Security is not the only VOID when discussing this so-called new cloud computing technology. I can’t seem to grasp or find any meat in any of these long discussions about it. This technology has been around and is being used right now! Your photos go to Flickr, e-mail to Google, stream of consciousness to Twitter, then on to Facebook for final processing. Are there any final thoughts that we should consider?
If you are looking to take a stroll through a real cloud computing data center, then look no further than Liquid Web Inc. On November 11th, Liquid Web will launch its new cloud computing data center in Lansing, MI.
While the rest of Michigan sinks into dismal economic conditions, Liquid Web has its head in the clouds!
CEO Lanham Napier’s fanatical response to a very serious outage this last summer would amaze even an Army general. Mr. Napier reported on what happened, what they are doing about it and what they are doing to ensure it doesn’t happen again. He did so on the company blog and on youtube.com. Thank you, sir, for leading from the top!
http://www.ipv6actnow.org/2009/06/ipv6-video-testimonial-the-german-government/
- NO - I am not talking about billions and billions and billions and billions of stars; I am talking about IPv6: 340 undecillion IPs, to be exact.
340 undecillion (3.4 × 10^38)
This monolith of IP space can provide every human on Earth with a /48 and still have enough IPs left for every saint in the Roman Catholic Church. You may ask yourself why this is important, what problems we are trying to solve, and how it applies to everyday life. IPv4 is limited, and since 1990 we have known that we have been depleting our IPv4 space; almost as soon as we discovered the Internet we saw the insurmountable challenge of limited IP space. We saved ourselves for a while with classless interdomain routing (CIDR) and NAT, but they have only slowed the problem. Any technology leader today should start making plans to embrace IPv6. The US Government and some developed nations, like Japan, have already adopted and supported IPv6 for a few years. The increasing expansion of wireless phones has increased interest in the adoption of this IP space. Here are the key advantages and enhancements that IPv6 provides over IPv4:
- Expanded address space – 128-bit addressing instead of the 32-bit addressing used in IPv4
- Globally unique IP addresses – The additional addresses allow each node to have a unique address, which eliminates the need for NAT
- Fixed header length – The IPv6 header length is fixed, allowing vendors to improve switching efficiency
- Improved option mechanism – IPv6 options are placed in separate optional headers located between the IPv6 header and the transport-layer header. The option headers are not required
- Address auto-configuration – This capability provides for dynamic assignment of IPv6 addresses. IPv6 hosts can automatically configure themselves, with or without a DHCP server.
- Support for labeling traffic flows – Instead of the type-of-service field in IPv4, IPv6 enables the labeling of packets belonging to a particular traffic class for which the sender requests special handling. This support aids specialized traffic, such as real-time video.
- Security – IPv6 includes features that support authentication and privacy.
- Maximum transmission unit (MTU) path discovery – IPv6 eliminates the need to fragment packets by performing path MTU discovery before sending packets to a destination.
- Site multihoming – IPv6 allows multihoming: hosts and networks can have multiple IPv6 prefixes, which facilitates connection to multiple ISPs.
Let me first explain why the additional address space will improve service on the Internet. Currently, to cope with the limited IPv4 space, many networks impose NAT to route traffic from one network to another. This increases the complexity of the multiple routes that your data packet may take, which leads to a less than elegant network, and it may take longer to diagnose network troubles. With global IP addressing, data packets can easily reach their unique address anywhere in the world through theoretically less complicated routing. This should result in better up-time and efficiency on a network. I also believe that eliminating the single DHCP server on a network will also eliminate a single point of failure, which leads to higher availability of network services.
The additional features like site multihoming, MTU path discovery, security, support for labeling traffic flows, fixed header length, and an improved option mechanism will lead to an overall better experience on the Internet; but ultimately these are very specific to the network experts and network vendors, who will find it much easier to perform their functions and job responsibilities.
The overall theme of IPv6 is simplicity, and that is what the IPv6 header provides. The fragment offset field and flags of IPv4 have been removed, and a flow label field takes the place of the type-of-service field for quality-of-service (QoS). While the overall length of the address is four times that of IPv4, switching efficiency is improved. Improvements have also been made to the address allocations (unicast, multicast, and broadcast). IPv6 maintains these functions but defines them differently: there is a special ‘all-nodes’ IPv6 multicast address that handles the broadcast function, and it introduces the ‘anycast’ address type. Each of these three (3) sections/allocations has address space reserved for its function. The unicast (one-to-one) address is the logical identifier of a single host interface; these addresses are divided into global and link-local addresses. The ‘anycast’ address (one-to-nearest) is allocated from the set of unicast addresses; anycast addresses should share common characteristics and are explicitly configured for anycast. This addressing sends packets to the geographically closer device, based on a routing protocol. Multicast (one-to-many) also identifies a set of hosts, and the packet is delivered to all of the identified hosts. IPv6 replaces the broadcast function with multicast, so you would use the ‘all-nodes’ multicast address instead.
One of the most distinctive differences between IPv4 and IPv6 is in the mechanisms for address resolution, address assignment and routing protocols.
- ARP is replaced with IPv6 ND
- IPv6 uses ICMPv6
- DNS adds a new resource record type (AAAA) for resolving FQDNs to IPv6 addresses
IPv6 Neighbor Discovery (ND) is intended for plug-and-play discovery of all nodes on the same link. It finds the routers and checks for duplicate addresses. It also performs redirects, neighbor unreachability detection, next-hop determination, parameter discovery, prefix discovery, autoconfiguration (without DHCP), and address resolution. Address resolution determines the MAC address of nodes on the link without using ARP.
Name Resolution: Quad-A [AAAA] resource record [RR]
Name resolution is being addressed in IPv6 by simply adding a new resource record (RR) type alongside the A record in DNS. The domain name is associated with an AAAA record, and that is all that is required to resolve a domain name to an IPv6 address. This small addition is considered a transitional step towards IPv4 and IPv6 compatibility.
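To show what that “small addition” looks like on the wire, here is an added example (not code from the original post) that builds a DNS AAAA resource record and parses it back. The AAAA record is laid out exactly like an A record, differing only in the TYPE code (28) and a 16-byte address payload; the record name, TTL and addresses are constructed sample values, and the layout follows RFC 1035 and RFC 3596.

```python
# Added example (not from the original post): encode and decode a DNS AAAA resource
# record in wire format. Name, TTL and addresses below are constructed sample values.
import ipaddress
import struct

TYPE_A, TYPE_AAAA, CLASS_IN = 1, 28, 1   # RFC 1035 type/class codes; AAAA from RFC 3596
RR_FIXED = struct.Struct("!HHIH")        # TYPE, CLASS, TTL, RDLENGTH (10 octets)


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    if any(len(label) > 63 for label in labels):
        raise ValueError("DNS labels are limited to 63 octets")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_rr(name: str, addr: str, ttl: int = 300) -> bytes:
    """Build an A or AAAA RR; the IP version of `addr` selects the record type."""
    ip = ipaddress.ip_address(addr)
    rtype = TYPE_AAAA if ip.version == 6 else TYPE_A
    rdata = ip.packed                      # 4 octets for A, 16 octets for AAAA
    return encode_name(name) + RR_FIXED.pack(rtype, CLASS_IN, ttl, len(rdata)) + rdata


def parse_rr(buf: bytes, offset: int = 0):
    """Decode one uncompressed RR starting at `offset`.

    Returns (name, type, ttl, address_text, next_offset). Compression pointers
    (RFC 1035 section 4.1.4) are rejected rather than followed, to keep the
    example focused on the record layout."""
    labels = []
    while True:
        length = buf[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not handled in this example")
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length
    rtype, rclass, ttl, rdlen = RR_FIXED.unpack_from(buf, offset)
    offset += RR_FIXED.size
    rdata = buf[offset:offset + rdlen]
    offset += rdlen
    if len(rdata) != rdlen:
        raise ValueError("truncated RDATA")
    # A carries exactly 4 octets and AAAA exactly 16; anything else is malformed.
    expected = {TYPE_A: 4, TYPE_AAAA: 16}.get(rtype)
    if expected is not None and rdlen != expected:
        raise ValueError(f"RDLENGTH {rdlen} does not match record type {rtype}")
    address = str(ipaddress.ip_address(rdata)) if expected else rdata.hex()
    return ".".join(labels), rtype, ttl, address, offset


if __name__ == "__main__":
    wire = build_rr("www.example.com", "2001:db8::1") + build_rr("www.example.com", "192.0.2.1")
    pos = 0
    while pos < len(wire):
        name, rtype, ttl, address, pos = parse_rr(wire, pos)
        print(name, "AAAA" if rtype == TYPE_AAAA else "A", ttl, address)
```

The RDLENGTH check matters in practice: a resolver that trusts the type code and reads 16 bytes regardless of the declared length is reading past the record on a malformed answer.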
As I hinted at before, IPv6 autoconfigures its addresses, so it doesn’t rely on a DHCP server. This feature is considered stateful and it accomplishes this on its own through these steps:
- Obtains its link-local address when initialized
- Checks for duplicate addresses
The host joins the all-nodes multicast group and waits for neighbor advertisements. It sends a neighbor solicitation message with a tentative IP, and if the IP is already in use then a neighbor advertisement is sent in reply. If the host does not receive a neighbor advertisement, the tentative IP becomes its link-local address.
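To make the two steps concrete, here is an added example (not code from the original post) that computes the tentative link-local address a host would form from its MAC address, the solicited-node multicast group it listens on while checking for duplicates, and the accept/reject decision of duplicate address detection, and classifies addresses into the unicast, link-local and multicast types discussed above. The MAC address and the list of observed neighbor advertisements are constructed sample values; forming the interface identifier with the modified EUI-64 method of RFC 4291 is an assumption, since the post does not say how the identifier is derived.

```python
# Added example (not from the original post): the addresses a host computes during
# IPv6 address autoconfiguration. The MAC address and the neighbor advertisements
# used below are constructed sample values; the interface-identifier derivation is
# the modified EUI-64 method of RFC 4291 (an assumption; the post does not say).
import ipaddress

LINK_LOCAL = ipaddress.IPv6Network("fe80::/64")
ALL_NODES = ipaddress.IPv6Address("ff02::1")                      # replaces IPv4 broadcast
SOLICITED_NODE = ipaddress.IPv6Network("ff02::1:ff00:0/104")      # RFC 4291 section 2.7.1


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: split the 48-bit MAC, insert 0xFFFE, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02                      # universal/local bit inverted per RFC 4291
    return int.from_bytes(eui, "big")


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """Tentative link-local address: the fe80::/64 prefix plus the interface identifier."""
    return ipaddress.IPv6Address(int(LINK_LOCAL.network_address) | eui64_interface_id(mac))


def solicited_node_multicast(addr) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX, taking the low 24 bits of the unicast address. The host
    joins this group so it can hear a neighbor advertisement for its tentative address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE.network_address) | low24)


def duplicate_address_detection(tentative, advertised_targets) -> bool:
    """Decision step of DAD: the tentative address is kept only if no neighbor
    advertisement names it as its target. `advertised_targets` stands in for the
    target addresses seen in NA messages during the wait."""
    t = ipaddress.IPv6Address(tentative)
    return all(ipaddress.IPv6Address(na) != t for na in advertised_targets)


def classify(addr) -> str:
    """Name the address type in the terms used above (unicast, link-local, multicast)."""
    a = ipaddress.IPv6Address(addr)
    if a == ALL_NODES:
        return "multicast (all-nodes)"
    if a in SOLICITED_NODE:
        return "multicast (solicited-node)"
    if a.is_multicast:
        return "multicast"
    if a.is_link_local:
        return "unicast (link-local)"
    if a.is_global:
        return "unicast (global)"
    return "unicast (other: reserved, unique-local or loopback)"


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"            # constructed sample MAC
    tentative = link_local_address(mac)
    group = solicited_node_multicast(tentative)
    print("tentative", tentative, classify(tentative))
    print("listen on", group, classify(group))
    # No advertisement for the tentative address arrives, so it is accepted.
    print("accepted:", duplicate_address_detection(tentative, ["fe80::1"]))
```

Because the interface identifier is derived from the MAC, the same host carries the same low 64 bits into every prefix it configures; that is the trackability concern behind the privacy extensions later standardized, and a reason monitoring tools can correlate a link-local address with a global one.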
(Native IPsec)
Security has been enhanced in IPv6 by providing native IPsec. The intention is to provide operating-system-level security for all IPsec hosts, with encrypted payloads, authentication and integrity.
(Routing Protocols)
Nearly all IPv4 routing protocols have been reshaped for IPv6 (RIPng, EIGRP, OSPFv3, IS-IS, and BGP4). RIPng uses a different UDP port and supports IPv6 addresses and prefixes. Cisco IOS supports BGP4, IS-IS, OSPFv3 and RIPng, and has developed EIGRP support for IPv6 networks that is managed separately from IPv4. IPv6 addressing is supported by all of these protocols.
These are many of the highlights of a very involved discussion about the future of networking. I look forward to your comments on this subject.
If data isn’t accessible through the Internet, it simply doesn’t exist. You are not truly operating a business if you do not have an Internet presence, yet the global communication grid of the Internet is wild, interwoven, complex, and dangerous, just like a jungle. This reality becomes more absurd when you get a call from your client saying they have a client that must comply with a multitude of security requirements: HIPAA, GLBA, SOX and the European Union’s Data Protection Directive 95/45/EC.
- U.S. Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (GLBA)
- Sarbanes-Oxley (SOX)
- EU Data Protection Directive 95/45/EC
The Internet was designed to be free and open, but, as in any ecosystem, malicious predators are prevalent. Many hosts try to provide a wide and open network environment so they can attract a diverse customer base that doesn’t require such stringent security requirements. Medical and financial data services are looking to expand their global presence, but they should be prepared for three major threats, classified in these three (3) broad categories: denial of service (DoS), obtaining unauthorized access, and information gathering. The most common, of course, is the DoS attack, which aims to overwhelm the resources of a server or service; these attacks are usually coordinated and initiated from multiple locations. An attacker may also gain access to a system to cause damage by removing, altering or simply reading confidential data. Lastly, there are network tools available to discover information about the hosting platform itself or the network, in preparation for malicious attacks in the near future.
In general these predators target the host’s network infrastructure (throughput/capacity), endpoints (management stations/IP phones), network services (DHCP/DNS), and infrastructure devices (routers/switches/firewalls). Cisco Secure Connectivity Systems provide technologies such as MPLS VPNs (with or without IPsec), SSL, SSH, and IPsec to address unauthorized access to infrastructure devices. The Cisco Self-Defending Network (Threat Defense) provides a strong defense against DoS, man-in-the-middle attacks, and Trojan horses. Additionally, the Cisco ASAs, routers, and Catalyst switches provide some built-in infrastructure protection, all with an enhanced Cisco IOS. Here are some examples:
- Adaptive Security Appliances (ASA) integrate essential security technologies in one platform (firewall, IPS, IPsec VPN, SSL VPN)
- Routers consolidate the IOS firewall, IPS, IPsec VPNs, DMVPN and SSL VPN in the routing platform to secure the router if attacked
- Catalyst switches combine firewall, IPS, SSL VPN, IPsec VPN, DoS mitigation and virtual services to build security zones
It is recommended that you:
- replace telnet with SSH for access to network infrastructure;
- enable SYSLOG collection and review the logs for analysis;
- use SNMPv3 for its security and privacy features;
- disable unused network services such as tcp-small-servers and udp-small-servers;
- use FTP or SFTP instead of TFTP to manage images;
- use access classes to restrict access to management interfaces and the CLI;
- enable routing protocol authentication when available (EIGRP, OSPF, IS-IS, BGP, HSRP, VTP);
- use one-step lockdown in Security Device Manager (SDM) before connecting the router to the Internet.
These are just a few of many considerations that should be implemented to protect sensitive data and services. It is equally important to provide software security and hardening for the servers themselves, and to train support personnel to recognize social engineering attacks and to maintain physical security. Securing your hosting solution is one of the many paths that lead to high availability and high performance.
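A checklist like this is only useful if it is verified before a device goes live, so here is an added example (not code from the original post) that reads a saved Cisco IOS configuration and reports which items are not met: telnet still allowed on the vty lines, no access class, small servers enabled, no syslog host, v1/v2c SNMP community strings instead of SNMPv3, and OSPF without authentication. Both configurations, the hostnames and the addresses are constructed for the example; the command strings follow standard IOS syntax, and of the routing protocols named above only the OSPF case is checked.

```python
# Added example (not from the original post): audit a saved Cisco IOS running-config
# against the hardening checklist. Both configs below are constructed for this example.
import re

WEAK_CONFIG = """\
hostname edge-rtr1
service tcp-small-servers
logging host 10.0.0.50
snmp-server community public RO
router ospf 1
 network 192.0.2.0 0.0.0.255 area 0
line vty 0 4
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname edge-rtr1
no service tcp-small-servers
no service udp-small-servers
logging host 10.0.0.50
snmp-server group NETMGMT v3 priv
router ospf 1
 network 192.0.2.0 0.0.0.255 area 0
 area 0 authentication message-digest
line vty 0 4
 access-class 10 in
 transport input ssh
"""


def parse_sections(config):
    """Map each top-level command to the list of indented sub-commands beneath it."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                      # skip blank lines and IOS comments
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def subcommands(sections, prefix):
    """All sub-commands under every section whose header starts with `prefix`."""
    return [c for head, cmds in sections.items() if head.startswith(prefix) for c in cmds]


def audit(config):
    """Return {check: (passed, evidence)} for each checklist item that the config can show."""
    sections = parse_sections(config)
    top = list(sections)
    vty = subcommands(sections, "line vty")
    results = {}
    # Telnet replaced with SSH: every vty line must allow ssh and nothing else.
    transport = [c for c in vty if c.startswith("transport input")]
    results["vty_ssh_only"] = (
        bool(transport) and all(c.split()[2:] == ["ssh"] for c in transport), transport)
    # Access classes restrict which sources may reach the CLI at all.
    acl = [c for c in vty if c.startswith("access-class")]
    results["vty_access_class"] = (bool(acl), acl)
    # Small servers: absent or explicitly negated both pass; an enabling line fails.
    enabled = [k for k in top if re.fullmatch(r"service (tcp|udp)-small-servers", k)]
    results["small_servers_disabled"] = (not enabled, enabled)
    # SYSLOG collection to a remote host.
    syslog = [k for k in top if k.startswith("logging host")]
    results["syslog_host"] = (bool(syslog), syslog)
    # SNMPv3 configured and no v1/v2c community strings left behind.
    communities = [k for k in top if k.startswith("snmp-server community")]
    v3_groups = [k for k in top if k.startswith("snmp-server group") and " v3 " in k]
    results["snmpv3_only"] = (bool(v3_groups) and not communities, communities or v3_groups)
    # Routing protocol authentication (OSPF only; the same pattern extends to the others).
    ospf = subcommands(sections, "router ospf")
    auth = [c for c in ospf if "authentication" in c]
    results["ospf_authentication"] = (bool(auth), auth)
    return results


def failed_checks(config):
    """Sorted names of the checklist items the config does not satisfy."""
    return sorted(name for name, (ok, _) in audit(config).items() if not ok)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "fails:", failed_checks(cfg))
```

Run against a configuration pulled with `show running-config`, the output is a short list of what still needs to change; the checks that cannot be read from the config alone (SFTP versus TFTP for image management, SDM one-step lockdown) remain procedural.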
Web Hosting Review, in its March 2009 magazine issue, reminded us all of McColo’s shutdown in 2008. McColo had a reputation for hosting the critical control elements of the majority of malicious software and phony anti-virus scans on the Internet; Microsoft has posted a $250,000.00 reward for the authors of the Conficker worm and botnet. Spam is being taken seriously, and that is why the FBI subscribes to IRONPORT security appliances. IRONPORT is also used by the top ten ISPs in the world and by 20 percent of the world’s largest enterprise companies. So, why is IRONPORT a product demanded by those with serious security concerns?
- FEATURES!
IRONPORT products provide far more than just simple signature based spam filtering. While their competitors dump millions of dollars into marketing budgets, IRONPORT continues to develop services that are truly enterprise grade.
- Reputation Filters
- Anti-Spam Filters
- Spam Quarantine
- Virus Protection
- Data Loss Prevention
- E-mail Authentication
- Enterprise Management tools
- MTA Platform
This list looks common to many other spam filtering appliances, but it is IRONPORT’s multi-layered approach, which includes not only reactive but proactive measures, that deals with the scum of data circulating the Internet. This is most unique in their Context Adaptive Scanning Engine (TM) (CASE). IRONPORT offers an easy return on investment because it provides real-time and historical management of e-mail data, consolidates management into a single interface, and increases worker productivity with its reporting features.
- Highest spam catch rate: greater than 98 percent, with less than one in one million false positives
- Reputation Filters eliminate 80 percent of junk e-mail before it enters your network
- DomainKeys (DKIM) signing, directory harvest attack (DHA) prevention and complete protection against bounced-message attacks
- Set different filtering policies for different groups within your organization
- Real-time reporting allows administrators to be proactive about e-mail security and modify policies if they are under attack
What does it mean to be “highly” available or “high” performance? Many web masters have a vague grasp of these terms, but what do they really mean? Are there any differences between the two?
- Answer: Absolutely!
A high availability hosting solution provides for service interruptions that your site visitors may not even be aware of, because there are multiple layers of redundancy built into your hosting solution. To accomplish this you must eliminate every single point of failure: you should duplicate the load balancers, firewalls, private networks, database servers and, of course, web servers.
Most load balancers do not synchronize or replicate your data for you, so advanced configurations must be implemented to facilitate data continuity during a service interruption. There are many open source solutions available, and Microsoft has native solutions for Windows IIS and MSSQL hosting.
- High Availability is not necessarily fast
In contrast to high availability, the high performance solution focuses on speed: rapid delivery of web pages or embedded content. The high availability solution is not focused on this aspect of the hosting experience, because its primary goal is to provide 100% up-time, and this doesn’t always equate to high performance. There are two major challenges to a high performance solution: geographic considerations and server resources. Geographic locale can cause problems due to the distance between the user and the web server, the user’s local security protocols, and server resources.
If a user is browsing your site from South Africa and you are hosted in a world class data center in the United States, the site may experience a lag. This lag grows with the number of images, files, media or other services that load on the home page, so it would be best to minimize your homepage content. Additionally, there are content delivery networks and services available to serve cached content, provide live streaming or offer remote storage from geographically closer nodes (servers or appliances) to your site visitor.
An important consideration that should be noted is the local government’s policies at the network firewall level. China has elaborately firewalled Internet access, and many Middle Eastern countries block any content they deem inappropriate or immoral. These conditions make it very tricky to promote your site as a high performance service, so they should be carefully researched and considered when launching a new site.
The easiest way to increase your site’s performance is through the selection of hardware resources. Many sites simply need more horsepower behind them to rapidly improve page loading times. I am talking about QUAD CORE processing power, additional RAM (as much as you can get your hands on), faster hard drives for I/O performance (SAS, SCSI, SSD), and Gigabit networking.
- RAID 10 is KING!
Hardware selection is critical for high performance sites, so RAID selection is important. Since every copy of data in RAID 1 must be written to and read from two or more drives, RAID 5 presents a cost-effective performance improvement over RAID 1. Nevertheless, RAID 10 is the primary choice for high performance databases, because having no parity to calculate enhances the performance of hard drive writes.
A CLOUD can never replace the customization required for high performance, high availability web sites or applications.