AT&T 20 gig fiber to homes

GUI or CLI on Cisco still does the same thing. We're beating a dead horse here again. It doesn't matter because it's still the same crap. You can use ASDM on any security device Cisco offers. Just need to DL and put it on the flash to run it.

Enterprise vs SP is also a big difference in the types of equipment being deployed. I've run DC equipment, SP equipment, SMB equipment.... It's all the same, just different price points. If you've touched one Cisco you've touched them all. Physically they're all different in size and capabilities, but they all run the same.

IDS/IPS is all marketing in my book. If you properly configure your rules you don't need either of them nor benefit from the bottlenecks they create. If you're worried about the crap they might alert you about then your IT policies are lacking on the prevention in the first place and you didn't lock things down properly to prevent users from introducing things to the network.

When you properly segregate the networks from each other so they can't cross communicate with each other directly it's not an issue.

40GE is nothing when it's actually 20x20. When you're used to running 100GE 100x100 and the transceiver alone is the size of the phone in your pocket you have something to worry about.
I think you are mixed up. ASDM is monitoring software and ASM is firewall software.

There is a reason people pay 30 to a hundred thousand dollars for one piece of Cisco enterprise hardware. I have used both. Cisco small business is not Cisco enterprise equipment. There is a difference.

IDS/IPS is not marketing. It really works. That is why it is so widely used. If it was all crap then it would not be used and it would not cost more. When you get to enterprise level it costs a lot. You can say what you will, there is no way a Linux NAT box is going to replace a firewall at a large site, only at home sites like your home. I would not try to run one at my house. And besides, I would like a little more than NAT. NAT can be done by a lot of consumer routers. No reason to do it from scratch on a Linux box unless you are having fun.

And I am not sure what you mean by this statement "When you properly segregate the networks from each other so they can't cross communicate with each other directly it's not an issue." In large networks the switches handle all the local network traffic, not firewalls or routers. So this statement makes no sense to me.

I think in large networks the only reason to run a router is if you run something like BGP. The other thing would be you might have one in front of your firewall for VPN connections. It depends on your firewall choice.
@coxhaus Listen buddy... I've managed national networks which would fall under your definition of "enterprise" or beyond that.

My box has NAT / IPTABLES and works great and can handle any speeds I decide to throw at it.

Enterprise level gear is fine. There's a reason why Cisco licenses using SW on a bare metal server for use instead of buying an appliance. ASA/ASDM/ASM/R whatever you want to call it is up to you.

In a core network you still have routers with switch blades inserted into them. ASR vs Nexus though is a different story, but same theory depending on the blades you put into the chassis.

From an operations standpoint dealing with gear daily is a bit different than your sales approach here. You work in theory and I just make things work when you break them.
I just think IDS/IPS is better than just using NAT. I worked with Cisco enterprise equipment and was Cisco certified in the old days, so I understand enterprise equipment. I managed about a 500 device Cisco network. We had about 50 total sites and about 20 were campuses. You can make fun of all the Cisco gear you want but they are a very large company selling a lot of equipment.
I'm not making fun of the gear. I'm pointing out the fact that they're not the only way to accomplish networking.

I've managed networks that are nationwide with multiple sites and DC's in each location not to mention switch sites for more than one carrier. I've also contracted out for other nationwide carriers to perform their core network upgrades. Cisco pays the bills along with Juniper and other vendors. If there's a device in the field I've probably touched it.

The point I'm making with you specifically is that there's more than one way to approach a network solution. More to the point with this thread: 20GE service is not applicable to most consumers due to the cost of equipment AT&T surely won't be providing, nor is there a consumer-based option that will terminate a fiber connection at those speeds within most people's budget. Not to mention the recurring costs associated with such a connection.

The fact that you mentioned 40GE for a 20GE symmetric product shows something. The basis of the IOS code on Cisco is simply Linux with both a CLI and GUI overlay to make it simpler for non-networking people to configure them in the most basic way w/o knowing the intricacies of the underlying code. Yes, there are also macros when using the CLI on IOS.

Certification means different things to different people. There are those that are certified but have no practical knowledge and those that have all of the knowledge to fix issues those other people make. Certification makes for knowledge of theory but real world experience is where the value is. If you're able to look at the situation that's not covered by an exam and resolve the issue without having to wait on TAC to respond you earned your paycheck. Quickly resolving things becomes more important when you're on the clock during an FCC reportable outage. When you start dealing with things involving oversight from the government you better be on your game.

NAT vs IDS/IPS.... NAT is required to get beyond your local subnet and has nothing to do with either appliance. NAT is used to allow one subnet to talk to another.

IDS/IPS is inspecting the packets based on signatures for blocking potential infections or configured heuristics.

  • Intrusion Detection Systems (IDS): analyze and monitor network traffic for signs that indicate attackers are using a known cyberthreat to infiltrate or steal data from your network. IDS systems compare the current network activity to a known threat database to detect several kinds of behaviors like security policy violations, malware, and port scanners.
  • Intrusion Prevention Systems (IPS): live in the same area of the network as a firewall, between the outside world and the internal network. IPS proactively deny network traffic based on a security profile if that packet represents a known security threat.
https://hardforum.com/threads/how-is-ips-ids-src-dst-system-different-from-nat.2019479/ --- based on this, using pattern matching / rate limiting statements within IPTables would accomplish the same thing if you're opening your network to the outside world for, say, a server being accessed from the WAN side.

Running / adding rules within IPT can accomplish the same as the appliances with lower overhead / impact to line speeds / processing when configured correctly. The issue with IDS/IPS is the time it takes to properly tune them and eliminate false alerts. They're time consuming to make them relevant when they send an alert out.
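The iptables approach described in this post, written out as an added example (not the poster's own ruleset): one pattern-matching rule that only alerts, one per-source rate-limiting rule that blocks, and a tuning exception. The chain names, port 8080, the probe string and the scanner address 192.0.2.10 are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: an iptables-restore ruleset showing the
# two jobs the post attributes to iptables, payload pattern matching and
# per-source rate limiting. Chain names, port 8080, the probe string and the
# 192.0.2.10 scanner address are assumptions constructed for this example.
# The function only prints the ruleset so it can be reviewed before loading.
ruleset() {
cat <<'EOF'
*filter
:IDS_LOG - [0:0]
:IPS_BLOCK - [0:0]
# IDS-style rule: a payload signature (a directory-traversal probe) on the web
# port is only logged, so the signature can be tuned before it blocks anything.
# -m string sees one packet at a time and plaintext only: no stream reassembly,
# and nothing inside TLS is visible to it.
-A INPUT -p tcp --dport 8080 -m string --algo bm --string "../../" --to 200 -j IDS_LOG
# IPS-style rule: a source opening more than 20 new connections/sec to the web
# port (40-packet burst allowance, bucket keyed per source IP) is logged and dropped.
-A INPUT -p tcp --dport 8080 -m conntrack --ctstate NEW -m hashlimit --hashlimit-above 20/sec --hashlimit-burst 40 --hashlimit-mode srcip --hashlimit-name web_new -j IPS_BLOCK
# Tuning: the internal vulnerability scanner (constructed address) trips the
# signature on every run, so it is excluded rather than drowning the alerts.
-A IDS_LOG -s 192.0.2.10 -j RETURN
# Alerts are themselves rate-limited so a flood cannot fill the kernel log.
-A IDS_LOG -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IDS-ALERT: " --log-level 4
-A IDS_LOG -j RETURN
-A IPS_BLOCK -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPS-DROP: " --log-level 4
-A IPS_BLOCK -j DROP
COMMIT
EOF
}

# The IDS/IPS distinction the post draws, counted over the generated ruleset:
# rules that block (DROP) versus rules that only alert (LOG).
count_blocking_rules() { ruleset | grep -c -e '-j DROP'; }
count_alert_rules()    { ruleset | grep -c -e '-j LOG'; }

ruleset
```

Check the output with `iptables-restore --test` before loading it; the LOG targets write to the kernel log, which is where the alerts the post talks about would be read.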
Well written. And yes, I know what NAT does and IDS/IPS as well as PAT. I am not a Linux person like you.

I can tell you over the years of running IDS/IPS just at home using Untangle it blocks a certain amount of malware. Every so often the reports are of a malware that has been blocked coming through the firewall for whatever reason. Something out there that is not safe.

I have had Untangle block outbound traffic because it was trying to send spam out the firewall on to the internet from someone over at my house. This kind of stuff is not going to be picked up by a Linux box running NAT. This is what IDS/IPS brings to the table. Yes, more things are being encrypted and it is harder to deal with.

It does take a lot of CPU power to make these kinds of scans. And some IDS/IPS systems are easier to set up and run than others. IDS/IPS does stuff that cannot be done with just a standard firewall setup. And don't confuse IDS/IPS with IP blocking. IPS is actively blocking based on rules. These IDS/IPS systems may be changing daily. There is a certain automation to this on updating, just like antivirus. IDS/IPS brings things to the table that you are not going to have otherwise.

You can run an IDS/IPS system on your Linux firewall. I am sure you have the skills. I have never worked at ISP levels. I bet they do a lot of roll your own. They work with such large data streams. I am not sure ISPs are worried about protecting a PC as much as moving traffic fast.
I can tell you over the years of running IDS/IPS just at home
I don't think I've ever encountered anyone doing this.

This kind of stuff is not going to be picked up by a Linux box running NAT.
No, but using SNORT will. NAT has nothing to do with this conversation regarding malware.

And don't confuse IDS/IPS with IP blocking. IPS is actively blocking based on rules.
I'm not confused about anything here. IPTABLES can be configured to trigger different options based on the traffic flow being presented.

I think you're confused on things because you keep bringing up NAT, but that's not the issue when discussing how to prevent malware on your network. For most people they would simply set up an isolated Guest network for friends and IOT devices to use to keep anything on their external devices from getting into their systems.

If you're paranoid about malware getting into your network then you are probably just clicking on everything w/o thinking about it or have children. For more of a CYA situation for businesses sure, it's a tool that can be used but, it's not the only option. My focus isn't security when it comes to networking but, I still have to deal with it as part of the equation. Dealing with security is like being dyslexic where everything gets reversed and the more complicated the rules the less I get interested in dealing with it. If I have an engineer from that side of the house that has an issue I can usually sort through it with dedicated focus and figure out where the issue is buried.

If a business / SMB needs this sort of solution due to customers using the same pipe as their internal systems, which is likely with the way business internet is priced, the provider typically splits off the guest network to prevent those devices from infecting the internal devices. Now, most SMBs won't be sitting and surfing the web with their systems and at least have AV installed on the system. Other devices on the network are likely dumb systems that don't even have the ability to trigger something to download to them, like a POS / printer / time clock / CCTV / etc.

Moving up from there though, with offices full of PCs and people tethering their devices to WIFI and using USB drives.... Split to a guest network to keep internal data protected from outside devices as much as possible. Of course EE's can still figure out how to connect their personal devices to the network, and this is where you can trigger based on MAC / certificate which VLAN to put them into and what sort of access they get when attaching to the network.

 
No, but using SNORT will. NAT has nothing to do with this conversation regarding malware.
If you are running SNORT then we are in total agreement. I consider SNORT to be in the IDS/IPS world. This is the first I have heard mention of SNORT from you.

SNORT will take more CPU power than running just iptables. I would say you are running IDS/IPS or at least IDS depends on what you are doing.

I am not sure why we had this conversation if you are running SNORT.
I've dealt with probably 50% of those or more. They're helpful until there's a backdoor some coder leaves in them for exploit.
Yes, there are problems with all software including Linux; hopefully it will get patched.
I do weekly kernel updates to close those holes as they get patched. The issue arises for commercial users that don't patch as frequently and run older major releases. Or devices like consumer routers discussed here running really old kernels. This is what makes for frequent firmware updates being needed on them. Another reason not to use off the shelf devices that get corrupted firmware because they're closed source and not checked before being deployed to consumers. Even Cisco has this issue with IOS releases. Using the source for all networking devices helps mitigate the issues as they're discovered in a timely manner.
I read about code updaters submitting Linux code with problems just to see if it would make it into the kernel. I think a university got banned for doing it. So, you can't even trust all the latest updates. Hopefully you have a good vendor that can keep up. It is not something I want to do.
Once again, weekly updates fix that issue. Proper blocking of packets with rules also mitigates the issue.

Of course, some would claim that open-source projects provide better security with an example comparing Windows and Linux. However, Windows has far more attacks and vulnerabilities due to its popularity while Linux barely makes up 5% of desktop operating systems. As such, hackers will target the largest platform to maximize their gains and time spent.

Anyway.... Limiting the scope of the machine vs a bloated install of tons of packages makes a difference in the potential impact of these submissions.

That's the paper / controversy in question. If you dig into it a bit there's more info pertaining to other sources of inadequate patches that maintainers circle around on the next point release to resolve. The commits go through a stringent auto test program that validates things automatically before it gets published for download. When there's an issue that the system picks up and fails the release then you have a week without an update. Conversely, if something does slip through or is noticed there's a quick turnaround on fixing it within the same release week.

If this was a huge issue fewer companies would be using Linux for their products. The internet wouldn't exist w/o Linux. Just about anything that's "smart" is running Linux. Sure as heck isn't running Windows.
All of this affected older kernels from 5.4 - 5.15, which are the basic kernels released with the LTS package. Running manual updates on the latest kernel, being 5.18, already fixed these holes.

Looking at the CVEs associated with the bugs, they require local access to the machine as well to run them.
What you are saying just proves you need a good vendor that will keep up and support their product and not leave you hanging. Cisco does a great job of this.
What you are saying just proves you need a good vendor that will keep up and support their product and not leave you hanging. Cisco does a great job of this.
No, what I'm saying is if security is your concern you need to take action yourself instead of relying on published updates. The only way to bypass the regular kernel updates to the most patched version is to go grab them and install them. Being accountable for your own security.

Cisco is still a manual process to install updates. If you're not keeping tabs on what's running you're prone to failure.
No I don't. I need to follow what my vendor does. It is the way it is.

If you are that concerned, then you need to be writing the code updates so you will be first; as it is, you are waiting for someone else to write your patches for you.
No I don't. You are getting boring and I am not going to change my mind. You can't see the forest for all the trees.