I was teaching a lab on Context Based Access Control (CBAC) on a Cisco 2600 and experimented with using NAT and CBAC together. Here are some very interesting facts concerning CBAC:
1) No matter which interface the ip inspect rule is applied to, the temporary access control list entry that allows the return traffic back through the router (based on the protocol being inspected) is added to every ACL the traffic will encounter on the way back to the source. I.e. if ip inspect FWRULE in is applied to the inside interface, and there is an ACL applied outbound on the inside interface and another inbound on the outside interface, then a temporary ACL entry will be added to both lists.
2) If you are using NAT and you are inspecting traffic inbound on the internal interface, and you have an inbound ACL on the external interface, then CBAC is smart enough to add the temporary ACL entry to that inbound ACL using the inside global address (the address the packet still carries at that point, since the inbound ACL on the outside interface is evaluated before the outside-to-inside NAT translation). I must say I'm quite impressed.
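The setup those two observations come from can be written down as a short IOS config. The following is an added example, not the lab config from the original post; the interface names, addresses (RFC 5737 documentation ranges), ACL names and the choice of inspected protocols are all assumptions.

```cisco
! Added example, not the original lab config. Interface names, addresses
! and ACL names are assumptions. Inside LAN 192.168.1.0/24 is PAT'd behind
! the outside interface address 203.0.113.2.
!
! Protocols to track statefully. Only sessions matching this rule get
! temporary return entries; anything else hits the static deny lines below.
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
ip inspect name FWRULE ftp
! Log session creation/teardown so the dynamic entries are easy to follow.
ip inspect audit-trail
!
! Which inside (local) addresses are translated.
ip access-list standard NAT_INSIDE
 permit 192.168.1.0 0.0.0.255
!
! ACL applied OUTBOUND on the inside interface, i.e. on traffic heading
! back to the LAN. Deny by default; CBAC inserts temporary permits above
! this line for the return traffic of inspected sessions (observation 1).
! NAT has already translated the destination back to the inside local
! address by the time a packet reaches this ACL.
ip access-list extended INSIDE_OUT
 deny   ip any any log
!
! ACL applied INBOUND on the outside interface. Also deny by default; the
! temporary entries CBAC adds here carry the inside global address, because
! this ACL is evaluated before the outside-to-inside translation
! (observation 2).
ip access-list extended OUTSIDE_IN
 deny   ip any any log
!
interface FastEthernet0/0
 description Inside LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip inspect FWRULE in
 ip access-group INSIDE_OUT out
!
interface FastEthernet0/1
 description Outside (ISP)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE_IN in
!
ip nat inside source list NAT_INSIDE interface FastEthernet0/1 overload
```

Start a TCP session from a LAN host, then compare show ip inspect sessions with show ip access-lists: the dynamic entry in OUTSIDE_IN names 203.0.113.2 (the inside global address), while the one in INSIDE_OUT names the 192.168.1.x host. Because both static ACLs end in deny ip any any, anything the inspect rule does not cover is dropped at the log lines, which is what makes the dynamic entries easy to observe in a lab; ping from the LAN, for instance, fails unless your IOS supports ip inspect name FWRULE icmp and you add it. A production config would explicitly permit whatever it needs in front of those denies.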
Wednesday, January 26, 2005
Friday, January 21, 2005
What You'll Wish You'd Known in High School....
I read about this article on Slashdot. It's a speech Paul Graham was going to give to a high school class, but it was vetoed by the school authorities. However, I feel the concepts here are not restricted to high school students. They apply to college students and many adults. I think even now few people have figured this out.
What You'll Wish You'd Known
Tuesday, January 18, 2005
Schneier on Security: The Legacy of DES
I had a student post a great link to an essay, Schneier on Security: The Legacy of DES.
Schneier is a security god with this stuff. This is just one of the great papers he has written! It's so cool to read about people who try to blow the lid off flawed algorithms used by big industry players, as well as keeping a close eye on government intelligence organizations and actions they might take to limit the public's ability to maintain privacy.
It gets back to the age-old debate on privacy versus national security. Obviously terrorist cells and criminals will try to take advantage of a technology that protects them from prying eyes, but does giving up some of our civil liberties really mean our security forces get that much closer to these guys? As the years go by I'm becoming more and more cynical about just how some of this information that the government has access to can be misused. It would just take one dark character to access a national database of personal information and we are all in danger of being taken advantage of. A very careful balance has to be struck between convenience and security. I've no idea what the solution is or where that line should be drawn, but it strikes me that people need to keep a very close eye on just how vulnerable they are to identity theft and distribution of private information.
Friday, January 14, 2005
Neptune
I read about an awesome project going on with CANARIE. This is just an example of why this regional initiative to connect all educational institutions in the Okanagan to the research networks should happen. It would present all kinds of opportunities. Here is an excerpt.....
*************************************************************************
Monday, December 20, 2004
With Neptune -- an acronym for North-East Pacific Time-Series Networked Experiment -- complete in Canada and the U.S., 3,000 kilometres of fibre-optic cable and power lines will be buried three kilometres under the ocean floor to monitor the entire Juan de Fuca plate running from Vancouver to Oregon.
Sensors and instruments will measure everything from currents to fluids in the seabed to tremors on the sea floor. Robotic submersibles will shuttle the area to perform experiments on command, docking themselves at underwater power stations when they are done.
Television cameras will pan, tilt and survey the area, controlled remotely through the Internet so researchers can manipulate their view from their desks and school children will capture live footage of sea life.
The unparalleled look into the deep will run 24 hours a day, seven days a week for 30 years. Its tasks will be many: tracking whales and other marine mammals, monitoring fish stocks, investigating undersea gas deposits, examining how tectonic plates work, running experiments to monitor climate change, measuring underwater earthquakes, recording underwater volcanic activities and providing new insights into tsunamis.
Another concept is to have a specific instrument on the sea floor dedicated to a specific high school for a semester. It is their instrument, they can do whatever they want with it.
Chris Barnes is the project director for Neptune Canada. Mr. Barnes says such systems could save governments money by providing them with a rich data source to make better decisions. He points to the collapse of the cod stocks off Newfoundland.
Canarie's job is to come up with the tools that will allow schoolchildren and researchers to tap into the observatory through the Internet.
"When you have an instrument on the ocean floor 3,000 metres down, how do you provide a researcher who may be located on the other coast of the country access to that instrument, to control it, to change its parameters -- to 'turn the knobs' -- and also get the data from the instruments to the researcher's desktop?" says Mr. St. Arnaud.
"And so we have to develop the technologies to allow them to remotely control that instrument. So we are working in partnership with the National Research Council and Neptune Canada to develop what are called web service tools to allow them to control the instrument."
Mr. St. Arnaud believes similar technology could be used to run offshore oil operations without the need for pricey oil rigs or to operate mines without putting humans down the shafts.
*************************************************************************
Thursday, January 06, 2005
Read the Specs...
I just installed a relative's voice and data communications in their new house and encountered a classic blunder on my part. I ordered the usual NORDX BIX rails, slots, and RJ45-to-BIX rails to be used to terminate the connections. A couple of us punched down the telecommunications side of things onto the BIX and I punched down one quick data connection before I left. I plugged it directly into the cable modem, and wham, everything came up. So I thought I would leave it at that and come back to the rest when I had more time.
Later that week I purchased a Linksys wireless router and plugged everything in for them. However, lo and behold, their connection to the PC started flapping on and off! I got out the tester and started checking it out and got the following wiring layout:
Pin:     1 2 3 4 5 6 7 8
Maps to: 2 7 3 4 5 6 1 8
I thought, what the hell is this? Why the heck was it working on the cable modem? With this kind of wiring mismatch nothing should have worked! I checked all the terminations again, which looked fine, and then second-guessed myself a few times before talking to a colleague very knowledgeable in this area. He said, mmmmmm, this looks like a USOC setup, but I've never heard of an RJ45-to-BIX USOC rail. Well, guess what! There is! The mistake I made was that I sent in the spec sheet for a quote and it contained both the EIA/TIA 568A rail and the USOC rail. The account manager quoted me on the USOC rail and I didn't notice!
It is easily fixed with some simple repunching, but what a classic mistake!