Network Security

RSS feed for this section
This category contains 34 posts


Application Control Next Generation Firewalls

By April 21, 2011 Post a comment

Checkpoint introduced Application control policies in their R75 version recently, while traditional firewalls like ASA and SRX perform control based on protocols, ports and IP, the new next generation firewalls in addition provides granular control by application and users using these applications.

The only other vendor doing this in the security space is a new company called Paloalto networks which appears to have initiated this concept for good.

The checkpoint App wiki is a great resource to see what application controls are possible.

http://appwiki.checkpoint.com/appwikisdb/public.htm

This is a preview of Application Control Next Generation Firewalls. Read the full post (116 words, 2 images, estimated 28 secs reading time)

Why use Cisco switch port command spanning-tree portfast?

By April 4, 2011 Post a comment
Typical STP convergence time is around 50 secs by default, so basically every port takes around 50 secs to initialize and be in say forwarding state, this is a lot of time and is not needed to be spent to check for loops in your network especially if you know there wont be any network look through that port.
For example if the server connected to the port is a radius server. For such ports you can use the portfast command to disable STP check.
cisco3560#config t
cisco3560#int fa0/24
cisco3560(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges,
etc… to this interface when portfast is enabled, can cause temporary bridging loops. Use with CAUTION
%Portfast has been configured on FastEthernet0/24 but will only have effect when the interface is in a non-trunking mode.

The warning is to carefully apply portfast in ports that we are sure it will not create network loops.
Permanent link to this post (159 words, estimated 38 secs reading time)

Why use a switch port as 802.1q trunk port?

By March 6, 2011 Post a comment

One would think this question is very straightforward and easy for someone in networking profession to answer but if you did’nt know why use a switch port as 802.1q trunk port then remember this

1. dot1q trunk port will carry traffic from all vlans across that port.

2. dot1q trunk will tag that traffic as received frame from vlan x when it sends it to the trunk port of the switch on the other side where will it get untagged and sent to the destination.

Thanks to Keith for posting this very easy to understand video.

This is a preview of Why use a switch port as 802.1q trunk port?. Read the full post (99 words, estimated 24 secs reading time)

Understanding Cisco firmware versions such as T,M,ED,GD etc

By January 14, 2011 Post a comment

For any network engineer working on Cisco products its a challenge initially to understand how to read Cisco firmware version. We have so many version information out there that it can get confusing even for an experienced engineer.

Below is a quick summary for reference:

Cisco IOS Firmware images would almost always match the following format:

Major.Version(MaintenanceVersion)<minorUpdate><T/E/S/XA/XB><ED/GD/LD/DF/Interim>

example:

IOS – 12.4(15)T4

ASA – 8.1(0)GD

IPS -  7.0(4)E4

where:

Major Version => usually involves drastic change in code compared to previous versions.

MaintenanceVersion => as the name suggests it’s a maintenance release which are usually bug fixes.

This is a preview of Understanding Cisco firmware versions such as T,M,ED,GD etc. Read the full post (231 words, estimated 55 secs reading time)

« PreviousNext »