Thursday, June 6, 2013

BYOD - Size Does Not Matter

We all know the wonderful term BYOB. We also know the term BYOD. The acronym differs by only one letter; it is not nearly as fun, but it is just as necessary.
Let’s discuss the current state and direction of the IT industry. Over the past few years tablets have grown into one more necessity of daily life, smartphones have gotten bigger and smarter, and operating systems that once catered to the workstation now cater to the mobile device. The “personal computer” is slowly evolving into the “personal device”. Today there is still a line between smartphone, tablet and PC, but that line is extremely blurry. Only one day a week, when the moon and sun align just right, can we see that the line exists at all.

What’s the problem with that? We all love our big screens and skinny tablets. The problem comes when you try to write any sort of BYOD policy for a company. This blurry line does not match the well-defined, black-and-white line that policies draw in the sand. The evolution of devices makes declaring what a device is, and how it may be used in the enterprise, harder every day… or does it?

A common assumption is that a smartphone poses less risk than a tablet, and a tablet poses less risk than a laptop. Why do we think this, and where did it come from? Size. Our subconscious tells us “hey, this little thing in my hand is so tiny, it can’t be nearly as powerful as that laptop sitting over there… you can do ANYTHING with that laptop, this phone is limited”. Organizations need to understand that, to keep ahead of this, policies must be broader and more inclusive. No matter what the electronic device is called (smartphone, laptop, tablet, smartablet, laphone, tabletop… you get the idea), it is, in the end, a device. Size does not matter. A smartphone can carry the same attack tooling a laptop can. In fact, we might consider smartphones the larger risk: who is going to stop a stranger walking around your building looking down at their smartphone? Now picture the same stranger with an open laptop. Yeah, that’s right… the laptop looks more suspicious.

Let’s go back to how the evolution in mobile devices makes writing policies more difficult. A lot of the time people approach this from the wrong angle. They ask: “What kinds of devices do we want to address? Smartphones and tablets? Only laptops?” What we should be doing is classifying devices not by what they are or who owns them, but by what we know about them. Instead of creating tons of classification buckets (personal phone, company phone, personal tablet, company tablet, personally purchased company tablet… etc.), the policy needs only two: managed and unmanaged. “Managed” means the organization can see the device and enforce its requirements on it (enrollment, encryption, patch level, remote wipe, whatever your requirements are); “unmanaged” means it cannot. Stop trying to quantify the risk differences between these devices and keep them all under the same tree as a “device”. That, in fact, is why it’s called “BYOD” and not BYOPC, BYOT, BYOSP or BYOLT.

If we stop thinking about the risk associated with smartphones and instead think about the risk associated with unmanaged devices, we will be in a position to weather the mobile device evolution. If someone wants to bring in their own device and gain access to your network, that device must be moved from the unmanaged classification to the managed classification. You and your company’s requirements determine what those two categories mean.

Friday, January 4, 2013

Quick Update

I've taken a break from posting for a while but I'm back at it, starting... now. An update: after achieving my CCNP a couple of months ago (wow, time flies) I decided to sit back and chillax a bit. I hadn’t planned on finishing my CCNP until March 2013, but I realized after CCNP Route that I was pretty solid on Switch and even more so on Troubleshoot. Anyway, I’ve been doing some reading:
- Network Warrior v3 (Gary A. Donahue)
  - Had time to finally finish it. This book is fantastic. It is the “fill in the gaps” network book for the real-world, everyday knowledge you need as a network administrator. It covers everything from Telco jargon to how the Cisco Nexus 7K chassis directs airflow. I highly recommend this book.
- Wireshark Network Analysis (Laura Chappell)
  - I’ve always wanted better knowledge down to the nitty network gritty, and this book does just that. It goes through how to analyze network traffic and how to quickly spot if there’s a problem.
- Developing the Leader Within You (John Maxwell)
  - One thing I decided to do in the past few months was to read something non-technical. This book was very insightful and motivating.
- Just starting: Top-Down Network Design (Priscilla Oppenheimer)
  - I’m only about 1/3 of the way through this book but I already love it. The first part focuses mostly on the project side of designing a network. We all get excited when we get to talk about the technical stuff, so much so that we tend to overlook the customer’s needs. Excellent book so far.
- Next up: Cisco QoS (Odom and Cavanaugh)
  - Why this book? Frankly, QoS is daunting to me… there is so much to it that I decided I wanted to learn more. It’s a weak point for me and I know it… This book is fat, but it has great reviews. We shall see how it goes!
Wow, I didn’t realize how much reading I have actually done these past couple of months. That’s quite a bit. So that’s really what I’ve been up to as far as continual learning goes. My next plan is to obtain my CISSP this year (2013). Once I get that under my belt (it will probably take 3-4 months), if it all works out I’m going to look at starting my MBA in IT management. No plans for CCIE at this point, although for fun I might go and get my CCDA and then CCDP if I have some free time. I’ve heard the CCDA is mostly theory and the really juicy material is in the CCDP (Arch); I’ll be doing it mainly to get into the CCDP material. Off to the races, my friends.

Wednesday, November 14, 2012

Leadership Development - Pareto Principle

While I have decided to take a brief break from my technical studies, I have found that it has given me a chance to develop other skills. Leadership is something I have always felt passionate about, but I also know that I am lacking in this area.

With my newfound free time (for the time being) I picked up a book called "Developing the Leader Within You" by John Maxwell. It's been a fascinating read so far. I really enjoy how it's broken down into five levels of leadership. You start from level 1 and move on from there. I won't go into the levels at this point, but the most intriguing thing I read was his explanation of the Pareto principle (aka the 80/20 rule).

The Pareto principle states that the top 20% of your priorities will end up giving you 80% of your production, as long as you invest your time/money/efforts into that top 20%.

Ok, so you're thinking "yeah, that's great... yet another buzzword". True, it could be considered a "buzzword" (which is a buzzword in itself... o.O), but it's something that made me think last night.

Imagine two people, each with the same to-do list of 10 things. What this principle says is that if person #1 takes the top 2 priorities on the list and puts the most effort into those, they will get an 80% return on their effort. If person #2 takes the bottom 8 things on the to-do list and focuses their effort there, they will get only a 20% return.

In the book, he gives examples of how this principle applies to different fields. The easiest one for me to understand is for anyone working in customer service: 20% of the people will take up 80% of our time.

What I take away from this is to be sure to not spread yourself too thin. I tend to jump around on my to do list quite a bit and when I do this, I feel like I barely got anywhere at all. By applying this principle, I hope to be able to accomplish more and feel like I've made more of a difference.

Friday, November 2, 2012

I'm now a CCNP! Here's my story.

It's been a long road for this certification but I have finally arrived. I have passed all three CCNP exams and am now officially a Cisco Certified Network Professional.

To start this story I should say that in order to really understand the material in these exams, I absolutely needed my past experience. I can't say that I was ready for this certification 2 years ago.

My first "real" job was as a Network Technician/Administrator at a local hospital system. I obtained my CCNA before this job, which helped me immensely from the start. While I was there I grew into being the go-to IT person for pretty much everything IT related: servers, backups, SAN (storage), network (routers, switches and firewalls). I maintained the 30-site network as well as the VMware infrastructure. After a while I realized that I wasn't growing much anymore, if at all. I had graduated with my Bachelor's and was no longer going to school full time and working full time. This pushed me to strive for a job that was more demanding and thus a fast-paced learning environment. While at the hospital system for 4 years, I put my CCNA to good use configuring VLANs, VPNs (site-to-site and remote access), Cisco ASAs, HP ProCurve switches, and Cisco 3750 L3 switches. I also renewed my CCNA by getting my CCNA Security.

Next, I had the opportunity to join a consulting/managed services company. This company supports customers in the Bay Area. Having customers from California, you also get the California mindset... GO GO GO, NOW NOW NOW. Because of this I received lots of stress, hours and experience. While I don't regret it, I was pretty much ready to get out of there after 9 months. In those 9 months I had gained hands-on experience with many networks and different network equipment (including load balancers).

Towards the end of that position I started studying (loosely) for my CCNP route. This was the beginning of 2012. I purchased the training materials (books and CBT) and started studying. I didn't have much time though because of how demanding my work was. I had barely scratched the surface of multi-area OSPF when I had the opportunity to change jobs and get away from 60 hour weeks.

Here we are now at March of this year. This year I had the opportunity to join a large enterprise. When I started, my job responsibilities switched to administering Juniper firewalls. This put my CCNP on hold because I needed to get up to speed on Junos and its differences from Cisco IOS. I took a training course and ended up getting two Juniper certifications, JNCIA-Junos and JNCIS-Security. These are basically the Juniper equivalents of the CCNA and CCNA Security.

After a while, I realized that I wanted to pick my CCNP studies back up. My job had died down a bit and I was feeling comfortable with where I was at. In August, I literally dusted off my CCNP Route material and started studying HARDCORE, using GNS3 to virtualize my router lab and reading all the Cisco Press books. I scheduled CCNP Route for September and went for it.

The CCNP Route exam was very hard for me. Up until this point in my career my hands-on experience with routing protocols was limited. Anything automated scares me unless I can predict exactly what it does, and until these studies I couldn't do that: I couldn't tell you exactly what a routing protocol would do or the exact differences between the protocols. I had seen them in action, sure! I had even configured them quite a few times. I just didn't know the back end. After 2 solid months (weekday evenings and most of every weekend) of reading/labbing/studying I took CCNP Route and passed.

After the initial excitement wore off, three days later I scheduled CCNP Switch for November 20. This gave me about 2 months to study for the Switch exam. I bought a lab (two 3550s and two 2950s) and the study materials and went to work again on weekday evenings and weekends. As time progressed I realized my November was getting crazy: two weeks of travel for work, and right smack in between those weeks were Thanksgiving and this exam. After thinking about it, I rescheduled it for November 5th. On top of that, I was feeling myself start to burn out, so I scheduled Tshoot for that Friday (Nov 9).

After a few weeks of sitting on that I realized that November 5th was still too far away. So I sat down on Tuesday, October 30 and realized... "I really don't want to study another weekend. I have nothing else to study, I just want to go for it". I then looked to schedule it for that same week: "can I do Friday? no... I have a meeting. Thursday? I could... but what would I even do on Wednesday? Alright then, I'm going to take it tomorrow, Wednesday."

After scheduling it for Wednesday I decidedly left Tshoot for a week after that giving myself some time in between.

Went in, took Switch and passed it. This exam was difficult, it was the most tricky exam I've ever taken from Cisco!

This leads me to Wednesday night, after passing Switch... I was just stewing on the Tshoot exam, the only thing that stood between me and my CCNP credentials. Everything I had read told me that if I knew the material from the other exams, I could pretty much rock the Tshoot exam. Again I looked at my calendar, and again I realized I had a meeting on Friday. That left one option... to do it the next day. Yes, take the Switch and Tshoot exams back-to-back. It was a bit crazy, but my mindset was "I DON'T WANT TO STUDY ANOTHER WEEKEND!" It was because of this mindset that I was afraid; I was afraid that I would burn out and end up not finishing the CCNP. *click* "HOOOLY CRAP I'M DOING IT TOMORROW". This was decided and scheduled at 8PM the night before.


There's not really much else to say but I went in, took it and got a 1000/1000 score. Starting and finishing my CCNP in about 2.5 months. I really didn't plan on doing it that fast, I had originally planned on finishing it by March of 2013, so like 6-7 months. Things change :) .

So at this point I'm going to take a few month break from any certifications. I took 5 exams, receiving 3 certifications in a matter of 9 months. Time to take a break... maybe I'll take up knitting?

But if you really want to know....

2013: CCDA/CCDP or CISSP

Monday, October 8, 2012

Really Freaking Cool Nexus Command - Equal Cost Load Balancing

SWEET!!!

So today I was troubleshooting some issues and wanted to take a look to see if a Nexus was actually load balancing across two routes. Today, it was specifically OSPF equal cost load balancing.

OSPF does load balance, but only across equal-cost paths: the same prefix (same network and prefix length) must be reachable over two or more paths with identical OSPF cost. Administrative distance doesn't vary within OSPF (it's 110 for every OSPF route), but it still matters if the same prefix is also learned from another source, since only the lowest-AD route is installed; an OSPF route will never share the table with, say, a static route to the same prefix. On NX-OS the number of equal-cost paths OSPF will install is also capped by `maximum-paths` under `router ospf`, so check that value if a path you expect is missing.


Say one router is receiving the same prefix from two other routers, both advertising it via OSPF at equal cost. If the stars align (same prefix, same cost, same AD), both next hops are installed in the routing table. Run:
show ip route
and the prefix shows up with both next hops listed as valid paths. That tells you the router is load balancing.


NOW HERE COMES THE COOL PART!

How does the router decide which of the two paths a given packet takes? Load sharing runs a hash over fields in the packet header and uses the result to pick a path. Because every packet of the same flow produces the same hash, a flow sticks to one path and its packets are never reordered; balancing happens across flows, not packet by packet. The trick is knowing which header fields are fed into the hash. You can find out with this command:

show ip load-sharing

[screenshot of the show ip load-sharing output omitted]

As you can see under "load-sharing mode", the hash takes into account the source and destination address and the source and destination port. (That's the NX-OS default; the mode is changed with `ip load-sharing address source-destination [port source-destination]`, and if you drop the port fields, every connection between the same two hosts lands on the same path.)

Next cool command:

Do you want to figure out where traffic will be going from a specific location, to a specific location? Well yes, of course you do.
show routing hash [source ip] [destination ip]

It also accepts the source and destination ports after the addresses, which you need when the mode includes ports. The output lists the routes in the routing table for that destination at the bottom, your load-sharing mode, and the path the flow will take as "Hashing to path: ___________". Essentially, you can determine where your traffic would go based on the source/destination IP addresses (and ports) and the load-sharing mode you have it set to!

Fan...Freaking...Tastic.
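To make the two commands above concrete, here is an added example (not NX-OS code, and not the author's): a small Python model of what `show ip route` installs and what `show routing hash` reports. The real Nexus hash is a hardware function, so only the behaviour is reproduced (same flow always lands on the same path, and the path choice depends on the load-sharing mode), not the exact path a switch would print. The routing table, addresses and `Route` fields are constructed for the example.

```python
"""Model of equal-cost path selection as described in the post.

Added example, not NX-OS code: a real Nexus uses a hardware hash, so this
only reproduces the behaviour (same flow -> same path, path choice depends
on the load-sharing mode), not the exact path a switch would report.
"""
import hashlib
import ipaddress
from dataclasses import dataclass

# Load-sharing modes as "show ip load-sharing" prints them on NX-OS.
ADDR_ONLY = "address source-destination"
ADDR_PORT = "address source-destination port source-destination"


@dataclass(frozen=True)
class Route:
    prefix: str           # e.g. "10.50.0.0/16"
    next_hop: str
    admin_distance: int   # 110 for OSPF
    metric: int           # OSPF cost


def ecmp_candidates(rib, dst_ip):
    """Routes that would all be installed for dst_ip: longest prefix match,
    then only the routes sharing the best (admin distance, metric) pair."""
    dst = ipaddress.ip_address(dst_ip)
    matching = [r for r in rib if dst in ipaddress.ip_network(r.prefix)]
    if not matching:
        return []
    longest = max(ipaddress.ip_network(r.prefix).prefixlen for r in matching)
    matching = [r for r in matching
                if ipaddress.ip_network(r.prefix).prefixlen == longest]
    best = min((r.admin_distance, r.metric) for r in matching)
    return sorted((r for r in matching if (r.admin_distance, r.metric) == best),
                  key=lambda r: r.next_hop)


def flow_hash(src_ip, dst_ip, src_port, dst_port, mode):
    """Hash only the header fields the configured load-sharing mode looks at."""
    if mode == ADDR_ONLY:
        fields = (src_ip, dst_ip)
    elif mode == ADDR_PORT:
        fields = (src_ip, dst_ip, str(src_port), str(dst_port))
    else:
        raise ValueError(f"unknown load-sharing mode: {mode}")
    digest = hashlib.sha256("|".join(fields).encode()).digest()
    return int.from_bytes(digest[:4], "big")


def hashing_to_path(rib, src_ip, dst_ip, src_port=0, dst_port=0, mode=ADDR_PORT):
    """Equivalent of 'show routing hash': the next hop this flow lands on."""
    cands = ecmp_candidates(rib, dst_ip)
    if not cands:
        return None
    index = flow_hash(src_ip, dst_ip, src_port, dst_port, mode) % len(cands)
    return cands[index].next_hop


# Constructed sample RIB (addresses from the documentation ranges).
SAMPLE_RIB = [
    Route("10.50.0.0/16", "192.0.2.1", 110, 20),   # OSPF, equal cost -> installed
    Route("10.50.0.0/16", "192.0.2.2", 110, 20),   # OSPF, equal cost -> installed
    Route("10.50.0.0/16", "192.0.2.3", 110, 30),   # OSPF, worse cost -> not installed
    Route("10.50.1.0/24", "192.0.2.9", 1, 0),      # static, longer prefix wins for 10.50.1.x
]


if __name__ == "__main__":
    print("installed for 10.50.7.7:",
          [r.next_hop for r in ecmp_candidates(SAMPLE_RIB, "10.50.7.7")])
    for mode in (ADDR_ONLY, ADDR_PORT):
        print("load-sharing mode:", mode)
        for sport in (1111, 2222, 3333):
            path = hashing_to_path(SAMPLE_RIB, "198.51.100.10", "10.50.7.7",
                                   sport, 443, mode)
            print(f"  sport {sport} -> Hashing to path: {path}")
```

Running it shows the point of checking the mode: with ports in the hash, three connections from one client spread over both next hops, while under the address-only mode all three land on the same next hop, and the 192.0.2.3 route with the worse cost never appears at all.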


Wednesday, September 26, 2012

Cisco ASA - AnyConnect - DAP - Host Scan - Posture Assessment - BYOD

Quite a long name for this post but all of the above are involved in what I'm going to talk about.

For the longest time I knew the ASA was capable of doing posture assessments but never got a chance to play around with it, for two reasons:

1. It's expensive. You need AnyConnect Premium licenses in order to have access to the Host Scan option.
2. I always thought it was way too complex for what it did, so I never looked too closely at it.

Well I finally had the chance to look at it and it... is... AMAZING! So incredibly simple to setup and extremely powerful. 

The quick and dirty on how it goes down:

1. Download the Host Scan image. You can get it from either the AnyConnect 3.0+ for Windows package or the Cisco Secure Desktop images.
2. Open ASDM and go to Configuration -> Remote Access VPN -> Host Scan Image.
3. Upload the image to the ASA through file management (or from this same screen with the "Upload" button), then click Browse Flash and point it at the image.
4. ASDM then needs a restart so that the "Secure Desktop Manager" section appears under Remote Access VPN.
5. If you want to scan the PC for antivirus, antispyware, etc., go to Remote Access VPN -> Secure Desktop Manager -> Host Scan, enable "Endpoint Assessment" and click Apply All.
6. Your Endpoint ID options now show up, so you can go into Dynamic Access Policies (DAP) under Network (Client) Access.
7. Open the DAP you want to add posture assessment to and click Add next to the Endpoint ID field.
8. Add the attribute you want to match on.
9. Now that it's enabled and usable, have fun with it; you can go into incredible detail on this stuff.


The COOLEST thing I ran into was being able to grant mobile devices different access than PCs. In the BYOD world it's important to know that as soon as you publish this, and if you have the AnyConnect mobile license installed, people WILL be connecting with their iPhones, Androids and tablets. If you DO NOT have an MDM (mobile device management) in place, those devices are essentially unmanaged: nothing stops the user from installing anything on them.

So with that in mind you can filter on the Endpoint Attribute AnyConnect, then Platform. Specify Android, and then Apple iOS as a second entry in the Endpoint Attribute field, to cover most of those lovely mobile devices.

I don't go into DAPs here, but once you tell that DAP "hey, if it's an AnyConnect client on the Android/Apple iOS platform" you can do pretty much whatever you want (assign ACLs, etc.). Two things to keep in mind: the platform and Host Scan results are reported by the client, so use them to sort devices into access tiers rather than as your only control, and remember that the default DAP is what applies when no record matches, so make sure it is restrictive on its own.
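As an added example of the idea behind the platform-based DAP (this is illustrative Python, not Cisco code and not configuration from the post), here is a simplified model of how DAP records are selected and combined: every record whose endpoint criteria all hold is selected, a "terminate" record ends the session, otherwise the network ACLs of the selected records are applied in priority order, and the default policy applies when nothing matches. The endpoint attribute names, the platform strings, the ACL names and the record set are assumptions constructed for the example.

```python
"""Simplified model of ASA Dynamic Access Policy (DAP) record selection.

Added illustration, not Cisco code. It keeps only the behaviour the post
relies on: all records whose criteria match are selected, a "terminate"
record denies the session, otherwise the ACLs of the selected records are
aggregated in priority order, and DfltAccessPolicy applies when nothing
matches. Attribute names, platform strings and ACL names are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DapRecord:
    name: str
    priority: int = 0                    # higher priority ACL is applied first
    action: str = "continue"             # "continue" or "terminate"
    platforms: frozenset = frozenset()   # match any of these; empty = don't care
    antivirus: Optional[bool] = None     # Host Scan result required; None = don't care
    acl: str = ""                        # network ACL name; "" = none attached

    def matches(self, endpoint):
        """Every configured criterion must hold for the record to be selected."""
        if self.platforms and endpoint.get("platform") not in self.platforms:
            return False
        if self.antivirus is not None and endpoint.get("antivirus") != self.antivirus:
            return False
        return True


def evaluate(records, default, endpoint):
    """Return the access decision for one connecting endpoint."""
    selected = [r for r in records if r.matches(endpoint)]
    if not selected:
        selected = [default]          # nothing matched: the default DAP decides
    if any(r.action == "terminate" for r in selected):
        return {"allowed": False, "records": [r.name for r in selected], "acls": []}
    ordered = sorted(selected, key=lambda r: r.priority, reverse=True)
    return {"allowed": True,
            "records": [r.name for r in ordered],
            "acls": [r.acl for r in ordered if r.acl]}


# Constructed record set mirroring the post: mobile platforms without an MDM
# get a limited ACL, Windows gets full access only when Host Scan sees AV,
# and Windows without AV is terminated.
RECORDS = [
    DapRecord("MobileRestricted", priority=20,
              platforms=frozenset({"Android", "Apple iOS"}), acl="MOBILE_LIMITED"),
    DapRecord("HealthyWindows", priority=10,
              platforms=frozenset({"Windows"}), antivirus=True, acl="CORP_FULL"),
    DapRecord("WindowsNoAV", action="terminate",
              platforms=frozenset({"Windows"}), antivirus=False),
]
# Modelled with no ACL attached: anything that matches no record gets through
# with whatever this carries, which is why the default must be restrictive.
DEFAULT = DapRecord("DfltAccessPolicy")


if __name__ == "__main__":
    for endpoint in ({"platform": "Android", "antivirus": False},
                     {"platform": "Windows", "antivirus": True},
                     {"platform": "Windows", "antivirus": False},
                     {"platform": "Mac"}):
        print(endpoint, "->", evaluate(RECORDS, DEFAULT, endpoint))
```

The last case is the one worth noticing: a platform that none of your records name falls through to the default policy, so the access you intended to limit to "healthy PCs" is only as limited as that default.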