BaseballPCHiker
Jan 16, 2006

I also feel like networking is a bit safer of a career than traditional sysadmin work in the long term, though I also think the demise of sysadmin work in general is over exaggerated.


Bob Morales
Aug 18, 2006


BaseballPCHiker posted:

I also think the demise of sysadmin work in general is over exaggerated.

I've heard too many managers say, "I care more about jobs, I won't move that to the cloud", to think that.

Methanar
Sep 26, 2013

I can't wait for No Code to kill every devops/cloud/learn to code :smug: job

Famethrowa
Oct 5, 2012

Please redirect me if this is the wrong thread, but,

those of you working in networking, how did you get past the "2-3 years of enterprise experience" requirement for a Junior Network Engineer position? Would a Bachelor's in a relevant field (cybersecurity with a networking focus) and CCNA get me past that hoop? I work full-time so I'd love to avoid the unpaid intern route...

I'm hoping my 3 years of management of a technical-ish team counts for something too....

Nuclearmonkee
Jun 10, 2009


Famethrowa posted:

Please redirect me if this is the wrong thread, but,

those of you working in networking, how did you get past the "2-3 years of enterprise experience" requirement for a Junior Network Engineer position? Would a Bachelor's in a relevant field (cybersecurity with a networking focus) and CCNA get me past that hoop? I work full-time so I'd love to avoid the unpaid intern route...

I'm hoping my 3 years of management of a technical-ish team counts for something too....

It might, depending on who's doing the hiring. I got the initial experience part in the helpdesk/MSP mines.

BaseballPCHiker
Jan 16, 2006

Just get hired at some shitshow dumpster fire of an MSP or something and deal with people's ancient, crap setups. Do that for a bit, get your CCNA, and then move on up.

I usually advocate against degrees specifically for IT. Certs are such a better bang-for-your-buck value, and if you actually learn the material instead of just learning to pass a test I think you'll be in a much better position as a network engineer than if you went to school for some generic IT degree.

Famethrowa
Oct 5, 2012

BaseballPCHiker posted:

Just get hired at some shitshow dumpster fire of an MSP or something and deal with people's ancient, crap setups. Do that for a bit, get your CCNA, and then move on up.

I usually advocate against degrees specifically for IT. Certs are such a better bang-for-your-buck value, and if you actually learn the material instead of just learning to pass a test I think you'll be in a much better position as a network engineer than if you went to school for some generic IT degree.

to tell you the truth, my degree is mostly for personal gratification (see ma, told you I could do it) and to make use of the 2 years of college credit I got when I was 20 and dumb as hell. I'm determined as all hell to finish this piece of poo poo. CCNA will happen without a doubt, and thankfully my university will pay for it, so why not.

I'm mostly afraid of going help desk/MSP because of the entry level pay cut, but if that's inevitable... :smith:

BaseballPCHiker
Jan 16, 2006

Famethrowa posted:

I'm mostly afraid of going help desk/MSP because of the entry level pay cut, but if that's inevitable... :smith:

That's a tough situation and I'm not sure if there is a way around it; maybe some others here have made a similar mid-career jump. All of the places I've worked as a network engineer wouldn't let someone new with just a CCNA do too much. You really need to get your feet wet somewhere to get started and get a good feel. That said, I've never worked for a BIG company or for a provider; they may be more inclined to just throw you to the wolves as a new person.

OmniCorp
Oct 30, 2004




Nuclearmonkee posted:

It might, depending on who's doing the hiring. I got the initial experience part in the helpdesk/MSP mines.

Yes. NOC at MSP/ISP and then getting my CCNA got me the network engineer interview. Changed companies twice for the experience and new job salary boost. 10 years later I’m doing the degree for personal reasons and to be able to get into industries where it is sometimes a hard requirement.

Famethrowa
Oct 5, 2012

OmniCorp posted:

Yes. NOC at MSP/ISP and then getting my CCNA got me the network engineer interview. Changed companies twice for the experience and new job salary boost. 10 years later I’m doing the degree for personal reasons and to be able to get into industries where it is sometimes a hard requirement.

That sounds like my jam. How hard is it to get into an ISP entry level?

Impotence
Nov 8, 2010
I'm curious, does anyone here run a network for fun/learning or just do practice labs/old hardware/etc? If you're European you can get started for about 25-50 euros for your own ASN and some IPv6 blocks; there are a number of nonprofit associations/clubs that support this like CommunityRack in Switzerland, grifon.fr in France, Coloclue in NL, etc., routed onto the public DFZ. I found this to be a lot more fun than a lab with a bunch of virtual Ciscos.

Methanar
Sep 26, 2013


Biowarfare posted:

I'm curious, does anyone here run a network for fun/learning or just do practice labs/old hardware/etc? If you're European you can get started for about 25-50 euros for your own ASN and some IPv6 blocks; there are a number of nonprofit associations/clubs that support this like CommunityRack in Switzerland, grifon.fr in France, Coloclue in NL, etc., routed onto the public DFZ. I found this to be a lot more fun than a lab with a bunch of virtual Ciscos.

No I actually try to spend as little time as possible doing computer things if I'm not being paid for it.

OmniCorp
Oct 30, 2004




Famethrowa posted:

That sounds like my jam. How hard is it to get into an ISP entry level?

It wasn't too hard (but still always checking and sending resumes) to get into a small regional ISP with decent troubleshooting skills and doing some hard time at Best Buy. MSPs would be the place to be now as many have moved out of owning/leasing MAN and WAN. My dialup and DSL support skills also seem less in demand.

madsushi
Apr 19, 2009

Let's talk east/west firewalls. Let's say I have ~50 different one-off application servers with some exposure to the internet and I want to isolate them from the rest of my network. The traditional way (in my mind) to do this is to use DMZ networks off of whatever perimeter firewall and put the servers in there. But that seems to not scale well once you're talking about like 50 different applications all needing their own DMZ VLAN / having to trunk those VLANs around everywhere, etc. Some of these might also be the inverse of a DMZ, where I have servers where I want to restrict some access to them (e.g. normal users on my corpnet can't RDP to the payroll server or whatever), even server-to-server restrictions.

What's the right way to do this? I feel like putting every server on its own zone / VLAN is cumbersome and puts a bottleneck on that firewall (if any of these servers are high-throughput) and it kind of sucks. Does VXLAN make this easier (no more trunking the VLANs around, they all get tunneled to the firewall)? I feel like host-based firewalling would be the only way to actually get this to be high-throughput without insane cost, but now I'm writing firewall rules for all of my servers.

Just interested in any general discussion here. Buy some big speed/feed firewalls and put them between your users and your servers, and then use host-based firewalling for server-to-server restrictions? ~kubernetes~?

Methanar
Sep 26, 2013


Don't depend on network level segmentation as a replacement for proper authn/authz for one.

Host-based firewalling is fine if you can put together an RBAC model in Ansible or Chef. That's how I'd do it tbh rather than trying to maintain n VLANs and then managing ACLs anyway.
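
An added example (editor's, not something any poster put up, and not taken from Ansible or Chef) of what Methanar's "RBAC model" for host firewalls looks like once it is data: one role per server class, rendered to an nft(8) script with default drop in both directions. It is aimed at madsushi's two cases above, ordinary users must not reach RDP/SSH on a server that still serves HTTPS, and an internet-facing box must not be able to pivot. Every role, address, hostname and port below is invented; the output is what you would template out with your config management tool.

```python
"""Host firewall from a role model: one data structure per role, rendered to
an nft(8) script with default drop in both directions.

Added example, not posted in the thread or taken from any tool. Every role,
address, port and hostname below is invented for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Flow:
    proto: str               # "tcp" or "udp"
    port: int
    peers: Tuple[str, ...]   # CIDRs on the far end; (ANY,) means no address match


@dataclass
class Role:
    name: str
    inbound: List[Flow] = field(default_factory=list)
    outbound: List[Flow] = field(default_factory=list)


# Hypothetical inventory. SSH is only ever reachable from the bastion; the
# payroll app is HTTPS from the corp LAN and nothing else (no RDP, no SMB);
# the internet-facing WordPress box may talk to its database, the resolver
# and the update proxy only, so a web shell on it cannot pivot or pull tools.
BASTION = "10.0.0.10/32"
CORP_LAN = "10.10.0.0/16"
DB_SERVER = "10.0.5.20/32"
RESOLVER = "10.0.0.53/32"
PROXY = "10.0.0.80/32"

ROLES = {
    "payroll": Role("payroll",
        inbound=[Flow("tcp", 443, (CORP_LAN,)), Flow("tcp", 22, (BASTION,))],
        outbound=[Flow("udp", 53, (RESOLVER,))]),
    "wordpress": Role("wordpress",
        inbound=[Flow("tcp", 443, (ANY,)), Flow("tcp", 22, (BASTION,))],
        outbound=[Flow("tcp", 3306, (DB_SERVER,)), Flow("udp", 53, (RESOLVER,)),
                  Flow("tcp", 3128, (PROXY,))]),
}


def _rule(flow: Flow, addr_kw: str) -> str:
    """One nft rule; addr_kw is 'saddr' for inbound, 'daddr' for outbound."""
    match = "" if ANY in flow.peers else f"ip {addr_kw} {{ {', '.join(flow.peers)} }} "
    return f"    {match}{flow.proto} dport {flow.port} ct state new accept"


def render_ruleset(role_name: str) -> str:
    """Return an nft script for one role. Unknown roles raise rather than
    silently rendering an empty (fully open or fully closed) policy."""
    if role_name not in ROLES:
        raise KeyError(f"unknown role: {role_name}")
    role = ROLES[role_name]
    lines = [
        f"# generated for role {role.name}",
        "flush ruleset",
        "table inet host {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        "    ct state invalid drop",
        *[_rule(f, "saddr") for f in role.inbound],
        "  }",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    oif lo accept",
        "    ct state established,related accept",
        *[_rule(f, "daddr") for f in role.outbound],
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Load with:  python3 roles.py wordpress | nft -f -
    import sys
    sys.stdout.write(render_ruleset(sys.argv[1] if len(sys.argv) > 1 else "wordpress"))
```

Two caveats a practitioner would want: only `ip` (IPv4) matches are rendered, so in an `inet` table IPv6 falls through to the drop policy until you add v6 flows on purpose; and madsushi's objection later in the thread holds, a root compromise of the host can flush this, so it is the second layer behind a firewall on the path, not a replacement for one.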

Thanks Ants
May 21, 2004



There’s also the microsegmentation stuff offered in NSX

Impotence
Nov 8, 2010

madsushi posted:

Let's talk east/west firewalls. Let's say I have ~50 different one-off application servers with some exposure to the internet and I want to isolate them from the rest of my network. The traditional way (in my mind) to do this is to use DMZ networks off of whatever perimeter firewall and put the servers in there. But that seems to not scale well once you're talking about like 50 different applications all needing their own DMZ VLAN / having to trunk those VLANs around everywhere, etc. Some of these might also be the inverse of a DMZ, where I have servers where I want to restrict some access to them (e.g. normal users on my corpnet can't RDP to the payroll server or whatever), even server-to-server restrictions.

What's the right way to do this? I feel like putting every server on its own zone / VLAN is cumbersome and puts a bottleneck on that firewall (if any of these servers are high-throughput) and it kind of sucks. Does VXLAN make this easier (no more trunking the VLANs around, they all get tunneled to the firewall)? I feel like host-based firewalling would be the only way to actually get this to be high-throughput without insane cost, but now I'm writing firewall rules for all of my servers.

Just interested in any general discussion here. Buy some big speed/feed firewalls and put them between your users and your servers, and then use host-based firewalling for server-to-server restrictions? ~kubernetes~?

PII/PCI segment for things like payments, payroll, etc and another zone for everything else, all applications use mTLS and client certificates for *all* traffic without exception; does not affect throughput in any way and you don't need 1024 VLANs for no reason - we have legacy applications secured this way by running linkerd/envoy/nginx/whatever else as a proxy that requires client certs for all traffic and then proxies it to localhost:whatever too.

wrt k8s: I have huge kubies running for some projects, have everything do automatic mTLS and TCP proxying through a bunch of load balancers and you should be fine - k8s pods should not even be exposing things like ssh, just running an application (check out the distroless base images for something to base off of, if new)

Impotence fucked around with this message at 09:29 on Sep 23, 2020

Methanar
Sep 26, 2013


Biowarfare posted:


wrt k8s: I have huge kubies running for some projects, have everything do automatic mTLS and TCP proxying through a bunch of load balancers and you should be fine - k8s pods should not even be exposing things like ssh, just running an application (check out the distroless base images for something to base off of, if new)
Are you using istio

madsushi
Apr 19, 2009


Methanar posted:

Don't depend on network level segmentation as a replacement for proper authn/authz for one.

Host-based firewalling is fine if you can put together an RBAC model in Ansible or Chef. That's how I'd do it tbh rather than trying to maintain n VLANs and then managing ACLs anyway.

Most of the services have auth. The issue is closer to: how do I prevent users from having RDP/SSH access to a server while still allowing HTTPS, and how do I expose a server to the internet while also limiting the pivot opportunities if said exposed application sucks.

Thanks Ants posted:

There’s also the microsegmentation stuff offered in NSX

Are you running this? Does it work? I am trying to avoid any NSX or ACI or any kind of "buy $solution from big vendor".

Biowarfare posted:

PII/PCI segment for things like payments, payroll, etc and another zone for everything else, all applications use mTLS and client certificates for *all* traffic without exception; does not affect throughput in any way and you don't need 1024 VLANs for no reason - we have legacy applications secured this way by running linkerd/envoy/nginx/whatever else as a proxy that requires client certs for all traffic and then proxies it to localhost:whatever too.

SSL in all directions definitely makes sense. I'm trying to figure out the other ports. Like if all of my Linux VMs have SSH running, how do I limit access to SSH to only approved hosts? Or how do I limit outbound access from a server that is exposed to the internet? Like if I have to expose some random app to the internet on HTTPS, how do I isolate that server so that you can't pivot from there to the rest of my stuff? I can't trust the host itself to restrict its own outbound traffic.

Impotence
Nov 8, 2010

madsushi posted:

Most of the services have auth. The issue is closer to: how do I prevent users from having RDP/SSH access to a server while still allowing HTTPS, and how do I expose a server to the internet while also limiting the pivot opportunities if said exposed application sucks.

SSL in all directions definitely makes sense. I'm trying to figure out the other ports. Like if all of my Linux VMs have SSH running, how do I limit access to SSH to only approved hosts? Or how do I limit outbound access from a server that is exposed to the internet? Like if I have to expose some random app to the internet on HTTPS, how do I isolate that server so that you can't pivot from there to the rest of my stuff? I can't trust the host itself to restrict its own outbound traffic.

Route all RDP/SSH/etc traffic through a gateway of some sort per zone (region, whatever, onprem dc, building?). Use this gateway to manage keys, who has the ability to ssh to what, issue short-lived keys instead of allowing any user to connect directly. This also produces an audit log. On AWS, we disable all ssh access and use ssm-agent instead (proxy that logs all commands authenticated via IAM)

You can look at something like https://github.com/gravitational/teleport (community edition is licenced Apache 2, so should be fine for most corp bs - no GPL)

quote:

Like if I have to expose some random app to the internet on HTTPS, how do I isolate that server so that you can't pivot from there to the rest of my stuff? I can't trust the host itself to restrict its own outbound traffic.

If you are running something like istio or other service mesh with mTLS, they will handle mTLS for you all the way through based on defined rules. If your random $app1 is compromised, but only is configured to be allowed access to, say, "$app1's REST API at x requests per second", even if you don't have firewall rules set up on $app1, it's not possible for it to directly connect to any database, other APIs, act as a jumpbox for RDP, etc. Your application basically gets sent through the mesh proxy first which will be all "no, what is this" and page you. Think of it as "app1 -> local_app1_proxy" + "local_app1_proxy -> remote_rest_api_proxy" + "remote_rest_api_proxy -> rest_api" with checkpoints at every part of it.

Impotence fucked around with this message at 19:53 on Sep 23, 2020
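
An added example (editor's, not code from istio, linkerd or envoy and not posted by anyone here) of the checkpoint Impotence describes: the proxy in front of $app1 takes the caller's identity from the client certificate, checks it against an allow-list of destinations and applies a per-second limit, so a compromised app1 asking for the database or an RDP host is refused before a packet leaves. The SPIFFE-style identity URIs, service names and rate are assumptions, and the certificate is a constructed dict in the shape `ssl.SSLSocket.getpeercert()` returns.

```python
"""Sidecar-style authorization: who is calling (from the client certificate),
what it may call, and how fast.

Added example written for this thread, not code from istio/linkerd/envoy or
any poster; the SPIFFE-style identities, service names and limits are invented.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    dest: str              # destination service the source may reach
    methods: frozenset     # HTTP methods allowed
    path_prefix: str       # only paths under this prefix
    rps: int               # new requests per wall-clock second


# Hypothetical policy: app1's workload identity may call its own REST API,
# read/write, under /v1/, at most 5 times a second. Nothing else is listed,
# so the database, RDP jump hosts and other teams' APIs are all unreachable.
APP1 = "spiffe://example.internal/ns/prod/sa/app1"
POLICY: Dict[str, Tuple[Rule, ...]] = {
    APP1: (Rule("app1-api", frozenset({"GET", "POST"}), "/v1/", 5),),
}


def identity_from_peercert(cert: dict) -> Optional[str]:
    """Pull the workload identity out of the URI SAN of a peer certificate, in
    the dict shape ssl.SSLSocket.getpeercert() returns. None if there is no
    such SAN; the caller treats that as 'unknown identity', not as anonymous."""
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "URI" and value.startswith("spiffe://"):
            return value
    return None


class Sidecar:
    def __init__(self, policy=POLICY):
        self.policy = policy
        # (source, dest) -> [current second, requests seen in that second]
        self._counters: Dict[Tuple[str, str], list] = {}

    def authorize(self, source_id, dest, method, path, now):
        """Decide one request. `now` is seconds (e.g. time.monotonic()), passed
        in so the decision is deterministic and testable. Returns (allowed, reason)."""
        if source_id is None or source_id not in self.policy:
            return False, "unknown identity"
        for rule in self.policy[source_id]:
            if (rule.dest != dest or method not in rule.methods
                    or not path.startswith(rule.path_prefix)):
                continue
            window = int(now)
            counter = self._counters.setdefault((source_id, dest), [window, 0])
            if counter[0] != window:
                counter[0], counter[1] = window, 0
            if counter[1] >= rule.rps:
                return False, "rate limited"
            counter[1] += 1
            return True, "ok"
        # Deny by default. In a real mesh this is where you log and page,
        # because a compromised app1 probing for the database shows up here.
        return False, "no rule permits this flow"


if __name__ == "__main__":
    sc = Sidecar()
    print(sc.authorize(APP1, "app1-api", "GET", "/v1/items", 0.0))
    print(sc.authorize(APP1, "payroll-db", "GET", "/", 0.0))
```

The thing to notice is the shape of the defaults: no matching rule means denied, and an absent or non-URI SAN is an unknown identity rather than an anonymous caller. That is the difference between mTLS as encryption and mTLS as authorization.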

madsushi
Apr 19, 2009


Biowarfare posted:

If you are running something like istio or other service mesh with mTLS

Yeah, that makes sense, if I'm putting all of my traffic through software, then there are opportunities to restrict the traffic based on config / intent / whatever. I'm thinking more along the lines of traditional networking and an on-prem config where there's no mesh / fabric / orchestration layer to hand this off to. If I was running all of this in EC2 then I could just use security groups, but what are ways to do this on-prem?

Impotence
Nov 8, 2010

madsushi posted:

Yeah, that makes sense, if I'm putting all of my traffic through software, then there are opportunities to restrict the traffic based on config / intent / whatever. I'm thinking more along the lines of traditional networking and an on-prem config where there's no mesh / fabric / orchestration layer to hand this off to. If I was running all of this in EC2 then I could just use security groups, but what are ways to do this on-prem?

This is problematic because:
- You don't want/have to use a hardware vendor's firewall solution but you basically are asking for SDN and not layer 7 (see next point)
- You don't want/have to use layer 7 software solutions[?] (you can run istio, k8s, etc onprem too)
- Security groups are not a replacement for authn/authz/mtls/rate limiting/etc


Methanar posted:

Are you using istio

service meshes are a kink

Nuclearmonkee
Jun 10, 2009


madsushi posted:

Yeah, that makes sense, if I'm putting all of my traffic through software, then there are opportunities to restrict the traffic based on config / intent / whatever. I'm thinking more along the lines of traditional networking and an on-prem config where there's no mesh / fabric / orchestration layer to hand this off to. If I was running all of this in EC2 then I could just use security groups, but what are ways to do this on-prem?

There's a bunch of vendors who sell network micro-segmentation tools to get you over to a zero trust network security model. Do not attempt doing this with hand made ACLs and VLAN segmentation. That way madness lies.

madsushi
Apr 19, 2009


Biowarfare posted:

This is problematic because:
- You don't want/have to use a hardware vendor's firewall solution but you basically are asking for SDN and not layer 7 (see next point)
- You don't want/have to use layer 7 software solutions[?] (you can run istio, k8s, etc onprem too)
- Security groups are not a replacement for authn/authz/mtls/rate limiting/etc

Most of the issue is that I don't control the applications or the platform, so I can't enforce layer 7 everywhere. I can't make the owners of $random_third_party_cms_app run it in a container.

I'm fine with a hardware solution, I'm just trying to make sure I'm not missing something. Also, I'm not concerned about authn/authz/mtls whatever. I'm concerned about the traffic that isn't part of the application (like all of the default ports that are normally open on servers). Teleport seems like an interesting way to address SSH, is there something like that for RDP?

Nuclearmonkee posted:

There's a bunch of vendors who sell network micro-segmentation tools to get you over to a zero trust network security model. Do not attempt doing this with hand made ACLs and VLAN segmentation. That way madness lies.

Have you used any of these vendors or have a recommendation?


Maybe the better way to have phrased my original point: I have to allow a bare-metal externally-exposed Wordpress install in my datacenter. Now what? I feel like I'm stuck putting it on a VLAN, sending that to a firewall via VXLAN (so I'm not trunking L2 everywhere), and then doing the "madness" step of defining what the traffic requirements are.

Nuclearmonkee
Jun 10, 2009


madsushi posted:

Most of the issue is that I don't control the applications or the platform, so I can't enforce layer 7 everywhere. I can't make the owners of $random_third_party_cms_app run it in a container.

I'm fine with a hardware solution, I'm just trying to make sure I'm not missing something. Also, I'm not concerned about authn/authz/mtls whatever. I'm concerned about the traffic that isn't part of the application (like all of the default ports that are normally open on servers). Teleport seems like an interesting way to address SSH, is there something like that for RDP?


Have you used any of these vendors or have a recommendation?


Maybe the better way to have phrased my original point: I have to allow a bare-metal externally-exposed Wordpress install in my datacenter. Now what? I feel like I'm stuck putting it on a VLAN, sending that to a firewall via VXLAN (so I'm not trunking L2 everywhere), and then doing the "madness" step of defining what the traffic requirements are.

I've worked with Cisco ACI, their new DNA SDN center thing, and in my current role mostly dealing with SCADA systems and controls networks, Industrial Network Director which does an ok job.

ACI works and you can integrate it with Palo Alto firewalls or whatever. But really for any of them there is a degree of management overhead so don't even attempt going any further beyond basic NAC and profiling without a commitment that yes the company gives a poo poo about security and is going to have some number of bodies to support the initiative. As of 9 months ago, avoid DNA center as it's a buggy piece of poo poo and you are the beta testing team.

madsushi posted:

Most of the issue is that I don't control the applications or the platform, so I can't enforce layer 7 everywhere. I can't make the owners of $random_third_party_cms_app run it in a container.

I'm fine with a hardware solution, I'm just trying to make sure I'm not missing something. Also, I'm not concerned about authn/authz/mtls whatever. I'm concerned about the traffic that isn't part of the application (like all of the default ports that are normally open on servers). Teleport seems like an interesting way to address SSH, is there something like that for RDP?


Have you used any of these vendors or have a recommendation?


Maybe the better way to have phrased my original point: I have to allow a bare-metal externally-exposed Wordpress install in my datacenter. Now what? I feel like I'm stuck putting it on a VLAN, sending that to a firewall via VXLAN (so I'm not trunking L2 everywhere), and then doing the "madness" step of defining what the traffic requirements are.

Yeah, you need some kind of layer 7 firewall or tool in there so you can tell it "this is a shitbad wordpress host, it talks to X and Y and does Z, and nothing else". If it's in VMware, NSX can do this pretty easily for $$$, you can stick your favorite virtual application firewall in there, or you could just spin up istio on prem and let it do the work. It's much easier to do this in a controlled data center with servers/VMs/containers if you aren't worried about the access layer and are just trying to protect horribly made and secured systems from themselves/each other.

edit: Oh and if you don't have a co-operative dev team who's treating securing this stuff as a team effort, most of these tools can be placed in learning mode, learn what "normal" looks like, and then you approve the generated access controls and change it to enforce. It's mostly used to integrate it into legacy systems smoothly but you can use the tool as you please.

Nuclearmonkee fucked around with this message at 20:46 on Sep 23, 2020

Kazinsal
Dec 13, 2011



I've got a couple dozen Cisco devices that I need to regularly back configs up for but can't change the configs on to have them automatically push their configuration anywhere. Does anyone know of a tool or expect scripts or something that I can just drop into a cron job that'll basically ssh in, show running-config, and copy the output to a file?

uhhhhahhhhohahhh
Oct 9, 2012

Kazinsal posted:

I've got a couple dozen Cisco devices that I need to regularly back configs up for but can't change the configs on to have them automatically push their configuration anywhere. Does anyone know of a tool or expect scripts or something that I can just drop into a cron job that'll basically ssh in, show running-config, and copy the output to a file?

If you can enable scp on them, you can automate pulling the running or startup config from them in any way you please

Kazinsal
Dec 13, 2011



uhhhhahhhhohahhh posted:

If you can enable scp on them, you can automate pulling the running or startup config from them in any way you please

Not an option unfortunately :( Some of them are too old to handle SCP properly, and we're not really supposed to touch the configs on these at all for business reasons I won't get into.

falz
Jan 29, 2005

Didn't you look into RANCID? That's literally what it does: SSH or telnet or whatever into it, grab config, save to a revision control system.

Kazinsal
Dec 13, 2011



falz posted:

Didn't you look into RANCID? That's literally what it does: SSH or telnet or whatever into it, grab config, save to a revision control system.

Gah. I knew there was a tool for it, I just couldn't remember what it was called! :doh: thanks!

uniball
Oct 10, 2003

I use Oxidized for a bunch of switches/routers/firewalls/WLCs, set up to commit config changes to a private GitHub repo, and it rocks. I seem to recall people saying Oxidized is a more modern version of RANCID when I did the research you're currently doing, but I don't remember what the material differences between the two are.

madsushi
Apr 19, 2009


uniball posted:

I use Oxidized for a bunch of switches/routers/firewalls/WLCs, set up to commit config changes to a private GitHub repo, and it rocks. I seem to recall people saying Oxidized is a more modern version of RANCID when I did the research you're currently doing, but I don't remember what the material differences between the two are.

I run both RANCID and Oxidized (in different environments). Oxidized is a lot newer and cleaner and easier to make models for. RANCID is a bunch of `expect` scripting while Oxidized is based in Ruby.

tortilla_chip
Jun 13, 2007

You can also roll your own:
https://github.com/ipspace/ansible-examples/tree/master/Config-to-Git

falz
Jan 29, 2005


...if you also want to set up Ansible.

It's just using NAPALM's `get_config` function, which honestly is a trivial half dozen lines of code if you did want to dabble: https://napalm.readthedocs.io/en/latest/support/index.html

However, it helps in no way to merge it into a revision control system, deal with cron, create diffs, email them out, and so on. I don't know why I'd want to go down that slippery road from scratch.

I'd still probably just do RANCID because Oxidized is ruby and gently caress ruby. Also ytti is looking for another maintainer, so IDK how active it is. RANCID is a huge hot mess of expect scripts, but at least heasley is super active in updating it.

ate shit on live tv
Feb 15, 2004

I think RANCID is good enough for what it does. clogin into device, run list of commands, save output of commands into SVN/GIT; done. All scheduled via cron.
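
An added example (editor's, not RANCID's or Oxidized's code) of the part of that loop both tools do after `show running-config` comes back: strip the lines that change on every pull, then diff against the stored copy so the commit and the e-mail only fire on a real change. The two sample pulls are constructed, the volatile-line list is my own subset of the kind of lines the IOS models in those tools filter, and the SSH session itself is left to clogin, Oxidized or NAPALM.

```python
"""Normalise 'show running-config' output before storing it, so that only
real changes reach revision control and the notification e-mail.

Added example, not code from RANCID or Oxidized. The sample configs below
are constructed and the filter list is a subset of the kind of lines the IOS
models in those tools strip.
"""
import difflib
import re

# Lines that differ on every pull but carry no configuration.
VOLATILE = [
    re.compile(r"^Building configuration"),
    re.compile(r"^Current configuration\s*:"),
    re.compile(r"^! Last configuration change"),
    re.compile(r"^! NVRAM config last updated"),
    re.compile(r"^! No configuration change since last restart"),
    re.compile(r"^ntp clock-period"),
    re.compile(r"^Load for "),
    re.compile(r"^Time source is "),
]


def normalize(raw: str) -> str:
    """Drop volatile lines and trailing whitespace; keep everything else verbatim."""
    kept = []
    for line in raw.splitlines():
        line = line.rstrip()
        if any(p.match(line) for p in VOLATILE):
            continue
        kept.append(line)
    return "\n".join(kept).rstrip("\n") + "\n"


def config_diff(old_raw: str, new_raw: str, name: str = "running-config") -> str:
    """Unified diff of the normalised configs; empty string means no real change."""
    old, new = normalize(old_raw), normalize(new_raw)
    if old == new:
        return ""
    return "".join(difflib.unified_diff(
        old.splitlines(keepends=True), new.splitlines(keepends=True),
        fromfile=f"a/{name}", tofile=f"b/{name}"))


def changed_lines(old_raw: str, new_raw: str) -> list:
    """Only the added/removed body lines, the part worth putting in the e-mail."""
    return [l for l in config_diff(old_raw, new_raw).splitlines()
            if l[:1] in ("+", "-") and not l.startswith(("+++", "---"))]


# Constructed sample pulls. PULL_2 differs from PULL_1 only in volatile
# lines; PULL_3 opens the management ACL's SSH rule to the world.
PULL_1 = """Building configuration...

Current configuration : 1312 bytes
!
! Last configuration change at 10:02:11 UTC Tue Sep 22 2020 by admin
! NVRAM config last updated at 10:02:13 UTC Tue Sep 22 2020 by admin
!
version 15.2
hostname edge-sw1
!
ntp clock-period 17179869
ip access-list extended MGMT
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 deny   ip any any
!
end
"""
PULL_2 = (PULL_1.replace("10:02:11 UTC Tue Sep 22", "03:15:40 UTC Wed Sep 23")
                .replace("ntp clock-period 17179869", "ntp clock-period 17179870"))
PULL_3 = PULL_2.replace(" permit tcp 10.0.0.0 0.0.0.255 any eq 22",
                        " permit tcp any any eq 22")


if __name__ == "__main__":
    print("pull1 -> pull2:", repr(config_diff(PULL_1, PULL_2)))
    print("pull2 -> pull3:")
    print(config_diff(PULL_2, PULL_3))
```

Run it and the first pair gives an empty diff while the second shows SSH opened to the world. In practice the normalised text is what you `git commit`, and `changed_lines` is what goes in the notification; without the filter every pull would commit and mail you a clock-period change.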

Docjowles
Apr 9, 2009

I don’t know, Ruby feels like a major upgrade over rancid’s shambling horror of Perl and expect scripts :v: It’s a codebase straight out of the 90s. That said, it works great.

Gyshall
Feb 24, 2009

We're building out a small prototype system and have been looking at second hand Dells for our compute, which looks good. Most seem to have 10GB SFP+ networking, which is good because our application needs fast networking.

We need two stacks of switches, and I'm trying to find something that can give us redundancy, has all SFP+ ports if possible and can be managed over ssh/Ansible.

Reasoning for SFP+ is because we have access to a bunch of DACs/SFP modules already.

For now we're only concerned about ever having one rack in our Colo. We're trying to do our prototype second hand (if possible) and then upgrade to new equipment when we do an installation of the system next year.

e: I should mention, our budget I'm trying to stick to is around $15-20k USD. I was looking at https://www.amazon.com/Nexus-3064-X-48-SFPP-FD/dp/B00A4SHODO or something like it - would this work if I just got 4 of these type of models, only in SFP+?

Not sure if I should look at Aruba or FS or something else like that for our budget range.

Gyshall fucked around with this message at 16:57 on Oct 28, 2020

Nuclearmonkee
Jun 10, 2009


Gyshall posted:

We're building out a small prototype system and have been looking at second hand Dells for our compute, which looks good. Most seem to have 10GB SFP+ networking, which is good because our application needs fast networking.

We need two stacks of switches, and I'm trying to find something that can give us redundancy, has all SFP+ ports if possible and can be managed over ssh/Ansible.

Reasoning for SFP+ is because we have access to a bunch of DACs/SFP modules already.

For now we're only concerned about ever having one rack in our Colo. We're trying to do our prototype second hand (if possible) and then upgrade to new equipment when we do an installation of the system next year.

e: I should mention, our budget I'm trying to stick to is around $15-20k USD. I was looking at https://www.amazon.com/Nexus-3064-X-48-SFPP-FD/dp/B00A4SHODO or something like it - would this work if I just got 4 of these type of models, only in SFP+?

Not sure if I should look at Aruba or FS or something else like that for our budget range.

Those switches are going EOL as of 2017 with EOS in 2022 but if that's not a concern and you can get them for 900 bux, either nexus or catalyst stuff with SFP+ will easily work for the purpose. If you are doing FCoE you will have to go with the nexus naturally.

Any semi-respectable piece of networking hardware will be manageable via ansible if it has a functional CLI.

Gyshall
Feb 24, 2009

Great. Thank you. It's not a mission critical system by any means and we'll upgrade on our series B :v:


Docjowles
Apr 9, 2009

Gyshall posted:

Great. Thank you. It's not a mission critical system by any means and we'll upgrade on our series B :v:

Put this on the tombstone of the guy who has to troubleshoot a huge production outage caused by this gear in 2027
