IT security managers say the dangers posed by computer worms and hacker attacks have compelled them to shift defenses from passively monitoring their networks to actively blocking attacks, even though legitimate traffic sometimes gets blocked.
With the growth of intrusion-prevention systems, established IPS vendors and start-ups are introducing an ever-widening array of products.
However, while IPSs appears to be usurping intrusion-detection systems (IDS) in more organizations, they come with the risk of blocking good traffic and bad.
"It's a calculated risk," says Chris Hoff, information security officer at Western Corporate Federal Credit Union (WesCorp) in San Dimas, Calif., about his company's decision to shift from IDS to IPS over the last six months.
WesCorp, which has $25 billion in assets and provides back-office management services to about 1,000 credit unions, deployed the Internet Security Systems (ISS) Proventia G-100 IPS appliance to start automatically blocking attack traffic. The main reason is that even one hit from the growing number of worms and hacker attempts would be too high a price to pay, Hoff says. However, the downside is that legitimate traffic occasionally is blocked along with attack traffic, he adds.
"Legitimate traffic can be blocked, and we spend an enormous amount of time tracking down false positives and false negatives," Hoff says. He adds that there needs to be improvement in IPS blocking to filter out the "harmful stuff" while allowing good traffic through.
In spite of the problems false positives cause - the same kind that plagued passive IDS sensors over the years - Hoff says he has no intention of giving up intrusion prevention. He adds that WesCorp isn't buying network-based IDS any more. Instead, the company is using vulnerability-assessment much more than it did in the past, and deploying products from Skybox Technologies and Qualys to determine which server and desktops require patching and updates.
Hoff says he's interested in host-based IPS, too, but is waiting for prices to drop. Costs typically run into the hundreds of dollars for the software for each server that needs protection.
According to IDC, the market for IDS and IPS together - collectively known as intrusion detection and prevention (IDP) - is about $730 million, with host-based software half of network-based software and hardware last year.
Several analyst firms, including Infonetics Research and IDC, say it's admittedly hard to figure out the exact number of blocking-capable IPS products that were sold in any year vs. IDS. This is because some of the larger IDP vendors, including ISS and Symantec, are reluctant to break this out. The reason often given is that IPS typically includes passive IDS functionality, and sometimes customers use IPS for passive monitoring or in a "mixed mode" where they block some traffic but monitor other portions.
Nevertheless, there's strong reason to believe IPS is gaining ground among enterprise customers, says Charles Kolodgy, research director for security products at IDC. He predicts that within a matter of a few years "IPS will eventually be the predominant technology."
IPS is selling better than IDS, confirms Clarence Morey, senior manager for product strategy at ISS, adding IPS is often preferred for the most mission-critical networks. ISS, which focused on software-based intrusion detection until the launch of its Proventia appliance line in mid-2003, declines to offer more detail on numbers. But in its latest quarterly legal filing at the Securities and Exchange Commission, ISS indicated that the Proventia line of IPS appliances accounted for 61% of product and license sales in the third quarter of this year, and 53% of sales revenue for the nine months of the year. ISS stated its nine-month revenue as $88.9 million, as opposed to $76.1 million for the same period a year ago. According to this statement, IPS has overtaken sales of traditional IDS.
IDC also points out that several of the top vendors in the IDP market - McAfee, NetScreen Technologies (which Juniper bought last year) and Top Layer Networks - generate their revenue through IPS products alone. IDC also cites the explosion of new market entries in the last six months as an indicator of growing demand for IPS.
On the host-based IPS side, eEye Digital Security's Blink software and products from start-ups such as Bodacion and Determina were introduced this year.
On the network-based IPS side, the new-product barrage came from start-ups such as Barrier Group, Beadwindow and Captus Networks. A few, such as Sentryware, offer network- and host-based IPS.
McAfee recently unveiled two new versions of its IntruShield IPS, the multi-gigabit models 4010 and 3000 with expanded ports for large corporations and ISPs.
Amid this cornucopia of IPS offerings, there's no shortage of early adopters willing to try network-based IPS to protect their networks through blocking.
"I look at it as a disaster-prevention element," says Eben Berry, manager of IS at managed healthcare provider Network Health in Cambridge, Mass., which serves 60,000 Medicaid recipients. The healthcare organization uses V-Secure's 100M bit/sec V-100 appliance at the perimeter to block attacks on its Web site.
Berry says the V-100 appliance doesn't rely on signatures to pinpoint attacks but instead monitors patterns of activity. On its internal LAN, Network Health deployed a different IPS: Juniper's NetScreen IDP-100, because it can filter on a bidirectional basis, something V-Secure's appliance only recently added.
Todd Woyke, engineer at Diversico Industries, a tool manufacturer in Minneapolis, decided to use Barrier Group's IPS after being blitzed repeatedly by dozens of computer worms and hackers that broke into servers. "So far, all I can say is we aren't seeing any intrusions," Woyke says, and adds he's sold on intrusion prevention.
Tuesday, October 30, 2007
Unclassified but Sensitive Internet Protocol Router Network Security Policy
The Unclassified but Sensitive Internet Protocol Router Network is a network of government-owned Internet protocol routers used to exchange unclassified but sensitive information between DoD users. The Unclassified but Sensitive Internet Protocol Router Network is also the primary entrance into the Internet. As of August 2000, over 70 percent of Unclassified but Sensitive Internet Protocol Router Network traffic is directed toward the Internet. As the growth and usage of the Internet surge, so do the dangers of intrusion into sensitive networks. In a policy memorandum on "Increasing the Security Posture of the Unclassified but Sensitive Internet Protocol Router Network," August 22, 1999, the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) expressed interest and concern over the multitude of interconnections between the Unclassified but Sensitive Internet Protocol Router Network and the Internet.
Secret Internet Protocol Router Network (SIPRNET)
SIPRNET replaces the DDN DSNET1 as the SECRET portion of DISN. Its complete architecture will be achieved by constructing a new worldwide backbone router system. The primary method for secret-level network connectivity is via Base secret-level networks which in turn provide Base Router connectivity to SIPRNET. Various DOD router services and systems will migrate onto the SIPRNET backbone router network to serve the long-haul data transmission needs of the users. Transmission services will use smart multiplexer and 512 kilobits per second (kbps) channels. Other transmission services will be acquired or leased as needed. Future expansion will progress to the T1 circuit data rate of 1.544 Megabits (Mbps) and potentially to the T3 data rate of 45 Mbps. High speed packet switched service will be provided through the use of IP routers. This SECRET router layer of the DISN is intended to support national defense C3I requirements, to include the issuing of COMSEC keys used with the STU-III to make secure dial-up SIPRNET comm server connections.
The Secret Internet Protocol Router Network (SIPRNET) has matured to be the core of our warfighting command and control capability. Many expeditionary commanders ask for SIPRNET ahead of secure voice when deploying their forces. SIPRNET is fast becoming the defacto standard of preferred data services, even over NIPRNET. The SIPRNET is the new, worldwide router-based network replacing the older X.25-based packet switched network (the Defense Secure Network One (DSNET1) of the Defense Data Network (DDN)). The initial SIPRNET backbone router network went online 3 March 1994. Subscribers started coming on line shortly thereafter. The SIPRNET WAN (as of 31 May 1995) consisted of a collection of 31 backbone routers interconnected by high-speed serial links to serve the long-haul data transport needs of secret-level DoD subscribers. Additional SIPRNET backbone routers are being planned to meet increased customer requirements. SIPRNET supports the DoD standard Transmission Control Protocol/Internet Protocol (TCP/IP) protocol service. Subscribers within the DoD and other Government Agencies are able to use the SIPRNET for passing datagrams at the Secret-Not Releasable to Foreign Nationals (SECRET-NOFORN) classification level.
The Secret Internet Protocol Router Network (SIPRNET) has matured to be the core of our warfighting command and control capability. Many expeditionary commanders ask for SIPRNET ahead of secure voice when deploying their forces. SIPRNET is fast becoming the defacto standard of preferred data services, even over NIPRNET. The SIPRNET is the new, worldwide router-based network replacing the older X.25-based packet switched network (the Defense Secure Network One (DSNET1) of the Defense Data Network (DDN)). The initial SIPRNET backbone router network went online 3 March 1994. Subscribers started coming on line shortly thereafter. The SIPRNET WAN (as of 31 May 1995) consisted of a collection of 31 backbone routers interconnected by high-speed serial links to serve the long-haul data transport needs of secret-level DoD subscribers. Additional SIPRNET backbone routers are being planned to meet increased customer requirements. SIPRNET supports the DoD standard Transmission Control Protocol/Internet Protocol (TCP/IP) protocol service. Subscribers within the DoD and other Government Agencies are able to use the SIPRNET for passing datagrams at the Secret-Not Releasable to Foreign Nationals (SECRET-NOFORN) classification level.
Tuesday, October 23, 2007
Security and VPN Management Solution
As today's enterprises transform their networks into a tool that enables employees to be more productive, they must find ways to protect the network and the data that traverses it. The Cisco Self-Defending Network leverages integrated Cisco security infrastructure to ensure the enterprise network defends against external security threats, protects systems and information through internal trust and identity policies, and provides secure business communications. The result is security assurance and protection of company profits and assets.
The Cisco Security Management Suite is a framework of products and technologies designed for scalable policy administration and enforcement for the Cisco Self-Defending Network. This integrated solution can simplify and automate the tasks associated with security management operations, including: configuration, monitoring, analysis, and response. The key components of this suite are the Cisco Security Manager and the Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS).
Cisco Security Manager and Cisco Security MARS can be deployed separately to provide flexibility for any network environment. However, when used together, an administrator can achieve even greater value and productivity benefits. These applications are integrated to provide an outstanding ability to continuously monitor and improve the security of the network as threats arise. This allows organizations to realize the following business benefits:
With a powerful set of applications, an integrated architecture, and a comprehensive ecosystem partner strategy, the Cisco Security Management Suite is positioned as the ideal management solution for the Cisco Self-Defending Network
The Cisco Security Management Suite is a framework of products and technologies designed for scalable policy administration and enforcement for the Cisco Self-Defending Network. This integrated solution can simplify and automate the tasks associated with security management operations, including: configuration, monitoring, analysis, and response. The key components of this suite are the Cisco Security Manager and the Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS).
1. Cisco Security Manager is a powerful but easy-to-use solution for configuring firewall, VPN, and intrusion prevention system (IPS) policies on Cisco security appliances, firewalls, routers, and switch modules.
2. Cisco Security MARS, is an appliance-based, all-inclusive solution that allows network and security administrators to monitor, identify, isolate, and counter security threats.
Cisco Security Manager and Cisco Security MARS can be deployed separately to provide flexibility for any network environment. However, when used together, an administrator can achieve even greater value and productivity benefits. These applications are integrated to provide an outstanding ability to continuously monitor and improve the security of the network as threats arise. This allows organizations to realize the following business benefits:
1. Simplified management of an integrated security fabric
2. Higher network availability through faster threat mitigation
3. Reduced complexity across multiple security platforms
4. IT Investment preservation
With a powerful set of applications, an integrated architecture, and a comprehensive ecosystem partner strategy, the Cisco Security Management Suite is positioned as the ideal management solution for the Cisco Self-Defending Network
Monday, October 22, 2007
Cisco Cable High Speed Data (HSD) Solutions
Add DOCSIS-Based High-Speed Data Services
Cable operators have enjoyed great success offering Internet access. Cisco has the real-world experience, proven products, and advanced technologies to help you supply cable high-speed data (HSD) services, based on DOCSIS standards, for homes and businesses.
Cisco HSD solutions (Figure 1) blend broadband cable RF technology with Cisco’s highly scalable, secure, and flexible IP core technology. The Cisco portfolio includes industry-leading, DOCSIS-compliant CMTSs, leading-edge business and home CPE, and advanced IP backbone and edge products. Along with residential HSD products, Cisco offers tested business service solutions, including VPNs, Metro Ethernet, and virtual LANs, that can generate higher margins and higher revenue.
Cisco works with you to integrate its broad array of products into a single, highly productive HSD solution tailored to your needs.
How the DOCSIS-Based Solution Works
Your high-speed data backbone can be used for interconnection between different regional networks, as well as to external networks. High-speed trunks using DWDM and SONET/SDH technologies support Ethernet interfaces used by both routers and switches. The statistically multiplexed links can, in turn, use Dynamic Packet Transport (DPT), Resilient Packet Rings (RPRs), or other Ethernet transport standards such as 10 Gigabit Ethernet links.
Next-generation technology incorporates Modular CMTS architectures (M-CMTS) based on DOCSIS 3.0 downstream channel-bonding techniques that more effectively use bandwidth. Your customers can receive 100 Mbps services and beyond via your existing cable plant. You can add this new technology on a node-by-node basis, responding to competition as it arises. Our solutions let you take advantage of DOCSIS 3.0 channel bonding without a major infrastructure upgrade and also allow you to support DOCSIS 1.x, 2.0, and 3.0 simultaneously.
Cable operators have enjoyed great success offering Internet access. Cisco has the real-world experience, proven products, and advanced technologies to help you supply cable high-speed data (HSD) services, based on DOCSIS standards, for homes and businesses.
Cisco HSD solutions (Figure 1) blend broadband cable RF technology with Cisco’s highly scalable, secure, and flexible IP core technology. The Cisco portfolio includes industry-leading, DOCSIS-compliant CMTSs, leading-edge business and home CPE, and advanced IP backbone and edge products. Along with residential HSD products, Cisco offers tested business service solutions, including VPNs, Metro Ethernet, and virtual LANs, that can generate higher margins and higher revenue.
Cisco works with you to integrate its broad array of products into a single, highly productive HSD solution tailored to your needs.
How the DOCSIS-Based Solution Works
Your high-speed data backbone can be used for interconnection between different regional networks, as well as to external networks. High-speed trunks using DWDM and SONET/SDH technologies support Ethernet interfaces used by both routers and switches. The statistically multiplexed links can, in turn, use Dynamic Packet Transport (DPT), Resilient Packet Rings (RPRs), or other Ethernet transport standards such as 10 Gigabit Ethernet links.
Next-generation technology incorporates Modular CMTS architectures (M-CMTS) based on DOCSIS 3.0 downstream channel-bonding techniques that more effectively use bandwidth. Your customers can receive 100 Mbps services and beyond via your existing cable plant. You can add this new technology on a node-by-node basis, responding to competition as it arises. Our solutions let you take advantage of DOCSIS 3.0 channel bonding without a major infrastructure upgrade and also allow you to support DOCSIS 1.x, 2.0, and 3.0 simultaneously.
Figure 1 Cisco Cable DOCSIS-Based High-Speed Data Solutions
Click on a product name for more information
Thursday, October 18, 2007
Best Practices for Software Performance Testing
Many organizations fail to utilize automated tools as a means to test the large scale performance of applications. This significantly limits their ability to adequately measure the capabilities of programs under various user loads, network conditions and server and database utilization rates. This Podcast details best practices for performance testing, highlighting the various errors that such testing can bring to light.
This Podcast highlights the best practices necessary for effective software performance testing. In this Podcast, you will learn about:
The components of performance testing
Issues performance testing uncovers
Important factors affecting software performance
The impact of Web 2.0 and Ajax on software performance testing
CLICK HERE TO PLAY THE AUDIO
--------------------------
SPEAKERS:
Paul Gillin
Principal, Paul Gillin Communications
Paul Gillin is a veteran technology journalist with more than 23 years of editorial leadership, including positions as chief editor of TechTarget and Computerworld. He is now a content marketing consultant specializing in technology and new media. He advises business-to-business marketers on how to optimize online channels to reach buyers most cost-effectively. His forthcoming book about social media, The New Influencers, will be published by Quill Driver Books in Spring, 2007.
Siva Darivemula
Director of Product Marketing, Hewlett-Packard Company
Siva Darivemula is the Director of Product Marketing for the HP Performance Center software product line. In this role, he is responsible for the go-to-market strategy of performance testing solutions. He has many years of experience with enterprise software and solutions and product marketing. He has worked at IBM, Microsoft and Adobe Systems with industry-leading solutions such as WebSphere, Microsoft Office, and Flex.
This Podcast highlights the best practices necessary for effective software performance testing. In this Podcast, you will learn about:
The components of performance testing
Issues performance testing uncovers
Important factors affecting software performance
The impact of Web 2.0 and Ajax on software performance testing
CLICK HERE TO PLAY THE AUDIO
--------------------------
SPEAKERS:
Paul Gillin
Principal, Paul Gillin Communications
Paul Gillin is a veteran technology journalist with more than 23 years of editorial leadership, including positions as chief editor of TechTarget and Computerworld. He is now a content marketing consultant specializing in technology and new media. He advises business-to-business marketers on how to optimize online channels to reach buyers most cost-effectively. His forthcoming book about social media, The New Influencers, will be published by Quill Driver Books in Spring, 2007.
Siva Darivemula
Director of Product Marketing, Hewlett-Packard Company
Siva Darivemula is the Director of Product Marketing for the HP Performance Center software product line. In this role, he is responsible for the go-to-market strategy of performance testing solutions. He has many years of experience with enterprise software and solutions and product marketing. He has worked at IBM, Microsoft and Adobe Systems with industry-leading solutions such as WebSphere, Microsoft Office, and Flex.
Small Business Networking
By James Gaskin
HP's c3000 aims at medium and small businesses.
If you're drooling over the advances in the world of blade servers, wishing you could afford a rack or two of them, that day may arrive sooner than you think. Looking to replace the jumble of servers stacked in the storage closet, er, server room? Don't have a fancy raised floor and heavy duty air conditioner? No problem.
Of course, if you read about the heavy power requirements for a rack full of blades, such as three phase power modules, you figure blades will elude you forever. When you read about problems large companies have cooling a cabinet full of 64 blade servers, all with two processors and 32GBs of RAM generating heat like the August sun, you may be glad to avoid such headaches.
But the truth is blade servers create less heat, and require less power, than stand-alone servers with the same horsepower. They just need the power and cool air in one small spot. Second generation blade server chassis now do a better job dispersing the heat generated by blades than ever before, and cooling product vendors have adapted their tools to better handle the heat created by racks of blade servers. Still takes work, but it is getting easier.
Even better, HP now has a smaller blade enclosure system called the c3000, or Shorty. The company based the unit on the enterprise class c7000 blade enclosure used by the big data centers, so many parts from the high end system work in the c3000, such as the special cooling fans. Aiming at branch offices of large companies, HP actually made a great “introductory” blade server system for small and midsize businesses.
The best thing about the c3000 for small businesses is its ability to run in the same kind of environment your current servers do: the “nothing special” environment. It runs on power from a normal 120 volt wall socket. It runs in rooms cooled by standard office air conditioning. In other words, you can get a blade system and treat it as badly as you treat your current servers. There's no need to upgrade your storage closet/server room.
Blade system vendors say the price for blades evens out with stand-alone servers when buying five servers. You have to amortize the cost of the chassis over five servers to get the individual server cost down to match similar stand-alone server pricing. While it's more efficient to provide power and cooling fans in the chassis for multiple servers rather than in each case for stand-alone servers, that does drive up the cost of the chassis. Blade production volumes continue to increase, but traditional servers still get lower pricing from higher volume production runs.
Full height blade servers aren't much smaller than the rackable 1U pizza box style servers they replace. They moved the cooling and power supplies off the server motherboard into the chassis, but they didn't make a huge leap in server density. Blades reduced management overhead and did away with 9 of 10 cables used inside a normal rack, but the server density didn't jump way up.
HP's half height blades, however, pack two complete servers into the same space as one of their full height blade slots. Since the c3000 Shorty chassis can handle four full height blades, eight half height blades, or any combination that works mathematically, you can choose exactly what your blade server system includes.
These second generation blade servers, both full and half height, include more storage options onboard and storage blades, packed with hard disks rather than processors, provide additional capacity as well. The release of 3.5 inch hard drives with 1 terabyte of data space really allows you to pack plenty of storage into a small space. In this case, pack it into a small slot.
Blade technology dominates future plans in large data centers. For the first time, small and growing businesses can jump into blade territory without worrying about concentrated cooling and power demands faced by the enterprise data centers.
Keep an eye on Network World's review pages. Tom Henderson, a fellow member of the Test Alliance, has a c3000 on his testing bench for review right now.
Although vendors only promise you'll come out even price-wise if you buy five blade servers, you should plan ahead a little. If you need three servers now, or even two, check out the c3000, especially if you know your next server purchase will be within a few months.
Like the book from the '70s said, small is beautiful. Small and powerful, however, is gorgeous.
HP's c3000 aims at medium and small businesses.
If you're drooling over the advances in the world of blade servers, wishing you could afford a rack or two of them, that day may arrive sooner than you think. Looking to replace the jumble of servers stacked in the storage closet, er, server room? Don't have a fancy raised floor and heavy duty air conditioner? No problem.
Of course, if you read about the heavy power requirements for a rack full of blades, such as three phase power modules, you figure blades will elude you forever. When you read about problems large companies have cooling a cabinet full of 64 blade servers, all with two processors and 32GBs of RAM generating heat like the August sun, you may be glad to avoid such headaches.
But the truth is blade servers create less heat, and require less power, than stand-alone servers with the same horsepower. They just need the power and cool air in one small spot. Second generation blade server chassis now do a better job dispersing the heat generated by blades than ever before, and cooling product vendors have adapted their tools to better handle the heat created by racks of blade servers. Still takes work, but it is getting easier.
Even better, HP now has a smaller blade enclosure system called the c3000, or Shorty. The company based the unit on the enterprise class c7000 blade enclosure used by the big data centers, so many parts from the high end system work in the c3000, such as the special cooling fans. Aiming at branch offices of large companies, HP actually made a great “introductory” blade server system for small and midsize businesses.
The best thing about the c3000 for small businesses is its ability to run in the same kind of environment your current servers do: the “nothing special” environment. It runs on power from a normal 120 volt wall socket. It runs in rooms cooled by standard office air conditioning. In other words, you can get a blade system and treat it as badly as you treat your current servers. There's no need to upgrade your storage closet/server room.
Blade system vendors say the price for blades evens out with stand-alone servers when buying five servers. You have to amortize the cost of the chassis over five servers to get the individual server cost down to match similar stand-alone server pricing. While it's more efficient to provide power and cooling fans in the chassis for multiple servers rather than in each case for stand-alone servers, that does drive up the cost of the chassis. Blade production volumes continue to increase, but traditional servers still get lower pricing from higher volume production runs.
Full height blade servers aren't much smaller than the rackable 1U pizza box style servers they replace. They moved the cooling and power supplies off the server motherboard into the chassis, but they didn't make a huge leap in server density. Blades reduced management overhead and did away with 9 of 10 cables used inside a normal rack, but the server density didn't jump way up.
HP's half height blades, however, pack two complete servers into the same space as one of their full height blade slots. Since the c3000 Shorty chassis can handle four full height blades, eight half height blades, or any combination that works mathematically, you can choose exactly what your blade server system includes.
These second generation blade servers, both full and half height, include more storage options onboard and storage blades, packed with hard disks rather than processors, provide additional capacity as well. The release of 3.5 inch hard drives with 1 terabyte of data space really allows you to pack plenty of storage into a small space. In this case, pack it into a small slot.
Blade technology dominates future plans in large data centers. For the first time, small and growing businesses can jump into blade territory without worrying about concentrated cooling and power demands faced by the enterprise data centers.
Keep an eye on Network World's review pages. Tom Henderson, a fellow member of the Test Alliance, has a c3000 on his testing bench for review right now.
Although vendors only promise you'll come out even price-wise if you buy five blade servers, you should plan ahead a little. If you need three servers now, or even two, check out the c3000, especially if you know your next server purchase will be within a few months.
Like the book from the '70s said, small is beautiful. Small and powerful, however, is gorgeous.
Wednesday, October 17, 2007
Juniper unveils giant router
Juniper claims router surpasses Cisco offering
Juniper Networks Monday announced a eight-slot core router for service providers that boasts bandwidth of 1.6Tbps, more than twice that of the company’s previous high-end system.
The vendor’s T1600, in a half-rack configuration, blows past the 5-year-old T640, which tops out at 640Gbps. Juniper claims its new box provides 2.5 times the capacity of Cisco’s CRS-1 router with 30% less power and cooling requirements.
T640 customers can upgrade to the new router in 90 minutes without service interruption, Juniper says.
Given that the T640 came out in 2002, they might be eager to do just that.
“The T640 is old,” says Mark Seery, an analyst at Ovum. “Five years is a long time in this business.”
Service-aware routers
The T1600 is also “service aware,” according to Juniper, meaning that it can provide content-specific transmission quality depending on the traffic type – voice and video, in addition to data. Core networks that are not service aware delay new service introduction, lead to inefficient use of resources, force the construction of complex network architectures, and ultimately limit an operator’s competitiveness, according to Juniper.
Service awareness is achieved through in-depth packet processing and policy control. Policy is enabled by Juniper’s recently announced Session Resource Control products, hardware-based controllers running applications which mange subscribers and network resources.
The T1600 also supports the recently introduced point-to-multipoint MPLS (P2MP) feature in the JUNOS operating system. P2MP is intended to provide efficient core video distribution and enhanced optical network integration at 10G and 40Gbps.
A potential downside to the T1600 is its initial lack of support on Juniper’s TX switching matrix, a centralized fabric designed to connect T-series routers into a multiterabit-per-second virtual megarouter. Juniper says customers are demanding higher density and capacity in individual elements for scale rather than connecting multiple lower density systems together.
Juniper also says TX will require an upgrade to support the 100Gbps-per-slot capacity of the T1600. Company officials did not say when this upgrade would be unveiled.
What carriers think
Ovum’s Seery says carriers are not yet confident in the multichassis interconnect options from their vendors.
“I believe all carriers are trying to assess whether they are comfortable with multichassis configurations,” he says. Some carriers are looking for redundancy features, such as the ability to deploy dual distributed switch fabrics, to eliminate the single point of failure current offerings present, Seery says.
Juniper’s hoping carriers won’t wait for the TX support before buying the T1600. Juniper’s deployed 2,500 T640s to date but the company’s share in the core router market slipped from 37% to 30% over the past year.
And Cisco, which announced Monday that it shipped 900 CRS-1s since the product’s launch in 2004, stole some thunder when AT&T picked the CRS-1 to replace its Avici Systems installation after Avici announced it was exiting the core router market.
“The T1600 will help defend Juniper against [Cisco’s] CRS-1,” Seery says. “But it’s not in a strong position until it’s in a TX configuration.”
The T1600 is slated for fourth quarter availability.
The vendor’s T1600, in a half-rack configuration, blows past the 5-year-old T640, which tops out at 640Gbps. Juniper claims its new box provides 2.5 times the capacity of Cisco’s CRS-1 router with 30% less power and cooling requirements.
Juniper Networks Monday announced a eight-slot core router for service providers that boasts bandwidth of 1.6Tbps, more than twice that of the company’s previous high-end system.
The vendor’s T1600, in a half-rack configuration, blows past the 5-year-old T640, which tops out at 640Gbps. Juniper claims its new box provides 2.5 times the capacity of Cisco’s CRS-1 router with 30% less power and cooling requirements.
T640 customers can upgrade to the new router in 90 minutes without service interruption, Juniper says.
Given that the T640 came out in 2002, they might be eager to do just that.
“The T640 is old,” says Mark Seery, an analyst at Ovum. “Five years is a long time in this business.”
Service-aware routers
The T1600 is also “service aware,” according to Juniper, meaning that it can provide content-specific transmission quality depending on the traffic type – voice and video, in addition to data. Core networks that are not service aware delay new service introduction, lead to inefficient use of resources, force the construction of complex network architectures, and ultimately limit an operator’s competitiveness, according to Juniper.
Service awareness is achieved through in-depth packet processing and policy control. Policy is enabled by Juniper’s recently announced Session Resource Control products, hardware-based controllers running applications which mange subscribers and network resources.
The T1600 also supports the recently introduced point-to-multipoint MPLS (P2MP) feature in the JUNOS operating system. P2MP is intended to provide efficient core video distribution and enhanced optical network integration at 10G and 40Gbps.
A potential downside to the T1600 is its initial lack of support on Juniper’s TX switching matrix, a centralized fabric designed to connect T-series routers into a multiterabit-per-second virtual megarouter. Juniper says customers are demanding higher density and capacity in individual elements for scale rather than connecting multiple lower density systems together.
Juniper also says TX will require an upgrade to support the 100Gbps-per-slot capacity of the T1600. Company officials did not say when this upgrade would be unveiled.
What carriers think
Ovum’s Seery says carriers are not yet confident in the multichassis interconnect options from their vendors.
“I believe all carriers are trying to assess whether they are comfortable with multichassis configurations,” he says. Some carriers are looking for redundancy features, such as the ability to deploy dual distributed switch fabrics, to eliminate the single point of failure current offerings present, Seery says.
Juniper’s hoping carriers won’t wait for the TX support before buying the T1600. Juniper’s deployed 2,500 T640s to date but the company’s share in the core router market slipped from 37% to 30% over the past year.
And Cisco, which announced Monday that it shipped 900 CRS-1s since the product’s launch in 2004, stole some thunder when AT&T picked the CRS-1 to replace its Avici Systems installation after Avici announced it was exiting the core router market.
“The T1600 will help defend Juniper against [Cisco’s] CRS-1,” Seery says. “But it’s not in a strong position until it’s in a TX configuration.”
The T1600 is slated for fourth quarter availability.
The vendor’s T1600, in a half-rack configuration, blows past the 5-year-old T640, which tops out at 640Gbps. Juniper claims its new box provides 2.5 times the capacity of Cisco’s CRS-1 router with 30% less power and cooling requirements.
The Right Fit for Your Business—Versatile Value and Premium Power Networks
3Com® secure converged networks are unique in terms of value and performance. They let customers address their individual needs with choices that feature advanced, end-to-end solutions backed by years of networking experience, robust research, focused development and global support services—all with an emphasis on reduced complexity and cost.
With increasing dependence on meeting business challenges using secure converged networks, organizations need to align performance requirements and budget limits. How can they affordably help people thousands of miles apart meet online to solve a problem, undergo training, edit documents or serve customers—using voice, video or web conferencing technologies and an IP network? How can mobile workers be assured of instant access to critical applications and data? How can communications and business assets be kept safe and secure? How can budgets and resources be stretched?
3Com helps address these challenges. Standards-based, best-in-class security, wireline and wireless switching, routing and Voice over IP technology deliver sophisticated solutions with minimal complexity to ensure fast returns on investment, increased productivity and high-performance communications.
With increasing dependence on meeting business challenges using secure converged networks, organizations need to align performance requirements and budget limits. How can they affordably help people thousands of miles apart meet online to solve a problem, undergo training, edit documents or serve customers—using voice, video or web conferencing technologies and an IP network? How can mobile workers be assured of instant access to critical applications and data? How can communications and business assets be kept safe and secure? How can budgets and resources be stretched?
3Com helps address these challenges. Standards-based, best-in-class security, wireline and wireless switching, routing and Voice over IP technology deliver sophisticated solutions with minimal complexity to ensure fast returns on investment, increased productivity and high-performance communications.
Sunday, September 23, 2007
Cognio's spectrum intelligence technology to enhance, complement Cisco's Unified Wireless Network vision
SAN JOSE, Calif. - September 18, 2007 - Cisco® today announced a definitive agreement to purchase Germantown, MD-based Cognio, Inc., the market leader in wireless spectrum analysis and management for wireless networks.
Cognio's industry-leading spectrum technology enhances performance, reliability and security of wireless networks by detecting, classifying, locating and mitigating sources of radio frequency (RF) interference. The acquisition will provide Cisco with complementary and differentiating technology, intellectual property and a core team to expand Cisco's leadership in unified wireless networking.
Wireless and mobility are becoming mission critical components of today's networks, with businesses viewing the wireless spectrum as a strategic corporate asset. Businesses now require robust, next generation wireless networks to support the unprecedented growth of wireless devices and the increased reliance on mobility applications. Cognio's spectrum intelligence solution enables network managers to proactively manage their wireless spectrum and minimize RF interference for an optimal user experience.
"With a strong product and technology portfolio and consistent innovation from a talented group of engineers, Cognio has emerged as the leader in spectrum intelligence technology," said Brett Galloway, vice president and general manager of the Wireless Networking Business Unit, Cisco. "Wireless spectrum is a strategic asset for our customers, and its management is key to the robust delivery of mobility applications. Cognio's innovation in spectrum intelligence will help ensure Cisco continues to differentiate our ability to deliver our customers rich and dependable end-user mobility experiences."
The Cognio acquisition complements Cisco developed technology as well as expertise from other acquisitions that Cisco has made in the wireless networking space. This acquisition will expedite the delivery of industry-changing capabilities and is consistent with how Cisco uses business development strategies to move into new markets or to gain new technologies. Cisco classifies wireless networking as a Cisco Advanced Technology -- one of six -- with application networking services, home networking, security, storage networking and unified communications being the others.
The Cognio acquisition is subject to various standard closing conditions and is expected to close in the first quarter of Cisco's 2008 fiscal year. Upon the close of the acquisition, Cisco plans to integrate Cognio into its Wireless Networking Business Unit, under the Ethernet and Wireless Technology Group.
The Cognio acquisition will be No. 122 for Cisco and the first one in fiscal year 2008.
Cognio's industry-leading spectrum technology enhances performance, reliability and security of wireless networks by detecting, classifying, locating and mitigating sources of radio frequency (RF) interference. The acquisition will provide Cisco with complementary and differentiating technology, intellectual property and a core team to expand Cisco's leadership in unified wireless networking.
Wireless and mobility are becoming mission critical components of today's networks, with businesses viewing the wireless spectrum as a strategic corporate asset. Businesses now require robust, next generation wireless networks to support the unprecedented growth of wireless devices and the increased reliance on mobility applications. Cognio's spectrum intelligence solution enables network managers to proactively manage their wireless spectrum and minimize RF interference for an optimal user experience.
"With a strong product and technology portfolio and consistent innovation from a talented group of engineers, Cognio has emerged as the leader in spectrum intelligence technology," said Brett Galloway, vice president and general manager of the Wireless Networking Business Unit, Cisco. "Wireless spectrum is a strategic asset for our customers, and its management is key to the robust delivery of mobility applications. Cognio's innovation in spectrum intelligence will help ensure Cisco continues to differentiate our ability to deliver our customers rich and dependable end-user mobility experiences."
The Cognio acquisition complements Cisco developed technology as well as expertise from other acquisitions that Cisco has made in the wireless networking space. This acquisition will expedite the delivery of industry-changing capabilities and is consistent with how Cisco uses business development strategies to move into new markets or to gain new technologies. Cisco classifies wireless networking as a Cisco Advanced Technology -- one of six -- with application networking services, home networking, security, storage networking and unified communications being the others.
The Cognio acquisition is subject to various standard closing conditions and is expected to close in the first quarter of Cisco's 2008 fiscal year. Upon the close of the acquisition, Cisco plans to integrate Cognio into its Wireless Networking Business Unit, under the Ethernet and Wireless Technology Group.
The Cognio acquisition will be No. 122 for Cisco and the first one in fiscal year 2008.
Wednesday, September 19, 2007
Complete Security and Networking Tools
This is what almost computer geek want. 175 Security and network monitoring tools in one package. Good News is its completely Freeware. Yes its freeware i love freeware. imagine if you have to pay fo 175 Software. That coss a lot. So spend your money for your girlfriends. Make she feel happy. Stop mumbling.
Lets take look what inside this freeware called Net Tools.
Net Tools 5.0.70
All-in-one network and system toolkit
1. IP Address Scanner
2. IP Calculator
3. IP Converter
4. Port Listener
5. Port Scanner
6. Ping
7. NetStat (2 ways)
8. Trace Route (2 ways)
9. TCP/IP Configuration
10. Online - Offline Checker
11. Resolve Host & IP
12. Time Sync
13. Whois & MX Lookup
14. Connect0r
15. Connection Analysator and protector
16. Net Sender
17. E-mail seeker
18. Net Pager
19. Active and Passive port scanner
20. Spoofer
21. Hack Trapper
22. HTTP flooder (DoS)
23. Mass Website Visiter
24. Advanced Port Scanner
25. Trojan Hunter (Multi IP)
26. Port Connecter Tool
27. Advanced Spoofer
28. Advanced Anonymous E-mailer
29. Simple Anonymous E-mailer
30. Anonymous E-mailer with Attachment Support
31. Mass E-mailer
32. E-mail Bomber
33. E-mail Spoofer
34. Simple Port Scanner (fast)
35. Advanced Netstat Monitoring
36. X Pinger
37. Web Page Scanner
38. Fast Port Scanner
39. Deep Port Scanner
40. Fastest Host Scanner (UDP)
41. Get Header
42. Open Port Scanner
43. Multi Port Scanner
44. HTTP scanner (Open port 80 subnet scanner)
45. Multi Ping for Cisco Routers
46. TCP Packet Sniffer
47. UDP flooder
48. Resolve and Ping
49. Multi IP ping
50. File Dependency Sniffer
51. EXE-joiner (bind 2 files)
52. Encrypter
53. Advanced Encryption
54. File Difference Engine
55. File Comparasion
56. Mass File Renamer
57. Add Bytes to EXE
58. Variable Encryption
59. Simple File Encryption
60. ASCII to Binary (and Binary to ASCII)
61. Enigma
62. Password Unmasker
63. Credit Card Number Validate and Generate
64. Create Local HTTP Server
65. eXtreme UDP Flooder
66. Web Server Scanner
67. Force Reboot
68. Webpage Info Seeker
69. Bouncer
70. Advanced Packet Sniffer
71. IRC server creater
72. Connection Tester
73. Fake Mail Sender
74. Bandwidth Monitor
75. Remote Desktop Protocol Scanner
76. MX Query
77. Messenger Packet Sniffer
78. API Spy
79. DHCP Restart
80 File Merger
81. E-mail Extractor (crawler / harvester bot)
82. Open FTP Scanner
83. Advanced System Locker
84 Advanced System Information
85. CPU Monitor
86 Windows Startup Manager
87. Process Checker
88. IP String Collecter
89. Mass Auto-Emailer (Database mailer; Spammer)
90. Central Server (Base Server; Echo Server; Time Server; Telnet Server; HTTP Server; FTP Server)
91. Fishing Port Scanner (with named ports)
92. Mouse Record / Play Automation (Macro Tool)
93. Internet / LAN Messenger Chat (Server + Client)
94. Timer Shutdown/Restart/Log Off/Hibernate/Suspend/ Control
95. Hash MD5 Checker
96. Port Connect - Listen tool
97. Internet MAC Address Scanner (Multiple IP)
98. Connection Manager / Monitor
99. Direct Peer Connecter (Send/Receive files + chat)
100. Force Application Termination (against Viruses and Spyware)
101. Easy and Fast Screenshot Maker (also Web Hex Color Picker)
102. COM Detect and Test
103. Create Virtual Drives
104. URL Encoder
105. WEP/WPA Key Generator
106. Sniffer.NET
107. File Shredder
108. Local Access Enumerater
109. Steganographer (Art of hiding secret data in pictures)
110. Subnet Calculater
111. Domain to IP (DNS)
112. Get SNMP Variables
113. Internet Explorer Password Revealer
114. Advanced Multi Port Scanner
115. Port Identification List (+port scanner)
116. Get Quick Net Info
117. Get Remote MAC Address
118. Share Add
119. Net Wanderer
120. WhoIs Console
121. Cookies Analyser
122. Hide Secret Data In Files
123. Packet Generator
124. Secure File Splitting
125. My File Protection (Password Protect Files, File Injections)
126. Dynamic Switch Port Mapper
127. Internet Logger (Log URL)
128. Get Whois Servers
129. File Split&Merge
130. Hide Drive
131. Extract E-mails from Documents
132. Net Tools Mini (Client/Server, Scan, ICMP, Net Statistics, Interactive, Raw Packets, DNS, Whois, ARP, Computer's IP, Wake On LAN)
133. Hook Spy
134. Software Uninstaller
135. Tweak & Clean XP
136. Steganographic Random Byte Encryption
137. NetTools Notepad (encrypt your sensitive data)
138. File Encrypter/Decrypter
139. Quick Proxy Server
140. Connection Redirector (HTTP, IRC, ... All protocols supported)
141. Local E-mail Extractor
142. Recursive E-mail Extractor
143. Outlook Express E-mail Extractor
144. Telnet Client
145. Fast Ip Catcher
146. Monitor Host IP
147. FreeMAC (MAC Address Editor)
148. QuickFTP Server (+user accounts support)
149. NetTools Macro Recorder/Player (Keybord and Mouse Hook)
150. Network Protocol Analyzer
151. Steganographic Tools (Picture, Sounds, ZIP Compression and Misc Methods)
152. WebMirror (Website Ripper)
153. GeoLocate IP
154. Google PageRank Calculator
155. Google Link Crawler (Web Result Grabber)
156. Network Adapter Binder
157. Remote LAN PC Lister
158. Fast Sinusoidal Encryption
159. Software Scanner
160. Fast FTP Client
161. Network Traffic Analysis
162. Network Traffic Visualiser
163. Internet Protocol Scanner
164. Net Meter (Bandwidth Traffic Meter)
165. Net Configuration Switcher
166. Advanced System Hardware Info
167. Live System Information
168. Network Profiler
169. Network Browser
170. Quick Website Maker and Web Gallery Creator
171. Remote PC Shutdown
172. Serial Port Terminal
173. Standard Encryptor
174. Tray Minimizer
175. Extra Tools (Check Out Yourself)
Net Tools requires Microsoft .NET Framework 2.0
Lets take look what inside this freeware called Net Tools.
Net Tools 5.0.70
All-in-one network and system toolkit
1. IP Address Scanner
2. IP Calculator
3. IP Converter
4. Port Listener
5. Port Scanner
6. Ping
7. NetStat (2 ways)
8. Trace Route (2 ways)
9. TCP/IP Configuration
10. Online - Offline Checker
11. Resolve Host & IP
12. Time Sync
13. Whois & MX Lookup
14. Connect0r
15. Connection Analysator and protector
16. Net Sender
17. E-mail seeker
18. Net Pager
19. Active and Passive port scanner
20. Spoofer
21. Hack Trapper
22. HTTP flooder (DoS)
23. Mass Website Visiter
24. Advanced Port Scanner
25. Trojan Hunter (Multi IP)
26. Port Connecter Tool
27. Advanced Spoofer
28. Advanced Anonymous E-mailer
29. Simple Anonymous E-mailer
30. Anonymous E-mailer with Attachment Support
31. Mass E-mailer
32. E-mail Bomber
33. E-mail Spoofer
34. Simple Port Scanner (fast)
35. Advanced Netstat Monitoring
36. X Pinger
37. Web Page Scanner
38. Fast Port Scanner
39. Deep Port Scanner
40. Fastest Host Scanner (UDP)
41. Get Header
42. Open Port Scanner
43. Multi Port Scanner
44. HTTP scanner (Open port 80 subnet scanner)
45. Multi Ping for Cisco Routers
46. TCP Packet Sniffer
47. UDP flooder
48. Resolve and Ping
49. Multi IP ping
50. File Dependency Sniffer
51. EXE-joiner (bind 2 files)
52. Encrypter
53. Advanced Encryption
54. File Difference Engine
55. File Comparasion
56. Mass File Renamer
57. Add Bytes to EXE
58. Variable Encryption
59. Simple File Encryption
60. ASCII to Binary (and Binary to ASCII)
61. Enigma
62. Password Unmasker
63. Credit Card Number Validate and Generate
64. Create Local HTTP Server
65. eXtreme UDP Flooder
66. Web Server Scanner
67. Force Reboot
68. Webpage Info Seeker
69. Bouncer
70. Advanced Packet Sniffer
71. IRC server creater
72. Connection Tester
73. Fake Mail Sender
74. Bandwidth Monitor
75. Remote Desktop Protocol Scanner
76. MX Query
77. Messenger Packet Sniffer
78. API Spy
79. DHCP Restart
80 File Merger
81. E-mail Extractor (crawler / harvester bot)
82. Open FTP Scanner
83. Advanced System Locker
84 Advanced System Information
85. CPU Monitor
86 Windows Startup Manager
87. Process Checker
88. IP String Collecter
89. Mass Auto-Emailer (Database mailer; Spammer)
90. Central Server (Base Server; Echo Server; Time Server; Telnet Server; HTTP Server; FTP Server)
91. Fishing Port Scanner (with named ports)
92. Mouse Record / Play Automation (Macro Tool)
93. Internet / LAN Messenger Chat (Server + Client)
94. Timer Shutdown/Restart/Log Off/Hibernate/Suspend/ Control
95. Hash MD5 Checker
96. Port Connect - Listen tool
97. Internet MAC Address Scanner (Multiple IP)
98. Connection Manager / Monitor
99. Direct Peer Connecter (Send/Receive files + chat)
100. Force Application Termination (against Viruses and Spyware)
101. Easy and Fast Screenshot Maker (also Web Hex Color Picker)
102. COM Detect and Test
103. Create Virtual Drives
104. URL Encoder
105. WEP/WPA Key Generator
106. Sniffer.NET
107. File Shredder
108. Local Access Enumerater
109. Steganographer (Art of hiding secret data in pictures)
110. Subnet Calculater
111. Domain to IP (DNS)
112. Get SNMP Variables
113. Internet Explorer Password Revealer
114. Advanced Multi Port Scanner
115. Port Identification List (+port scanner)
116. Get Quick Net Info
117. Get Remote MAC Address
118. Share Add
119. Net Wanderer
120. WhoIs Console
121. Cookies Analyser
122. Hide Secret Data In Files
123. Packet Generator
124. Secure File Splitting
125. My File Protection (Password Protect Files, File Injections)
126. Dynamic Switch Port Mapper
127. Internet Logger (Log URL)
128. Get Whois Servers
129. File Split&Merge
130. Hide Drive
131. Extract E-mails from Documents
132. Net Tools Mini (Client/Server, Scan, ICMP, Net Statistics, Interactive, Raw Packets, DNS, Whois, ARP, Computer's IP, Wake On LAN)
133. Hook Spy
134. Software Uninstaller
135. Tweak & Clean XP
136. Steganographic Random Byte Encryption
137. NetTools Notepad (encrypt your sensitive data)
138. File Encrypter/Decrypter
139. Quick Proxy Server
140. Connection Redirector (HTTP, IRC, ... All protocols supported)
141. Local E-mail Extractor
142. Recursive E-mail Extractor
143. Outlook Express E-mail Extractor
144. Telnet Client
145. Fast Ip Catcher
146. Monitor Host IP
147. FreeMAC (MAC Address Editor)
148. QuickFTP Server (+user accounts support)
149. NetTools Macro Recorder/Player (Keybord and Mouse Hook)
150. Network Protocol Analyzer
151. Steganographic Tools (Picture, Sounds, ZIP Compression and Misc Methods)
152. WebMirror (Website Ripper)
153. GeoLocate IP
154. Google PageRank Calculator
155. Google Link Crawler (Web Result Grabber)
156. Network Adapter Binder
157. Remote LAN PC Lister
158. Fast Sinusoidal Encryption
159. Software Scanner
160. Fast FTP Client
161. Network Traffic Analysis
162. Network Traffic Visualiser
163. Internet Protocol Scanner
164. Net Meter (Bandwidth Traffic Meter)
165. Net Configuration Switcher
166. Advanced System Hardware Info
167. Live System Information
168. Network Profiler
169. Network Browser
170. Quick Website Maker and Web Gallery Creator
171. Remote PC Shutdown
172. Serial Port Terminal
173. Standard Encryptor
174. Tray Minimizer
175. Extra Tools (Check Out Yourself)
Net Tools requires Microsoft .NET Framework 2.0
Download hereA bunch of tools ha!
Check out yourselfDownload Net Tools
Sunday, September 16, 2007
Juniper and Symantec security alliance to challenge Cisco
The recent announcement of an alliance between Juniper Networks Inc and Symantec Corp in the area of security means they will present a united front, particularly against Cisco Systems Inc.
The two Californian companies, Juniper from Sunnyvale and Symantec from Cupertino, recently announced what they call "a broad strategic partnership" in security, involving joint development of unified threat management (UTM) appliances, intrusion-prevention systems, and network access control.
The two are heavyweights in their respective areas, and though they compete today in firewall/VPN, NAC and IDS/IPS, they are both major competitors to Cisco, a factor that clearly forms the backdrop to this alliance.
Depending on the analyst firm, Juniper is either number two or three in the carrier routing market behind Cisco. The other player is Alcatel, which some analysts rank above Juniper whose efforts to break into the enterprise market with its J-Series routers had a tepid reception, so two years ago it adopted a different tack, and spent $4bn to acquire firewall/VPN, SSL VPN and IDS/IPS upstart NetScreen.
Earlier this year it began to move into UTM appliances, which are multi-function security appliances aimed primarily at the branch and remote office environment, adding a routing capability to offer what some analysts are calling a branch-in-a-box, or BiaB, product: its Integrated Security Gateway portfolio. The products compete directly with Cisco's Integrated Services Router and Adaptive Security Appliance product lines, which use some perimeter security functionality from Symantec competitor Trend Micro.
Meanwhile, Symantec last year acquired Sygate, taking the AV heavyweight into endpoint security where Cisco has its Network Admission Control offering and Juniper its Unified Access Control.
However, rather than continuing to compete in isolation against the networking giant, the two are now pooling their NAC technologies and working within the context of the standards-based approach by the Trusted Computing Group, based on its Trusted Network Connect spec, which they both want to drive to avoid Cisco dominance of this emerging space.
Equally, Cisco has just unveiled a collaboration with Microsoft Corp to make its NAC interoperate with the Microsoft's Network Access Protection technology that is due to appear in Vista and Longhorn. This clearly behoves Symantec and Juniper to drive TNC-based NAC harder now before it is rendered irrelevant by a de facto standard represented by the Cisco NAC/Microsoft NAP coupling.
Another recent development that is also a factor here is EMC's June $2.1bn acquisition of authentication vendor RSA. Market rumors suggested EMC swooped on RSA before another major player got there, with Symantec the name most commonly bandied about. Since its merger/acquisition of storage software heavyweight Veritas last year, Symantec has been butting heads directly with EMC's own software division. Industry insiders say that with RSA providing some encryption technology used in EMC's arrays, the prospect of the token authentication vendor falling into the hands of Symantec was unpalatable.
However, that move also left Symantec in edge security (anti-X, content filtering, firewall/VPN, and IDS/IPS) with a play in the core (NAC), but needing to beef up its offering in the latter, which is one of the areas the alliance with Juniper seeks to address.
While Juniper has been getting into UTM this year, Symantec a couple of month ago made a hazy announcement that it was exiting, or at least de-emphasizing the appliance market, a move which the announcement with Juniper throws into a new light. Rather than go it alone on UTM box development, Symantec sees benefits to riding in with its technology on Juniper's hardware, leveraging both their channels to get to market.
On the back end, both companies have research teams sitting in network operation centers around the world, monitoring screens for threats and exploits. Juniper has its J-Security Team and Symantec the Global Intelligence Network, collaboration between which should in theory enable more a comprehensive service of security info feeds to common customers.
Symantec is already a significant security services player, and another recent relevant development is that IBM's Global Services arm recently acquired IDS/IPS pioneer ISS, whose recent business strategy had been all about populating its customer's networks with its Proventia security appliances, then selling the info feeds to them as part of an overall services play.
The Symantec/Juniper partnership looks similar in approach, at least in terms of the U and IPS strains of the announcement, while the NAC part appears to be a way of gaining mindshare and market share to compete with Cisco. Joint developments in all three areas will give the partners a portfolio to rival that of Cisco in security, even though neither company is currently in Ethernet switching, which is still the largest single contributor to the networking giant's $29bn annual revenue. However, there are persistent rumors of a project deep within Juniper to develop a low-cost switching line based on Marvell silicon for launch in the second half of 2007.
The two Californian companies, Juniper from Sunnyvale and Symantec from Cupertino, recently announced what they call "a broad strategic partnership" in security, involving joint development of unified threat management (UTM) appliances, intrusion-prevention systems, and network access control.
The two are heavyweights in their respective areas, and though they compete today in firewall/VPN, NAC and IDS/IPS, they are both major competitors to Cisco, a factor that clearly forms the backdrop to this alliance.
Depending on the analyst firm, Juniper is either number two or three in the carrier routing market behind Cisco. The other player is Alcatel, which some analysts rank above Juniper whose efforts to break into the enterprise market with its J-Series routers had a tepid reception, so two years ago it adopted a different tack, and spent $4bn to acquire firewall/VPN, SSL VPN and IDS/IPS upstart NetScreen.
Earlier this year it began to move into UTM appliances, which are multi-function security appliances aimed primarily at the branch and remote office environment, adding a routing capability to offer what some analysts are calling a branch-in-a-box, or BiaB, product: its Integrated Security Gateway portfolio. The products compete directly with Cisco's Integrated Services Router and Adaptive Security Appliance product lines, which use some perimeter security functionality from Symantec competitor Trend Micro.
Meanwhile, Symantec last year acquired Sygate, taking the AV heavyweight into endpoint security where Cisco has its Network Admission Control offering and Juniper its Unified Access Control.
However, rather than continuing to compete in isolation against the networking giant, the two are now pooling their NAC technologies and working within the context of the standards-based approach by the Trusted Computing Group, based on its Trusted Network Connect spec, which they both want to drive to avoid Cisco dominance of this emerging space.
Equally, Cisco has just unveiled a collaboration with Microsoft Corp to make its NAC interoperate with the Microsoft's Network Access Protection technology that is due to appear in Vista and Longhorn. This clearly behoves Symantec and Juniper to drive TNC-based NAC harder now before it is rendered irrelevant by a de facto standard represented by the Cisco NAC/Microsoft NAP coupling.
Another recent development that is also a factor here is EMC's June $2.1bn acquisition of authentication vendor RSA. Market rumors suggested EMC swooped on RSA before another major player got there, with Symantec the name most commonly bandied about. Since its merger/acquisition of storage software heavyweight Veritas last year, Symantec has been butting heads directly with EMC's own software division. Industry insiders say that with RSA providing some encryption technology used in EMC's arrays, the prospect of the token authentication vendor falling into the hands of Symantec was unpalatable.
However, that move also left Symantec in edge security (anti-X, content filtering, firewall/VPN, and IDS/IPS) with a play in the core (NAC), but needing to beef up its offering in the latter, which is one of the areas the alliance with Juniper seeks to address.
While Juniper has been getting into UTM this year, Symantec a couple of month ago made a hazy announcement that it was exiting, or at least de-emphasizing the appliance market, a move which the announcement with Juniper throws into a new light. Rather than go it alone on UTM box development, Symantec sees benefits to riding in with its technology on Juniper's hardware, leveraging both their channels to get to market.
On the back end, both companies have research teams sitting in network operation centers around the world, monitoring screens for threats and exploits. Juniper has its J-Security Team and Symantec the Global Intelligence Network, collaboration between which should in theory enable more a comprehensive service of security info feeds to common customers.
Symantec is already a significant security services player, and another recent relevant development is that IBM's Global Services arm recently acquired IDS/IPS pioneer ISS, whose recent business strategy had been all about populating its customer's networks with its Proventia security appliances, then selling the info feeds to them as part of an overall services play.
The Symantec/Juniper partnership looks similar in approach, at least in terms of the U and IPS strains of the announcement, while the NAC part appears to be a way of gaining mindshare and market share to compete with Cisco. Joint developments in all three areas will give the partners a portfolio to rival that of Cisco in security, even though neither company is currently in Ethernet switching, which is still the largest single contributor to the networking giant's $29bn annual revenue. However, there are persistent rumors of a project deep within Juniper to develop a low-cost switching line based on Marvell silicon for launch in the second half of 2007.
Cisco adds NAC to ISR, updates endpoint recognition
Network access control (NAC) has been hyped as the network-based security to end 'em all, but NAC adoption has been somewhat stagnant because, many experts claim, it is quite complex or just too immature.
Cisco, however, hopes to change that. The networking giant announced today that it's releasing a Network Admission Control module for its widely popular Integrated Services Router (ISR) -- which has more than 3 million deployed to date -- in hopes of getting NAC into more locations, namely branch offices.
The Cisco NAC Network Module for ISRs is a modular security solution that is integrated into the network infrastructure. It authenticates, authorizes, evaluates and remediates remote user machines connected via wired or wireless links, prior to granting them access to corporate networks. The NAC module for the ISR, designed for branch offices, thwarts potential threats and vulnerabilities locally before they're sent over the WAN to prevent them from entering the network, said Fred Kost, director of security solutions for Cisco.
The module includes all of the features of the Cisco NAC Appliance Server and is supported by the Cisco 2800 and 3800 Series ISRs. It enforces security policy on networked devices such as Windows, Mac and Linux machines; laptops; desktops; PDAs; printers; and IP phones.
The NAC module works in concert with firewalls, intrusion-prevention systems and VPNs to round out the security offered in the ISR, giving branches a secure infrastructure.
Kost said the module is designed for branches and office locations that don't have the time or resources to manage separate security solutions in addition to the routing infrastructure.
According to Ladi Adefala, security practice manager with systems integrator and Cisco partner World Wide Technologies, adding the NAC module to the ISR has the potential to give branches more bang for their buck when they are working with limited management and financial resources.
"From the administrator standpoint, the user is empowered with that all-in-one solution for the branch office," Adefala said. "You get the same level of security on the endpoints, and you get it with something less complex."
A modular NAC approach eliminates the need to devise new solutions around how to centralize management of security at a time when a lot of enterprises are focusing on centralization, he said.
"Aside from streamlining our management, the NAC ISR module allows us to concentrate our security efforts within the network itself," Adefala said. "It gives us an opportunity to offer our customers more synergy between their network and security as well."
Moreover, he added, eliminating the complexity should make NAC as a whole more marketable and affordable.
"You want to make sure whatever level of security you have at headquarters is carried over to branch offices, and this does that," he said.
Andrew Braunberg, research director with Current Analysis, agreed that putting NAC capabilities in the ISR brings more visibility to the edge, where it's needed most.
"The fact that they're going to be able to push NAC capabilities out to the branch makes sense," he said. "Logically and physically it makes sense to put them together."
Braunberg said he questions whether or not the NAC module for ISR is a step toward or away from Cisco's trying to marry both the NAC appliance and the CNAC framework, which has been rumored to be in the works for more than a year.
Along with the ISR module, Cisco enhanced its NAC Appliance Server by offering the Cisco NAC Profiler, an endpoint-recognition technology that keeps an inventory of networked devices so they can be evaluated before and during sessions on the network. The Profiler boosts the ability of networked devices that aren't associated with particular users to be identified, authenticated and then granted or denied network access. Devices that are unassociated with a particular user include printers, IP phones, wireless access points, sensors and medical devices. The Profiler also performs continuous behavioral assessments for post-admission access control.
"The Cisco NAC Profiler arrives at a time when businesses are supporting growing numbers of devices critical to operations and productivity," said a Cisco statement. "The NAC Profiler addresses the growing complexity of protecting an increasingly diverse array of networked devices by taking an in-depth and automated inventory and enabling actions to be taken based on their behavior."
NAC Profiler, which stems from an OEM agreement with Great Bay Software, consists of a software update on the NAC Appliance Server, and the NAC Profiler Server pulls information from the NAC Appliance Server and sends it to the management console, according to Brendan O'Connell, Cisco's NAC product marketing manager.
"It's about making sure a device is what it claims to be," O'Connell said, adding that in the past, devices like printers, copiers and other IP-addressed devices weren't assessed by NAC tools. "It's gathering information about the networked endpoint to ensure it's doing what it should be doing."
Braunberg agreed. "This does all of the heavy lifting of making sure there's an updated list of these non-responsive hosts," he said. "Since it can look at the behavior from a particular address, you can know what that device is supposed to be and what it's supposed to be doing. That can help considerably."
The Cisco NAC Network Module for ISRs is a modular security solution that is integrated into the network infrastructure. It authenticates, authorizes, evaluates and remediates remote user machines connected via wired or wireless links, prior to granting them access to corporate networks. The NAC module for the ISR, designed for branch offices, thwarts potential threats and vulnerabilities locally before they're sent over the WAN to prevent them from entering the network, said Fred Kost, director of security solutions for Cisco.
The module includes all of the features of the Cisco NAC Appliance Server and is supported by the Cisco 2800 and 3800 Series ISRs. It enforces security policy on networked devices such as Windows, Mac and Linux machines; laptops; desktops; PDAs; printers; and IP phones.
The NAC module works in concert with firewalls, intrusion-prevention systems and VPNs to round out the security offered in the ISR, giving branches a secure infrastructure.
Kost said the module is designed for branches and office locations that don't have the time or resources to manage separate security solutions in addition to the routing infrastructure.
According to Ladi Adefala, security practice manager with systems integrator and Cisco partner World Wide Technologies, adding the NAC module to the ISR has the potential to give branches more bang for their buck when they are working with limited management and financial resources.
"From the administrator standpoint, the user is empowered with that all-in-one solution for the branch office," Adefala said. "You get the same level of security on the endpoints, and you get it with something less complex."
A modular NAC approach eliminates the need to devise new solutions around how to centralize management of security at a time when a lot of enterprises are focusing on centralization, he said.
"Aside from streamlining our management, the NAC ISR module allows us to concentrate our security efforts within the network itself," Adefala said. "It gives us an opportunity to offer our customers more synergy between their network and security as well."
Moreover, he added, eliminating the complexity should make NAC as a whole more marketable and affordable.
"You want to make sure whatever level of security you have at headquarters is carried over to branch offices, and this does that," he said.
Andrew Braunberg, research director with Current Analysis, agreed that putting NAC capabilities in the ISR brings more visibility to the edge, where it's needed most.
"The fact that they're going to be able to push NAC capabilities out to the branch makes sense," he said. "Logically and physically it makes sense to put them together."
Braunberg said he questions whether or not the NAC module for ISR is a step toward or away from Cisco's trying to marry both the NAC appliance and the CNAC framework, which has been rumored to be in the works for more than a year.
Along with the ISR module, Cisco enhanced its NAC Appliance Server by offering the Cisco NAC Profiler, an endpoint-recognition technology that keeps an inventory of networked devices so they can be evaluated before and during sessions on the network. The Profiler boosts the ability of networked devices that aren't associated with particular users to be identified, authenticated and then granted or denied network access. Devices that are unassociated with a particular user include printers, IP phones, wireless access points, sensors and medical devices. The Profiler also performs continuous behavioral assessments for post-admission access control.
"The Cisco NAC Profiler arrives at a time when businesses are supporting growing numbers of devices critical to operations and productivity," said a Cisco statement. "The NAC Profiler addresses the growing complexity of protecting an increasingly diverse array of networked devices by taking an in-depth and automated inventory and enabling actions to be taken based on their behavior."
NAC Profiler, which stems from an OEM agreement with Great Bay Software, consists of a software update on the NAC Appliance Server, and the NAC Profiler Server pulls information from the NAC Appliance Server and sends it to the management console, according to Brendan O'Connell, Cisco's NAC product marketing manager.
"It's about making sure a device is what it claims to be," O'Connell said, adding that in the past, devices like printers, copiers and other IP-addressed devices weren't assessed by NAC tools. "It's gathering information about the networked endpoint to ensure it's doing what it should be doing."
Braunberg agreed. "This does all of the heavy lifting of making sure there's an updated list of these non-responsive hosts," he said. "Since it can look at the behavior from a particular address, you can know what that device is supposed to be and what it's supposed to be doing. That can help considerably."
Monday, September 10, 2007
Huawei constructs All IP Network for QSC in Germany
Carrier deploys Huawei's award-winning Multi-Service Control Gateway ME60
[Berlin, Germany 28 August 2007] Huawei Technologies Co., Ltd. (Huawei), a leader in providing next generation telecommunications network solutions for operators around the world, today announced that it has accomplished the installation of its multi-service control gateways (MSCG) ME60, in the All IP network of German leading telecommunications provider QSC AG.
The ME60 is a next-generation multi-service edge solution designed to meet the challenges in the transformation toward a customer-centric All IP architecture network for multi-play applications. The ME60 offers a perfect QoS mechanism to help QSC deploy services more quickly at highly reliable levels and achieve intensive service operations. It also provides QSC with a unified operation platform for services and applications, reducing the capital and operational expenditure of its broadband network. After a strict test and selection process, QSC chose Huawei as a partner to build up its All IP network.
QSC is one of the leading fixed network carriers in Germany. Its broadband network is accessible nationwide in Germany and offers voice and data services to business- and private customers. QSC also provides other carriers and internet service providers with wholesale services.
In 2006 QSC has founded Plusnet GmbH & Co. KG. This "network manufactory", now a joint venture between QSC and TELE2, plans, builds and operates QSC's next generation network.
"Huawei owns advanced technologies and rich experiences in telecoms market in data communication field, our cooperation with Huawei on MSCG is a good start. We will join hands with Huawei to provide higher-quality service experience for our users." said Mr. Eivind Dugstad, Managing Director Plusnet GmbH & Co KG.
"We are pleased to see Huawei MSCG devices recognized by leading European carriers such as QSC," commented Chen Junhua, president of Huawei's data communications product line. "Huawei's data communications product line has always been devoted to serving the needs of carrier markets by offering its vast technology resources and extensive network construction experience to customers. Huawei will continue to focus on customers' demands and help QSC build up operable, maintainable and manageable broadband networks."
Huawei ME60 was awarded the 2006 InfoVision Award by the International Engineering Consortium for its innovative contribution to the industry. The ME60 has been successfully rolled out across the networks of over 70 carriers in more than 30 countries, such as China Telecom, Vodafone New Zealand, and provides over 60 million users worldwide with communications services.
[Berlin, Germany 28 August 2007] Huawei Technologies Co., Ltd. (Huawei), a leader in providing next generation telecommunications network solutions for operators around the world, today announced that it has accomplished the installation of its multi-service control gateways (MSCG) ME60, in the All IP network of German leading telecommunications provider QSC AG.
The ME60 is a next-generation multi-service edge solution designed to meet the challenges in the transformation toward a customer-centric All IP architecture network for multi-play applications. The ME60 offers a perfect QoS mechanism to help QSC deploy services more quickly at highly reliable levels and achieve intensive service operations. It also provides QSC with a unified operation platform for services and applications, reducing the capital and operational expenditure of its broadband network. After a strict test and selection process, QSC chose Huawei as a partner to build up its All IP network.
QSC is one of the leading fixed network carriers in Germany. Its broadband network is accessible nationwide in Germany and offers voice and data services to business- and private customers. QSC also provides other carriers and internet service providers with wholesale services.
In 2006 QSC has founded Plusnet GmbH & Co. KG. This "network manufactory", now a joint venture between QSC and TELE2, plans, builds and operates QSC's next generation network.
"Huawei owns advanced technologies and rich experiences in telecoms market in data communication field, our cooperation with Huawei on MSCG is a good start. We will join hands with Huawei to provide higher-quality service experience for our users." said Mr. Eivind Dugstad, Managing Director Plusnet GmbH & Co KG.
"We are pleased to see Huawei MSCG devices recognized by leading European carriers such as QSC," commented Chen Junhua, president of Huawei's data communications product line. "Huawei's data communications product line has always been devoted to serving the needs of carrier markets by offering its vast technology resources and extensive network construction experience to customers. Huawei will continue to focus on customers' demands and help QSC build up operable, maintainable and manageable broadband networks."
Huawei ME60 was awarded the 2006 InfoVision Award by the International Engineering Consortium for its innovative contribution to the industry. The ME60 has been successfully rolled out across the networks of over 70 carriers in more than 30 countries, such as China Telecom, Vodafone New Zealand, and provides over 60 million users worldwide with communications services.
Sunday, May 27, 2007
Cisco Infrastructure for i-City
NETWORK solutions provider Cisco Malaysia Sdn Bhd will hook up the i-City commercial development project in Shah Alam with a complete information technology infrastructure.
Residents and businesses in i-City, touted as Selangor's first Multimedia Super Corridor Cybercentre, will enjoy a variety of IT services.
These range from datacentres to wireless networks to high-end videoconferencing facilities; the first phase of the project will be completed by year end.
Kumaran Singaram, managing director of Cisco Malaysia, said companies planning to have their business premises in i-City would not have to build their own IT infrastructure from scratch. Everything they need will be at their disposal as soon as they move in.
“IT services will be available to every building,” he said, adding that in i-City, IT services would be as available as basic utilities such as running water and electricity.
Eu Hong Chew, chief executive officer of I-Berhad which is developing i-City, said the company's objective is to build an IT hub in Selangor.
He said Shah Alam was chosen because it is a well-known spot for industries. “Industries here will be able to use i-City to support their R&D clusters,” he said.
Residents and businesses in i-City, touted as Selangor's first Multimedia Super Corridor Cybercentre, will enjoy a variety of IT services.
These range from datacentres to wireless networks to high-end videoconferencing facilities; the first phase of the project will be completed by year end.
Kumaran Singaram, managing director of Cisco Malaysia, said companies planning to have their business premises in i-City would not have to build their own IT infrastructure from scratch. Everything they need will be at their disposal as soon as they move in.
“IT services will be available to every building,” he said, adding that in i-City, IT services would be as available as basic utilities such as running water and electricity.
Eu Hong Chew, chief executive officer of I-Berhad which is developing i-City, said the company's objective is to build an IT hub in Selangor.
He said Shah Alam was chosen because it is a well-known spot for industries. “Industries here will be able to use i-City to support their R&D clusters,” he said.
Sunday, May 6, 2007
Cisco IP Telephony Solution Wins Voice Industry's Premier IP PBX Competition
In a head to head comparison with solutions from other leading IP Telephony solution vendors (Alcatel, Avaya, and Nortel Networks) of large-scale IP PBX systems capable of supporting 1,000 or more users, the Cisco solution emerged as the clear winner.
The test was run by Miercom, a leading network consultancy and product test center. Miercom tested the IP PBX systems by rating each of the four vendors' products in six categories: architecture, endpoints, management and administration, features, performance and security.
Cisco took first place in the phones, management and administration, and performance categories ensuring first place overall. Cisco also attained second place in architecture and security and third in the features category.
The complete results of the review are available now in the January edition of Business Communications Review (BCR) magazine: Miercom IP PBX Review.
"Cisco took the lead in the (endpoints) category thanks to the breadth of its offerings, as well as some notable features and excellent phone design," according to the BCR report. In the management and administration category, the article states: "Cisco took the gold in this category. It's clear that the vendor has been doing its homework, and its management application has become one to beat in this market."
In the performance category, the Cisco solution was the only one which managed 100% call completion. This was measured over a nine-hour period in which the Cisco PBX handled thousands of repeated setups and tear-downs.
Marthin De Beer, vice president and general manager of Cisco's IP Communications business Unit, said "We have won what is widely considered the industry's top award for enterprise-class IP PBX systems. It is a tremendous achievement and a testament to the overall quality and performance of our system developed by the seasoned voice team we have in place at Cisco."
The test was run by Miercom, a leading network consultancy and product test center. Miercom tested the IP PBX systems by rating each of the four vendors' products in six categories: architecture, endpoints, management and administration, features, performance and security.
Cisco took first place in the phones, management and administration, and performance categories ensuring first place overall. Cisco also attained second place in architecture and security and third in the features category.
The complete results of the review are available now in the January edition of Business Communications Review (BCR) magazine: Miercom IP PBX Review.
"Cisco took the lead in the (endpoints) category thanks to the breadth of its offerings, as well as some notable features and excellent phone design," according to the BCR report. In the management and administration category, the article states: "Cisco took the gold in this category. It's clear that the vendor has been doing its homework, and its management application has become one to beat in this market."
In the performance category, the Cisco solution was the only one which managed 100% call completion. This was measured over a nine-hour period in which the Cisco PBX handled thousands of repeated setups and tear-downs.
Marthin De Beer, vice president and general manager of Cisco's IP Communications business Unit, said "We have won what is widely considered the industry's top award for enterprise-class IP PBX systems. It is a tremendous achievement and a testament to the overall quality and performance of our system developed by the seasoned voice team we have in place at Cisco."
Wednesday, April 25, 2007
Cisco VPN Client and Aladdin eToken Access Solution Suite
The Access Solution Suite includes secure remote access solutions for Cisco VPN Client combined with Aladdin eToken for strong authentication. Optionally, each solution is integrated with eToken Management System (TMS) for eToken enrolment and full life-cycle management. Each solution within the suite helps organizations establish trusted access to employees, customers, suppliers and partners. The solution provides interoperability among different remote access solutions such as VPN & Wireless and various authentication methods such as digital certificate (PKI) and One-Time Password (OTP).
Cisco Integrated Services Router – Security Practices with Aladdin eToken
The Cisco IOS® Software-level integration of Aladdin eToken drivers provides partners and customers with enhanced security router practices:
1. Secure Provisioning of Cisco Router Configurations: Combining eToken drivers with Cisco integrated services routers helps Cisco partners mount router configuration on eToken and securely send them to end customers.
2. Portable Credential Storage for Cisco VPN: VPN credential storage on eToken provides off-platform generation and secure storage of VPN credentials. Encryption keys are loaded when eToken is plugged in, and removed when eToken is removed.
Monday, April 9, 2007
MPLS VPNs: What's Next (webinar)
MPLS VPNs create a robust platform for converged services allowing for cost-effective, any-to-any connectivity. As convergence moves to the next stage, distinctions between wireless and wired networks are blurring, and collaboration is becoming part of the holistic networking environment. Attend this webcast to learn how the network is becoming more intelligent and application-aware, reaching toward a dynamic, unified IT environment that will be more cost effective, agile, and high-performing.
Wednesday, March 21, 2007
Static NAT to a range tcp ports
Question: I want to map a range of tcp ports to an internal host from the internet. I could use the ip nat inside static tcp command for mapping an specific port, but what if I want to map the tcp port range from 8000 to 8050?, Is there a way to do that with a single command?
Answer
1.create static translation:
ip nat inside source static 192.168.60.10 172.16.181.195 route-map MAP extendable
ip nat inside source static tcp 192.168.1.2 80 172.17.181.195 80 extendable
2. Define the port range
access-list 101 permit tcp host 192.168.60.10 range 8000 8050 any
route-map MAP permit 10
match ip address 101
Answer
1.create static translation:
ip nat inside source static 192.168.60.10 172.16.181.195 route-map MAP extendable
ip nat inside source static tcp 192.168.1.2 80 172.17.181.195 80 extendable
2. Define the port range
access-list 101 permit tcp host 192.168.60.10 range 8000 8050 any
route-map MAP permit 10
match ip address 101
frame-relay static route problem
FAQ
the problem occur when two routers connected via frame-relay switch (2522 router), the configuration on switch is correct as well as on both routers, the loop back interface has been made on RB router i.e RB has 20.0.0.0/8, while at RA router the static router is defined as
ip route 20.0.0.0 0.255.255.255 serial 0
it was not able to send packets to 20.0.0.0/8 when run debug, it got error like encapsulation failed, now when it replaced the static route with next hop ip it was working fine, why ????
When a layer3 packet is going to be sent out, the router must know the layer 2 header to encapsulate the Layer3 packet.In this case, it must know which dlci number (as well as other layer2 information) to encap the IP packet. If you only indicate a connected interface for the static route, and there are many dlci numbers on this interface, the router will not know which dlci number to use and thus gives you a encapsulation failure message.
On the other hand, if you indicate a next-hop address on the static route and there is a frame-relay map which maps a dlci number to this next-hop address , the router will know the exact dlci number to encapsulate the ip packet and the packet will be sent out successfully.
the problem occur when two routers connected via frame-relay switch (2522 router), the configuration on switch is correct as well as on both routers, the loop back interface has been made on RB router i.e RB has 20.0.0.0/8, while at RA router the static router is defined as
ip route 20.0.0.0 0.255.255.255 serial 0
it was not able to send packets to 20.0.0.0/8 when run debug, it got error like encapsulation failed, now when it replaced the static route with next hop ip it was working fine, why ????
When a layer3 packet is going to be sent out, the router must know the layer 2 header to encapsulate the Layer3 packet.In this case, it must know which dlci number (as well as other layer2 information) to encap the IP packet. If you only indicate a connected interface for the static route, and there are many dlci numbers on this interface, the router will not know which dlci number to use and thus gives you a encapsulation failure message.
On the other hand, if you indicate a next-hop address on the static route and there is a frame-relay map which maps a dlci number to this next-hop address , the router will know the exact dlci number to encapsulate the ip packet and the packet will be sent out successfully.
Review from the Cisco's end user
The posted reviewed is based on my experience managing dan configuring cisco product such as access switch, router, core switch etc.
Subscribe to:
Posts (Atom)