An unabashedly nerdy swan dive into networking technology. Weekly episodes feature industry experts, real-life network engineers and vendors sharing useful information to keep your professional knowledge sharp.
Innovation Or Stagnation - A Year-End Networking Review
Today’s Heavy Networking considers the current state of networking technologies and the networking market. We discuss the notion of multi-location networking, whether “software-defined” has finally arrived, how network engineers and the industry are dealing with complexity, and whether organizations can “cloud” their way out of legacy problems.
We also debate whether we’ve seen any significant innovations over the past year, if the industry has stagnated, or if we’re simply trying to stay on top of disruptions caused by cloud, the Covid pandemic, and the erosion of traditional network boundaries.
There are no guests or sponsors on today’s show, just Greg Ferro, Ethan Banks, and Drew Conry-Murray having a bit of a year-end chin-wag.
Everything You Ever Wanted To Know About NAC (And Then Some)
Network Admission Control (also called Network Access Control), or NAC, is our topic today. Roughly stated, NAC is about whether to allow a wired or wireless “thing” (a user, a device) onto your network. And if you do allow them, what will they be able to access? If you’ve worked with 802.1X, Cisco ISE, Aruba ClearPass, RADIUS, etc., you’re in the world of NAC.
Our guest is Arne Bier. Arne’s a Senior Consulting Engineer and CCIE who emailed us asking to have this NAC conversation. We hit a bunch of topics including MAC authentication bypass, client certificates, EAP methods, and more. We also discuss reasons why NAC is worth deploying despite the effort.
By the way, maybe you’re an independent engineer with something you’d like to discuss on a future Heavy Networking podcast. Hit our contact form at packetpushers.net, or email email@example.com. We’d love to hear from you and consider your topic.
NS1 delivers DNS, DHCP, IPAM, and traffic steering as a service for your applications on premises and in the cloud. Find out more at ns1.com/packetpushers.
802.1X Authentication Services Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches) – Cisco
Cisco ISE Secure Wired Access Prescriptive Deployment Guide – Cisco
* BTW: NAC can also mean Device Administration (TACACS+/RADIUS) but we are discussing end-client NAC today – in particular wired and wireless endpoints
* No. 1 reason: security compliance (a company mandate or even industry regulations such as PCI, HIPAA, etc.)
* Visibility (what’s connecting to my network at any one time)
* Enabler for dynamic authorization – e.g. quarantine a compromised device
* Config consistency and Plug&Play simplicity (esp on Switch ports)
Common NAC Hot Topics At The Start Of A Project:
* Most customers don’t know what is in their environment and struggle to create an all-encompassing policy that describes WHAT is allowed to connect, and HOW to treat each device
* Certificate based authentication is the gold standard (EAP-TLS)
* "802.1X requires client certificates" – a common misconception, and a common reason given for not implementing 802.1X
* Server certificate and Client Certificates often mixed up – which one is used for what and when?
* Which CA should I use to sign the EAP certificate?
* 802.1X is too complicated – let’s just do MAB! We’ll discuss MAB later
Technical Explanation Of The 802.1X “Ingredients” Required
* IEEE standard – Layer 2 authentication method
* Uses the EAP framework (IETF) – defined in RFCs
* EAP carried over Layer 3 using RADIUS (SPs also use DIAMETER)
* RADIUS on its own is not secure – RADSec is the solution, carrying RADIUS inside a TLS tunnel
* Supplicant (client) – Windows 7 and later, macOS, iOS, Android, Linux, and many others
* Authenticator (Switch/WLC) – Most Enterprise Class Switches will have this
* Authenticating server (RADIUS) – Cisco ISE, Aruba ClearPass, Microsoft NPS, Juniper SBR (Steel-Belted RADIUS), FreeRADIUS
* EAP Methods: e.g. EAP-PEAP, EAP-TLS, EAP-SIM – pros and cons of each
* Identity Sources: AD, LDAP, ODBC, Internal Users (internal to the RADIUS platform) – not all support MS-CHAPv2
ZTNA Everywhere With VMware SASE (Sponsored)
Today’s Heavy Networking podcast delves into Secure Access Service Edge (SASE). SASE is a much-abused marketing term these days as various vendors have brought their own ideas and product portfolios to the notion of cloud-delivered security, networking, and zero-trust technology.
In today’s sponsored show with VMware, we take a fresh look at its SASE solution, including Zero Trust Network Access (ZTNA) capabilities. VMware has a breadth of products that allow for a differentiated overall solution. Joining us today is Craig Connors, Vice President and Chief Technology Officer of Service Provider and Edge at VMware.
* The impact of multi-cloud and edge computing on application deployment and access
* Addressing security issues when users and applications are widely distributed
* Pinning down a definition of SASE
* Differentiators in VMware’s SASE offering
* Incorporating visibility, telemetry, manageability
@egregious – Craig Connors on Twitter
Dealing With DNS And Domain Name Abuse
The Domain Name System (DNS) holds the Web together. It’s operated by people with a wide spectrum of competency and perspectives. End users just want their domain names, registrars want to make money for minimum effort, and the whole ecosystem relies on goodwill, common interest, and best efforts.
At the same time, bad actors take advantage of DNS for nefarious purposes such as malware and botnets. On today’s show we talk with Graeme Bunton, Director, at the DNS Abuse Institute.
The institute is a community effort to create recommended practices, foster collaboration, and develop solutions to DNS-related problems including malware, botnets, phishing, pharming, and spam. It was developed by the Public Interest Registry (PIR), which operates the .ORG top-level domain.
* The diffuse nature of DNS and the challenges of collective action
* How domain names can be used to do bad things
* The tools that registries and registrars have, and what their limits are
* How the institute works to combat DNS abuse
Sponsor: Dell Technologies
Dell Technologies is helping enterprise customers to pave the way for transforming their networks with innovative open networking offerings and global support and services. A key component of this journey is commercial versions of open source SONiC, both within the data center and beyond.
Learn how open source SONiC can play multiple roles in your enterprise network infrastructure with Dell Technologies. Go to delltechnologies.com/networking.
DNS Abuse Definition: Attributes of Mitigation – CircleID
DNS Abuse Institute.org
How cnvrg.io Metacloud Can Help Solve MLOps Challenges (Sponsored)
Today on Heavy Networking, we consider a newly announced platform for artificial intelligence workloads. And if that sounds more like a Day Two Cloud episode, you might be right. But what we challenge you to think about as an infrastructure engineer is the overall architecture here.
We’re covering the cnvrg.io Meta Cloud announcement today, which as a computing platform is typical of an increasingly common hybrid cloud design: data held on-premises is processed in the public cloud. How do you design a network infrastructure that plumbs up the on-prem environment you own with the SaaS environment you don’t? How do you make it performant, secure, and resilient? Do you just slap up a VPN tunnel? That’s often the go-to, but when you’re dealing with specialized workloads and large datasets, is that really what you want to be doing?
Our sponsor today is Intel, and they brought the cnvrg.io Meta Cloud story to us today. Our guest is Yochay Ettun, Co-founder and CEO at cnvrg.io. We’re going to chat about Meta Cloud with Yochay, and then wrap up this episode kicking around some architectural considerations.
cnvrg.io Early Access
@intelbusiness – Twitter
@intelAI – Twitter
@cnvrg_io – Twitter
Yochay Ettun on LinkedIn
@yochze – Yochay Ettun on Twitter
Taking A Systems Approach To Networking With Bruce Davie
Today’s Heavy Networking continues our Future of Networking series by diving into the notion of taking a systems approach to networking with Bruce Davie, Ph.D.
Dr. Davie got his start at Bell Corp. in 1988, developing hardware for gigabit networking. Since then he’s worked for a number of companies including Cisco, where he worked on the MPLS protocol, and VMware. He was part of the SDN startup Nicira, which was later acquired by VMware.
Dr. Davie has written a number of IETF RFCs and is co-author of the book Computer Networks: A Systems Approach, which you can read online for free. You can also find a free book series at systemsapproach.org/books.
* Whether MPLS was a good idea
* The emergence of HTTP as a dominant protocol
* Taking a systems approach to networking
* Systems approach vs. optimizing boxes
* Thinking about cross-layer interactions
* Is there still a need for QoS?
* Network as a service
Itential is network and cloud automation. Itential’s software makes it easy for network teams to get insights into your entire infrastructure, immediately detect non-compliant assets for rapid remediation, and manage and deploy changes across both CLI & API infrastructure. Find out more at www.itential.com/packetpushers.
Systems Approach Books
Systems Approach – Substack
@_drbruced – Bruce Davie on Twitter
Computer Networks: A Systems Approach
LEDBAT – Wikipedia
Amazing Deep Networking Podcast!
Came across Packet Pushers and I can’t stop! As a Network Engineer myself I find the topics, the guests, the insights and deep dives phenomenal, informative, educational and very enjoyable. Thank you guys for putting out a high quality podcast and for all your efforts. Keep em coming!
Great source of information
I’m a software engineer in the valley and I find your podcasts to be extremely useful in understanding the larger picture. Thanks for freely sharing this with the rest of the community.
Valuable and Accessible Perspectives and Analysis
The unfortunate state of technology-related podcasts is that the dry delivery of the content is hard to stay engaged with and/or the hosts/guests aren’t relatable or aware of their audience. Fortunately for everyone, the guys at Packet Pushers have brilliantly created a mix of technology, business, industry analysis, and the daily realities of engineers and architects delivered to the listener with wit, humor, and an unpretentious voice that is accessible for the newest help desk technician, the veteran tech CEO/CIO/CTO, and everyone in between.
I’ve pointed a number of professionals at the Packet Pushers collection of podcasts and every one of them has become a regular listener and found the information professionally useful in their day-to-day careers.