Messages - wintermute000

#1
looks amazing
#2
Forum Lobby / Re: Welcoming myself back
March 10, 2023, 08:18:07 PM
lol ditto
#3
Security / Re: Using RADIUS as a sub for TACACS+
January 29, 2022, 07:25:23 PM
Fundamentally though this is a limitation in IOS - doesn't help 'in reality' but it's really IOS's inability to do RBAC based on RADIUS rather than any fundamental limitation on RADIUS itself.

Exhibit A: Any NGFW, you can do RBAC roles, assign to different logins / profiles, and then auth them via any bloody protocol you want.

On the open source side, tac_plus is quite common esp. in ISP / service provider land. I'm not sure of the exact feature-set comparison vs ISE.

Speaking tactically (hahahaha) though this is the last of your $VENDOR worries IMO, the big C will always be there because their switches carry the same logo, end of story. Your best chance is a big SD-Access push that inevitably turns into a dumpster fire, and then they end up hating ISE because of the golden rule of NAC - any NAC is painful, so if ISE is their first encounter, they will hate it by default. lol

MS don't care, they're trying to take AD DS out the back and shoot it, like they would care about TACACS. LDAP/RADIUS/TACACS/Kerberos etc. is old school and busted in cloud, it's SAML/OIDC or GTFO, any use-cases that aren't neatly covered can go jump lol.
I am laughing now imagining a bunch of offshored CCNAs trying to configure SAML on a router (yeah I know it's web based, but it's still funny).


Also, since we're doing $VENDOR talk, I'll just leave this here (before you get worked up, this is not a NAC, it's an identity server)
Administration Guide | FortiAuthenticator 6.4.1 | Fortinet Documentation Library
#4
Renew Azure Certified Solutions Arch Expert, deadline June.
Might take the Azure network engineer associate and security associate ones just for kicks.


MS has changed it around a lot, now their certs expire quicker, but you can renew with a free online test from Microsoft Learn (and I don't think it's formally proctored with time bookings, spyware etc. like the Pearson ones).

#5
Yeah, also I just discovered I can redo those viptela courses (again), so I will probably wring 20-30 points out that way and then cover the rest with ~1.5k of network automation courses (at least I'm practicing multi-vendor skills).

It's really a shock to the system not being given exams for free anymore (only $VENDOR exams are free, lol). They won't even pay for my Azure certs!
#6
There's no real reason not to just do NSSA just in case

With modern networks / CPU / RAM there really isn't a huge use-case (except for terrible WAN conditions etc.) for using lots of OSPF areas. A lot of ISPs will have 100+ routers in the same area lol
#7
Quote from: Dieselboy on January 14, 2022, 01:50:01 AM
Quote from: wintermute000 on January 13, 2022, 01:49:50 AM
What's the quickest / easiest / cheapest / useful way to extend these days with continuing education? By the time my next expiry rolls around I will be literally just a year off a decade so I will make no bones about the fact that it's a minimum effort lurch over the line, get the Emeritus badge and never bother with it again. Unfortunately work will no longer pay LOL. Could cram a CCNP core and a CCNP concentration exam but even that is almost 1k USD (!!!), not to mention a lot of legit effort. Maybe easiest to spend that money on digital learning so at least there's no chance of failing. Taking the devnet course(s) is my current idea since practicing python is pretty much multi-vendor.

I've been CCNP certified more than 10 years now - you make it sound like there is a reward ? I'd like a reward :) A pat on the back would suffice :)

(edit - I accidentally clicked modify because someone was talking to me, I reverted the accidental edit)

It's a CCIE thing - 10 years+ and you can pay them $350 (last time I checked...) and they will stamp you as "Emeritus" which never expires. So you get off the treadmill, but you can still call yourself a CCIE (Emeritus). The ego-stroking / sunk-cost fallacy is real.

Not counting $vendor, aside from this I'm only going to bother extending Azure ones.
 
#8
What's the quickest / easiest / cheapest / useful way to extend these days with continuing education? By the time my next expiry rolls around I will be literally just a year off a decade so I will make no bones about the fact that it's a minimum effort lurch over the line, get the Emeritus badge and never bother with it again. Unfortunately work will no longer pay LOL. Could cram a CCNP core and a CCNP concentration exam but even that is almost 1k USD (!!!), not to mention a lot of legit effort. Maybe easiest to spend that money on digital learning so at least there's no chance of failing. Taking the devnet course(s) is my current idea since practicing python is pretty much multi-vendor.
#9
MS are gunning for their former partners hard in this space and unlike ye olde Microsoft they actually have good products this time round, throw in 365 / Azure and it's Embrace Extend Extinguish in full flight
#10
Security / Re: MFA prompt frequency
August 07, 2021, 08:38:46 PM
I'd personally say 2 weeks because this is Azure AD's default and Microsoft knows best :p

To reduce friction, get something that can do push notifications i.e. instead of having to read the number and type, just have it come up as a notification that you can quickly hit yes to. OFC this will also make it easier for people to blindly hit yes.

To counter this, get the CIO to sign off on MFA phishing testing (not sure of exact term) but basically show to other C levels how easily they all hit the yes button or blindly tell the nice IT guy on the phone the current code and boom you're pwned. Fear is the only way LOL (of course if you go too far you end up with the guys who can extract cookies/tokens from endpoints to bypass 2FA as well ROFL but hey it's a game of layers right).

I read a study once from a red team who literally just brute forced compromised credentials and the majority of managers they targeted just hit yes, even when it was literally sitting at the dinner table, should I approve the system saying I'm trying to login, obviously I'm eating dinner so imma hit YES because I am a big brain manager. THE MAJORITY.
#11
even with NFSen on my old mom-and-pop ISP where I implemented it we would be getting tens of gigs a day from just maybe 3 dozen routers. It was always a battle with the SAN guys how much storage we were allocated.
A commercial vendor should be able to give you some mechanism to have a stab at quantifying the storage requirements.
#12
Well there are dedicated flow solutions, those integrated into bigger/wider products, and roll your own. I would have guessed you'd go for roll your own lol.

Shiny and resource intensive
https://docs.elastiflow.com/docs/
The OG mom-and-pop-telco/msp solution, raw as guts but 'works'
http://nfsen.sourceforge.net/
And then all the commercial solutions - Plixer Scrutinizer, PRTG, etc.
#13
Welcome to vendor land, this is the way.

I've even let my AWS ones expire, decided to maintain only Azure, and one more Cisco cycle then emeritus thank God
#14
Forum Lobby / Re: Meat Got Hacked
July 16, 2021, 06:33:32 PM
I'm loving all the C-level marketing/mindshare talks/podcasts/presentations/conferences about this crap. It all boils down to security basics which we as competent engineers all know (regardless of vendor/platform/tool). But these morons have to waste reams of paper/bytes over and over again to explain what are really basic arithmetic level concepts. It would be funny if it wasn't for the fact that these are all very highly paid, very senior management. The head of one of the largest telcos in my region just did one of these conferences and I could boil down his very expensive time to: 2FA, have backups. He's 100% right, but if you don't know this shit by now should you really be in an IT management position.... yet this is the height of the bar, and this is what it takes to lift the general discourse.

OTOH it's really good for business LOL
German military intelligence was notoriously terrible, I mean they consistently underestimated Russian numbers since day 1 of Barbarossa, it's really a miracle that anyone believed them at all by 1943. Not helped by Hitler's megalomaniac Trumpian rejection of reality.
#15
the issue is smooth shutdown of systems, and wear on PSU/HDDs.
If you have shutdown/startup procedures down pat then it's just a case of playing the lottery on HW failure, to be honest I don't know enough stats to definitely tell, except that everyone says that poweron / poweroff is when stuff explodes (particularly PSUs and HDDs).
Then there's logical isolation like schedule based firewall policies and VM auto shutdown / startup.