Tuesday, January 5, 2016

auto login

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
The AutoAdminLogon value under this key determines whether the automatic logon feature is enabled. Automatic logon uses the domain, user name, and password stored in the registry (DefaultDomainName, DefaultUserName and DefaultPassword) to log the user on when the system starts; the Log On to Windows dialog box is not displayed.
https://technet.microsoft.com/en-us/library/cc939702.aspx

  • Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="Administrator"
"DefaultPassword"="Password"
"AutoAdminLogon"="1"
"ForceAutoLogon"="1"
Caveat: written this way, DefaultPassword sits in cleartext under a key that ordinary users can read, so anyone with a local account, or a copy of the SOFTWARE hive, gets the password of the account that logs on automatically. ForceAutoLogon makes Windows log that account straight back on after a logoff, so the machine cannot be left at the logon screen.
https://stackoverflow.com/questions/21379759/how-to-automatically-logon-to-windows-7-using-a-password

  • Autologon for Windows v3.01 (Sysinternals)
Sets up the same Winlogon values but stores the password as an LSA secret instead of a cleartext DefaultPassword string. That is the better of the two options, though the credential is still recoverable by anyone who becomes SYSTEM on the machine, so autologon should be limited to kiosks and lab boxes holding accounts with no rights elsewhere.
https://technet.microsoft.com/en-us/sysinternals/bb963905.aspx
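As an added example (not part of the original notes or of any Microsoft tool), the following Python audits a .reg export of the Winlogon key for the exposure just described: AutoAdminLogon set together with a cleartext DefaultPassword. The export text it parses is a constructed sample matching the fragment above with a DefaultDomainName value added; the reg export command and the file name in the comments are assumptions about how the key would be collected:

```python
r"""Audit an exported Winlogon key for automatic logon with a cleartext password.

Added example, not taken from the original notes. Feed it the text of a .reg
export of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, e.g. from
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg
(assumed collection step; reg.exe writes UTF-16 with a BOM, see read_reg_file).
"""
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample export, matching the fragment above plus a DefaultDomainName.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultDomainName"="CORP"
"DefaultUserName"="Administrator"
"DefaultPassword"="Password"
"AutoAdminLogon"="1"
"ForceAutoLogon"="1"
'''

_SECTION = re.compile(r"^\[(.+)\]\s*$")
# "Name"="string value"  or  "Name"=dword:00000001 / hex:... (non-string forms kept raw)
_VALUE = re.compile(r'^"([^"]+)"=(?:"((?:[^"\\]|\\.)*)"|(.+))$')


def parse_reg(text):
    r"""Return {key_path: {value_name: value}} for a .reg export.

    Simplification: multi-line hex values (continuation lines ending in a
    backslash) are not reassembled; they are not needed for the Winlogon check.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            if m.group(2) is not None:
                value = re.sub(r"\\(.)", r"\1", m.group(2))  # undo \" and \\ escapes
            else:
                value = m.group(3).strip()
            keys[current][m.group(1)] = value
    return keys


def audit_winlogon(reg_text):
    """Summarise autologon exposure. Keys: enabled, cleartext_password, user, findings."""
    values = parse_reg(reg_text).get(WINLOGON_KEY, {})
    enabled = values.get("AutoAdminLogon", "0").lower() in ("1", "dword:00000001")
    password = values.get("DefaultPassword", "")
    user = values.get("DefaultUserName")
    domain = values.get("DefaultDomainName")
    if user and domain:
        user = f"{domain}\\{user}"
    findings = []
    if enabled:
        findings.append(f"AutoAdminLogon enabled for {user or '<no DefaultUserName>'}")
    if password:
        # The Winlogon key is readable by ordinary users, so this is the finding
        # that matters: a credential recoverable without any privilege.
        findings.append("DefaultPassword stored in cleartext in the Winlogon key")
    if enabled and not password:
        # Sysinternals Autologon stores the password in the DefaultPassword LSA
        # secret instead; that needs SYSTEM to read, so it is a weaker finding.
        findings.append("AutoAdminLogon enabled without cleartext DefaultPassword "
                        "(check the DefaultPassword LSA secret)")
    return {"enabled": enabled, "cleartext_password": bool(password),
            "user": user, "findings": findings}


def read_reg_file(path):
    """Read a reg.exe export; the 'utf-16' codec consumes the BOM reg.exe writes."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


if __name__ == "__main__":
    for finding in audit_winlogon(SAMPLE_REG)["findings"]:
        print(finding)
```

On a fleet the same check is worth running against offline copies of the SOFTWARE hive from images and backups, since that is where an attacker would read the value too.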

linux certification

  • The Linux Essentials Professional Development Certificate validates a demonstrated understanding of:

    FOSS, the various communities, and licenses
    knowledge of open source applications in the workplace as they relate to closed source equivalents
    basic concepts of hardware, processes, programs and the components of the Linux Operating System
    how to work on the command line and with files
    how to create and restore compressed backups and archives
    system security, users/groups and file permissions for public and private directories
    how to create and run simple scripts
https://www.lpi.org/certification/linux-essentials/

  • LPIC-1: Linux Server Professional Certification

    Work at the Linux command line
    Perform easy maintenance tasks: help users, add users to a larger system, backup and restore, shutdown and reboot
    Install and configure a workstation (including X) and connect it to a LAN, or a standalone PC to the Internet
https://www.lpi.org/certification/get-certified-lpi/lpic-1-linux-server-professional/



  • LPIC-2: Linux Network Professional Certification

    Administer a small to medium-sized site
    Plan, implement, maintain, keep consistent, secure, and troubleshoot a small mixed (MS, Linux) network, including a:
        LAN server (Samba, NFS, DNS, DHCP, client management)
        Internet Gateway (firewall, VPN, SSH, web cache/proxy, mail)
        Internet Server (web server and reverse proxy, FTP server)
    Supervise assistants
    Advise management on automation and purchases
https://www.lpi.org/certification/get-certified-lpi/lpic-2-linux-network-professional/

  • LPIC-3: Linux Enterprise Professional Certification (one exam per specialty)

    300: Mixed Environment
    303: Security
    304: Virtualization and High Availability
https://www.lpi.org/certification/get-certified-lpi/lpic-3-linux-enterprise-professional/

The cross-functional team

  • The cross-functional team is a group of people who collectively represent the entire organization’s interests in a specific product or product family. This team provides benefits for the individuals on the team, the product and its customers, and the organization at large.
http://pragmaticmarketing.com/resources/enabling-cross-functional-teams-a-leadership-role-for-product-managers

Search domain

The search domain is the DNS suffix that the resolver automatically appends when you refer to a host by its short hostname alone; it is mostly used within a local network.
Suppose you own a domain such as xyz.com (registered globally or used only internally) and have 100 computers on the LAN. With xyz.com configured as the search domain, looking up a machine by its hostname alone resolves hostname.xyz.com.
On Linux this is the "search" line in /etc/resolv.conf; on Windows it is the DNS suffix search list.

NAC solutions

  • Your private path to access network resources and services securely
https://openvpn.net/

  • Linux Notes (without RPM)


If you are using Debian, Gentoo, or a non-RPM-based Linux distribution, use your distro-specific packaging mechanism such as apt-get on Debian or emerge on Gentoo.

It is also possible to install OpenVPN on Linux using the universal ./configure method. First expand the .tar.gz file:

tar xfz openvpn-[version].tar.gz
Then cd to the top-level directory and type:

./configure
make
make install

OpenVPN is a full-featured SSL VPN which implements OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or username/password credentials, and allows user or group-specific access control policies using firewall rules applied to the VPN virtual interface. OpenVPN is not a web application proxy and does not operate through a web browser.

https://openvpn.net/index.php/open-source/documentation/howto.html#install


  • What is openNAC
Open source network access control that provides secure access for LAN/WAN and allows flexible access policies based on rules.
http://www.opennac.org/opennac/en.html

  • FreeNAC provides Virtual LAN assignment, LAN access control (for all kinds of network devices such as Servers, Workstations, Printers, IP-Phones ..), live network end-device discovery
http://jafsec.com/Network-Access-Control/free-nac.html

  • PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) solution. Boasting an impressive feature set including a captive-portal for registration and remediation, centralized wired and wireless management, powerful BYOD management options, 802.1X support, layer-2 isolation of problematic devices
http://packetfence.org/

  • What is Packetfence? Simply put, it's a Network Access Control (NAC) solution. In other words, if you want to control what devices are allowed on your network, you should consider a NAC

    Captive-portal for registration and remediation
    Centralized wired and wireless management
    802.1X support
    Layer-2 isolation of problematic devices
    Integration with the Snort IDS and the Nessus vulnerability scanner
https://www.techrepublic.com/article/how-to-install-packetfence-on-centos-7/



  • PacketFence reuses many components in an infrastructure. Nonetheless, it will install the following ones and manage them itself:


    database server (MariaDB)
    web server (Apache)
    DHCP server (PacketFence)
    RADIUS server (FreeRADIUS)
    firewall (iptables)


3.2. Minimum Hardware Requirements

The following provides a list of the minimum server hardware recommendations:

    Intel or AMD CPU 3 GHz, 2 CPU cores
    12 GB of RAM (16 GB recommended)
    100 GB of disk space (RAID-1 recommended)
    1 network card (2 recommended)


3.3. Operating System Requirements

PacketFence supports the following operating systems on the x86_64 architecture:

    Red Hat Enterprise Linux 7.x Server
    Community ENTerprise Operating System (CentOS) 7.x
    Debian 9.0 (Stretch)


https://packetfence.org/doc/PacketFence_Installation_Guide.html



  •     Captive portal: Can be used to require users to login before using the network or to present instructions to a user on a web page, blocking all other network traffic, when a problem is detected.

    Malware detection and alerting: Along with internal features, PacketFence can work with remote sensors like from Snort.
    Vulnerability scans with Nessus: Can use the external Nessus program to periodically run vulnerability scans.
    Isolation of problematic devices: One of the several isolation techniques PacketFence supports is VLAN isolation (with VoIP support), where problematic clients are moved to a designated VLAN. Switches from many vendors are supported.
    DHCP fingerprinting: Used to automatically allow or disallow specific device types (such as VoIP phones or Wi-Fi equipped game systems).
http://www.practicallynetworked.com/security/packet_fence_tutorial.htm
  • What is geo-fencing?
Geo-fencing enables software administrators to define geographical boundaries. They draw a shape around the perimeter of a building or area where they want to enforce a virtual barrier, and decide who can access what within that barrier, based on GPS coordinates. It is worth differentiating between geo-location and geo-fencing: geo-location uses your IP address, which can be easily spoofed or fooled and is not geographically accurate, whereas geo-fencing is based on GPS coordinates (latitude and longitude) reported by the device. Caveat: those coordinates come from the client, and a device its owner controls can report fake ones, so geo-fencing raises the bar but is not a strong authentication factor on its own.
https://blog.microfocus.com/research/geo-fencing-securing-authentication/4275/

  • Network Policy Server (NPS)
 NPS is installed when you install the Network Policy and Access Services (NPAS) feature in Windows Server 2016 and Server 2019.
 Network Policy Server (NPS) allows you to create and enforce organization-wide network access policies for connection request authentication and authorization.

You can also configure NPS as a Remote Authentication Dial-In User Service (RADIUS) proxy to forward connection requests to a remote NPS or other RADIUS server so that you can load balance connection requests and forward them to the correct domain for authentication and authorization.

RADIUS server
NPS performs centralized authentication, authorization, and accounting for wireless, authenticating switch, remote access dial-up and virtual private network (VPN) connections.
When you use NPS as a RADIUS server, you configure network access servers, such as wireless access points and VPN servers, as RADIUS clients in NPS.
You also configure network policies that NPS uses to authorize connection requests, and you can configure RADIUS accounting so that NPS logs accounting information to log files on the local hard disk or in a Microsoft SQL Server database.

RADIUS proxy
When you use NPS as a RADIUS proxy, you configure connection request policies that tell NPS which connection requests to forward to other RADIUS servers and to which RADIUS servers you want to forward connection requests. You can also configure NPS to forward accounting data to be logged by one or more computers in a remote RADIUS server group.

RADIUS accounting
You can configure NPS to log events to a local log file or to a local or remote instance of Microsoft SQL Server.

You can configure NPS with any combination of these features. For example, you can configure one NPS as a RADIUS server for VPN connections and also as a RADIUS proxy to forward some connection requests to members of a remote RADIUS server group for authentication and authorization in another domain.

You can use NPS as a RADIUS server when:

    You are using an AD DS domain or the local SAM user accounts database as your user account database for access clients.
    You are using Remote Access on multiple dial-up servers, VPN servers, or demand-dial routers and you want to centralize both the configuration of network policies and connection logging and accounting.
    You are outsourcing your dial-up, VPN, or wireless access to a service provider. The access servers use RADIUS to authenticate and authorize connections that are made by members of your organization.
    You want to centralize authentication, authorization, and accounting for a heterogeneous set of access servers.


RADIUS server and RADIUS proxy configuration examples

NPS as a RADIUS server. In this example, NPS is configured as a RADIUS server, the default connection request policy is the only configured policy, and all connection requests are processed by the local NPS. The NPS can authenticate and authorize users whose accounts are in the domain of the NPS and in trusted domains.

NPS as a RADIUS proxy. In this example, the NPS is configured as a RADIUS proxy that forwards connection requests to remote RADIUS server groups in two untrusted domains.

NPS as both RADIUS server and RADIUS proxy. In addition to the default connection request policy, which designates that connection requests are processed locally, a new connection request policy is created that forwards connection requests to an NPS or other RADIUS server in an untrusted domain. This second policy is named the Proxy policy. In this example, the Proxy policy appears first in the ordered list of policies. If the connection request matches the Proxy policy, the connection request is forwarded to the RADIUS server in the remote RADIUS server group. If the connection request does not match the Proxy policy but does match the default connection request policy, NPS processes the connection request on the local server. If the connection request does not match either policy, it is discarded.

NPS as a RADIUS server with remote accounting servers. In this example, the local NPS is not configured to perform accounting and the default connection request policy is revised so that RADIUS accounting messages are forwarded to an NPS or other RADIUS server in a remote RADIUS server group. Although accounting messages are forwarded, authentication and authorization messages are not forwarded, and the local NPS performs these functions for the local domain and all trusted domains.

NPS with remote RADIUS to Windows user mapping. In this example, NPS acts as both a RADIUS server and as a RADIUS proxy for each individual connection request by forwarding the authentication request to a remote RADIUS server while using a local Windows user account for authorization. This configuration is implemented by configuring the Remote RADIUS to Windows User Mapping attribute as a condition of the connection request policy. (In addition, a user account must be created locally on the RADIUS server that has the same name as the remote user account against which authentication is performed by the remote RADIUS server.)

NPS logging is also called RADIUS accounting. Configure NPS logging to your requirements whether NPS is used as a RADIUS server, proxy, or any combination of these configurations.

https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-top

  • Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect to and use a network service.
RADIUS is a client/server protocol that runs in the application layer. The standard transport is UDP (RFC 2865); RADIUS over TCP (RFC 6613) and RADIUS over TLS, "RadSec" (RFC 6614), exist for deployments that need a reliable or encrypted transport. Network access servers, which control access to a network, usually contain a RADIUS client component that communicates with the RADIUS server.
RADIUS is often the back-end of choice for 802.1X authentication.

Authentication and authorization

The user or machine sends a request to a Network Access Server (NAS) to gain access to a particular network resource using access credentials.
The credentials are passed to the NAS device via the link-layer protocol; for example, Point-to-Point Protocol (PPP) in the case of many dialup or DSL providers, or posted in an HTTPS secure web form.

In turn, the NAS sends a RADIUS Access-Request message to the RADIUS server, requesting authorization to grant access via the RADIUS protocol.
This request includes access credentials, typically in the form of a username and password or a security certificate provided by the user.
Additionally, the request may contain other information which the NAS knows about the user, such as its network address or phone number, and information regarding the user's physical point of attachment to the NAS.

The RADIUS server checks that the information is correct using authentication schemes such as PAP, CHAP or EAP.
The user's proof of identification is verified, along with, optionally, other information related to the request, such as the user's network address or phone number, account status, and specific network service access privileges.
Historically, RADIUS servers checked the user's information against a locally stored flat-file database. Modern RADIUS servers can still do this, or can refer to external sources, commonly SQL, Kerberos, LDAP, or Active Directory servers, to verify the user's credentials.

The RADIUS server then returns one of three responses to the NAS: 1) Access-Reject, 2) Access-Challenge, or 3) Access-Accept.

 For example, the following authorization attributes may be included in an Access-Accept:

    The specific IP address to be assigned to the user
    The address pool from which the user's IP address should be chosen
    The maximum length of time that the user may remain connected
    An access list, priority queue or other restrictions on a user's access
    L2TP parameters
    VLAN parameters
    Quality of Service (QoS) parameters
Accounting
Accounting is described in RFC 2866.

Packet structure
RADIUS is transported over UDP/IP, port 1812 for authentication and 1813 for accounting (older deployments still use 1645 and 1646). Every packet starts with a 20-byte header: a 1-byte Code (Access-Request, Access-Accept, Accounting-Request, and so on), a 1-byte Identifier used to match replies to requests, a 2-byte Length, and a 16-byte Authenticator, followed by the attributes. In a request the Authenticator is a random value; in a reply it is an MD5 hash over the reply and the shared secret, which is the only integrity protection RADIUS has. The User-Password attribute is hidden with an MD5 keystream derived from the shared secret and the Request Authenticator rather than encrypted, so a RADIUS exchange should only cross networks you control, or be wrapped in IPsec or RadSec.

Attribute value pairs
The RADIUS Attribute Value Pairs (AVPs) carry data in both the request and the response for the authentication, authorization, and accounting transactions. Each AVP is encoded as a 1-byte Type, a 1-byte Length (covering type, length and value) and the value, which limits a single attribute to 253 bytes of data.

Vendor-specific attributes
Many vendors of RADIUS hardware and software implement their own variants using Vendor-Specific Attributes (VSAs), carried inside attribute type 26.

https://en.wikipedia.org/wiki/RADIUS
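The exchange and packet layout described above, as an added example that is not part of the original notes or of any RADIUS product. Python is used because the point is the byte-level structure; the shared secret, identifier, Request Authenticator, user name, password and NAS address are constructed sample values, and demo() ties the pieces together:

```python
"""RADIUS packet layout, User-Password hiding and Response Authenticator check.

Added example, not from the original notes or any RADIUS implementation. Builds
the Access-Request a NAS sends, recovers the hidden password as the server does,
and verifies an Access-Accept as the NAS must before trusting it. All values
(secret, identifier, Request Authenticator, user, password, NAS IP) are samples.
"""
import hashlib
import hmac
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; 16-byte Authenticator follows


def encode_attrs(attrs):
    """Pack [(type, value_bytes), ...] as AVPs: 1-byte Type, 1-byte Length, value."""
    out = bytearray()
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value exceeds 253 octets")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return bytes(out)


def decode_attrs(data):
    attrs, pos = [], 0
    while pos < len(data):
        atype, alen = struct.unpack_from("!BB", data, pos) if pos + 2 <= len(data) else (0, 0)
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR 16-octet chunks with MD5(secret + previous block).
    Obfuscation keyed by the shared secret, not encryption."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden, secret, request_auth):
    """Server side of hide_password; strips the NUL padding."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def build_packet(code, identifier, authenticator, attrs):
    body = encode_attrs(attrs)
    return HEADER.pack(code, identifier, 20 + len(body)) + authenticator + body


def parse_packet(data):
    """Return (code, identifier, authenticator, [(type, value), ...])."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, identifier, length = HEADER.unpack_from(data, 0)
    if length < 20 or length > len(data):
        raise ValueError("bad Length field")
    return code, identifier, data[4:20], decode_attrs(data[20:length])


def build_access_request(identifier, request_auth, username, password, secret, nas_ip):
    attrs = [(USER_NAME, username),
             (USER_PASSWORD, hide_password(password, secret, request_auth)),
             (NAS_IP_ADDRESS, socket.inet_aton(nas_ip))]
    return build_packet(ACCESS_REQUEST, identifier, request_auth, attrs)


def build_response(code, identifier, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = HEADER.pack(code, identifier, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify_response(response, request_auth, secret):
    """NAS-side check before honouring a reply. Without the secret a spoofed UDP
    reply fails here; with the secret an attacker can forge anything."""
    parse_packet(response)  # structural validation, raises on garbage
    length = HEADER.unpack_from(response, 0)[2]
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def demo():
    secret, request_auth = b"constructed-shared-secret", bytes(range(16))  # samples; use os.urandom(16)
    req = build_access_request(7, request_auth, b"alice", b"s3cret!", secret, "192.0.2.10")
    code, ident, auth, attrs = parse_packet(req)
    hidden = dict(attrs)[USER_PASSWORD]
    accept = build_response(ACCESS_ACCEPT, ident, auth, [], secret)
    forged = bytearray(accept)
    forged[5] ^= 0x01  # flip one Authenticator bit
    return {"code": code, "identifier": ident, "request_len": len(req),
            "recovered": unhide_password(hidden, secret, request_auth),
            "accept_ok": verify_response(accept, request_auth, secret),
            "forged_ok": verify_response(bytes(forged), request_auth, secret),
            "wrong_secret_ok": verify_response(accept, request_auth, b"other-secret")}
```

demo() returns the parsed header fields, the recovered password and three verification results: the genuine Access-Accept verifies, the same packet with one Authenticator bit flipped does not, and verification with a different secret does not. The hide_password/unhide_password pair is also why RADIUS on an untrusted segment should be treated as cleartext-equivalent: a capture plus the secret yields every password, and a capture plus one known password allows an offline guess of the secret.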

  • FreeRADIUS is a modular, high-performance free RADIUS suite.
The FreeRADIUS Suite includes a RADIUS server, a BSD-licensed RADIUS client library, a PAM library, an Apache module, and numerous additional RADIUS-related utilities and development libraries.
In most cases, the word "FreeRADIUS" refers to the free open-source RADIUS server from this suite.
It supports all common authentication protocols; older releases also shipped a PHP-based web administration tool called dialupadmin.
It is the basis for many commercial RADIUS products and services, such as embedded systems, RADIUS appliances that support Network Access Control, and WiMAX.
It is also widely used in the academic community, including eduroam.
Modules included with the server core support LDAP, MySQL, PostgreSQL, Oracle, and many other databases.
It supports all popular EAP authentication types, including PEAP and EAP-TTLS. More than 100 vendor dictionaries are included, ensuring compatibility with a wide range of NAS devices.
https://en.wikipedia.org/wiki/FreeRADIUS

The FreeRADIUS Server Project is a high-performance and highly configurable multi-protocol policy server, supporting RADIUS, DHCPv4, DHCPv6, TACACS+ and VMPS.
FreeRADIUS can authenticate users on systems such as 802.1X (Wi-Fi), dialup, PPPoE, VPNs, VoIP, and many others.
https://github.com/FreeRADIUS/freeradius-server

  • Network access control is a computer networking solution that uses a set of protocols to define and implement a policy that describes how to secure access to network nodes by devices when they initially attempt to access the network.
A basic form of NAC is the 802.1X standard
Network access control aims to do exactly what the name implies—control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do. 

https://en.wikipedia.org/wiki/Network_Access_Control

  • NAC is an appliance or virtual machine that controls device access to the network. It began as a network authentication and authorization method for devices joining the network, which follows the IEEE 802.1X standards.

The authentication method involves three parties: the client device (the supplicant), the authenticator, and the authentication server.

The authenticator could be a network switch or wireless access point that demarcates the protected network from the unprotected network. The client provides credentials in the form of a username and password, a digital certificate, or some other means, to the authenticator, which forwards these credentials to the server. Depending on the outcome of authentication, the authenticator will either block the device or allow it access to the network.

Another method to control access to a network, especially a publicly available network, is a captive portal. If you've ever connected to a network in an airport, hotel, or coffee shop, you might remember interacting with a web page that asked you to agree to legal terms before granting access.

NAC evolved to accommodate:
    Guest access
    Bring Your Own Device (BYOD)
    the Internet of Things (IoT)

BYOD and IoT devices introduced new security challenges. BYODs are personally owned, not assets of an organization, so MIS does not control what runs on these devices, for example antivirus software or unsafe applications.

IoT devices are hardware with a sensor that transmits data from one place to another over the internet, dramatically expanding the attack surface.

Organizations buy IoT-enabled devices from other vendors, and these devices connect back to vendor networks to provide information about product use and maintenance needs. Organizations tolerate this situation because IoT devices save them time and money. For example, if a printer is low on toner, the vendor could notify the network administrator by email, or even deliver new toner cartridges automatically. In a smart home, IoT devices regulate heat and humidity, remotely control the locks on doors, monitor what's in the fridge, and even help with your grocery list.

The variety of devices, the lack of standards, and the inability to secure these devices make them a potential conduit for contagion to enter the network.

Many IoT devices lack the CPU cycles or memory to host authentication and security software. They identify themselves using a shared secret or unique serial number, which is inserted during manufacturing. But this authentication scheme is very limited: should the secret become known, there is likely no way to reset it, and without the ability to install security software, there is little visibility into those devices.

NAC evolved to solve these weaknesses. When MIS introduces NAC into a network, the first thing NAC does is create profiles of all connected devices. NAC then permits access to network resources based on the device profile, which is defined by function. This is similar to granting individuals access to sensitive information based on their need to know. For example, NAC would permit an IP camera connection to a network video recorder (NVR) server, but would prevent it from connecting to a finance server. Based on its profile, an NVR has no business communicating with a finance server. When access is granted this way, the network becomes segmented by device function. If a device is compromised, malware can infect only those objects that the device is permitted to connect to. So, the compromised IP camera from the earlier example could infect the NVR server, but not the finance server.

https://training.fortinet.com/pluginfile.php/1625583/mod_scorm/content/1/story_content/external_files/NSE%202%20NAC%20Script_EN.pdf

Business Process Management

  • Build highly personalized, process-based applications today, for free, with our open source Community edition
http://www.bonitasoft.com/downloads-v2


  • Activiti is a light-weight workflow and Business Process Management (BPM) Platform targeted at business people, developers and system admins
http://activiti.org/

  • Intalio|bpms provides a comprehensive enterprise-class platform to design, deploy, and manage the most complex business processes
http://www.intalio.com/products/bpms/overview/


  • Business Process Model and Notation (BPMN) is a graphical representation for specifying business processes in a business process model. It was previously known as Business Process Modeling Notation.

http://en.wikipedia.org/wiki/Business_Process_Model_and_Notation



  • jBPM is a flexible Business Process Management (BPM) Suite. It makes the bridge between business analysts and developers. Traditional BPM engines have a focus that is limited to non-technical people only. jBPM has a dual focus: it offers process management features in a way that both business users and developers like.

http://www.jbpm.org/



  • ARIS Express: perfect tool for occasional users and beginners in Business Process Management.

http://www.ariscommunity.com/aris-express 


  • Event storming is a workshop-based method to quickly find out what is happening in the domain of a software program. Compared to other methods it is extremely lightweight and intentionally requires no support by a computer. The result is expressed in sticky notes on a wide wall. Event storming can be used as a means for business process modeling and requirements engineering.

https://en.wikipedia.org/wiki/Event_storming



Set Operations

  • Set Operations - Union, Intersect, Minus
This video discusses how to combine two sets of results together in SQL. The following SQL keywords are covered: UNION, UNION ALL, INTERSECT, MINUS, and EXCEPT.
The MINUS and EXCEPT commands are the same. Some databases use MINUS while other databases use EXCEPT.
http://www.1keydata.com/sql/union-intersect-minus-video.html

  • Difference between UNION, UNION ALL, INTERSECT and MINUS
The purpose of the SQL UNION ALL command is to combine the results of two queries together.
UNION vs UNION ALL
UNION and UNION ALL both combine the results of two SQL queries. The difference is that UNION returns only distinct rows, while UNION ALL returns every row, duplicates included.
http://www.1keydata.com/sql/sqlunionall.html

  • The purpose of the SQL UNION query is to combine the results of two queries together. In this respect, UNION is somewhat similar to JOIN in that both are used to relate information from multiple tables. One restriction of UNION is that both queries must return the same number of columns and the corresponding columns need to be of compatible data types. Also, when using UNION, only distinct rows are returned.
http://www.1keydata.com/sql/sqlunion.html

  • Similar to the UNION command, INTERSECT also operates on two SQL statements. The difference is that, while UNION essentially acts as an OR operator (a row is selected if it appears in either the first or the second statement), the INTERSECT command acts as an AND operator (a row is selected only if it appears in both statements).
http://www.1keydata.com/sql/sql-intersect.html

  • The MINUS command operates on two SQL statements. It takes all the results from the first SQL statement and then subtracts those that are also present in the second SQL statement to get the final answer. Rows that appear only in the second statement are ignored.
http://www.1keydata.com/sql/sql-minus.html
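As an added example (not from the original notes or the linked site), the four operators run against two constructed tables in SQLite, which ships with Python, so the results can be checked rather than described. SQLite uses EXCEPT where Oracle uses MINUS, and the second function shows what happens when the column lists do not line up:

```python
"""UNION, UNION ALL, INTERSECT and EXCEPT, run against SQLite.

Added example, not from the original notes or the linked site. The two tables
are constructed sample data (logins seen by a VPN gateway and by a RADIUS
server); SQLite spells the difference operator EXCEPT, Oracle uses MINUS.
"""
import sqlite3

SETUP = """
CREATE TABLE vpn_logins (username TEXT, login_date TEXT);
CREATE TABLE radius_logins (username TEXT, login_date TEXT);
INSERT INTO vpn_logins VALUES
  ('alice', '2016-01-05'), ('bob', '2016-01-05'), ('bob', '2016-01-05'), ('carol', '2016-01-04');
INSERT INTO radius_logins VALUES
  ('alice', '2016-01-05'), ('carol', '2016-01-04'), ('dave', '2016-01-05');
"""

QUERIES = {
    # OR: rows from either side, duplicates removed (bob appears once)
    "union": "SELECT username FROM vpn_logins UNION SELECT username FROM radius_logins",
    # OR keeping duplicates: counts survive (bob twice on the left, alice and carol on both sides)
    "union_all": "SELECT username FROM vpn_logins UNION ALL SELECT username FROM radius_logins",
    # AND: only rows present on both sides
    "intersect": "SELECT username FROM vpn_logins INTERSECT SELECT username FROM radius_logins",
    # difference: first set minus second; dave, present only on the right, is ignored
    "except": "SELECT username FROM vpn_logins EXCEPT SELECT username FROM radius_logins",
}


def run_set_operations():
    """Return {operator: sorted usernames}; sorting makes the result independent of row order."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SETUP)
    try:
        return {name: sorted(r[0] for r in conn.execute(sql)) for name, sql in QUERIES.items()}
    finally:
        conn.close()


def column_count_mismatch():
    """The restriction above in practice: both SELECTs must return the same columns."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SETUP)
    try:
        conn.execute("SELECT username, login_date FROM vpn_logins "
                     "UNION SELECT username FROM radius_logins").fetchall()
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        conn.close()


if __name__ == "__main__":
    for name, rows in run_set_operations().items():
        print(f"{name:10} {rows}")
```

The EXCEPT result is the reconciliation question an analyst actually asks of two such logs: which accounts the VPN gateway saw that the RADIUS server never authenticated.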

Cold storage

  • Cold storage is the retention of inactive data that an organization rarely, if ever, expects to access.
http://searchstorage.techtarget.com/definition/cold-storage

  • Two Facebook data centers designed and built specifically to store copies of all user photos and videos started serving production traffic. Because they were optimized from the ground up to act as “cold storage” data centers for a very specific function, Facebook was able to substantially reduce its data center energy consumption and use less expensive equipment for storage.
http://www.datacenterknowledge.com/archives/2015/05/08/cold-storage-the-facebook-data-centers-that-back-up-the-backup/

  • Under the hood: Facebook’s cold storage system
Two billion photos are shared daily on Facebook services. Many of these photos are important memories for the people on Facebook and it's our challenge to ensure we can preserve those memories as long as people want us to in a way that's as sustainable and efficient as possible. As the number of photos continued to grow each month, we saw an opportunity to achieve significant efficiencies in how we store and serve this content and decided to run with it.
https://code.facebook.com/posts/1433093613662262/-under-the-hood-facebook-s-cold-storage-system-/

  • First Look: Facebook’s Oregon Cold Storage Facility
http://www.datacenterknowledge.com/archives/2013/10/16/first-look-facebooks-oregon-cold-storage-facility/

  • What Happens in an Internet Minute?
https://www-ssl.intel.com/content/www/us/en/communications/internet-minute-infographic.html

JOVIAL


  • JOVIAL is a high-level computer programming language similar to ALGOL, but specialized for the development of embedded systems (specialized computer systems designed to perform one or a few dedicated functions, usually embedded as part of a complete device including mechanical parts).
https://en.wikipedia.org/wiki/JOVIAL

MPLS

  • Multiprotocol Label Switching (MPLS) is a mechanism in high-performance telecommunications networks that directs data from one network node to the next based on short path labels rather than long network addresses, avoiding complex lookups in a routing table. The labels identify virtual links (paths) between distant nodes rather than endpoints. MPLS can encapsulate packets of various network protocols.
https://en.wikipedia.org/wiki/Multiprotocol_Label_Switching

  • Multi Protocol Label Switching (MPLS) links are being used more and more in the telecom design of many organizations with multiple locations.
http://www.loadbalancersolutions.com/elfiq/mpls.aspx

  • Multiprotocol Label Switching (MPLS) is a technology used within computer networks to regulate data traffic and shorten the time a packet takes to travel from one node to another. In a conventional routed IP network every router makes an independent forwarding decision for each arriving packet, which makes the process complex and slow. MPLS instead provides a unified data-carrying service for packet-switched and circuit-based clients. The MPLS architecture can be deployed over any existing infrastructure such as IP, Frame Relay, Asynchronous Transfer Mode (ATM), or Ethernet.

Benefits of MPLS

MPLS is especially beneficial for wide area networks (WANs). The robustness of the MPLS architecture simplifies data transfer by managing large routed networks, which in turn makes the WAN engineer's work easier. For companies that depend on voice and video, MPLS provides a structure to support Quality of Service (QoS). The technology's protocol-agnostic nature handles different types of traffic regardless of what the traffic is. It increases the reliability and predictability of traffic because the label-switched paths are fixed, so packets travel along designated paths.
https://whatis.ciowhitepapersreview.com/definition/multiprotocol-label-switching/

  • Combining IPSec and MPLS

From a customer perspective, it is impossible to control the whole network; the SP must be trusted to some extent. If the MPLS core is not properly configured with the necessary security measures, the connected VPNs will be exposed to some forms of attack. IPSec offers additional security over an MPLS network.

IPSec can be run on the CE routers, or on devices further away from the core. If the CE router is under control of the customer, this could be an obvious choice. If the SP controls the CEs as part of the service, the customer has to decide whether to trust the SP to configure IPSec for him/her on the CE routers, or whether to maintain control over the IPSec in additional equipment outside the SP's scope.

All options below are based on an MPLS core network with VPN services. The basic assumption for all the scenarios is that the MPLS core is configured and managed in a secure fashion.

Summary of Configuration Options
Option 1: Dynamic versus Static Routing between CEs and PEs
Option 2: Internet Service
Option 3: Running IPSec over the MPLS Cloud
Option 4: Including the CE Router in the SP Management


Conclusions
MPLS provides full address and routing separation as in traditional Layer 2 VPN services. It hides addressing structures of the core and other VPNs, and it is in today's understanding not possible from the outside to intrude into the core or other VPNs abusing the MPLS mechanisms. It is also not possible to intrude into the MPLS core if it is properly secured. However, there is a significant difference between MPLS-based VPNs and, for example, FR- or ATM-based VPNs: The control structure of the core is on Layer 3 in the case of MPLS. This fact has caused significant scepticism in the industry toward MPLS, because this setup might open the architecture to DoS attacks from other VPNs or the Internet (if connected).

As shown in this paper, it is possible to secure an MPLS infrastructure to the same level of security as a comparable ATM or FR service. It is also possible to offer Internet connectivity to MPLS VPNs in a secure manner, and to interconnect different VPNs via firewalls.

With regard to attacks from within the MPLS core, all VPN classes (MPLS, FR, ATM) have the same problem: If an attacker can install a sniffer, he/she can read information in all VPNs, and if the attacker has access to the core devices, he/she can execute a large number of attacks, from packet spoofing to introducing a new peer router. Numerous precaution measures that an SP can use to tighten security of the core are outlined above, but the security of the MPLS architecture depends on the security of the SP. If the SP is not trusted, the only way to fully secure a VPN against attacks from the "inside" of the VPN service is to run IPSec on top, from the CE devices or beyond.

The end result of the report is that MPLS is at least as secure as Frame Relay and ATM networks.
https://www.cisco.com/en/US/tech/tk436/tk428/technologies_white_paper09186a00800a85c5.shtml#wp30332

  • MPLS Security is a cross-functional area covering data and control plane protection mechanisms for all main MPLS areas, including Layer 2 and Layer 3 VPNs, Traffic Engineering, and GMPLS.
https://www.cisco.com/c/en/us/products/ios-nx-os-software/mpls-security/index.html

  • MPLS works by prefixing packets with an MPLS header containing one or more labels. This is called a label stack. Each label stack entry contains four fields.
http://akashphoenix.blogspot.com/2012/05/multiprotocol-label-switching-mpls.html


  • Early networks were deployed in a flat topology
Hubs and switches were added as more devices needed to be connected. A flat network design provided little opportunity to control broadcasts or to filter undesirable traffic. As more devices and applications were added to a flat network, response times degraded, making the network unusable.

A hierarchical network design involves dividing the network into discrete layers. Each layer, or tier, in the hierarchy provides specific functions that define its role within the overall network. This helps the network designer and architect to optimize and select the right network hardware, software, and features to perform specific roles for that network layer. Hierarchical models apply to both LAN and WAN design.

The benefit of dividing a flat network into smaller, more manageable blocks is that local traffic remains local. Only traffic that is destined for other networks is moved to a higher layer.

A typical enterprise hierarchical LAN campus network design includes the following three layers:

    Access layer: Provides workgroup/user access to the network
    Distribution layer: Provides policy-based connectivity and controls the boundary between the access and core layers
    Core layer: Provides fast transport between distribution switches within the enterprise campus

Notice that each building is using the same hierarchical network model that includes the access, distribution, and core layers.


There are no absolute rules for the way a campus network is physically built. While it is true that many campus networks are constructed using three physical tiers of switches, this is not a strict requirement. In a smaller campus, the network might have two tiers of switches in which the core and distribution elements are combined in one physical switch. This is referred to as a collapsed core design.

The access layer for a small business network generally incorporates Layer 2 switches and access points providing connectivity between workstations and servers.
The three-tier hierarchical design maximizes performance, network availability, and the ability to scale the network design.
However, many small enterprise networks do not grow significantly larger over time. Therefore, a two-tier hierarchical design where the core and distribution layers are collapsed into one layer is often more practical. A "collapsed core" is when the distribution layer and core layer functions are implemented by a single device. The primary motivation for the collapsed core design is reducing network cost, while maintaining most of the benefits of the three-tier hierarchical model.

http://www.ciscopress.com/articles/article.asp?p=2202410&seqNum=4

Access Layer – provides a means of connecting devices to the network and controlling which devices are allowed to communicate on the network. Devices: PCs, printers, IP phones, routers, switches, bridges, hubs, and wireless access points (APs)

Distribution Layer – aggregates the data received from the access layer switches before it is transmitted to the core layer for routing to its final destination. The distribution layer controls the flow of network traffic using policies and delineates broadcast domains by performing routing functions between virtual LANs (VLANs) defined at the access layer. Devices: high-performance switches to ensure reliability

Core Layer – high-speed backbone of the internetwork. Devices: routers and switches capable of forwarding large amounts of data quickly
http://blog.router-switch.com/2014/04/network-design-with-examples-core-and-distribution/


MicroNugget: What is MPLS?
interface independence
Quality of Service (QoS)

MicroNugget: What is Multi-Protocol Label Switching (MPLS)?
for packet forwarding decisions MPLS uses labels instead of IP addresses or layer 3 information
a label is attached to every single packet
packet forwarding based on labels takes fewer resources than forwarding on IP addresses
MPLS applications such as layer 3 VPNs, pseudowire
building label based forwarding table
label swapping

MPLS Part 1: The Basics of Label Switching
high-performance forwarding
QoS, traffic engineering
e.g. retail sector: Point-of-Sale (POS) devices sending data to data centers

Applications of MPLS within VPN
Point-to-Point: leased line over VPN, called pseudowire
Private LAN Service: interconnecting multiple LANs based in different sites

MPLS does not care what underlying protocol is used (e.g. PPP, DSL, PDH, ATM, SDH/SONET, Ethernet, etc.)
MPLS maps onto the layer 2 protocol and provides a common fast division transport method over packet-switched networks (PSN)
MPLS sits in the OSI model between layer 2 and layer 3, "layer 2.5"

MPLS routers do two tasks
1 - map onto any layer 2 protocol
2 - check the IP packet above as it arrives at the transport network and send it on its way

difference between routing and switching
router asks: which network and which exit port?
switch asks: packet reference id, input port id?

MPLS: switch if possible, route if necessary
Label Switch Router (LSR): switch + router
Label Edge Router (LER), also known as edge LSR or provider edge router (PER)
MPLS domain, LSR


packet from IP domain arrives at ingress LER
ingress LER checks layer 3 information on the packet
ingress LER checks its lookup table
ingress LER finds a reference called forwarding equivalence class (FEC) for the incoming packet
the label for the FEC, which is a number, is added to the packet
packet is forwarded into the MPLS domain
label is held in a shim header
shim header sits between layer 3 (IP) and layer 2
label swapping
packet arrives at egress LER
egress LER pops/removes the label and forwards the packet to the IP domain

label switched path (LSP) is established by Label Distribution Protocol (LDP) or Resource Reservation Protocol - Traffic Engineering (RSVP-TE)
LSPs are one-directional

label operations (push, swap, pop)
FEC does not change, label changes: label swapping
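The shim-header layout and the push/swap/pop walk through an LSP, as an added example (not code from the original notes or from any of the cited vendors). The router names, the FEC table and the LFIB contents are constructed sample values; the 32-bit entry layout follows RFC 3032, and a label that is absent from an LSR's table is dropped rather than routed on layer 3.

```python
import struct
from dataclasses import dataclass

@dataclass
class LabelEntry:  # one 32-bit shim-header entry (RFC 3032): Label(20) | TC(3) | S(1) | TTL(8)
    label: int
    tc: int = 0        # Traffic Class (formerly EXP) bits: carries the QoS marking
    bos: bool = True   # Bottom of Stack: set on the last entry before the IP header
    ttl: int = 64

    def pack(self) -> bytes:
        if not (0 <= self.label < 1 << 20 and 0 <= self.tc < 8 and 0 <= self.ttl < 256):
            raise ValueError("label stack field out of range")
        return struct.pack("!I", (self.label << 12) | (self.tc << 9) | (int(self.bos) << 8) | self.ttl)

    @classmethod
    def unpack(cls, raw: bytes) -> "LabelEntry":
        (w,) = struct.unpack("!I", raw[:4])
        return cls(w >> 12, (w >> 9) & 7, bool((w >> 8) & 1), w & 0xFF)

def parse_label_stack(frame: bytes):  # walk shim headers until S=1 -> (entries, IP payload)
    entries = []
    for off in range(0, len(frame) - 3, 4):
        entries.append(LabelEntry.unpack(frame[off:off + 4]))
        if entries[-1].bos:
            return entries, frame[off + 4:]
    raise ValueError("truncated label stack: no bottom-of-stack entry")

def build_label_stack(entries, payload: bytes) -> bytes:
    last = len(entries) - 1    # only the innermost entry carries S=1
    return b"".join(LabelEntry(e.label, e.tc, i == last, e.ttl).pack() for i, e in enumerate(entries)) + payload

# Constructed sample LSP: ingress LER PE1 -> P1 -> P2 -> egress LER PE2.
FEC_TABLE = {"10.1.0.0/16": ("PE1-to-P1", 100)}  # ingress: FEC -> (out-interface, label to push)
LFIB = {  # per-LSR label forwarding table: in-label -> (operation, out-label, out-interface)
    "P1": {100: ("swap", 200, "P1-to-P2")},
    "P2": {200: ("swap", 300, "P2-to-PE2")},
    "PE2": {300: ("pop", None, "to-customer")},
}

def lsr_forward(name: str, frame: bytes):
    """Forward on the top label only; None means dropped (label not in LFIB, or TTL exhausted)."""
    entries, payload = parse_label_stack(frame)
    top, action = entries[0], LFIB[name].get(entries[0].label)
    if action is None or top.ttl <= 1:
        return None
    op, out_label, out_if = action
    if op == "swap":            # transit LSR rewrites the top label and decrements TTL
        entries[0] = LabelEntry(out_label, top.tc, top.bos, top.ttl - 1)
    else:                       # pop: the egress LER strips the shim header
        entries = entries[1:]
    return build_label_stack(entries, payload), out_if, op

def trace_lsp(ip_packet: bytes, fec: str, path=("P1", "P2", "PE2")):
    """Labels seen along the LSP (the FEC never changes, the label does) and the final frame."""
    _, label = FEC_TABLE[fec]   # ingress LER: the only layer-3 lookup on the whole path
    frame, labels = build_label_stack([LabelEntry(label)], ip_packet), [label]
    for hop in path:
        result = lsr_forward(hop, frame)
        if result is None:
            return labels, None  # dropped somewhere inside the MPLS domain
        frame, _, op = result
        if op == "swap":
            labels.append(parse_label_stack(frame)[0][0].label)
    return labels, frame
```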

  • Pseudowire (sometimes spelled "pseudo wire" or abbreviated as PW) is a mechanism for emulating various networking or telecommunications services across packet-switched networks that use Ethernet, IP, or MPLS. Services emulated can include T1 leased line, frame relay, Ethernet, ATM, TDM, or SONET/SDH. As defined in RFC 3985 ("Pseudo Wire Emulation Edge-to-Edge [PWE3] Architecture"), a pseudowire delivers the bare minimum of functionality necessary to emulate a wire with some required degree of fidelity for some specific service definition.


Required functions for PWs
Encapsulating service-specific bit streams, cells, or protocol data units (PDUs) that appear at some ingress port, then ferrying them across some IP path or through an MPLS tunnel.
Occasionally managing order and timing of incoming PW traffic so as to properly emulate a service with the necessary fidelity (TDM and ATM are good examples where timing issues are very important).

Seen from the perspective of customer edge equipment (CE), a PW appears to be an unshared link or a circuit for some designated service.
https://searchnetworking.techtarget.com/definition/pseudowire

Pseudowires (PW) are used to provide end-to-end services across an MPLS network. They are the basic building blocks that can provide a point-to-point service as well as a multipoint service such as VPLS, which is practically a mesh of PWs used to create the bridge domain across which the packets flow.
https://www.cisco.com/c/en/us/support/docs/multiprotocol-label-switching-mpls/mpls/212007-Pseudowire-Concepts-and-troubleshooting.html

library vs framework vs architecture

  •     A Library is a reusable set of types/functions you can use from a wide variety of applications. The application code initiates communication with the library and invokes it.
    A Framework consists of one or more libraries, but the difference is that Inversion of Control applies. The application registers with the framework (often by implementing one or more interfaces), and the framework calls into the application, which may call back into the framework. A framework often exists to address a particular general-purpose Domain (such as web applications, or workflows, etc.).
    Architecture consists of the guiding principles behind a given application. It is not strongly tied to a particular framework or library.

A framework is a collection of classes and tools that help you develop great software ... like the .NET framework or Qt.
Architecture is entirely different: it refers to design patterns or how an application or a framework is organized. What are the modules that compose it and how do they communicate together?



Architecture is about style, abstract idea, flow, methodology, concept. Framework is something which implements the style, idea, concept etc., or makes it easier to implement it. Example:

Architecture: Every component should have standard pluggable interfaces and it should be possible to connect any component to any other.

Framework: Then Lego building blocks can be the framework.

Library: some readymade combinations of blocks that would work as the pillars.

Application: A building structure using the pillars and other building blocks(application).


http://stackoverflow.com/questions/2190625/what-is-the-difference-between-framework-and-architecture

The Internet of Things (IoT)

  • The Internet of Things (IoT) is the network of physical objects or "things" embedded with electronics, software, sensors, and network connectivity, which enables these objects to collect and exchange data
The Internet of Things allows objects to be sensed and controlled remotely across existing network infrastructure,
When IoT is augmented with sensors and actuators, the technology becomes an instance of the more general class of cyber-physical systems, which also encompasses technologies such as smart grids, smart homes, intelligent transportation and smart cities.
https://en.wikipedia.org/wiki/Internet_of_Things

  • lora
Our members are collaborating together and sharing experience to drive the success of the LoRa protocol, LoRaWAN™, as the open global standard for secure, carrier-grade IoT LPWA connectivity, with a certification program to guarantee interoperability and the technical flexibility to address the multiple IoT applications, be they static or mobile.
https://www.lora-alliance.org/


  • sigfox
We power the IoT with the simplest communication solutions
http://www.sigfox.com/

  • What Is SigFox?
SigFox operates in the low power, wide area (LPWA) network space, a subset of the Machine-to-Machine (M2M) market that is now often referred to as the Internet of Things (IoT).
Specifically, SigFox sets up antennas on towers (like a cell phone company) and receives data transmissions from devices like parking sensors or water meters.
http://www.link-labs.com/what-is-sigfox/


  • NB-IOT, Accelerating Cellular IOT
NB-IOT provides better network coverage for thing-to-thing communications, supports more connections, and lowers power consumption. Therefore, NB-IOT meets the application requirements in industrial, public, personal, and home domains.
http://www.huawei.com/minisite/hwmbbf15/en/nb-iot-accelerating-cellular-iot.html

  • What is Weightless?
Weightless is both the name of a group, the Weightless Special Interest Group (SIG), and the technology.
Weightless technology delivers wireless connectivity for low power, wide area networks (LPWAN) specifically designed for the Internet of Things
http://www.weightless.org/about/what-is-weightless

  • IoT can be divided into 3 categories, based on usage and clients base:

    Consumer IoT includes the connected devices such as smart cars, phones, watches, laptops, connected appliances, and entertainment systems.
    Commercial IoT includes things like inventory controls, device trackers, and connected medical devices.
    Industrial IoT covers such things as connected electric meters, waste water systems, flow gauges, pipeline monitors, manufacturing robots, and other types of connected industrial devices and systems.
https://www.linkedin.com/pulse/three-major-challenges-facing-iot-ahmed-banafa/?trackingId=6R%2FhTv2o1HB39DNqv4s7Hg%3D%3D


  • IoT platforms are suites of components that help to set up and manage internet-connected devices.
A person can remotely collect data from, monitor and manage all internet-connected devices from a single system.
https://www.how2shout.com/tools/best-opensource-iot-platforms-develop-iot-projects.html


  • ThingsBoard is an open-source IoT platform for data collection, processing, visualization, and device management.
ThingsBoard is licensed under Apache License 2.0, so you can use it in your commercial products for free. You can even host it as a SaaS or PaaS solution.
https://thingsboard.io/

  • MindSphere is the open, cloud-based IoT operating system from Siemens that lets you connect your machines and physical infrastructure to the digital world. It lets you harness big data from billions of intelligent devices, enabling you to uncover transformational insights across your entire business.
https://www.siemens.com/global/en/home/products/software/mindsphere.html


  • intelligent device
An intelligent device is any type of equipment, instrument, or machine that has its own computing capability.
http://internetofthingsagenda.techtarget.com/definition/intelligent-device

  • Contiki is an open source operating system for the Internet of Things. Contiki connects tiny low-cost, low-power microcontrollers to the Internet. Contiki is a powerful toolbox for building complex wireless systems.
Cooja is the Contiki network simulator. Cooja allows large and small networks of Contiki motes to be simulated. Motes can be emulated at the hardware level, which is slower but allows precise inspection of the system behavior, or at a less detailed level, which is faster and allows simulation of larger networks.
http://www.contiki-os.org/start.html


  • With Foren6, we propose a novel passive network analyser aimed specifically at sensor networks operating on emerging IoT standards, 6LoWPAN and RPL, which serves both the academic community and early adopters of 6LoWPAN and RPL.
https://www.cetic.be/Demo-Abstract-Foren6-a-RPL-6LoWPAN

  • The iBeacon is simply a protocol that takes advantage of the new Bluetooth Low Energy technologies.
http://beekn.net/2015/02/tutorial-using-beacon-ibeacon-technologies-iphone-ipad/

  • Automotive Ethernet is a physical network that is used to connect components within a car using a wired network
AUTOSAR is an open and standardized automotive software architecture, jointly developed by automobile manufacturers, suppliers, and tool developers. AUTOSAR includes the automotive TCP/UDP/IP stack that is used in automobiles
https://support.ixiacom.com/sites/default/files/resources/whitepaper/ixia-automotive-ethernet-primer-whitepaper_1.pdf

  • Gateway Tier
On top of providing the transport, the gateway can also optionally provide functions such as data filtering, cleanup, aggregation and packet content inspection.

https://mobilebusinessinsights.com/2017/09/the-essential-building-blocks-of-an-iot-architecture/#.WbSDSG3tj4s.linkedin


  • Operational Technology (OT) is hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise.

OT is common in Industrial Control Systems (ICS) such as a SCADA System.
In the world of critical infrastructure, OT may be used to control power stations or public transportation.
For many years, industrial systems relied upon proprietary protocols and software, were manually managed and monitored by humans, and had no connection to the outside world. For this reason, they were a fairly insignificant target for hackers, as there was no networked interface to attack and nothing to gain or destroy. The only way to infiltrate these systems was to obtain physical access to a terminal, and this was no easy task. OT and IT integrated little and did not deal with the same kinds of vulnerabilities.
https://www.forcepoint.com/cyber-edu/ot-operational-technology-security


  • in-vehicle infotainment solution


One of the key technologies, which works as a focal point of all the modern automotive systems and integrates their functions to be controlled and monitored from one central unit, is “In-Vehicle Infotainment System”.

What is In-vehicle infotainment?
The IVI can be described as a combination of vehicle systems which are used to deliver entertainment and information to the driver and the passengers through audio/video interfaces and control elements like touch screen displays, button panels, voice commands, and more.
https://www.einfochips.com/blog/everything-you-need-to-know-about-in-vehicle-infotainment-system/

  • What is HIL Testing?

Hardware-in-the-Loop (HIL) simulation is a technique that is used for testing control systems. Carrying out a HIL simulation to test a control system is called HIL testing.
https://www.hil-simulation.com/home/hil-testing.html