deploy remote access VPN at scale

due to the COVID-19 outbreak, we've been flooded with requests to provide assistance with deploying secure connectivity for remote workers. in some organizations the number of remote workers has grown from 0 to 7000-10000 in a week. others are serving over 30000 today, and here at Cisco we're mostly working out of home these days (over 100k people!). thanks to help from my fellow engineers and specialists, we were able to publish the following guides on building and scaling out VPN headends - both hardware and virtual: Read more →

use keys, not passwords

it's a subject as old as the world (the password-protected world, that is). i had to do some cleanup on my devices and hit a problem with 4096-bit keys. so, just as a reference that may be helpful to someone somewhere - this is how you import keys into Cisco IOS without any special problems:

```
router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
router(config)#ip ssh pubkey-chain
router(conf-ssh-pubkey)#username TEST
router(conf-ssh-pubkey-user)#key-string
router(conf-ssh-pubkey-data)#AAAAB3NzaC1yc2EAAAADAQABAAACAQDCiLBaopUwsFb9YJNhGqVYqBajlrH S/zwD6/yR6N8VcRzrpqMMNCFXe1q5GMGM[...]ANWInd9GHBjTzbJWVwavxy1ooQewii8ErofZuv1l/SXSdXLzfL p0zMoZ0L+BNPS0j4XBS0N3t8Vl8oVixqIeG2BNTCNaDDt6hx2Q== lukasz@bromirski.
```

Read more →
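The snippet above is typed by hand; for a long key that gets error-prone, so here is an added example (not code from the original post) that parses an OpenSSH `ssh-rsa` public key, reports the modulus size so you know you are dealing with a 4096-bit key before pasting it, prints the MD5 fingerprint, and renders the `ip ssh pubkey-chain` block with the base64 body split into lines. It assumes a 254-character per-line limit in `key-string` mode (the `MAX_KEY_STRING_LINE` constant; check the limit for your IOS release) and that the router stores the key as an MD5 hash of the raw key blob, the same value `ssh-keygen -E md5 -lf` prints. The key built by `make_test_key` is constructed for the demo and is not a real key pair.

```python
"""Turn an OpenSSH 'ssh-rsa' public key into an IOS 'ip ssh pubkey-chain' block.

Added example, not code from the original post. Assumptions: the IOS
key-string limit is 254 characters per line (check your release), IOS
stores the key as an MD5 hash of the raw key blob (the value
'ssh-keygen -E md5 -lf' prints), and only ssh-rsa keys are handled.
"""
import base64
import hashlib
import struct

MAX_KEY_STRING_LINE = 254  # assumed per-line limit in key-string mode


def _read_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def parse_openssh_rsa(line):
    """Return (modulus_bits, base64_body) for a line of the form
    'ssh-rsa <base64> [comment]'. Raises ValueError for anything else."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected 'ssh-rsa <base64> [comment]'")
    body = parts[1]
    blob = base64.b64decode(body)
    wire_type, off = _read_string(blob, 0)
    if wire_type != b"ssh-rsa":
        raise ValueError("blob type does not match ssh-rsa")
    _e, off = _read_string(blob, off)   # public exponent, not needed here
    n, _ = _read_string(blob, off)      # modulus as mpint (may carry a 0x00 pad byte)
    return int.from_bytes(n, "big").bit_length(), body


def md5_fingerprint(line):
    """Colon-separated MD5 of the decoded blob, as 'ssh-keygen -E md5 -lf' shows it."""
    blob = base64.b64decode(line.split()[1])
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def ios_pubkey_chain(username, line, max_line=MAX_KEY_STRING_LINE):
    """Render the config. Only the base64 body goes under key-string (no
    'ssh-rsa' prefix, no comment), split into lines IOS will accept.
    Returns (config_text, modulus_bits, number_of_key_lines)."""
    bits, body = parse_openssh_rsa(line)
    chunks = [body[i:i + max_line] for i in range(0, len(body), max_line)]
    lines = ["ip ssh pubkey-chain", f" username {username}", "  key-string"]
    lines += [f"   {chunk}" for chunk in chunks]
    lines += ["  exit", " exit"]   # leave key-string mode, then the username block
    return "\n".join(lines), bits, len(chunks)


def make_test_key(bits, comment="constructed@example"):
    """Build a CONSTRUCTED ssh-rsa line with a modulus of exactly `bits` bits.
    It is not a real key pair; only the wire format matters for this example."""
    def mpint(value):
        raw = value.to_bytes((value.bit_length() + 8) // 8, "big")  # extra 0x00 keeps it positive
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(65537) + mpint((1 << (bits - 1)) | 1)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    key = make_test_key(4096)
    config, bits, n_lines = ios_pubkey_chain("TEST", key)
    print(f"# {bits}-bit key, fingerprint {md5_fingerprint(key)}, {n_lines} key-string lines")
    print(config)
```

Feed it the contents of `~/.ssh/id_rsa.pub` instead of the constructed key and paste the printed block into configuration mode; afterwards compare the `key-hash` that `show running-config` stores against the fingerprint the script printed.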

deploy SIDR

google again dropped out of the internet because of a failure to filter prefixes. SIDR configuration on Cisco gear is really simple - for IOS-XE and IOS-XR alike. if you have Juniper, it takes about half a second of searching. of course, configuring it is one thing; visiting RIPE and certifying your own resources is another. then it's all done. every prefix signed, and every autonomous system checking the certification data, helps. every single one. Read more →
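What "checking the certification data" means on the router side is route origin validation as defined in RFC 6811. The following is an added example, not code from the original post and not any vendor's implementation: a ROA set and a handful of BGP announcements, both constructed here from documentation prefixes (RFC 5737/3849) and private ASNs (RFC 5398), run through the valid/invalid/not-found logic and a drop-invalids policy. Everything in it, including the `ROA` class and `apply_policy`, is illustrative.

```python
"""Route Origin Validation (RFC 6811) against a ROA set.

Added example, not code from the original post, to show what a router does
with RPKI data once 'every prefix is signed'. The ROAs and announcements are
constructed from documentation prefixes (RFC 5737/3849) and private ASNs
(RFC 5398); they describe no real network.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """One validated ROA payload: prefix, maxLength, authorised origin AS (0 = nobody)."""
    prefix: str
    max_length: int
    asn: int


def covers(roa, prefix):
    """A ROA covers an announced prefix when the prefix lies inside the ROA prefix."""
    roa_net = ipaddress.ip_network(roa.prefix)
    net = ipaddress.ip_network(prefix)
    return roa_net.version == net.version and net.subnet_of(roa_net)


def validate(roas, prefix, origin_asn):
    """RFC 6811 states: 'valid' if some covering ROA matches the origin AS and the
    announced length is within maxLength; 'invalid' if ROAs cover the prefix
    but none matches; 'not-found' if nothing covers it."""
    net = ipaddress.ip_network(prefix)
    covering = [r for r in roas if covers(r, prefix)]
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def apply_policy(roas, announcements):
    """Common policy: drop invalids, keep valid and not-found. Returns the
    (prefix, origin) pairs that survive plus a per-announcement verdict log."""
    accepted, log = [], []
    for prefix, origin in announcements:
        state = validate(roas, prefix, origin)
        log.append((prefix, origin, state))
        if state != "invalid":
            accepted.append((prefix, origin))
    return accepted, log


# Constructed ROA set (documentation prefixes, private ASNs)
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),      # exact /24 only
    ROA("198.51.100.0/24", 26, 64497),   # may be deaggregated down to /26
    ROA("203.0.113.0/24", 24, 0),        # AS0: nobody may originate this
    ROA("2001:db8::/32", 48, 64496),
]

# Constructed announcements (prefix, origin AS)
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),        # valid
    ("192.0.2.0/25", 64496),        # invalid: more specific than maxLength
    ("192.0.2.0/24", 64499),        # invalid: wrong origin (hijack)
    ("198.51.100.64/26", 64497),    # valid: within maxLength
    ("203.0.113.0/24", 64500),      # invalid: AS0 ROA
    ("2001:db8:1::/48", 64496),     # valid
    ("10.0.0.0/8", 64496),          # not-found: no ROA at all
]

if __name__ == "__main__":
    accepted, log = apply_policy(ROAS, ANNOUNCEMENTS)
    for prefix, origin, state in log:
        print(f"{prefix:20} AS{origin:<6} {state}")
    print(f"{len(accepted)} of {len(ANNOUNCEMENTS)} announcements accepted")
```

Note the two cases that bite people in practice: a more-specific announced below the ROA's maxLength is invalid even with the right origin, and an AS0 ROA makes every origin invalid. Not-found is deliberately not dropped; with only part of the routing table signed, rejecting it would cut you off from everyone who has not certified yet.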

ASA 9.2(1)

…supports BGP and it's already out. do you like BGP on your firewalls? I don't. should we have the tool at hand, just in case? well, sometimes it's handy. but going back again - do you like BGP on your firewalls? ;) Read more →

Aegis at UW

Maciej Broniarz invited us to take part in a new security-focused conference. Aegis (just like Aegis, the American integrated naval weapons system) will take place on 2nd and 3rd July at the University of Warsaw. judging from the agenda, i hope that most of you will decide to take part in it. together with Maciej we'd also like to have a panel on DDoS attacks, and then we'll deliver a session together - 'security by duct tape'. Read more →

network neutrality?

i highly recommend this article from Wired - while we have to live with a situation where people as wealthy as Kaspersky himself can influence ITU decisions, we have to have the strength to stand up and work to keep the internet free and independent. it's kind of naive of course, but the consequences of too much money and power scare me again every day. Read more →

net neutrality

there's a lot of discussion around net neutrality, as the subject is obviously still pretty hot. on the one side we have an enormous amount of money from the advertising business, spent in interesting, devious and - tempting ways. on the other side, we have the ideal information society, in which all information is free from filtering and available to all willing to read it. we point to China, Iran or Saudi Arabia as bad examples, filtering everything their citizens can view on the Internet - but we all use google. Read more →