Why Just Backing Up Your Router Config is the Wrong Thing To Do

One of the most fundamental best practices of any IT organization is to have a backup strategy and system in place for critical systems and devices. This is clearly needed for any disaster recovery situation and most IT departments have definitive plans and even practiced methodologies set in place for such an occurrence.

Why Just Backing Up Your Router Config is the Wrong Thing To DoHowever what many IT pros don’t always consider is how useful it is to have backups for reasons other than DR and the fact that for most network devices (and especially routers), it is not just the running configuration that should be saved. In fact, there are potentially hundreds of smaller pieces of information that when properly backed up can be used for help with ongoing operational issues.

First, let’s take a look at the traditional device backup landscape, and then let’s explore how this structure should be enhanced to provide additional services and benefits.

Unlike server hard drives, network devices like routers do not usually fall within the umbrella backup systems used for mass data storage. In most cases a specialized system must be put in place for these devices. Each network vendor has special commands that must be used in order to access the device and request / download the configurations.

When looking at these systems it is important to find out where the resulting configurations will be stored. If the system is simply storing the data into an on-site appliance, then it also critical to determine if that appliance itself is being backup into an offsite / recoverable system otherwise the backup are not useful in a DR situation where the backup appliance may also be offline.

It is also important to understand how many backups your system can hold i.e. can you only store the last 10 backups, or maybe only everything in the last 30 days etc. are these configurable options that you can adjust based on your retention requirements? This can be a critical component for audit reporting, as well as when rollback is needed to a previous state (that may not just have been the last state).

Lastly, does the system offer a change report showing what differences exist between selected configurations? Can you see who made the changes and when?

In addition to the “must haves” explored above, I also think there are some advanced features that really can dramatically improve the operational value of a device / router backup system. Let’s look at these below:

  • Routers and other devices are more than just their config files. Very often they can provide output which describes additional aspects of their operation. To use the common (cisco centric) terminology, you can also get and store the output of a “show” command. This may contain critical information about the devices hardware, software, services, neighbors and more that could not be seen from just the configuration. It can be hugely beneficial to store this output as well as it can be used to help understand how the device is being used, what other devices are connected to it and more.
  • Any device in a network, especially a core component such as a router should conform to company specific policies for things like access, security etc. Both the main configuration file, as well as the output from the special “show” commands can be used to check the device against any compliance policy your organization has in place.
  • All backups need to run both on a schedule (we generally see 1x per day as the most common schedule) as well as on an ad-hoc basis when a change is made. This second option is vital to maintaining an up to date backup system. Most changes to devices happen at some point during the normal work day. It is critical that your backup system can be notified (usually via log message) that a change was made and then immediately launch a backup of the device – and potentially a policy compliance check as well.

Long gone are the days where simply logging into a router, getting the running configuration, and storing that in a text file is considered a “backup plan”. Critical network devices need to have the same attention paid them as servers and other IT systems. Now is a good time to revisit your router backup systems and strategies and determine if you are implementing a modern backup approach, as you can see its not just about backing up your router config.

Why Just Backing Up Your Router Config is the Wrong Thing To DoThanks to NMSaaS for the article.


Videotron Tests 1Gbps Broadband

Quebec-based quadruple-play operator Videotron has confirmed plans to introduce broadband speeds of 1Gbps-plus on its cable network, up from its current top speed of 200Mbps. A press release said that Videotron is enabling households and businesses in the Greater Montreal area to reach ‘and even exceed’ 1Gbps, with testing of the new service ongoing in the city.

Thanks to TeleGeography for the article.

Encryption: The Next Big Security Threat

As is common in the high-tech industry, fixing one problem often creates another. The example I’m looking at today is network data encryption. Encryption capability, like secure sockets layer (SSL), was devised to protect data packets from being read or corrupted by non-authorized users. It’s used on both internal and external communications between servers, as well as server to clients. Many companies (e.g. Google, Yahoo, WebEx, Exchange, SharePoint, Wikipedia, E*TRADE, Fidelity, etc.) have turned this on by default over the last couple of years.

Unfortunately, encryption is predicted to become the preferred choice of hackers who are creating malware and then using encrypted communications to propagate and update the malware. One current example is the Zeus botnet, which uses SSL communications to upgrade itself. Gartner Research stated in their report “Security Leaders Must Address Threats From Rising SSL Traffic” that by 2017, 50% of malware threats will come from using SSL encrypted traffic. This will create a serious blind spot for enterprises. Gartner also went on to state that less than 20% of firewalls, UTM, and IPS deployments support decryption. Both of these statistics should be alarming to anyone involved in network security.

And it’s not just Zeus you need to look out for. There are several types of growing encrypted malware threats. The Gartner report went on to mention two more instances (one being a Boston Marathon newsflash) of encryption being misused by malware threats. Other examples exist as well: the Gameover Trojan, Dyre, and a new Upatre variant just found in April.

Another key point to understand is that “just turning on encryption” isn’t a simple, low-cost fix, especially when using 2048-bit RSA keys that have been mandated since January 1, 2014. NSS labs ran a study and found that the decryption capability in typical firewalls reduced the throughput of the firewalls by up to 74%. The study also found an average performance loss of 81% across all eight vendors that they evaluated. Turning on encryption/decryption capabilities will cost you—both in performance and in higher network costs.

And, it gets worse! Firewalls, IPS’ and other devices are usually only deployed at the edge of enterprise networks. The internal network communications between server to sever and server to client often go unexamined within many enterprises. These internal communications can be up to 80% of your encrypted traffic. Once the malware gets into your network, it uses SSL to camouflage its activities. You’ll never know about it—data can be exfiltrated, virus’ and worms can be released, or malicious code can be installed. This is why you need to look at internally encrypted traffic as well. Constant vigilance is now the order of the day.

One way to implement constant vigilance is for IT teams is to spot check their network data to see if there are hidden threats. Network packet brokers (NPBs) that support application intelligence with SSL decryption are a good solution. Application intelligence is the ability to monitor packets based on application type and usage. It can be used to decrypt network packets and dynamically identify the applications running (along with malware) on a network. And since the decryption is performed on out-of-band monitoring data, there is no performance impact.

An easy answer to gain visibility, especially for internally encrypted traffic, is to deploy the Ixia ATI Processor. The Ixia ATI Processor uses bi-directional, stateful decryption capability, and allows you to look at both encrypted internal and external communications. Once the monitoring data is decrypted, application filtering can be applied and the information can be sent to dedicated, purpose-built monitoring tools (like an IPS, IDS, SIEMs, network analyzers, etc.).

Ixia’s Application and Threat Intelligence (ATI) Processor, built for the NTO 7300 and also the NTO 6212 standalone model, brings intelligent functionality to the network packet broker landscape with its patent pending technology that dynamically identifies all applications running on a network. This product gives IT organizations the insights needed to ensure the network works—every time and everywhere. This visibility product extends past Layer 4 through to Layer 7 and provides rich data regarding the behavior and locations of users and applications in the network.

As new network security threats emerge, the ATI Processor helps IT improve their overall security with better intelligence for their existing security tools. The ATI Processor correlates applications with geography and can identify compromised devices and malicious activities such as Command and Control (CNC) communications from malicious botnet activities. IT organizations can now dynamically identify unknown applications, identify security threats from suspicious applications and locations, and even audit for security policy infractions, including the use of prohibited applications on the network or devices.

To learn more, please visit the ATI Processor product page or contact us to see a demo!

Additional Resources:

Application and Threat Intelligence (ATI) Processor

NTO 7300

NTO 6212

Solution Focus Category

Network Visibility

Thanks to Ixia for the article.

Sapling Introduces New Slim Line Analog Clocks!

Sapling Introduces New Slim Line Analog Clocks!

As a part of our commitment to innovation, Sapling is proud to introduce our new Slim Line Analog Clocks featuring a lower profile, ABS case. The Slim Line Analog Clocks are offered with a black case, a brushed aluminum finish, or a wooden case and are available with all four (IP, Wired, Wireless, and TalkBack) Sapling synchronized clock systems!

Sapling Introduces New Slim Line Analog Clocks!Highlights of the new Slim Line Analog Clocks include:

  • More case options!
  • Solid Wood Case with Cherry Finish
  • Brushed Aluminum Finish
  • New and easier wall mount installation
  • Available in 9″, 12″ and 16″ diameter
  • Black Slim Line Analog Clock and Brushed Aluminum Slim Line Analog Clock can be used with the new Sapling Time Zone Clock
  • Shatterproof polycarbonate crystal with flatter front design
  • Stylish dial and hands options

Sapling’s Slim Line Analog Clocks are expected to be available by the fourth quarter of 2015.

Thanks to Sapling for the article.

New GigaStor Portable 5x Faster

New GigaStor Portable 5x Faster

Set up a Mobile Forensics Unit Anywhere

On June 22, Network Instruments announced the launch of its new GigaStor Portable 10 Gb Wire Speed retrospective network analysis (RNA) appliance. The new portable configuration utilizes solid state drive (SSD) technology to stream traffic to disk at full line rate on full-duplex 10 Gb links without dropping packets.

“For network engineers, remotely troubleshooting high-speed networks used to mean leaving powerful RNA tools behind, and relying on a software sniffer and laptop to capture and diagnose problems,” said Charles Thompson, chief technology officer for Network Instruments. “The new GigaStor Portable enables enterprises and service providers with faster links to accurately and quickly resolve issues by having all the packets available for immediate analysis. Additionally, teams can save time and money by minimizing repeat offsite visits and remotely accessing the appliance.”

Quickly Troubleshoot Remote Problems

Without GigaStor Portable’s insight, engineers and security teams may spend hours replicating a network error or researching a potential attack before they can diagnose its cause. GigaStor Portable can be deployed to any remote location to collect and save weeks of packet-level data, which it can decode, analyze, and display. The appliance quickly sifts through data, isolates incidents, and provides extensive expert analysis to resolve issues.

Part of the powerful Observer Performance Management Platform, the GigaStor Portable 10 Gb Wire Speed with SSD provides 6 TB of raw storage capacity, and includes the cabling and nTAP needed to install the appliance on any 10 Gb network and start recording traffic right away.

Forensic capabilities are an important part of any network management solution. Learn more about GigaStor Portable and how RNA can help protect the integrity of your data.

Thanks to Network Instruments for the article.

NMSaaS Webinar – Stop paying for Network Inventory Software & let NMSaaS do it for FREE.

NMSaaS Webinar - Stop paying for Network Inventory Software & let NMSaaS do it for FREE.Please join NMSaaS CTO John Olson for a demonstration of our free Network Discovery, Asset & Inventory Solution.

Wed, Jul 29, 2015 1:00 PM – 1:30 PM CDT

Do any of these problems sound familiar?

  • My network is complex and I don’t really even know exactly what we have and where it all is.
  • I can’t track down interconnected problems
  • I don’t know when something new comes on the network
  • I don’t know when I need upgrades
  • I suspect we are paying too much for maintenance

NMSaaS is here to help.

Sign up for the webinar NOW > > >

In this webinar you will learn that you can receive the following:

  • Highly detailed complimentary Network Discovery, Inventory and Topology Service
  • Quarterly Reports with visibility in 100+ data points including:
    • Device Connectivity Information
    • Installed Software
    • VM’s
    • Services / Processes
    • TCP/IP Ports in use
    • More…
  • Deliverables – PDF Report & Excel Inventory List

Thanks to NMSaaS for the article.


CRTC Mandates Wholesale Fibre Broadband Access

The Canadian Radio-television and Telecommunications Commission (CRTC) yesterday announced new measures in the wholesale fixed broadband market, including a ruling forcing the country’s largest internet providers to open up their high speed fibre-based access networks to smaller rivals. The regulator said the measures are to foster competition and provide Canadians with more choice and innovative services at reasonable prices.

Following an extensive review, the CRTC found that: ‘the large incumbent companies [including Bell Canada/Bell Aliant, Rogers Communications, Shaw Communications, Videotron and Telus Communications] continue to possess market power in the provision of wholesale high speed access services’ and it is therefore requiring that they make their new-generation services such as fibre-to-the-premises (FTTP) available to competitors. The summary continued: ‘The demand by Canadians for higher speed services will only increase in the coming years … Large incumbent companies will now have to make their fibre facilities available to their competitors. This measure will ensure that Canadians have more choice for high speed Internet services and are able to fully leverage the benefits of the broadband home or business.’

Another aspect of the CRTC’s decision involves scrapping the currently mandated ‘aggregated’ wholesale high speed access (HSA), which has enabled smaller competitors to lease a package of both the access facilities they need to connect to customer locations, and transport facilities, from larger incumbents, without requiring the smaller players to invest substantially in their networks. Under the new policy decision, the CRTC stated that: ‘The large incumbent companies will continue to be required to provide access to wholesale high speed access services throughout their region and transition this access to a disaggregated architecture. The provision of wholesale high speed access services on a disaggregated basis will be implemented in phases across Canada, starting with Ontario and Quebec.’ The regulator indicated that it will take up to three years to phase out aggregated access.

Furthermore, under the policy decision (Telecom Regulatory Policy CRTC 2015-326), copper unbundled local loops (ULLs), which in Canada the CRTC considers ‘a legacy service used primarily to support retail competition for local phone services and lower-speed Internet access’, will no longer be mandated and will be phased out.

The regulator also confirmed that ‘Ethernet and high speed competitor digital network services’, which are primarily used to support retail competition in the business data services market, will remain forborne from price regulation and not mandated.

Currently mandated wholesale services (ahead of the decision):

  • ULLs
  • Incumbent local exchange carriers’ (ILECs’) aggregated wholesale HSA service
  • Cablecos’ aggregated wholesale HSA service (also known as TPIA) service
  • Interconnection services
  • Public good’ services

Wholesale services mandated as a result of this decision:

  • ILEC and cableco disaggregated wholesale HSA services
  • FTTP access facilities
  • Interconnection services
  • Public good services

Wholesale services that are no longer mandated or that remain forborne from price regulation:

  • ULLs
  • Ethernet access and transport services
  • High speed CDN access and transport services.

The CRTC noted that its next steps include hammering out the details for implementing the wholesale HSA/transport service disaggregation, and setting the costs for wholesale fibre access.

Thanks to TeleGeography for the article.