, called the QFX3600, also with 16 40G ports in 1 RU. The new system can also use the existing QFX3500 10G nodes that have been shipping since September 2011, and the QFX3600 can also serve as the node for the existing QFX3000-G Interconnect.

Juniper says customers can manage oversubscription from access to interconnect by choosing how many ports they configure as server access versus uplinks to the interconnect. This allows the following options on QFX3000-G or QFX3000-M with the QFX3600 as the node: 6:1, 3:1, 1:1 for 10G and also native 40G connectivity.

The QFX3000-M scales from 48 to 768 10G Ethernet ports with either the QFX3500 as the node or the QFX3600. The 40G ports on the QFX3600 can also be configured as 4x10G ports, Juniper said.

The existing QFX3000-G scales to 6,144 10G ports, Juniper says.

The QFX3000-M features three microseconds of latency, enabling server-to-server traffic speed equivalent to streaming 1,000 HD movies a second, Juniper says. Juniper also says the QFX3000-M offers four times the performance, in 63% less rack space, using 74% fewer cables and 57% less power than a fabric built with Cisco’s Nexus 7000 switches and Nexus 2000 fabric extenders.

Juniper says it has 150 QFabric customers.

The EX8200, meanwhile, is designed for mixed environments of 10G and Gigabit Ethernet. Up to eight of the switches can now be logically linked over distances of 80 kilometers using Juniper’s Virtual Chassis technology.

Previously, only two EX8200 could be linked using Virtual Chassis.

This enhancement allows users to manage up to four core networks of two switches each as a single switch.

The QFX3600-I is available now for $50,000, not including 40G optics. The QFX3600 will be available as a 16-port 40G Ethernet top-of-rack switch in the second half of 2012. It costs $40,000.

Separately, Juniper has named Andy Bach as its chief architect, financial services. Bach had been senior vice president, Global Head of Network Services at the NYSE Euronext, where he responsible for planning the worldwide networks that link the New York Stock Exchange (NYSE), Securities Industries Automation Corporation (SIAC), the American Stock Exchange, Pacific Stock Exchange, Archipelago, LIFFE and European cash markets, as well as the national markets system networks SIAC operates. Bach also designed and developed the Secure Financial Transaction Infrastructure, which grew from a New York metropolitan network to a global network spanning several continents.

NYSE is a Juniper EX and QFabric customer.

Bach will be responsible for helping define Juniper’s financial services market sales strategy and customer architectures for cloud computing and the mobile Internet. He will report to Gene Chao, vice president, global industries, strategy and solutions at Juniper.

Jim Duffy has been covering technology for over 25 years, 21 at Network World. He also writes The Cisco Connection blog and can be reached on Twitter @Jim_Duffy.

Read more about data center in Network World’s Data Center section.

enfoPoint Names Brad Darr as Technology Lead

Tom — Fri, 09 Mar 2012 20:51:28 +0000

Former Systems Engineer at Juniper Networks, Brad Darr to head Engineering at enfoPoint LLC

Brentwood TN, March 9, 2012 — enfoPoint Solutions today announced that Brad Darr will be joining the company as vice president and technology lead of Engineering. In this newly created role, Brad will oversee the company’s end-to-end engineering strategy and lead the newly formed Engineering Solutions Division. He joins the company from Juniper Networks (NYSE: JNPR) and will be a full partner along with Tom and Judy Spear.

Under Darr’s leadership, enfoPoint is expanding its focus to now include Juniper Networks, Microsoft, and Polycom as the three core engines of growth for the company. Juniper’s Junos based products is already a key differentiator for the company that drives customer adoption of solutions including industry leading Juniper Networks® MX Series and EX Series switching and WLAN Series Wireless offerings. The company plans to further accelerate this momentum as Darr assumes his new role.

“We are excited to have a leader of Brad’s caliber coming on board to lead enfoPoint’s engineering initiatives, and I’m confident that his vision, customer focus, and technical expertise will bring tremendous value to our organization,” said Judy Spear, President enfoPoint LLC . “As we continue to execute on our growth strategy centered on Junos based products, we look forward to Brad playing a central role in extending our leadership position in both Service Provider and Commercial business.”

Secure your Virtual Machines by taking the Fast Path Approach

Tom — Thu, 04 Aug 2011 16:28:45 +0000

Secure your virtual machines by taking the fast path approach

July 21, 2011

By: Tom Spear and Paula Parker

80% OF BUSINESSES today have some level of virtualization in their network infrastructure. Just like with physical servers, it is important to secure Virtual Machines (VMs) which have become software instances inside a host container. There are different ways to secure and restrict a VM or server. However, some methods can be slow, cumbersome and punitive. What is troubling is the growing battle of “speed vs. security” within many large organizations. A recent survey result indicated that speed still wins. Security News from Help Net Security www.net-security.org reported July 19, 2011 that the results of a Crossbeam Systems survey which polled nearly 500 participants of enterprises and service providers resulted in data indicating that “Ninety percent of respondents admit to making a trade-off between security and throughput performance.” That puts the organization, partners, employees and customers like yours potentially at risk.

So how do we address this conundrum? In the past, Security Administrators have used V-LANs to segment and secure their mission critical workloads. A second, more recent tactic has been to implement a “Slow Path” approach of securing VMs on a one to one firewall/VM ratio. This solution though, potentially uses up the hypervisor’s resource pool, slowing down the overall performance and adding a large amount of overhead. Both of the methods described above intensify the challenge of “speed vs. security”.

However, security must not be ignored. Consider the outburst in recent security breaches: HBGary Federal was breached in February of 2011, supposedly by the internet activist group “Anonymous”. In March, RSA endured a security breach from a targeted phishing attack compromising RSA’s SecurID authentication tokens which put at risk many Fortune 500 companies. Epsilon endured a breach in April, putting at risk those whose names were on millions of e-mail addresses that were stored by the company, which happens to be one of the world’s largest providers of e-mail service marketing.

Also during April, Sony’s Playstation Network was reported to have leaked personal information of over 70 million subscribers.

The company then again endured another breach in May. And, most recently, in June of this year, Citibank announced that personal and account information of an estimated 200,000 bank card customers in North America had been breached. Could the Citibank breach been linked to the massive Epsilon breach in April since it was reported that Citibank was one of Epsilon’s customers? The world is getting smaller and it would appear the attack footprint is getting bigger.

Yet, there is now a third unique solution that takes a “Fast Path” approach and can provide a balance point that removes the challenge of forgoing speed while securing the VM environment. This “Fast Path” approach doesn’t impair the ROI gained from going to the virtualization model and has minimal overhead. It was designed with high performance and virtualized security in mind. The Fast Path approach is only possible by taking advantage of VMware’s VMsafe APIs (Application Programming Interfaces). VMsafe is a security suite of API’s for the VMware Hypervisor. The VMsafe APIs allow vendors to advance security products that combat malware in ways that were not previously available to physical environments. Tom Spear, CEO of enfoPoint Solutions, http://enfopoint.com explains that the third option has a 10 times greater improvement over the alternatives in throughput with greater security, thanks to VMware opening up their API’s through the VMsafe certification program. At enfoPoint, we recommend that if you are looking for such a solution, you need a product that has had years of development and is purpose built from the ground up. Some of the features you should look for include the following:

• Agentless software to prevent malware from hiding within the hypervisor
• VM Safe certification
• Intrusion Detection System capabilities
• VM Introspection for gaining an X-Ray view of VM activity within the hypervisor
• Alerts and Reporting capabilities
• Compliance management and indicators for rating the current security posture
• High Availability (HA) options
• Ability to go from Global to granular for applying automated security policies.

This is not the future. There are products that meet all the above requirements today. Tom points out that it is important to select an agentless product so malware would have no place to hide. Malware can attack the infrastructure of a business, and can lay in wait to attack for long periods of time if left undetected. It’s an industry known problem that malware can disable agents and hide. The solution needs to be effective in addressing the security need to limit an in scope VM to a single function in order to comply with PCI DSS mandates.

THE MOST RECENT REVISION for PCI DSS compliance 2.0 was updated in the fall of 2010 specifically to address virtualization and how Cardholder Data should be treated in a Cardholder Data Environment (CDE) when the data is being processed, stored and/or transmitted (in scope). Additionally, cloud computing, both private and public, has an underlying platform based on virtualization. The PCI Security Standards Council released their “Information Supplement: PCI DSS Virtualization Guidelines” in June of 2011 stating in section 2.2.1 under Scope Guidance: “If any virtual component connected to, (or hosted on) the hypervisor is in scope for PCI DSS, the hypervisor itself will always be in scope”. So essentially, Virtual Machines that are processing, transmitting or storing cardholder data must be treated like an in scope server and limited to a single function based on PCI DSS requirements.

Both public and private cloud computing utilize virtualization because of the innate ability to optimize the performance of an organization’s network through resource pools and clustering for high availability, high performance computing, load balancing and utility grid computing. This however, also suggests a potential area of vulnerability and perhaps a security gap if security managers for both VMs and the cloud, public and private, have not taken all the due diligence necessary to secure the virtualized environment.

If your organization is considering Public Cloud Services, it is important to be aware that the PCI Security Standards Council advised that the responsibility for securing in scope VMs should be shared but weighted differently depending on the type of service the cloud is providing. See the graph below for the Council’s guidance for Infrastructure As A Service (IAAS), Platform As A Service (PAAS), and Software As A Service (SAAS).

enfoPoint Solutions offers compelling value propositions that help to address and minimize the security gaps from the issues above. Both hardware and software solutions are offered by the company that can literally address the performance and security concerns from layer 1 of the OSI model all the way through layer 7 providing not only defense in depth protection of physically connected servers but also purpose built security protection of virtual devices in a VMware environment that helps to maintain high throughput with minimal impact on the performance of organization and/or service provider’s network.

Tom enthusiastically adds that there is some break though products that have taken advantage of the VMsafe API certification program. He has invested time in addressing the solutions available and if you would like to learn more he encourages organizations struggling with the “speed vs. security” dilemma to contact him at info@enfopoint.com.
He also encourages you to please visit the enfoPoint booth at InfoSec Conference on September 15th at the Nashville Convention Center to learn more about the “Fast Path” solution.

Emerging Trends and Security Threats

Tom — Fri, 29 Jul 2011 21:42:51 +0000

Emerging Trends and Security Threats

by Paula Parker paula.parker@enfopoint.com

ADOPTION of the Government’s Cloud First Policy requires agencies to evaluate cloud options first, over traditional IT approaches. Is this right for your organization? According to CIO Magazine, in their June 15, 2011 edition, “Putting the Cloud First”, the magazine reported that 48% of IT Leaders surveyed were putting more money towards the cloud services. Still, some IT Leaders want to hold off on moving mission critical applications to the cloud. There is good reason for that concern. However, the reasons for the concerns can be remedied.

There are too many positive arguments for Cloud services not to consider the compelling value proposition; the main one being that it helps to reduce cap ex spending when gross profits continue to shrink or remain stagnant. This can be amplified when an organization is still suffering from operating losses from the Great Recession and could still be dealing with multi-year depreciation of capital goods purchased prior to the economic climate change and need a better way to manage cash flow as the organization continues to recover from the recession.

A second big reason to consider Cloud services is because the Cloud Service provider shares the cost of security. Many may believe that keeping the upgrades of the network up to date to stay current in protecting against more and more sophisticated threats is the responsibility of the cloud provider. However, in cases where businesses are required to adhere and comply with Industry Regulatory Requirements, such as HIPAA/HITECH, SOX and PCI DSS, it becomes a shared responsibility.

For example, the newest revision for PCI DSS compliance 2.0 was updated in the fall of 2010 specifically to address virtualization and how Cardholder Data should be treated in a Cardholder Data Environment (CDE) when the data is being processed, stored and/or transmitted. Essentially, cloud computing, both private and public, has an underlying platform based on virtualization. The PCI Security Standards Council released their “Information Supplement: PCI DSS Virtualization Guidelines” in June of 2011 stating that the responsibility should be shared but weighted differently depending on the type of service the cloud is providing. See the graph below for the Council’s guidance for Infrastructure As A Service (IAAS), Platform As A Service (PAAS), and Software As A Service (SAAS)

Putting mission critical workloads on the cloud often implies that organizations will be having the cloud host their virtual machines (VMs). Cloud computing utilizes virtualization because of the innate ability to maximize and optimize the performance of their network through resource pools and clustering for high availability, high performance computing, load balancing and utility grid computing. This however, also suggests a potential area of vulnerability and perhaps a security gap if security managers for both VMs and the cloud, public and private, have not taken all the due diligence necessary to secure the virtualized environment. The concern is heightened when sensitive data is being stored, processed and/or transmitted through both the cloud and in scope VMs, which have become virtualized instances in host containers.

In order to mitigate the security gap, a defense in depth strategy needs to take place. It is important to take the necessary precautionary measures. One way to do this is to assume that certain network components will fail due to unforeseen and ever-growing threats that arise out in the wild and around the world. The security of the network should be assessed by the ability to quickly alert to an anomalous event, contain it, and then mitigate and restore security in order to maintain business continuity and consumer trust.

Why is maintaining high levels of security so important? Consider the case of TJ MAX. In January of 2007 they had a breach where approximately 94 million credit cards were stolen. They were fined 9.75 million dollars because of the breach. If you think that is a big fine, consider other costs the company had to endure such as the cost of their reputation being damaged and the marketing expensed endured to restore their image. There was a cost too, of loss of stock value that could have been directly related to the breach. At the time the breach took place the stock was trading around $30.04. A two month window look at their stock shows a dramatic drop in the stock value with the stock closing around $26.77. By the third month it was still trying to regain its value prior to the breach. If the drop in the stock price was directly related to the drop in consumer confidence after the breach took place, then that represented a considerable amount of money since 413 million shares were outstanding at the time. The drop from $30.04 per share to $26.77 represented a difference of $3.27. Taking that amount and multiplying it against 413 million shares represents a loss in value of approximately 1.35 billion dollars.
Source: dailyfinance.com

TJX COS INC NEW ( TJX ) prices

Date Volume High Low Open Close

01/24/07 2.29 M 30.24 29.82 29.87 30.04

03/27/07 3.29 M 27.00 26.65 26.90 26.77

04/24/07 3.82 M 28.51 28.06 28.47 28.35

Fortunately for TJ Max, consumer confidence seems to have been restored and the stock is doing quite well now, but that is not always the case for every business that experiences a breach in their network. What is troubling is that there seems to be a growing trend where there seems to be a battle of “speed vs. security” within many large organizations. A recent survey result indicated that speed still wins. Security News from Help Net Security www.net-security.org reported July 19, 2011 that the results of a Crossbeam Systems survey which polled nearly 500 participants of enterprises and service providers resulted in data suggesting that “Ninety percent of respondents admit to making a trade-off between security and throughput performance.” That puts the organization, partners, employees and customers potentially at risk.

There has been a sophisticated outburst of security breaches during 2011. HBGary Federal was breached in February of 2011, supposedly by the internet activist group “Anonymous”. In March, RSA endured a security breach from a targeted phishing attack compromising RSA’s SecurID authentication tokens which put at risk many Fortune 500 companies. Lockheed Martin and Northrup Grumman also endured attacks on their respective systems. Epsilon endured a breach in April, putting at risk those whose names were on millions of e-mail addresses that were stored by the company. Epsilon happens to be one of the world’s largest e-mail service marketing service providers.

Also during April, Sony’s Playstation Network was reported to have leaked personal information of over 70 million subscribers. The company then again endured another breach in May. And, most recently, in June of this year, Citibank announced that personal and account information of an estimated 200,000 bank card customers in North America had been breached. Could the Citibank breach been linked to the massive Epsilon breach in April since it was reported that Citibank was one of Epsilon’s customers? The world is getting smaller and it would appear the attack footprint is getting bigger.

enfoPoint Solutions offers compelling value propositions that help to address and minimize the security gaps from the issues above. Both hardware and software solutions are offered by the company that can literally address the security and performance concerns from layer 1 of the OSI model all the way through layer 7, providing not only defense in depth protection of physically connected servers but also purpose built security protection of virtual devices in a VMware environment that helps to maintain high throughput with minimal impact on the performance of organization and/or service provider’s network. To see how enfoPoint Solutions can better address the security concerns of your organization, please contact Tom Spear, CEO and founder of enfoPoint Solutions or send an e-mail requesting information to info@enfopoint.com.

IBM develops ‘instantaneous’ memory, 100x faster than flash

Tom — Thu, 30 Jun 2011 12:22:32 +0000

By Sharif Sakr posted Jun 30th 2011 12:01AM

You’ve got to hand it to IBM’s engineers. They drag themselves into work after their company’s 100th birthday party, pop a few Alka-Seltzers and then promptlyannounce yet another seismic invention. This time it’s a new kind of phase change memory (PCM) that reads and writes 100 times faster than flash, stays reliable for millions of write-cycles (as opposed to just thousands with flash), and is cheap enough to be used in anything from enterprise-level servers all the way down to mobile phones. PCM is based on a special alloy that can be nudged into different physical states, or phases, by controlled bursts of electricity. In the past, the technology suffered from the tendency of one of the states to relax and increase its electrical resistance over time, leading to read errors. Another limitation was that each alloy cell could only store a single bit of data. But IBM employees burn through problems like these on their cigarette breaks: not only is their latest variant more reliable, it can also store four data bits per cell, which means we can expect a data storage “paradigm shift” within the next five years. Combine this with Intel’s promised 50Gbps interconnect, which has a similar ETA, and data will start flowing faster than booze from an open bar on the boss’s tab. There’s more detailed science in the PR after the break, if you have a clear head.

Juniper MX80 Bundles – The Real Story

Tom — Wed, 13 Apr 2011 14:29:33 +0000

By Tom Spear, Managing Partner, enfoPoint LLC

20 Port GE SFP, two rack units tall, Carrier Class Ethernet Router for under $30k, is this possible? Yes, Juniper recently announced the MX80 5G, 10G and 40G bundles, which are really 20G, 40G and 60G respectively and all are upgradeable the next model with license keys.

The under $30k model (MX-80-5G) comes with redundant AC or DC Power Supplies (same price), a 20Port 1G-SFP fiber MIC in Slot 1 (2^nd slot is license key active), JUNOS WW, License for full Scale L3 route and L3 VPN, VLAN queuing, and JFlow. In fact, if you suppose the chassis with 1 power supply is FREE, you would be still getting $101,500 of hardware and software for under $30k LIST. Yes LIST.

Who’s buying these routers? IOCs and Enterprises for core routers, Tier II ILECS and Service Providers for a reasonable edge router. Need 2 ports of 10G? No problem. Upgrade to the 40G model and add a 2 port 10G MIC. List price for all of that is only $62,500. The Cisco ASR1002 better beware. Most people I talk to compare the 5G Cisco versions only to find out the MX 5G are actually 20G and run in hardware at line rate.

At enfoPoint, the demand for these has grown exponentially. We have several demo units and would like to get your company / organization one next .

Juniper’s 100G Deployment

Tom — Wed, 30 Mar 2011 22:03:48 +0000

Data Networking & Wireline Equipment

Jess Lubert, CFA, Senior Analyst

Sector Rating: Data Networking & Wireline Equipment, Overweight

Event: Today, Verizon announced plans to begin deploying 100G technology in select US markets by end of second quarter 2011.

Impact: This announcement comes sooner than we had anticipated and appears to confirm Ciena and Juniper as the lead vendors for Verizon’s 100G deployment. Though Verizon previously deployed 100G in Europe (Paris-Frankfurt) using both Ciena and Juniper, we had anticipated a later start to the 100G build in the US with 40G temporarily filling in the gaps. However, with Verizon now expecting to begin deploying 100G across several US routes (Chicago-New York, Sacramento-LA, and Minneapolis-KC), we believe Verizon and other carriers faced with surging traffic volumes (particularly from mobile and video) may be accelerating network upgrade plans. We believe this bodes particularly well for Ciena, the leading provider of coherent 100G transport technology, as well as for Juniper, following recent upgrades to its router portfolio.

FREE JUNOS BOOTCAMP – April 6, 2011 Juniper Executive Briefing Center 10 Technology Park Dr Westford, MA 01886 US

Tom — Thu, 10 Mar 2011 20:19:07 +0000

The Juniper Networks JUNOS Boot Camp presented by enfoPoint Solutions is a one-day immersion training session at no cost for Service Provider engineering and technical staff on the unique performance and scalability of the Juniper JUNOS operating system. You will gain an understanding of the advantages of JUNOS, and the knowledge to work with and configure devices running JUNOS.

Fee: Boot Camp is FREE for Service Provider engineering staff Seating is limited. Please make your reservation today.

https://spreadsheets.google.com/viewform?formkey=dHlJZlhvSW5sRy1XY2FoaGxWWW1Hbnc6MA

Update: Juniper Networks merges network core elements to cut carrier costs

Tom — Wed, 09 Mar 2011 00:00:09 +0000

Juniper’s PTX switches, coming next year, combine optical and packet switching

By Stephen Lawson, IDG News Service
March 03, 2011 08:08 AM ET

Sponsored by:

Juniper Networks is developing a massive switch that could replace traditional IP (Internet Protocol) routers in the core of service-provider networks and combine optical and electronic technologies that today exist in separate systems with dedicated staffs.

ANALYSIS: Juniper leapfrogs Cisco with QFabric data center products

OPINION: What I like about Juniper’s QFabric

The PTX Series Packet Transport Switch platform, of which the first products will ship in the first quarter of next year, will combine two technologies that carriers use to bypass routing at the center of their networks. Routing involves the processor-intensive work of examining every packet, and it often isn’t necessary for traffic that is just traversing the core of the network. Instead, carriers use MPLS (Multiprotocol Label Switching) and optical switching, neither of which requires full routing intelligence, to move traffic through the core.

The PTX platform combines these approaches in the same box and is not designed as a router at all. Juniper wants to relegate routers to the edges of the network and devote the PTX chassis to switching. This will allow the company to focus the processing power of the new system on the tasks required of the core, Juniper said.

Carriers are under pressure to boost their network capacity to handle fast-growing traffic loads. They want to do so economically, because they continue to bring in about the same amount of revenue from their subscribers even as third-party service and content providers deliver more bandwidth-hungry offerings such as video, analysts said. By optimizing the PTX for switching instead of routing, and integrating optical technology into the same chassis, Juniper may cut carriers’ costs while bolstering their network capacity, they said.

For enterprises and consumers who buy services from carriers, this might mean a slower rise in their monthly bills or better services for the same rates.

“Because of some of this cost being reduced … you would hope that this kind of reduces the cost per bit and therefore is passed down to the IT guys,” said analyst Ray Mota of ACG Research.

Adding optical switching to a packet switch brings Juniper into a totally new market and could dramatically change carriers’ network operations over time. Today, carriers feed packets from their core routers into a separate optical infrastructure, which places the traffic on separate wavelengths of light for fast transmission. The traffic needs to be converted from the electronic to the optical realm, and then back again on the other end of the network. Putting both in the same chassis simplifies the network and removes those costly conversions, while also making it easier to scale up the infrastructure, Juniper said.

The company claims the PTX platform can cut network capital expenditures by between 40 percent and 65 percent compared with a traditional multiprotocol routing architecture and by 35 percent compared with an IP-only routing system.

The announcement of the PTX sets Juniper on a new architectural path for the second time in just two weeks. Last Wednesday, the company unveiled QFabric, a converged enterprise network platform that creates a single logical switch throughout an entire data center. Like the new carrier-network infrastructure, QFabric is designed to eliminate multiple layers of switches and reduce the number of required devices. The overall architecture, which Juniper calls the Converged Supercore, will also include ROADMs (reconfigurable optical add-drop multiplexers), management systems and other components, Juniper said.

The promise of the PTX systems also will change the role of the T4000, a traditional core router that Juniper announced last November and is not even scheduled to ship commercially until the fourth quarter of this year. A PTX switch will be able to take the place of a T4000 in the cores of networks, offering greater throughput and efficiency. In such an architecture, the T4000 would be Juniper’s option for the edge of the network, where it can also carry out high-end functions such as service management along with routing.

“I was impressed that [Juniper] took the step of competing with themselves and other core router companies by building this MPLS switch,” said analyst Michael Howard of Infonetics Research.

Each slot of the PTX switch chassis has double the 240G bps capacity of a T4000 slot, and its initial 480G bps slot capacity can be expanded to 2T bps. The PTX line will start out with two systems, the PTX 5020, with a total capacity of 8T bps, and the PTX 9020, with 16T bps. The architecture ultimately will be able to scale up to 32T bps, which Juniper said is 10 times the scale of competing products. Among the interface line cards available for the PTX switches will be four-port 100-Gigabit Ethernet modules, a step up from the one-port or two-port 100GE cards that other vendors are offering today.

Many carriers have been looking for pure MPLS switching for their network cores, according to Howard. In addition, large carriers maintain separate staffs of engineers for optical and electronic switching, as well as separate management systems, and they want to converge those infrastructures eventually, Howard said. The PTX switches could allow those big carriers to consolidate their staffs over time, he said. Those struggling with the most exploding traffic are looking to consolidate the technologies in two or three years, while others may take five to eight years, he said.

Juniper has a reasonable shot at getting into the optical equipment market, currently served by rival Cisco Systems as well as specialists such as Ciena, Mota of ACG Research said. He estimates the company’s optical revenue opportunity at $2 billion per year.

Stephen Lawson covers mobile, storage and networking technologies for The IDG News Service. Follow Stephen on Twitter at @sdlawsonmedia. Stephen’s e-mail address isstephen_lawson@idg.com

The IDG News Service is a Network World affiliate.

All contents copyright 1995-2011 Network World, Inc. http://www.networkworld.com

Comparing various network cable types for your data center

Tom — Tue, 08 Mar 2011 16:13:36 +0000

By Robert E. McFarlane, Contributor

SearchDataCenter.com

IT infrastructure news

ContentSyndication

Digg This

Stumble

Delicious

Google Fusion

This is the second of a two-part series on data center cabling. Read the first tip on implementing a data center cabling infrastructure.

It’s a given that data center cabling carries the computing network. But there are many out-of-band connections to consider that, although connected to the network, are not intrinsic to the network that carries computational data. Ancillary “out-of-band” connections may also be required for monitoring power, temperature, humidity, air conditioner and uninterruptible power supply (UPS) performance, surveillance cameras, server auto-shutdown, water leaks and many other functions that aren’t always IP-based.

Unlike servers, storage and network switches, these ancillary devices are generally low bandwidth and relatively non-critical. Does that mean that differentnetwork cable types should be used for each device? It’s partly dependant on cable topology, which dictates where copper and fiber are best employed. But for copper cable, it’s almost never cost-effective to use differentTelecommunications Industry Association (TIA) category cables for different systems. A homogeneous cable plant installs quicker, uses the same termination hardware throughout and makes every cable usable for all purposes. And since this type of plant uses the same patch cord types throughout, there should be no possibility of using a low-grade patch for a high-performance connection.

Network cable types: The ins and outs of fiber optic cable
Fiber optic cable is a different animal. There’s a big distinction between single-mode and multi-mode fiber. With the advent of the practical vertical cavity surface-emitting laser (VCSEL) in 1988, the development of laser-optimized multimode fiber (LOMMF) and the more recent adoption of OM4 fiber standards, high-speed fiber connectivity is economically realistic without needing to resort to single-mode, particularly over short distances that are normal to data centers. For now, there’s no indication that bandwidth will be needed inside the data center beyond what can be supported by LOMMF and VCSELs. But although high-grade multi-mode can handle virtually anything in the data center, it’s always concerning that bandwidth demand might exceed its capabilities, particularly in the network backbone.

Therefore, there’s a common tendency to install at least some single-mode fiber to be safe. After all, the actual fiber is pretty inexpensive; it’s the interface electronics that aren’t cheap. Many people often think that even if you never use it, single-mode is cheap insurance, and big investments in electronics won’t be made unless needed. It’s still money, however, and the more we move toward a mostly fiber infrastructure, the more unused fiber you could be putting in if following that a certain percentage must be single-mode.

Single-mode fiber is primarily useful for maintaining bandwidth over long distances. Therefore, over the relatively short distances normal to data centers, it may even be necessary to use in-line optical attenuators or a lot of coiled-up cable length to keep receivers from being swamped by the high-power laser launch devices. Lasers also use more power, which can result in unnecessary inefficiency in a large data center. Having single-mode strands in the primary trunking paths or for network connectivity outside the data center may help down the road. But unless prices for interface electronics decline substantially, single-mode will be costly. Use single-mode between data centers in different buildings or more distant areas of the building. Use high-performance multi-mode fiber for your high-bandwidth server and main backbone connections.

The importance of quality
Since we still need copper for many individual server connections, it only makes sense to use the best copper available to extend the installation life. This doesn’t just apply to cable — patch panels, connectors, terminations and patch cords should all be selected similarly. The installation must be properly tested and results should be reviewed against specified performance standards. There’s no point in paying for a high-performance cable just to have it marred by a sloppy installation. If paying for the best network cable types, you should demand the best results, and that means using only compatible patch cords to ensure you don’t degrade your investment. Amazingly, using incompatible patch cords is a common operational mistake. Old, low-performance patch cords lie around because they still work, yet prevent expensive new hardware from performing as expected.

Another growing issue is the fabrication of copper and fiber high-performance cables. Tolerances have become too critical, small errors too degrading and fiber connector densities too high to field assemble these cables in any lengths. To maintain the cable infrastructure quality and meet today’s performance requirements, no one should fabricate his own patch cords. However, an increasing number of full cable assemblies are now being prefabricated to length at the factory, in both copper and fiber network cable types. This ensures quality, makes it easier to add cable in the future and relieves the concern of underestimating cable quantities — it’s now easy to add more when needed.

Whether using copper or fiber for network cable types, the data center must have the best and fastest cabling. It shouldn’t matter what’s used in the rest of the building; the data center is special and expensive. And even if maximum performance isn’t needed on Day 1, it most likely will be over the life of the facility. That’s why we see a higher ratio of fiber to copper in new data center designs, and why installing less than the best to save money, be it copper or fiber, is a poor economic decision. Replacing a cable plant is expensive, potentially disruptive and should be avoided for as long as possible. The following table illustrates how quickly cable performance has changed:

YEAR STANDARD I.D. CABLE SPEED

1990 IEEE 802.3i 10Base-T Cat. 3 UTP 10MBit/Sec.

1991 ANSI/EIA/TIA 568 Cat. 3 UTP

1992 TSB 36 Cat 4 & 5 UTP

1993 IEEE 802.3j 10Base-F MM Fiber 10MBit/Sec

1995 IEEE 802.3u 100Base-TX 2 Pair Cat. 5 100MBit/Sec.

1995 IEEE 802.3u 100Base-T4 4 Pair Cat. 5 100MBit/Sec.

1995 IEEE 802.3u 100Base FX MM Fiber 100MBit/Sec.

1998 IEEE 802.3ab 1000Base-T Cat.5 UTP

2001 ANSI/EIA/TIA 568-B.2 Cat. 5e 1 GBit/Sec.

2002 ANSI/EIA/TIA 568-B.2-1 Cat. 6 10 GBit/Sec.

2002 ISO/IEC 11801 OM1 MM Fiber

2003 IEEE 802.3ae 10GBase-SR, -LR, -ER, -SW, -LW -EW LOMM Fiber 10 GBit/Sec.

2008 ANSI/EIA/TIA 568-B.2-10 Cat. 6A

2009/2010 IEEE 803.3ba
TIA-492-AAAD OM4 LOMM or SM Fiber 40 GBit/Sec
100 GBit/Sec.

2010 IEEE 803.3ba 4 Pair Cat. 6A UTP 40 GBit/Sec.

2010 IEEE 803.3ba 10 Pair Cat. 6A UTP 100 GBit/Sec.

Table 1: Chronology of major cable technology developments

Physical design and quantities
There are four major contributors to data center cabling challenges today:

Multiple network connections from each server — some copper, some fiber

Network switches with higher port count densities

Differing storage topologies depending on manufacturer and protocol

Changing cable standards to meet demands for ever higher speed

End-of-row consolidation addresses most of these needs with two drawbacks — deciding how much cable to install in each cabinet and the size and cost of the server access consolidation switches.

A standard cabinet can hold 42 1U servers, and each server can have three or more connections. There can also be power and temperature monitoring in the cabinet and cipher locks for security. Should there be six 24-port patch panels in every cabinet to support the highest possible number of connections? Not likely, but there’s no way to accurately predict the number of connections ultimately needed in every cabinet, and it’s restrictive to designate cabinets for specific purposes and cable them differently.

It’s popular to pick a realistic “middle number,” which usually entails installing more cable than required. That can be expensive and hard to justify, but it’s still cheaper than the cost of redundant, chassis-type access switches in each cabinet row with enough ports to match the cable count. Virtualization and consolidation can even exacerbate the situation by creating higher server and cable densities.

Moving to top-of-cabinet consolidation is more flexible than end-of-row because it’s relatively economical to put in empty fiber light boxes to fill only as necessary. Whether you have LT fiber connections, local switches or pre-terminated cable with Multi-fiber Push-On (MPO) connectors, pre-terminated fiber can be added quickly and easily without the mess accompanying field installation and termination of individual fibers. With 12 strands in a single connector, you can add a lot of capacity very quickly. And once lengths are determined by manufacturers looking at a data center scale drawing, ordering additional runs is quick and easy.

In the end, deciding on the data center cabling approach and density is always challenging. Too little cabling fails to support requirements, leading to ad-hoc cabling that grows and never goes away. But excessive cabling can become very expensive and difficult to justify. Modern approaches can simplify the problem, but it still takes thought and planning. Flexibility is one of the most important considerations of data center design, and cabling certainly must always be considered.

Douglas Smith, principal and manager of IT consulting, and Edward Ruggiero, senior associate at Shen Milsom & Wilke, contributed to this tip.

ABOUT THE AUTHOR: Robert McFarlane is a principal in charge of data center design for the international consulting firm Shen Milsom Wilke. McFarlane has spent more than 30 years in communications consulting, has experience in every segment of the data center industry and was a pioneer in developing the field of building cable design. McFarlane also teaches the data center facilities course in the Marist College Institute for Data Center Professionals program, is a data center power and cooling expert, is widely published and speaks at many industry seminars.

Ed Ruggiero is a senior consultant with Shen Milsom Wilke and holds BICSI‘s professional designation of Registered Communications Distribution Designer(RCDD).

Douglas Smith is a principal of Shen Milsom Wilke and manager of the IT practice. Smith is the senior network designer as well as a technical resource to the system integration teams.

28 Feb 2011

JUNOSPEDIA – The JUNOS Configuration Repository

Tom — Fri, 04 Mar 2011 00:38:52 +0000

Contribute, Share, or Borrow a JUNOS Configuration in the new JUNOSPEDIA Configuration Repository. Be an author! Be Published!

http://enfopoint.com/category/resources/junos-configurations

Juniper MWC Haul Includes Project Falcon Launch

Tom — Thu, 03 Mar 2011 01:59:26 +0000

By Chad Berndtson, CRN

Juniper on Monday debuted a new portfolio of products and services designed to help mobile service providers optimize their network delivery and generate new services revenue. Among the major releases is its long-awaited mobile packet core, dubbed MobileNext. Described by Juniper as “the industry’s first open mobile core,” it’s been in development for the past few years as Project Falcon.

Juniper made the announcements in line with Mobile World Congress, taking place this week in Barcelona. With billions of smartphones and machine-to-machine devices expected by 2020, Juniper is among vendors looking to offer a combined portfolio of IPand mobile technologies, from core networking to consumer services, designed to ease the mobile traffic burdens.

Among this debuts are Juniper MobileNext, a mobile packet core with an open, programmable platform, and the true name of Juniper’s oft-mentioned Project Falcon. MobileNext offers 2G/3G and Long Term Evolution (LTE) evolved packet core functions using the MobileNext Broadband Gateway, MobileNext Control Gatewayand MobileNext Policy Manager.

The Broadband Gateway itself is software implemented on Juniper’s MX 3D universal edge routers. The MobileNext Control Gateway, by contrast, is a standalone appliance that manages MobileNext’s signaling. The Policy Manager, also software, is what controls policy and charging rules function (PCRF) for LTE. All will be generally available by mid-2011, according to Juniper.

Beyond the MobileNext offering is MobileNext Consumer Services — providing simultaneous 2G/3G and LTE services — and a suite called MobileNext Business Services, which combines APN technology with an operator’s network via an SSL VPN with Juniper’s Junos Pulse platform, allowing secure connectivity by corporate users with mobile devices.

Deeper into the portfolio is Juniper’s Service Delivery Gateway software, which also sits on the MX 3Ds. The Service Delivery Gateway combines various IP functions such as carrier-grade network address translation (NAT), video optimization, applicationload balancing and dynamic subscriber awareness into a single Junos platform — something Juniper says can save service providers 36 percent total cost of ownership because they don’t have to buy point products for each function.

Other debuts this week include an expansion of Juniper’s Media Flow Solution with integrated video optimization from Openwave Systems, and added security for Junos Pulse, including anti-virus, anti-spam, malware protection, remote device lock and other functions.

Juniper further debuted a set of Mobile Internet Professional Services, including LTE and IPv6 readiness assessments and mobile video optimization. All will help service providers more easily migrate to LTE, according to Juniper.

Wendy Cartee, vice president of marketing at Juniper, described the product rollouts as helping service providers optimize their networks while also creating greater services revenue.

“This is to help mobile operators monetize the smartphone revolution,” Cartee told CRN Monday. “They need to upgrade their infrastructures or provide more bandwidth and performance. But it’s also reducing cost, and building a network that is IP-centric, with everything from netbooks to laptops to phones now wireless.”

For Juniper’s partner ecosystem, there’s an increasingly relevant play around software development for mobile infrastructure using Juniper’s Junos platform and its various pieces.

MobileNext, for example, incorporates Juniper’s Junos SDK to enable operators to develop applications and also work with third-party developers — who can develop on Junos via the Junos Space piece — to add services, Cartee explained.

“Imagine you’re a mobile operator and you have a pipeline full of innovation that will potentially never run out,” she said. “What we’ve seen in the smartphone era is applications that can be downloaded on the fly. And mobile operators are very cost sensitive — they need to drive down costs in the network, and performance and scale are very important to them.”

Cartee emphasized security services, but also carrier-grade NAT, parental controls and financial transactions, such as e-banking, as examples of the types of services a flexible platform will better enable.

“A fully programmable platform drives a business model,” she said.

Analyzer_EX4200_9-1R2-10

brad — Wed, 02 Mar 2011 03:17:32 +0000

DHCP-Relay J2350 9.6R2.11

ethernet-switching-options { analyzer VPNtranet { ratio 1; loss-priority low; input { ingress { interface ge-1/0/21.0; } egress { interface ge-1/0/22.0; } } output { interface { ge-1/0/23.0; } } } }

Download this config here.

DHCP-Relay_SRX650_9-6R2-11

brad — Wed, 02 Mar 2011 01:37:08 +0000

DHCP-Relay SRX650 9.6R2.11

forwarding-options { helpers { bootp { interface { vlan.101 { server 10.216.221.54; server 10.223.33.23; } } } } }

Download this config here.

Juniper Networks JUNOS Boot Camp – Boston MA 4-6-11

Tom — Mon, 28 Feb 2011 13:58:29 +0000

Juniper Networks JUNOS Boot Camp

presented by enfoPoint Solutions

The Juniper Networks JUNOS Boot Camp presented by enfoPoint Solutions is a one-day immersion training session at no cost for Service Provider engineering and technical staff on the unique performance and scalability of the Juniper JUNOS operating system.

Learn more about how you can leverage the JUNOS power of one operating system, one release train, and one modular architecture integrated across routing, switching, security, and services to reduce complexity, increase availability, lower costs and deploy services more quickly. You will gain an understanding of the advantages of JUNOS, and the knowledge to work with and configure devices running JUNOS.

enfoPoint is the fastest-growing Juniper Service Provider Infrastructure Elite-Certified Partner. enfoPoint solves complex business problems for Service Providers by providing network architecture, implementation and support expertise to drive new client business, support organic growth of your existing clients, fast deployment of new services and prepare for your clients’ migration to cloud computing.

Fee: Boot Camp is free for Service Provider engineering staff Seating is limited. Please make your reservation today – Click Here!

Juniper JUNOS Boot Camp Curriculum

9:00AM – Noon Course Introduction JUNOS Overview Introduction to the JUNOS CLI

Advantages of the JUNOS CLI

Noon – 1:00PM: Lunch

1:00PM – 5:00PM Interface Configuration Routing with JUNOS OSPF on JUNOS BGP on JUNOS Conclusion

Wednesday, April 6, 2011

Juniper Executive Briefing Center 10 Technology Park Drive Westford, MA 01886

For more information, please contact Rikk at 617.500.4409 or email rikk@enfopoint.com.

The push is on to cut 100G Ethernet’s price

Tom — Fri, 25 Feb 2011 10:23:50 +0000

By Stephen Lawson, IDG News Service

February 23, 2011 11:38 AM ET

Sponsored by:

Less than a year after 100-Gigabit Ethernet was standardized, an industry group is considering a set of specifications that might make the high-speed technology less expensive and more useful.

The IEEE 802.3 100-Gigabit Backplane and Copper Cable Study Group of the IEEE isn’t trying to change the 100GE standard but to make it easier to build modules with more 100GE ports, according to John D’Ambrosia, who is chairman of the new group. Its first meeting took place last month. D’Ambrosia spoke on the sidelines of the Ethernet Technology Summit on Tuesday in Santa Clara, Calif., though he emphasized that he was not speaking on behalf of the study group.

ANALYSIS: What’s beyond 10G Ethernet?

SLIDESHOW: Ethernet Everywhere

The effort to develop specifications for 100GE backplanes, which provide the connections within a switch, comes as the IEEE also starts to explore the possible need for an even faster standard. An ad hoc group will begin meeting on Monday to study users’ current bandwidth requirements, which could help determine the demand for a version of Ethernet above 100G bps (bits per second). But while a new speed record may be enticing, network engineers in the real world need to wire their data centers at low cost and be prepared for future needs, according to D’Ambrosia.

“Everyone wants the bandwidth, but they also want the bandwidth at lower and lower cost,” D’Ambrosia said. “People just don’t have money to throw around.”

Today, some 100GE LAN interfaces are on the market, but they only come with one or two ports per line card. Every inch of space on a switch chassis and every bit of floor space in a data center is very valuable, so dedicating a whole card to one or two ports is an expensive proposition, even apart from the actual cost of a 100GE interface. A module with several 100GE ports would probably be a better value as well as more useful, D’Ambrosia said.

As an example of 100GE pricing, Juniper Networks typically charges ten times the price per port of 10-Gigabit Ethernet, so a 100GE port may cost about $150,000, though prices vary, said Luc Ceuppens, vice president of marketing for platform systems.

A key challenge to increasing the port density of 100GE switch modules is that the current technology for connecting an interface module to a switch chassis typically won’t support more than one or two 100GE ports, D’Ambrosia said. Current technology won’t scale beyond that. Virtualization has made the problem even harder, because a data center full of virtualized servers tends to use the network more intensively, he said.

At the same time, the first-generation 100GE ports and line-card components themselves are fairly large and power-hungry, he said.

As with earlier technologies, standardization of the backplane should help 100GE move beyond proprietary designs and create a larger ecosystem of component vendors, eventually driving up production volumes and lowering costs through economies of scale, D’Ambrosia said. Power requirements also are likely to be driven down, he said.

The backplane group is also considering a new specification for a narrower cable interface, which should also help to save space in equipment designs and could lead to more flexible copper cables linking servers with data-center switches, D’Ambrosia said.

Stephen Lawson covers mobile, storage and networking technologies for The IDG News Service. Follow Stephen on Twitter at @sdlawsonmedia. Stephen’s e-mail address isstephen_lawson@idg.com

The IDG News Service is a Network World affiliate.

All contents copyright 1995-2011 Network World, Inc. http://www.networkworld.com

The 6 biggest misconceptions about IPv6

Tom — Thu, 24 Feb 2011 22:10:44 +0000

Debunking myths that keep CIOs from adopting next-gen Internet addressing scheme

By Carolyn Duffy Marsan, Network World
February 24, 2011 09:03 AM ET

Sponsored by:

For 15 years, Internet engineers and policymakers have been publicizing the need to upgrade the ‘Net’s current addressing scheme — known as IPv4 — to handle the network-of-network’s explosive growth. Yet many U.S. CIOs and CTOs continue to harbor misinformation that they use to justify why they are not adopting the next-generation IPv6 standard.

This issue is significant because the Internet is running out of IPv4 addresses. IPv4 uses 32-bit addresses and can support 4.3 billion devices connected directly to the Internet. The non-compatible replacement protocol, IPv6, uses 128-bit addresses and supports a virtually unlimited number of devices: 2 to the 128th power.

IPv6 MARKET MOMENTUM

Here is a list of the biggest misconceptions about IPv4 depletion and IPv6 deployment that we’ve read or heard in recent weeks:

1. The Internet still has plenty of IPv4 addresses.

Whether or not you think the Internet has run out of IPv4 addresses depends on where you live in the world and how fast your network is growing.

In early February, the free pool of unassigned IPv4 addresses was depleted when the Internet Assigned Numbers Authority (IANA) delegated the last five blocks of IPv4 address space – each with around 16.7 million addresses – to the five regional registries. The registries are expected to dole out the majority of these IPv4 addresses to carriers in 2011.

IPv4 free pool depletion is the first step in the Internet running out of IPv4 addresses. It is a significant milestone in the 40-year history of the Internet because it shows that IPv4 addresses are a limited resource.

Over the next few months, it will become increasingly difficult for mobile and broadband carriers with fast-growing networks to acquire the blocks of contiguous IPv4 address space that they need to build out their networks.

Some carriers are predicting massive IPv4 address shortages this year. Chinatelecom has predicted that it will be short 20 million IPv4 addresses in 2011, which will affect its roll-out of mobile broadband, IP TV and other popular services. As far as Chinatelecom is concerned, the Internet has already run out of IPv4 addresses.

Some U.S. government agencies and companies that were involved in the original research that evolved into the Internet received enormous blocks of IPv4 address space before anyone realized it would be a scarce resource. For these lucky organizations – like the U.S. military, IBM and the Massachusetts Institute of Technology – it won’t feel like the Internet has run out of IPv4 addresses any time soon.

Most U.S. companies that do business on the Internet have a limited number of IPv4 addresses. The day is fast-approaching when these companies will need IPv4 addresses and be unable to get them from their carriers. That will be the day when their CIOs realize the Internet has run out of IPv4 addresses.

2. My company doesn’t need to adopt IPv6 yet.

An IT executive at a company that operates a string of Web sites and earns more than $100 million in annual revenues recently said that the business case “hasn’t been made” for adopting IPv6. This company has not begun any development work on IPv6, nor has it earmarked funds in this year’s budget for such work.

This executive is under the false impression that IPv6 is an upgrade that can be postponed.

PANIC TIME QUIZ: Are you ready for IPv6?

John Curran, president and CEO of the American Registry for Internet Numbers (ARIN), says all companies that do business over the Internet should support IPv6 on their public-facing Web servers and Web services by Jan. 1, 2012 or risk losing potential customers.

Similarly, the Obama Administration has mandated that all U.S. federal agencies upgrade their public-facing Web sites and services to support IPv6 traffic by Sept. 30, 2012.

Experts in IPv4 depletion say companies that don’t have a transition plan in place for IPv6 are already too late.

The depletion of the IPv4 free pool “is a wake-up call,” says Chris Davis, senior director of corporate marketing communications at NTT America, a leading provider of IPv6 transit and access services in the United States. “If you haven’t taken this seriously, you better start. If you don’t have a transition plan in place, you better make one…IPv6 is a reality.”

Part of the foot-dragging is the result of U.S. CIOs falsely believing that their carriers will take care of IPv6 transition for them. That’s not going to happen. Enterprises must IPv6-enable their own Web content through the deployment of native IPv6 or an IPv6-to-IPv4 translation mechanism on the front end of their Web servers.

“The carrier needs to take care of IPv6 as far as their infrastructure is concerned, but the enterprise has to take responsibility for their own networks and their own network access, including routers, firewalls and web services,” Davis says.

3. A lucky Internet user will get the last IPv4 address.

Experts predict that the Internet will run out of IPv4 addresses many months from now and in a different fashion than the receipt of a winning lottery ticket.

In February, IANA depleted the free pool of unassigned IPv4 addresses. Next, the regional Internet registries will dole out the remaining IPv4 addresses to carriers in a process that is expected to take anywhere from three to nine months. The registry that is expected to deplete its pool of IPv4 addresses last is AfriNIC, the African registry.

“Each regional registry will run out of IPv4 addresses at its own rate,” Curran says. “That almost certainly means, because of the current rate of demand, that AfriNIC will make the last assignment.”

The Asia Pacific Network Information Centre (APNIC) has a unique policy for distributing its last 16.7 million IPv4 addresses. It will allow carriers to get a one-time allotment of 1,024 IPv4 addresses, thereby holding some IPv4 addresses in reserve for start-ups. However, these tiny allotments of IPv4 addresses won’t meet the needs of fast-growing network operators. So for all practical purposes, IPv4 will be depleted in Asia this year.

For U.S. companies, IPv4 depletion will occur in 2011. ARIN says it has around 80 million IPv4 addresses left and expects to run out of these addresses within nine months.

Another reason that one lucky Internet user won’t get the last IPv4 address is that carriers are likely to share these increasingly scarce resources among multiple users. So even if you could figure out who got the last IPv4 address from a particular carrier in a particular region, the address would likely be shared among multiple users.

It’s also possible that IPv4 addresses will be recycled. Carriers and enterprises that upgrade to IPv6 can return their unused IPv4 addresses to the regional registries. Several U.S. organizations including the U.S. military, Stanford University and the Interop trade show have returned some of their unused IPv4 address space to ARIN. If recycling IPv4 addresses becomes more popular, the trend could stave off IPv4 depletion for a few more months.

“We do expect to see addresses that come in from the transfer policy,” Curran says. “The person who gets the last IPv4 address from the free pool won’t be the last person who gets an IPv4 address.”

4. A black market will emerge for IPv4 addresses.

Experts say a black market isn’t likely to emerge for IPv4 addresses because the regional Internet registries have created legal ways for organizations to transfer – or even sell – their unused IPv4 addresses.

ARIN, for example, has a process set up that allows network operators to apply for IPv4 address transfers much as they apply for new IPv4 addresses. In either case, network operators must show they have plans to use the IPv4 addresses to provide network services and not to hoard them for future use.

“There will be a market for transfers,” Curran says. “We do have a listing service, where parties who want address space can list it. ARIN’s job is to maintain accurate records of who has the address space.”

Curran says ARIN has the authority to reclaim IP addresses if they are transferred outside of the policies that it has established.

“People who are attempting to do that run the risk that their IP addresses will be revoked by ARIN and reissued,” Curran says. “There are enough people waiting for [IPv4 addresses] that they will get quickly used.”

The regional Internet registries are considering a new policy that will allow for IPv4 address space to be transferred from one region to another.

“North America has a large amount of address space issued in the early days of the Internet,” Curran says. “Those resources should be available to the entire Internet community. I expect we’ll see interregional transfers.”

Raul Echeberria, chairman of the Number Resource Organization, which represents the five regional Internet registries, admits that a black market for IPv4 addresses is a possibility but says that he is not sure it will evolve because of the existing rules for IPv4 address transfers.

“There is, of course, the possibility that some IPv4 addresses will trade outside the system, but I am confident that it will be a small amount compared to those that will be transferred within the system,” he says.

Echeberria adds that the value of IPv4 addresses will decline as network operators adopt IPv6, making this black market less attractive.

“If the Internet community moves to IPv6, the value of IPv4 addresses will decrease in the future,” he says. “There won’t be a reason for having that black market.”

5. IPv6 is more secure than IPv4.

IPv6 proponents say that one of the new protocol’s benefits is that it has built-in support for IP Security (IPsec), an Internet security standard that allows for authenticated and encrypted communications between two end points. But experts say that IPv4 supports IPsec well enough that security isn’t an advantage of IPv6.

“It’s a myth that IPv6 is more secure than IPv4,” says Qing Li, chief scientist for Blue Coat Systems, which supports IPv6 in its network appliances. “IPv6 was designed to facilitate the implementation of IPsec better, it allows IPsec to operate better, but that’s just a facility…It doesn’t mean that IPv6 by itself is more secure.”

IPv6 is likely to make the Internet less secure, not more secure, in the near term. That’s because so many network operators are going to upgrade to the relatively unproven IPv6 technology at the same time.

INVISIBLE IPV6 TRAFFIC

“Long term, IPv6 will greatly improve Internet security because every end point will have encryption available. But that wonderful nirvana is a long-time away,” Curran says. “Short term, IPv6 means turning on lots of code features for the first time. Any time you’re using new code all over the Internet, there are lots of possibilities of bugs. So people will need to be very alert.”

Another issue is that there are few network engineers with the know-how and experience to secure IPv6 networks.

“There is so little operational experience with IPv6 that people are going to naturally make mistakes,” says Cricket Liu, vice president of architecture and technology for Infoblox, which sellsIPv6-enabled DNS appliances. “Network engineers who are configuring IPv6 are going to make rookie mistakes with IPv6 that they wouldn’t make with IPv4. The quality of the implementations out there is going to be an issue.”

Also, security vendors are not providing the same number of features or the same level of performance in their IPv6 products as they offer in their IPv4 products.

“If your network vendor told you they have complete parity between IPv4 and IPv6, that’s a myth,” says Danny McPherson, CSO for VeriSign, operator of the .com and .net domains and a leader in IPv6 deployment. “It’s highly unlikely that most of the commercial products have realized the scale and capability with IPv6 that’s on par with IPv4.”

McPherson says deploying IPv6 will create new vulnerabilities for network operators. For example, the Internet will have more translation devices that can attract distributed denial-of-service attacks or be single points of failure. Also, network operators will have less visibility into Internet traffic patterns, so it will be harder for them to find threats like botnets.

“There’s going to be some window of vulnerability until we get up to speed with IPv6. The sooner we get past that the better,” McPherson says. He adds that “if you enable IPv6 on your network, you better make sure you have the same controls and countermeasures that you have for IPv4.”

6. IPv6 will make the Internet simpler.

IPv6 offers the promise of end-to-end communications with the removal of network address translation (NAT) devices and other middle boxes that were necessary to extend the life of IPv4′s limited addressing scheme.

But in reality, network operators are going to have to run IPv6 and IPv4 side by side for years – if not decades – to come. This lengthy co-existence of the two protocols is going to make network management more complex for the foreseeable future.

“IPv4 will still be out there for some number of decades,” Curran says. “There is no timeframe to get rid of IPv4, but over time it will become more cost effective to just run IPv6…There’s going to be the complication of running two network protocols for years and years.”

Network operators must run both protocols because IPv6 is not backwards compatible, a reality that many CIOs and CTOs just don’t believe possible. Indeed, the Internet engineering community has said that its biggest mistake in the design of IPv6 is that it is not backwards compatible with IPv4.

“Lots of people think that IPv4 and IPv6 are compatible and that not a lot of action is going to be required to interoperate between IPv4 and IPv6 hosts,” McPherson says. “If they don’t have dual stack, then they will need some translation device.”

IPv6 was once touted as the end of network address translation (NAT) devices, which Internet purists hate because they interrupt IP communications midstream. But network operators have delayed upgrading to IPv6 for so long that now they will need to rely on carrier-grade NATs and other IPv6-to-IPv4 translators to accommodate a rise in IPv6 network traffic that is expected to start within the next 12 months.

“Most of the transition technologies are either NATs themselves or are designed to work through NATs,” Liu says. “Teredo [an IPv6-over-IPv4 tunneling technology] is designed to work through NATs. Nat64 [an IPv6-to-IPv4 translation scheme] is a NAT technology. I don’t think NATs are going away anytime soon.”

IPv6 Tunnel Basics

Liu says he hopes that by 2016 most of the Internet’s backbone will be upgraded to IPv6 and that there will be just pockets of IPv4-only connectivity.

“For the next five years, things are going to be much more complex because we will have two protocols running side by side,” Liu says. “We’re going to have all of those crazy transition technologies. Not just one, but many…It’s a rose-colored view of the world to believe that IPv6 is suddenly going to bring us to this network nirvana of end-to-end.”

Read more about lans & wans in Network World’s LANs & WANs section.

All contents copyright 1995-2011 Network World, Inc. http://www.networkworld.com

DHCP-Relay_J-Series_9-6R2-11

Gregg — Thu, 24 Feb 2011 21:10:34 +0000

DHCP-Relay J2350 9.6R2.11

forwarding-options { helpers { bootp { interface { vlan.2 { server 192.168.215.10; vpn; <---- may be required if the DHCP is located on remote side of tunnel } vlan.3 { server 192.168.215.10; vpn; } vlan.4 { server 192.168.215.10; vpn; } vlan.24 { server 192.168.215.10; } vlan.23 { server 192.168.215.10; } vlan.22 { server 192.168.215.10; } vlan.14 { server 208.90.136.110; } vlan.13 { server 208.90.136.110; } vlan.12 { server 208.90.136.110; } } } } }

Download this config here.

JUNIPER NETWORKS® INTRODUCES VIRTUALIZED SECURITY SOLUTION FOR PRIVATE AND PUBLIC CLOUDS

Tom — Wed, 23 Feb 2011 21:52:07 +0000

Industry’s First Integrated Offering to Provide Security at Scale for Physical and Virtual Network Environments

SUNNYVALE, Calif. — Feb. 14, 2011 — Juniper Networks (NYSE: JNPR) today announced the integration of its new Juniper Networks® vGW Virtual Gateway with the Juniper Networks SRX Series Services Gateways to provide a consistent, virtualization-aware solution for private and public cloud deployments. This milestone marks the first step with Juniper’s acquisition of Altor in December 2010 in a multi-phased strategy to combine best-in-class products for both physical and virtual network environments and provide a comprehensive, automated approach for data center security.

Prior to the acquisition, Juniper and Altor partnered for several years to bring deep expertise to a dynamic threat landscape that requires enterprises to push beyond purely physical security layers. The Juniper Networks vGW Virtual Gateway is a first-of-its-kind product that offers organizations access to robust, comprehensive security optimized for high performance, flexibility and scale in virtualized environments.

With security and trust as primary concerns in enterprise cloud adoption, Juniper’s integrated solution enables a secure enterprise architecture through the isolation of virtual machines (VMs) and visibility into VM traffic layers. This differentiated approach enables comprehensive security and assurance that multiple VMs within a virtualized environment remain secure and isolated. Additionally, vGW security automation simplifies corporate and regulatory compliance oversight by regulating the creation and movement of VMs virtual environments.

“Enterprises building private clouds and public cloud service providers need a security solution that is consistent and pervasive across the physical and the virtualized network infrastructure,” said Douglas Murray, senior vice president and general manager, security business unit, at Juniper Networks. “The integrated SRX plus vGW solution ensures that security is maintained and enforced right down to each individual VM, while enhancing the operational efficiency of security management.”

Juniper’s SRX-vGW integration offers organizations visibility into virtualized environments by having the vGW automatically populate VM membership into Juniper SRX Zones. Key SRX-vGW benefits include:

Zone-based smart policy groups that are automatically created on the hypervisor;

Automated security classification and enforcement for new or cloned VMs;

Automated VM compliance assessment based on multiple VM attributes;

Quarantine of non-compliant VMs to eliminate administrative errors and reduce risk.

“As organizations continue to virtualize their data centers, workloads of higher sensitivity are being virtualized and the workloads themselves are becoming more mobile, challenging traditional data center security architectures which rely solely on physical appliance-based enforcement,” said Neil MacDonald, vice president and Gartner Fellow at Gartner. “It’s critical to implement a consistent way of defining and managing security policies across physical and virtual machines and delivering virtualization-awareness to security policy enforcement points, to reduce the complexity of administration.”

Availability

The Juniper Networks vGW Virtual Gateway is available now and Juniper will be showcasing live demonstrations of the SRX-vGW product integration at RSA 2011 in the Juniper Networks booth #1745. The most comprehensive forum on information security for both enterprise and technical professionals, RSA is being held February 14-18, 2011 in San Francisco.

About Juniper Networks

Juniper Networks is in the business of network innovation. From devices to data centers, from consumers to cloud providers, Juniper Networks delivers the software, silicon and systems that transform the experience and economics of networking. Additional information can be found at Juniper Networks (www.juniper.net).

Juniper Networks and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks and Junos logos are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners

Date	Volume	High	Low	Open	Close
01/24/07	2.29 M	30.24	29.82	29.87	30.04
03/27/07	3.29 M	27.00	26.65	26.90	26.77
04/24/07	3.82 M	28.51	28.06	28.47	28.35

YEAR	STANDARD	I.D.	CABLE	SPEED
1990	IEEE 802.3i	10Base-T	Cat. 3 UTP	10MBit/Sec.
1991	ANSI/EIA/TIA 568		Cat. 3 UTP
1992	TSB 36		Cat 4 & 5 UTP
1993	IEEE 802.3j	10Base-F	MM Fiber	10MBit/Sec
1995	IEEE 802.3u	100Base-TX	2 Pair Cat. 5	100MBit/Sec.
1995	IEEE 802.3u	100Base-T4	4 Pair Cat. 5	100MBit/Sec.
1995	IEEE 802.3u	100Base FX	MM Fiber	100MBit/Sec.
1998	IEEE 802.3ab	1000Base-T	Cat.5 UTP
2001	ANSI/EIA/TIA 568-B.2		Cat. 5e	1 GBit/Sec.
2002	ANSI/EIA/TIA 568-B.2-1		Cat. 6	10 GBit/Sec.
2002	ISO/IEC 11801	OM1	MM Fiber
2003	IEEE 802.3ae	10GBase-SR, -LR, -ER, -SW, -LW -EW	LOMM Fiber	10 GBit/Sec.
2008	ANSI/EIA/TIA 568-B.2-10		Cat. 6A
2009/2010	IEEE 803.3ba TIA-492-AAAD	OM4	LOMM or SM Fiber	40 GBit/Sec 100 GBit/Sec.
2010	IEEE 803.3ba		4 Pair Cat. 6A UTP	40 GBit/Sec.
2010	IEEE 803.3ba		10 Pair Cat. 6A UTP		100 GBit/Sec.