When encountering a mess like this, always remember your towel to keep your cool. Your goal in cleaning up a mess like this should be to (1) minimize downtime, and (2) clean up the mess to make future maintenance easier. The emphasis here is definitely on (1), as (2) is really just a sub-point to your overall network goals of keeping all services up with minimal disruptions. So, despite the urge to completely unplug and rip everything out, take a deep breathe and tackle things in a methodical calm manner. Eventually, you’ll end up with much more manageable racks.

How do you reduce downtime to get from point A to point B? One server at a time. Here’s a short checklist of things to do before powering down a server:

• Check scheduled tasks/cronjobs and make sure none are running when shutdown commences. Run any missed vital tasks manually upon restart.
• Work with end-users to make sure downtime occurs at most convenient time (taking into consideration other items in this list).
• Have a space, if possible, ready for after the server is shutdown. If you’re moving it, that means install rails (if available) or, at least, the space clear where you’ll want to install it. If simply keeping it in place, but needing to shut it down to switch power or untangle cables, have everything ready to perform that task.
• Work in pairs. Keep one person on each side of the rack to efficiently remove and install server.
• Breathe.

Hopefully, you and/or your predecessors have done the job right the first time and you’ll never have to encounter such a mess. If you are unfortunate enough to find yourself doing such a job, you have my deepest sympathy. Good luck.

I’m sure all of you already know (or should already know) that Wi-fi speeds are measured in Gigabits per second, but currently most Wi-fi implementations are running at 150mbps or less. Apparently, next-gen Wi-fi will come in two different frequencies, 5GHz (802.11ac) and 60Ghz (802.11ad), which will push out data at 1.3Gbps and 7Gbps, respectively. IEEE has moved away from using the 2.4GHz frequency, as it has become ridiculously crowded with a vast array of wireless devices. Anybody can see what a ridiculous jump in performance that is, and what a difference this is going to make for Wi-fi users (more or less everybody in the developed world).

I feel that I should go ahead and note that neither of these standards is fully developed yet, and will probably not be certified for about another year. There are companies that are already starting to premier their new pieces of hardware that implement the new standards, and some will be out before the certification.

Even if the new stuff isn’t working perfectly at that point, don’t worry too much as everything is backwards compatible. For example, even if you have an old card and there is only a 802.11ac access point in your vicinity, you can use it, just without the benefits of the new technology. Honestly, I love the idea of not having to wait forever for my movies on Netflix to load up, as I would like to get on with my life.

If you’re not getting better, you’re getting worse.

My high school football coach used to consistently remind us that by failing to improve, we were actually getting worse. In the land of competition, there is no treading water. As soon as you think you no longer need to improve, your competition catches up, or worse, passes you up. Apparently, Amazon is well aware of this. As the leader in cloud services, they have chosen to continue to expand and improve upon their services, and have finished up 2011 strongly. In case you missed it, here’s some of the highlights for 2011.

Elastic Beanstalk

Elastic Beanstalk was introduced in January this year as a way for developers to quickly and easily launch and manage cloud based solutions. Although this feature currently only supports Java on Apache Tomcat, it “is designed so that it can be extended to support multiple development stacks and programming languages in the future.” Various improvements where made throughout the year, however, additional language support was not one of them. It will be interesting to see in 2012 what additional languages become part of the Beanstalk platform.

Simple Email Service

Amazon’s Simple Email Service (SES) is a bulk mailer platform. Also launched in January, SES takes the headaches out of complying with all the various ISP mail handling policies for those needing to send bulk mail. With the recent addition of SMTP support, SES can easily be utilized by simply configuring your application to use a SMTP server instead of a custom Amazon AWS SDK call.

New Locations

Amazon has added the following edge locations (utilized in Route 53 and CloudFront) in 2011:

• Paris, France
• Stockholm, Sweden
• South Bend, Indiana
• San Jose, California
• New York, New York (second location)

Amazon has added the following regions (everything, including EC2) in 2011:

• Toyko (two zones)
• Oregon
• Sao Paulo, Brazil

Pricing!

Amazon continued to drop prices this year. On July 1, they completely removed costs for transferring data in, as well as added additional pricing tiers for > 1 PB. CloudFront prices were also dropped across the board on this date. AWS Direct Connect was also introduced in August to help assist with data transfer pricing. This service simply establishes a relationship between your office and/or datacenter with Amazon Web Services, and thus gives you a discounted price for transfers between those locations. EC2 Reserved Instances also saw price optimization, as you could define your usage on your reserved instance to gain further savings.

ElastiCache

Amazon’s own caching engine was announced in August. ElastiCache is basically a MemCache clone running on EC2 instances at a reduced cost. As ElastiCache continues to see use, Amazon will likely improve the service to be more efficient and hopefully cheaper. Amazon built this service with MemCache users in mind, as existing MemCache libraries typically play nice with ElastiCache without the need for additional configuration.

Check out the complete list of announcements in 2011.

The Data Center Network solution was developed by the two companies to allow users an easy way to store and move data across networks. According the Alcetec-Lucent website, it “targets the network interconnecting data centers and also optimizes all infrastructure resources, to improve functionality, performance and scalability.” Supposedly, this new solution increases the flexibility of an organization’s infrastructure and lowers costs dramatically when compared to traditional methods. He is a list of benefits from the site:

• Increased network performance with faster, more reliable throughput
• Improved time-to-market through an integrated end-to-end hardware, software and services solution
• Increased uptime by protecting against data loss
• Enhanced flexibility and agility with an open-standard based design
• Reduced total-cost-of-ownership

The other product, CloudSystem, is not brand new like the Data Center Network solution, but it is now being integrated with technology from Alcatel-Lucent. According to HP, the update will

“enable communications services providers to deliver high-value cloud services using carrier-class network and IT. The combination of IT infrastructure, software and telecommunications-grade network lets communications services providers automate the provisioning and management of cloud resources through a highly reliable network.”

It is clear that the announcements of these two products being so close to each other is no coincedence, as they very clearly are meant to interact with each other. For more information on the collaboration between to two companies, go the the site for the HP and Alcatel-Lucent Strategic Alliance and learn more. Be sure to stay updated for future updates, as this collaboration could offer some very interesting possibilities.

Based in Ft. Lauderdale, FL, Citrix Systems is a company that server/desktop virtualization, networking, and cloud infrastructure. They offer an array of cloud-ready products and services, such as the ones listen below:

• XenServer – a server virtualization tool that comes in an array of formats, including a basic free version (keeping with its open source roots). It allows you to manage multiple virtual machines from a single physical server. The supported “guest” operating systems can be just about anything, including the big 3 (Windows, OS X, and Linux) and the hypervisor keeps them appropriately separated.
• CloudStack – an infrastructure-as-a-service platform provided through cloud.com (which was acquired by Citrix in July 2011. It is an open source solution, and has a very easy to use AJAX web interface.

Citrix also offers a few more solutions, so go and take a look at their website (www.citrix.com) for more information on their products. The other service provider that I’ll look at is Unisys, which also has a large portfolio of cloud-ready solutions. Here are a few of their offerings:

• CloudBuild Services – Unisys will help you build and deploy a cloud and offer you support services to keep it running.
• Unisys Secure Cloud Solution
• Unisys Hosted Secure Private Cloud Solution
• Unisys Secure Private Cloud
• Virtual Office as a Services (VoaaS)

Like Citrix, Unisys also offers a huge array of products and services that you can get more information about on their website at http://www.unisys.com/. Remember, these are just two of the more prominent providers of cloud-ready services, and there are many more out there, so do a good deal of research to find out what companies offer the services that you actually need.

Some of the tools commonly used within the Windows 3.1 / DOS environment were:

• userlist – This command that was executed at the DOS command prompt displayed a list of users currently logged into the specific Novell NetWare network. These users in the list are sorted by the port number the user was logged into, and was also designated by the moment in time they logged in as well.
• attach – If you are currently logged in under one username/account, you can also attach another user onto your current networking session. This is great if you have a person who wants to share a file with you, or the person you are attaching wants to access a file that is in their user’s folder.
• syscon – Short for system configuration, this is a GUI (Graphic User Interface) that allows the supervisor or administrator user to manage the accounts on their network. Various options to manage on the accounts are:
• Account Balance – If there are monetary/financial records associated with this account, the supervisor/administrator can set restrictions if this balance gets low.
• Login Script – If you would like to have a specific user perform certain commands/functions upon their logging into the network, the supervisor/administrator can edit the login script for the specific user here.
• Time Restrictions – If you would like a user to be only logged in for a certain amount of time, the supervisor/administrator can set the specific time period allotted for the user.

For the Microsoft Windows distributions of 95 and 98, Novell NetWare functions were able to be managed from the system tray by right clicking on a red N that appeared next to the clock. This setup of NetWare functions made the DOS commands obselete, and not as frequently used like the GUI functions have been.

For those unaware, it is appropriate to mention that Netfilter who develops iptables is a longstanding team of developers who have contributed code since 1998. Though iptables is for Linux, even admins who use mostly Windows often have a Linux firewall, and in the case of Windows only, at least the concepts of IP routing will be of benefit.

And now, without further ado, (drumroll please…) — iptables! Iptables is an administration tool for IPv4 packet filtering and NAT. This little tool can make packets leap tall buildings, be in two places at once, or even disappear! Iptables is the place where magic happens!

Have you ever wanted to block brute force attacks, blacklist IP addresses, send “knocks” to open secret ports on your server, reroute port 9001 to 80, limit the number of connections to a port, or limit the amount of time a port is open? Iptables can do all of this and more.

Next, we will take an overview of what makes up iptables and how to use it. That will give some substance to this eulogy. In the mean time, we will leave you in awe with one of iptable’s wonders: the auto-updating IP blacklist! Behold!

wget -qO - http://infiltrated.net/blacklisted|awk '!/#|[a-z]/&&/./{print "iptables -A INPUT -s "$1" -j DROP"}'

This little snippet of code is found on Linuxaria and uses the blacklist published by infiltrated.net which is updated hourly.

The ComodoHacker, who is an ideologically-driven Iranian, takes credit for the breach. Allegedly, this is ComodoHacker’s second feat this year, the first being the Comodo CA in March when false certificates were obtained for Google, Yahoo, Skype, and other major websites. Fox-IT’s report (PDF) links the hacker to Iran and suggests the objective was to intercept secure communications in Iran.

Mike Fratto’s article puts into perspective the massive implications of the breach, even if we know who the hacker and intended targets were. The Tor Project posted a list of all 531 rogue certs signed by DigiNotar.

In immediate response to these rogue certs being discovered, Firefox, Chrome, Apple, Microsoft, and Ubuntu each revoked all of DigiNotar’s certificates. The intensity of the reaction reflects the severity of what happened.

GlobalSign, another CA halted operations as a precaution, but it appears there are no signs of false certificates having been issued. Although a false certificate can really only be exploited by a man-in-the-middle (MITM) attack, which is difficult, the enormous value of being able to listen on secure channels to email providers and other major websites is enough to give hackers the drive to do so.

ZDNet has an outstanding article on TLS/SSL that explains how the PKI system works. The events that have taken place are certainly a major blow to the public key system, but it is currently the best system available. In time, it will improve and adapt to the incredibly fast-changing network we live on.

dig zappos.com

The result will show a query time of say 357 msec. When it is run again right after it should drop down to perhaps even 1 msec if caching is enabled. However, there are some disadvantages to internal DNS. If the software is not updated and patched it could leave networks vulnerable to DDoS attacks or various forms of poisoning. Also, designing and maintaining an internal DNS is a significant cost both because of the time and expertise required, though not as much for setting up a local DNS on smaller networks.

Second, is the external DNS option. As Network Computing comments, a Verisign report showed that companies using external DNS experienced half the downtime compared to those that have internal DNS or DNS provided by their ISP. The cause for this lies in the use of anycast which ensures a DNS server is always available. Most companies do not have the finances to build and maintain a DNS system that could compete with the performance provided by DNS services. Another advantage of external DNS services is that they can better handle DDoS attacks because of their distributed architecture and available bandwidth.

Only reflecting on the network layout and needs of one’s company could a certain decision be made between internal and external DNS. In either case, there are best solutions for each. Using DNS appliances can help get around some of the issues with internal DNS, such as the expertise to install and maintain such as system. Externally, Google Public DNS may have advantages over other solutions. As with many problems in IT, a bit of planning and problem solving can go a lot further than hasty or expensive solutions.