Sometimes in networking and security it becomes necessary to do lookups of location data on IP addresses and prefixes. On my Mac I use homebrew to manage packages, but most of these tools are available with thetypocal apt, yum and port package management systems. For this post, I’m going to shift gears and show the install on my mac:``` sliver:~ buraglio$ brew install geoip ==> Downloading https://downloads.sf.net/project/machomebrew/Bottles/geoip-1.6.3.mavericks.bottle.tar.gz ######################################################################## 100.0% ==> Pouring geoip-1.

[Ryan Harden]( “ancker@ancker.net”) - Oct 3, 2014 I whipped up something in bash. It isn’t as automated, but works if you have a list of hostnames/IPs you want to check. #!/bin/sh for i in host1.blah.net host2.blah.net do echo $i echo Q | openssl s_client -connect $i:443 -ssl3 2> /dev/null | grep Protocol done

With the recent release of the POODLE SSLv3 vulnerability, folks are scrambling around trying to figure out what runs what and where. Running a handful of things that do SSL, I was obligated, both personally and professionally, to figure out an easy way to drill down and figure out what does what and then fix the vulnerable services. When there are a lot of devices, this can seem like a daunting task, and it is if you’re trying to do it manually.

I was wanting to do a few quick mock-ups with OpenvSwitch and OpenDayLight and wanted to use CentOS since I have templates for it that I replicate. Just like with the debian stuff I had been doing, I wasn’t able to find any in some quick searches. I stumbled upon This site, which had a great how to for building them, so I just used that. Seeing as that the debian packages actually got downloaded a lot, I figured I’d post these RPMs as well.

Big Switch Labs for SDN Learning: A Sneak Peek! - Sep 1, 2014 […] Big Switch Labs for SDN Learning: A Sneak Peek! […]

I was recently granted access to the beta BigSwitch Networks lab site, a purpose built classroom in the cloud focused on teaching the BigSwitch SDN environment. I had seen some of the BSN offerings in the past and always held them in high regard, but I was thoroughly impressed with both the completeness of the lab and how polished the controller environment was.At the time of this writing, the lab consists of 3 modules: Building cloud fabric, monitoring fabric and dynamic provisioning of monitoring fabric.

[Les Begnaud]( “lesbegnaud@gmail.com”) - Dec 4, 2014 Hi there, I just implemented your set of scripts and had a couple comments: 1) seems to work just fine on an NSA 3600 2) have you attempted to rebuild a sonicwall based on the output of ‘show current-config’? 3) any luck with getting the ever-changing passwords to behave themselves? I am not a fan of constant diffs… defeats the purpose of diffs 4) your github sonrancid script references clogin, and not sonlogin 5) Thanks so much for doing this!

I know, I know, I’m always saying that you don’t need a firewall. That’s mostly to get your attention to push my agenda of sane security architecture, I do actually believe that firewalls are appropriate in a great many use cases and I’ve managed them big and small ranging from Juniper SRX 5800 clusters to tiny purpose built BSD distros on custom hardware. I even managed Checkpoint and gauntlet firewall back in the 1990s.

[cryptochrome]( “sascha@picchiantano.de”) - Sep 1, 2014 Wow. I completely disagree. Just because a firewall can give you some headaches in your network environment it shouldn’t be a reason to just dump it. A very dangerous proposition, and your “alternatives” will not be enough. Fix your firewall if it causes issues. Nick Buraglio - Sep 1, 2014 Like I said, it’s not for everyone, but there are very real use cases where there is no hardware firewall that does what is necessary.

I admit that the title was meant to be inflammatory. However, there are use cases that aren’t terribly uncommon where an in-line security appliance is just not the correct tool for the job. Someone once told me “a firewall protects a network like a fuse protects an electrical circuit”, and it’s mostly a correct statement. Firewall vendors will probably argue this and enterprise folks may discount this as heresy and call for burning me at the stake.