Posts

Showing posts from December 21, 2008

Check Point Announces Acquisition of Nokia's Security Appliance Business

2008.12.26 12:55:12 PM. Check Point Announces Acquisition of Nokia's Security Appliance Business. Compiled and edited by 林蔚文.

Check Point Software Technologies Ltd. announced that it has signed an agreement with Nokia to acquire Nokia's security appliance business. Check Point and Nokia have partnered for ten years, jointly developing industry-leading enterprise security solutions. Through this acquisition, Check Point will strengthen its support and development of security hardware appliances and expand its footprint in the global security market.

Gil Shwed, CEO of Check Point Software Technologies, said that Nokia's security appliance business has long been an important strategic partner of Check Point and helped Check Point become an early leader in security appliances. Integrating Nokia's well-regarded security appliances into Check Point's security solutions is the natural outcome of the two companies' long-standing cooperation.

Check Point and Nokia have long provided customers with high-performance security solutions for mission-critical environments. Nokia's security appliances provide an effective security platform for Check Point's firewall, virtual private network (VPN) and unified threat management (UTM) products. Currently, 85% of Fortune 500 companies have purchased Nokia security appliances, and more than 220,000 Nokia security appliances are installed at over 23,000 customers worldwide.

Check Point offers a range of security gateway solutions, such as the Check Point UTM-1 and Check Point Power-1 appliances, providing complete data protection for small businesses and large enterprises alike. Currently, more than 700,000 Check Point security gateways are licensed to over 100,000 organizations worldwide; Check Point's customer base includes 100% of the Fortune 100 and 98% of the Fortune 500.

The acquisition is expected to close in the first quarter of 2009; financial terms of the transaction will not be disclosed.

Check Point Taiwan General Manager 簡淑真 said that, beyond expanding its global security market through this acquisition, Check Point will continue to provide enterprise customers and partners in Taiwan with quality services and security appliance products.

QoS Bandwidth / Priority Remaining Percent: Calculating Reserved Bandwidth

Many people learning QoS LLQ and CBWFQ feel uncertain when they run into the problem of bandwidth reservation and allocation, because the Cisco course material does not explain in much detail what result you get when the different command parameters are combined. So I am raising the question here (thanks to a classmate who asked me about it in class, which also helped clear up this uncertainty).

Suppose that on P1R1 we have a Serial link with a bandwidth of 512k and we want to allocate bandwidth under the following conditions:

Class TEST1 uses LLQ (10%)
Class TEST2 uses CBWFQ with 30% of the remaining available bandwidth
Class TEST3 uses CBWFQ with 20% of the remaining available bandwidth

The question looks simple, but anyone who has never paid close attention to it may read it differently: how much reserved bandwidth can TEST3 actually use?

The correct answer is:

Class TEST1 LLQ bandwidth cap = 512k * 10% = 51.2k
Class TEST2 CBWFQ reserved bandwidth = [(512k * 75%, the default maximum reservable bandwidth) - 51.2k] * 30%
Class TEST3 CBWFQ reserved bandwidth = [(512k * 75%, the default maximum reservable bandwidth) - 51.2k] * 20%

In other words, the sum of all the bandwidth remaining percent values must not exceed 100%.

Another important point: "remaining" here does not mean the bandwidth actually left over from the traffic currently on the interface. Cisco QoS commands in the MQC are not so clever as to monitor current traffic usage and dynamically reserve bandwidth in proportion to it (maybe in the future).

To prove that this is really how it works, I ran the following experiment:

P1R1(config)#policy-map TEST
P1R1(config-pmap)#class TEST1
P1R1(config-pmap-c)#priority percent 10
P1R1(config-pmap-c)#class TEST2
P1R1(config-pmap-c)#bandwidth remaining percent 30
P1R1(config-pmap-c)#class TEST3
P1R1(config-pmap-c)#bandwidth remaining percent 80
Sum total of class bandwidths excee
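To make the arithmetic above concrete, here is an added Python example (not code from the original post or from Cisco) that computes the reservations for a policy mixing priority percent with bandwidth remaining percent, using the 75% default max-reserved-bandwidth as the pool that "remaining" refers to, and rejects a configuration whose remaining percentages sum past 100%, as the router did in the experiment. The class and function names and the error text are my own.

```python
"""Reserved-bandwidth calculator for a Cisco MQC policy mixing LLQ
(``priority percent``) with CBWFQ (``bandwidth remaining percent``).

Added example following the arithmetic in the post; it is not code from
the post or from Cisco.  Class and function names are my own.
"""
from dataclasses import dataclass

# IOS default for max-reserved-bandwidth: 75% of the interface bandwidth.
DEFAULT_MAX_RESERVED_PERCENT = 75.0


@dataclass
class PolicyClass:
    """One class entry inside a policy-map (hypothetical model, not an IOS API)."""
    name: str
    priority_percent: float = 0.0    # LLQ: share of the interface bandwidth
    remaining_percent: float = 0.0   # CBWFQ: share of what is left after LLQ


def allocate(interface_kbps, classes, max_reserved_percent=DEFAULT_MAX_RESERVED_PERCENT):
    """Return {class name: reserved kbps} for the given policy.

    Raises ValueError when the ``bandwidth remaining percent`` values sum past
    100%, which is the condition the router refused in the post's experiment.
    The error text here is constructed, not IOS output.
    """
    remaining_sum = sum(c.remaining_percent for c in classes)
    if remaining_sum > 100:
        raise ValueError(
            f"bandwidth remaining percent values sum to {remaining_sum:g}%, "
            "which exceeds 100% of the remaining bandwidth"
        )

    # Step 1: LLQ caps are a percentage of the raw interface bandwidth.
    alloc = {}
    for c in classes:
        if c.priority_percent:
            alloc[c.name] = interface_kbps * c.priority_percent / 100

    # Step 2: the pool that "remaining" refers to is the reservable portion
    # (interface * max-reserved-bandwidth) minus the LLQ reservations.  This is
    # static configuration arithmetic, not live measured spare capacity.
    reservable = interface_kbps * max_reserved_percent / 100
    remaining_pool = reservable - sum(alloc.values())
    if remaining_pool < 0:
        raise ValueError("priority classes alone exceed the reservable bandwidth")

    # Step 3: CBWFQ classes each take their percentage of that remaining pool.
    for c in classes:
        if c.remaining_percent:
            alloc[c.name] = remaining_pool * c.remaining_percent / 100
    return alloc


def post_example():
    """The 512k Serial scenario from the post: TEST1 LLQ 10%,
    TEST2 remaining 30%, TEST3 remaining 20%."""
    classes = [
        PolicyClass("TEST1", priority_percent=10),
        PolicyClass("TEST2", remaining_percent=30),
        PolicyClass("TEST3", remaining_percent=20),
    ]
    return allocate(512, classes)


if __name__ == "__main__":
    for name, kbps in post_example().items():
        print(f"{name}: {kbps:.2f} kbps")
```

Running it reproduces the post's numbers: TEST1 gets 51.2k, TEST2 gets (384k - 51.2k) * 30% = 99.84k and TEST3 gets (384k - 51.2k) * 20% = 66.56k. Changing TEST3 to 80% makes the sum 110%, and allocate() refuses the policy the way the router did.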

Management Plane Protection(MPP)

The Management Plane Protection (MPP) feature in Cisco IOS software provides the capability to restrict the interfaces on which network management packets are allowed to enter a device. The MPP feature allows a network operator to designate one or more router interfaces as management interfaces. Device management traffic is permitted to enter a device only through these management interfaces. After MPP is enabled, no interfaces except the designated management interfaces will accept network management traffic destined to the device. Restricting management packets to designated interfaces gives the operator greater control over management of a device and therefore more security for that device. Other benefits include improved performance for data packets on nonmanagement interfaces, support for network scalability, the need for fewer access control lists (ACLs) to restrict access to a device, and protection of the CPU from management packet floods arriving on switching and routing interfaces. I

The Steps of QoS Preclassification Configuration with IPSec and GRE

The qos pre-classify mechanism allows Cisco routers to make a copy of the inner IP header and to run QoS classification before encryption based on fields in the inner IP header. Without this feature, the classification engine sees only a single encrypted and tunneled flow, since all packets that traverse the same tunnel carry the same tunnel header and receive the same treatment in the event of congestion. If your classification policy matches on the ToS byte, you do not need the qos pre-classify command, since the ToS value is copied to the outer header by default. You can create a simple QoS policy that sorts traffic into classes based on IP precedence. However, to differentiate traffic within a class and to separate it into multiple flow-based queues, the qos pre-classify command is required. Note: ToS byte copying is done by the tunneling mechanism, not by the qos pre-classify command. The qos pre-classify command can be applied at various points in yo