Saturday, July 15, 2017

IPsec crypto maps on Cisco routers

Folks, in this post I'll talk a bit about IPsec on Cisco routers. Since next-generation firewalls make creating and maintaining VPNs much simpler nowadays, analysts often end up building and maintaining environments without understanding what the GUI is actually doing (I'm an example of that; I learned a lot more by doing it on the CLI).

To start, let's go over some VPN and IPsec concepts, plus a few observations.

- VPN (Virtual Private Network): an extension of a private network over a public network (the internet), in general providing:
   - Data authentication (guaranteeing the identity of whoever sends the data);
   - Data integrity (guaranteeing the data were not altered on the way to the destination);
   - Data confidentiality (keeping the data private);
   - Anti-replay (rejecting captured packets that are sent again);
 
   - IPsec is a layer-3 tunneling and encryption protocol suite (many confuse it with SSL, which works above the transport layer), created to standardize how the properties above are delivered;
      - It has 2 modes:
         - Tunnel: the entire original packet, IP header included, is encrypted and wrapped in a new IP header (gateway-to-gateway, as in this lab);
         - Transport: only the payload is encrypted and the original IP header is kept (host-to-host, or GRE over IPsec);

      - It uses 2 structures to build the tunnel:
         - SA (Security Association): holds the agreed IPsec parameters (protocol, encryption and authentication algorithms, keys, lifetimes); SAs are one-way, so each tunnel has an inbound and an outbound SA;
         - SPI (Security Parameter Index): a 32-bit field in the ESP/AH header that the receiver uses to look up the SA for that packet, playing a role similar to an MPLS label;

 - Negotiation protocols: ISAKMP/IKE:
         - ISAKMP (Internet Security Association and Key Management Protocol): the framework that defines the message formats and phases for authenticating peers and exchanging keys;
         - IKE (Internet Key Exchange): the implementation actually used, made up of 3 protocol suites (ISAKMP, Oakley and SKEME); it authenticates the peers, negotiates the SAs and derives the shared session keys;
 - Peers authenticate with a PSK (pre-shared key) or PKI (certificates);
      - DH (Diffie-Hellman): the key-agreement method that lets both peers derive the same shared secret over the public network without ever sending the secret itself;
 - Encryption algorithms (DES, 3DES, AES-128, AES-256);
 - IKE hashing: IKEv1 offers MD5 and SHA-1; IKEv2 adds SHA-256 and SHA-384;

- Phase 1 and Phase 2:
 - Phase 1 negotiates the ISAKMP (IKE) SA: the peers authenticate each other and build the protected channel that Phase 2 runs over;
 - Phase 2 negotiates the IPsec SAs that carry the data:
    - Security protocol (ESP or AH);
    - Encapsulation mode (tunnel or transport);
    - Encryption (DES, 3DES, AES);
    - Authentication (MD5, SHA-1, SHA-256, SHA-512);

Observations:
- AH vs ESP:
  - AH (Authentication Header, IP protocol 51): does not encrypt anything; it authenticates the payload and the IP header, including the source address, which is why it does not survive NAT;
      - Guarantees integrity, origin authentication and anti-replay, but no confidentiality;
  - ESP (Encapsulating Security Payload, IP protocol 50): encrypts the payload (in tunnel mode, the whole original packet);
           - Guarantees integrity, confidentiality and anti-replay;

  - IPsec control plane vs data plane:
   - IPsec itself protects only unicast IPv4/IPv6 traffic (multicast and routing protocols need GRE or a VTI on top of it);
- Control plane (ISAKMP/IKE):
  - UDP 500;
  - UDP 4500 when there is NAT in the path (NAT-T);
   - Data plane:
  - ESP (protocol 50) or AH (protocol 51);
  - ESP encapsulated in UDP 4500 when NAT-T is in use (AH cannot go through NAT at all);
  Any firewall between the peers therefore has to allow UDP 500, UDP 4500 and IP protocol 50 (and 51 if AH is used), not just TCP/UDP ports.
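The control-plane/data-plane split above is what a firewall or IDS sitting between the two peers actually sees. The following Python script is an added example (it is not from the original post) that parses raw IPv4 packets and labels each one as ISAKMP/IKE (UDP 500, or UDP 4500 with the NAT-T non-ESP marker), ESP or AH (protocol 50/51, with the SPI pulled from the header), or UDP-encapsulated ESP on 4500. The sample packets are constructed inline; the SPI values reuse the ones from the `show crypto ipsec sa` output later in this post, while the sequence numbers and the use of R1/R3 addresses are assumptions.

```python
import struct

# IP protocol numbers and UDP ports from the section above
IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51
PORT_ISAKMP, PORT_NAT_T = 500, 4500


def classify_ipsec(packet: bytes) -> dict:
    """Classify one raw IPv4 packet as IKE control plane, ESP/AH data plane or other.

    For ESP and AH the SPI and sequence number are read from the header, which is
    all a passive observer (or an ACL) can see of a protected packet.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    info = {
        "src": ".".join(map(str, packet[12:16])),
        "dst": ".".join(map(str, packet[16:20])),
        "plane": "other", "kind": f"ip-proto-{proto}", "spi": None, "seq": None,
    }
    payload = packet[ihl:]
    if proto == IPPROTO_ESP:
        # ESP header: SPI (4 bytes), sequence number (4 bytes), then ciphertext
        spi, seq = struct.unpack("!II", payload[:8])
        info.update(plane="data", kind="ESP", spi=spi, seq=seq)
    elif proto == IPPROTO_AH:
        # AH header: next header, payload length, reserved, SPI, sequence number, then ICV
        _, _, _, spi, seq = struct.unpack("!BBHII", payload[:12])
        info.update(plane="data", kind="AH", spi=spi, seq=seq)
    elif proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", payload[:4])
        data = payload[8:]
        if PORT_ISAKMP in (sport, dport):
            info.update(plane="control", kind="ISAKMP/IKE")
        elif PORT_NAT_T in (sport, dport):
            # RFC 3948: on UDP 4500 an IKE message starts with a 4-byte zero
            # "non-ESP marker"; otherwise the datagram carries ESP and its
            # first 4 bytes are the SPI (which is never all zero).
            if data[:4] == b"\x00\x00\x00\x00":
                info.update(plane="control", kind="ISAKMP/IKE (NAT-T)")
            else:
                spi, seq = struct.unpack("!II", data[:8])
                info.update(plane="data", kind="ESP-in-UDP (NAT-T)", spi=spi, seq=seq)
    return info


def _ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Build a minimal 20-byte IPv4 header (checksum left 0; constructed test data only)."""
    def addr(a: str) -> bytes:
        return bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       addr(src), addr(dst)) + payload


def _udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


# Constructed sample packets; the SPIs reuse the values from the show output in this post.
R1, R3 = "192.168.12.1", "192.168.23.3"
SAMPLES = {
    "ike":      _ipv4(IPPROTO_UDP, R1, R3, _udp(500, 500, b"\x11" * 28)),
    "esp":      _ipv4(IPPROTO_ESP, R1, R3, struct.pack("!II", 0x58895A2A, 9) + b"\xAA" * 32),
    "ah":       _ipv4(IPPROTO_AH, R1, R3, struct.pack("!BBHII", 4, 4, 0, 0x1234, 7) + b"\xBB" * 12),
    "natt_ike": _ipv4(IPPROTO_UDP, R1, R3, _udp(4500, 4500, b"\x00" * 4 + b"\x11" * 28)),
    "natt_esp": _ipv4(IPPROTO_UDP, R1, R3, _udp(4500, 4500, struct.pack("!II", 0x9A4EAE32, 1) + b"\xCC" * 16)),
    "plain":    _ipv4(IPPROTO_UDP, R1, R3, _udp(12345, 53, b"\x00" * 12)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        r = classify_ipsec(pkt)
        spi = f" spi=0x{r['spi']:08X}" if r["spi"] is not None else ""
        print(f"{name:9} {r['src']} -> {r['dst']} {r['plane']:7} {r['kind']}{spi}")
```

Note the NAT-T case: once both peers float to UDP 4500, IKE and ESP share the same port, and the only thing that tells them apart is the 4-byte non-ESP marker, which is why a port-based firewall rule for 4500 necessarily lets both planes through.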

 - Steps to configure IPsec:
       - Define the Phase 1 ISAKMP policy;
       - Define the Phase 2 IPsec policy (transform set);
       - Permit the source/destination traffic on the routers (crypto ACL);
       - Apply the crypto map to the interface (or `tunnel protection ipsec` on a tunnel interface);
       - Generate traffic to bring the tunnel up;
  The crypto map answers three questions:
  - Who? (peer address, hostname or FQDN);
  - What? (proxy ACL, the "interesting traffic");
  - How? (the transform set);

LAB:

For the lab I'll use 3 IOU routers (I86BI_LINUX-ADVENTERPRISEK9-M), but you can use several other models that support IPsec (a 7200 in GNS3, for example).

- Basic LAB configuration (R2 is only the transit router between R1 and R3: it has no crypto configuration and no route to the loopbacks, which is exactly why the loopback traffic only gets across when it is carried inside the tunnel):

R1:
interface Loopback100
 ip address 200.0.0.1 255.255.255.255
interface Ethernet0/1.12
 encapsulation dot1Q 12
 ip address 192.168.12.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.12.2

R2:
interface Loopback100
 ip address 200.0.0.2 255.255.255.255
interface Ethernet0/1.12
 encapsulation dot1Q 12
 ip address 192.168.12.2 255.255.255.0
interface Ethernet0/1.23
 encapsulation dot1Q 23
 ip address 192.168.23.2 255.255.255.0

R3:
interface Loopback100
 ip address 200.0.0.3 255.255.255.255
interface Ethernet0/1.23
 encapsulation dot1Q 23
 ip address 192.168.23.3 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.23.2

 - Configure the Phase 1 ISAKMP policy:
- In this step you configure the ISAKMP policy with the following parameters:

  R1(config)#crypto isakmp policy 10
  R1(config-isakmp)#authentication pre-share   (authenticate the peers with a PSK)
  R1(config-isakmp)#encryption aes 128         (encryption: des, 3des or aes, plus the key size in bits)
  R1(config-isakmp)#hash md5                   (hash for the IKE SA)
  R1(config-isakmp)#group 5                    (Diffie-Hellman group)
  R1(config-isakmp)#lifetime 86400             (IKE SA lifetime, in seconds)

  R3(config)#crypto isakmp policy 10
  R3(config-isakmp)#authentication pre-share
  R3(config-isakmp)#encryption aes 128
  R3(config-isakmp)#hash md5
  R3(config-isakmp)#group 5
  R3(config-isakmp)#lifetime 86400

Note: these options vary with the level of security you want for your IPsec tunnel (the larger the key, the more secure, but the more router CPU it consumes). The two peers need a policy with matching parameters, otherwise Phase 1 never completes. `hash md5` and `group 5` are used here only because this is a lab; for anything in production use `hash sha256` and `group 14` or higher, which recent IOS releases support.

- Now we create the PSK so the key exchange can happen (the key has to be identical on both sides and is bound to the peer's address):

  R1(config)#crypto isakmp key CAFE address 192.168.23.3   (the key is "CAFE", lol)

  R3(config)#crypto isakmp key CAFE address 192.168.12.1

A four-letter PSK is fine for a lab, but in production use a long random key: with IKEv1 aggressive mode a weak PSK can be cracked offline from a single captured exchange, and even in main mode the PSK is the only thing authenticating the peer.

- Let's create the access-list with the traffic that will be allowed through the tunnel (the "interesting traffic", or proxy ACL):

  R1(config)#access-list 100 permit ip 192.168.23.0 0.0.0.255 192.168.12.0 0.0.0.255
  R1(config)#access-list 100 permit ip host 200.0.0.3 host 200.0.0.1
  R1(config)#access-list 100 permit ip host 200.0.0.1 host 200.0.0.3

  R3(config)#access-list 100 permit ip 192.168.12.0 0.0.0.255 192.168.23.0 0.0.0.255
  R3(config)#access-list 100 permit ip host 200.0.0.1 host 200.0.0.3
  R3(config)#access-list 100 permit ip host 200.0.0.3 host 200.0.0.1

Note: I'm defining the interesting traffic as the communication between the loopbacks to simulate two LANs talking to each other.

Two things to keep in mind about crypto ACLs: each entry is written from the local router's point of view (local source, remote destination), and the peer's ACL must be the exact mirror image; IOS derives the inbound direction by itself. On R1, the first line and the `host 200.0.0.3 host 200.0.0.1` line have the remote side as the source, so they never describe outbound traffic from R1's LAN; they show up later in `show crypto ipsec sa` as entries with 0 packets. The match counters on a crypto ACL are also not a count of encrypted packets (line 10 shows 15 matches in the `show access-lists` output while its SA shows zero); use the encaps/decaps counters for that. Finally, anything this ACL does not match leaves the interface in the clear, so the crypto ACL is effectively the tunnel's security policy.

- Now moving on to Phase 2, let's configure the transform set and the crypto map:
 
   R1(config)#crypto ipsec transform-set TESTE esp-aes esp-sha-hmac   (ESP with AES-128 and SHA-1 HMAC)
   R1(cfg-crypto-trans)#mode tunnel
   R1(config)#crypto map R1_R3 10 ipsec-isakmp
   R1(config-crypto-map)#set peer 192.168.23.3          (who)
   R1(config-crypto-map)#match address 100              (what)
   R1(config-crypto-map)#set transform-set TESTE        (how)

   R3(config)#crypto ipsec transform-set TESTE esp-aes esp-sha-hmac
   R3(cfg-crypto-trans)#mode tunnel
   R3(config)#crypto map R3_R1 10 ipsec-isakmp
   R3(config-crypto-map)#set peer 192.168.12.1
   R3(config-crypto-map)#match address 100
   R3(config-crypto-map)#set transform-set TESTE

Note: `esp-sha-hmac` is SHA-1; on recent IOS prefer `esp-sha256-hmac`, or an AES-GCM transform, which gives encryption and integrity in one. Also, no `set pfs` is configured, so the Phase 2 keys are derived from the Phase 1 exchange instead of a fresh DH exchange (the show output below reports "PFS (Y/N): N"); add `set pfs group14` to the crypto map if you want Perfect Forward Secrecy for the data SAs.

-  Apply the crypto map to the interface the tunnel leaves through (the one whose address is the peer address configured on the other side):

R1:
interface Ethernet0/1.12
 encapsulation dot1Q 12
 ip address 192.168.12.1 255.255.255.0
 crypto map R1_R3
end

R3:
interface Ethernet0/1.23
 encapsulation dot1Q 23
 ip address 192.168.23.3 255.255.255.0
 crypto map R3_R1
end
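Before bringing the tunnel up it is worth checking the two configurations against each other, because most "tunnel won't come up" cases are a parameter or ACL mismatch. This Python script is an added example, not part of the original post, that takes both routers' crypto configuration as text (the lab config above, embedded as a constructed sample) and flags the points discussed in this post: MD5/SHA-1 hashing, DES/3DES, DH groups below 14, a short PSK, a crypto map without `set pfs`, crypto ACL entries whose source is not a local network, and entries with no mirror on the peer. The local network lists R1_LOCAL/R3_LOCAL are assumptions taken from the lab addressing.

```python
import re
from ipaddress import ip_network

# Constructed sample input: the two routers' crypto configuration from this post.
R1_CONFIG = """
crypto isakmp policy 10
 encryption aes 128
 hash md5
 group 5
crypto isakmp key CAFE address 192.168.23.3
access-list 100 permit ip 192.168.23.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 100 permit ip host 200.0.0.3 host 200.0.0.1
access-list 100 permit ip host 200.0.0.1 host 200.0.0.3
crypto ipsec transform-set TESTE esp-aes esp-sha-hmac
crypto map R1_R3 10 ipsec-isakmp
 set peer 192.168.23.3
 match address 100
 set transform-set TESTE
"""
R3_CONFIG = """
crypto isakmp policy 10
 encryption aes 128
 hash md5
 group 5
crypto isakmp key CAFE address 192.168.12.1
access-list 100 permit ip 192.168.12.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 100 permit ip host 200.0.0.1 host 200.0.0.3
access-list 100 permit ip host 200.0.0.3 host 200.0.0.1
crypto ipsec transform-set TESTE esp-aes esp-sha-hmac
crypto map R3_R1 10 ipsec-isakmp
 set peer 192.168.12.1
 match address 100
 set transform-set TESTE
"""
# Networks behind each router (assumed from the lab addressing above).
R1_LOCAL = [ip_network("192.168.12.0/24"), ip_network("200.0.0.1/32")]
R3_LOCAL = [ip_network("192.168.23.0/24"), ip_network("200.0.0.3/32")]
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}  # esp-sha-hmac is SHA-1


def _net(toks):
    """Consume one address spec (host X | any | ADDR WILDCARD) from an ACL line."""
    if toks[0] == "host":
        return ip_network(toks[1]), toks[2:]
    if toks[0] == "any":
        return ip_network("0.0.0.0/0"), toks[1:]
    return ip_network(f"{toks[0]}/{toks[1]}"), toks[2:]   # IOS wildcard == hostmask


def parse_crypto_acl(config):
    """Return [(src, dst), ...] for every 'access-list N permit ip' line."""
    entries = []
    for line in config.splitlines():
        m = re.match(r"\s*access-list \S+ permit ip (.+)", line)
        if m:
            src, rest = _net(m.group(1).split())
            dst, _ = _net(rest)
            entries.append((src, dst))
    return entries


def audit_crypto(name, config, local_nets, peer_config):
    """Return a list of findings for one router's crypto config, checked against its peer."""
    f = []
    for m in re.finditer(r"^\s*hash (\S+)", config, re.M):
        if m.group(1) in ("md5", "sha"):  # 'sha' in an ISAKMP policy means SHA-1
            f.append(f"{name}: ISAKMP hash {m.group(1)} is weak, use sha256 or better")
    for m in re.finditer(r"^\s*encryption (\S+)", config, re.M):
        if m.group(1) in ("des", "3des"):
            f.append(f"{name}: ISAKMP encryption {m.group(1)} is weak, use aes")
    for m in re.finditer(r"^\s*group (\d+)", config, re.M):
        if int(m.group(1)) < 14:
            f.append(f"{name}: DH group {m.group(1)} is below group 14")
    for m in re.finditer(r"crypto isakmp key (\S+) address", config):
        if len(m.group(1)) < 16:
            f.append(f"{name}: pre-shared key is only {len(m.group(1))} characters")
    for m in re.finditer(r"crypto ipsec transform-set \S+ (.+)", config):
        for t in set(m.group(1).split()) & LEGACY_TRANSFORMS:
            f.append(f"{name}: transform {t} uses a legacy algorithm")
    if re.search(r"^crypto map .* ipsec-isakmp", config, re.M) and not re.search(r"^\s*set pfs", config, re.M):
        f.append(f"{name}: crypto map has no 'set pfs', Phase 2 keys are not forward secret")
    mine, theirs = parse_crypto_acl(config), parse_crypto_acl(peer_config)
    for src, dst in mine:
        if not any(src.subnet_of(n) for n in local_nets):
            f.append(f"{name}: ACL entry {src} -> {dst} has a non-local source (reversed?)")
        if (dst, src) not in theirs:
            f.append(f"{name}: ACL entry {src} -> {dst} has no mirror on the peer")
    return f


if __name__ == "__main__":
    for line in audit_crypto("R1", R1_CONFIG, R1_LOCAL, R3_CONFIG) + audit_crypto("R3", R3_CONFIG, R3_LOCAL, R1_CONFIG):
        print(line)
```

Run against the lab config it reports the MD5 hash, DH group 5, the 4-character PSK, the SHA-1 transform, the missing PFS and the two reversed ACL entries on each router; a hardened pair (sha256, group 14, a long PSK, esp-sha256-hmac, `set pfs group14`, mirrored ACLs written local-to-remote) produces no findings.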

- If everything is right, all that's left is to generate traffic matching the crypto ACL to bring the tunnel up:

R1#ping 200.0.0.3 source lo100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.0.0.3, timeout is 2 seconds:
Packet sent with a source address of 200.0.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms

- To check the ISAKMP and IPsec state, use the commands below (`QM_IDLE` in the ISAKMP output means Phase 1 completed and the IKE SA is ready for quick mode):

R1#sh crypto isakmp sa      
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.23.3    192.168.12.1    QM_IDLE           1006 ACTIVE

IPv6 Crypto ISAKMP SA

R1#sh crypto ipsec sa

interface: Ethernet0/1.12
    Crypto map tag: R1_R3, local addr 192.168.12.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (200.0.0.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (200.0.0.3/255.255.255.255/0/0)
   current_peer 192.168.23.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.12.1, remote crypto endpt.: 192.168.23.3
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/1.12
     current outbound spi: 0x58895A2A(1485396522)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x9A4EAE32(2588847666)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 993, flow_id: SW:993, sibling_flags 80004040, crypto map: R1_R3
        sa timing: remaining key lifetime (k/sec): (4349587/1716)
        IV size: 16 bytes
        replay detection support: Y
        ecn bit support: Y status: off
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x58895A2A(1485396522)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 994, flow_id: SW:994, sibling_flags 80004040, crypto map: R1_R3
        sa timing: remaining key lifetime (k/sec): (4349587/1716)
        IV size: 16 bytes
        replay detection support: Y
        ecn bit support: Y status: off
        Status: ACTIVE(ACTIVE)
       
     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (200.0.0.3/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (200.0.0.1/255.255.255.255/0/0)
   current_peer 192.168.23.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.12.1, remote crypto endpt.: 192.168.23.3
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/1.12
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
       
     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.23.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.12.0/255.255.255.0/0/0)
   current_peer 192.168.23.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.12.1, remote crypto endpt.: 192.168.23.3
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/1.12
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

- Check the matches on the access-list you created:

 R1# sh access-lists 100
Extended IP access list 100
    10 permit ip 192.168.23.0 0.0.0.255 192.168.12.0 0.0.0.255 (15 matches)
    20 permit ip host 200.0.0.3 host 200.0.0.1
    30 permit ip host 200.0.0.1 host 200.0.0.3 (24 matches)

- Also test traffic from other interfaces (simulating other networks). Here Loopback0 (150.1.1.1, not part of the base config above) is not covered by the crypto ACL, so its packets are not encrypted: they leave R1 in the clear toward R2, which has no route to 200.0.0.3, and the ping fails. If that network needs protection, add it to the crypto ACL on both sides:

 R1#ping 200.0.0.3 source lo0
 Type escape sequence to abort.
 Sending 5, 100-byte ICMP Echos to 200.0.0.3, timeout is 2 seconds:
 Packet sent with a source address of 150.1.1.1
 .....
 Success rate is 0 percent (0/5)
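The `show crypto ipsec sa` output above is long and easy to misread by eye. This Python script is an added example (it is not from the original post) that parses that output into one record per local/remote ident pair and flags what to look at: an entry with zero packets and no ESP SA (an unused or reversed crypto ACL entry, like the `200.0.0.3 -> 200.0.0.1` one above), one-way traffic (packets encrypted but nothing decrypted, meaning the peer is not returning protected traffic), send/receive errors, and an outbound SA whose SPI does not match the `current outbound spi`. The input is an abridged copy of the output above, embedded as a constructed sample.

```python
import re
from ipaddress import ip_network

# Constructed sample: an abridged copy of the 'show crypto ipsec sa' output above.
SHOW_IPSEC_SA = """
interface: Ethernet0/1.12
    Crypto map tag: R1_R3, local addr 192.168.12.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (200.0.0.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (200.0.0.3/255.255.255.255/0/0)
   current_peer 192.168.23.3 port 500
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #send errors 0, #recv errors 0
     current outbound spi: 0x58895A2A(1485396522)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x9A4EAE32(2588847666)
        transform: esp-aes esp-sha-hmac ,
        Status: ACTIVE(ACTIVE)
     outbound esp sas:
      spi: 0x58895A2A(1485396522)
        transform: esp-aes esp-sha-hmac ,
        Status: ACTIVE(ACTIVE)

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (200.0.0.3/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (200.0.0.1/255.255.255.255/0/0)
   current_peer 192.168.23.3 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
     outbound esp sas:
"""

SPI_RE = re.compile(r"spi: (0x[0-9A-Fa-f]+)")


def _ident(block, which):
    """Return the local/remote ident of one SA block as a CIDR string."""
    addr, mask = re.search(
        which + r"\s+ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/", block).groups()
    return str(ip_network((addr, mask)))


def _int(block, pattern):
    return int(re.search(pattern, block).group(1))


def parse_ipsec_sa(text):
    """Split the output into one record per 'protected vrf' block."""
    recs = []
    for block in re.split(r"\n\s*protected vrf:", text)[1:]:
        # Inbound SAs sit between 'inbound esp sas:' and 'outbound esp sas:'
        inbound = block.partition("inbound esp sas:")[2].partition("outbound esp sas:")[0]
        outbound = block.partition("outbound esp sas:")[2]
        recs.append({
            "local": _ident(block, "local"),
            "remote": _ident(block, "remote"),
            "peer": re.search(r"current_peer (\S+)", block).group(1),
            "encaps": _int(block, r"#pkts encaps: (\d+)"),
            "decaps": _int(block, r"#pkts decaps: (\d+)"),
            "send_err": _int(block, r"#send errors (\d+)"),
            "recv_err": _int(block, r"#recv errors (\d+)"),
            "cur_out_spi": re.search(r"current outbound spi: (0x[0-9A-Fa-f]+)", block).group(1),
            "spi_in": SPI_RE.findall(inbound),
            "spi_out": SPI_RE.findall(outbound),
        })
    return recs


def check_ipsec_sa(recs):
    """Return human-readable findings for the parsed SA records."""
    findings = []
    for r in recs:
        flow = f"{r['local']} -> {r['remote']} (peer {r['peer']})"
        if r["encaps"] == 0 and r["decaps"] == 0 and not r["spi_out"]:
            findings.append(f"{flow}: no traffic and no ESP SA, crypto ACL entry unused or reversed")
            continue
        if r["encaps"] > 0 and r["decaps"] == 0:
            findings.append(f"{flow}: one-way, {r['encaps']} packets encrypted but nothing decrypted")
        if r["send_err"] or r["recv_err"]:
            findings.append(f"{flow}: {r['send_err']} send / {r['recv_err']} recv errors")
        if r["spi_out"] and r["cur_out_spi"] not in r["spi_out"]:
            findings.append(f"{flow}: current outbound SPI {r['cur_out_spi']} not among {r['spi_out']}")
    return findings


if __name__ == "__main__":
    for line in check_ipsec_sa(parse_ipsec_sa(SHOW_IPSEC_SA)):
        print(line)
```

The same parser works on the full output, since each ident pair starts with its own `protected vrf:` line and the empty `inbound ah sas:`/`inbound pcp sas:` sections between the ESP sections contain no `spi:` entries.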

Cheers, folks

Thursday, July 13, 2017

Microsoft e-book collection for download

Folks, this week Microsoft sales director Eric Ligman released the largest collection of Microsoft e-books ever for free download:

https://blogs.msdn.microsoft.com/mssmallbiz/2017/07/11/largest-free-microsoft-ebook-giveaway-im-giving-away-millions-of-free-microsoft-ebooks-again-including-windows-10-office-365-office-2016-power-bi-azure-windows-8-1-office-2013-sharepo/

List:

Category  Title
Azure Introducing Windows Azure™ for IT Professionals
Azure Microsoft Azure Essentials Azure Automation
Azure Microsoft Azure Essentials Azure Machine Learning
Azure Microsoft Azure Essentials Fundamentals of Azure
Azure Microsoft Azure Essentials Fundamentals of Azure, Second Edition
Azure Microsoft Azure Essentials Fundamentals of Azure, Second Edition – Mobile
Azure Microsoft Azure Essentials Migrating SQL Server Databases to Azure – Mobile
Azure Microsoft Azure Essentials Migrating SQL Server Databases to Azure 8.5X11
Azure Microsoft Azure ExpressRoute Guide
Azure Overview of Azure Active Directory
Azure Rapid Deployment Guide For Azure Rights Management
Azure Rethinking Enterprise Storage: A Hybrid Cloud Model

BizTalk BizTalk Server 2016 Licensing Datasheet
BizTalk BizTalk Server 2016 Management Pack Guide

Cloud Enterprise Cloud Strategy
Cloud Enterprise Cloud Strategy – Mobile

Developer .NET Microservices: Architecture for Containerized .NET Applications
Developer .NET Technology Guidance for Business Applications
Developer Building Cloud Apps with Microsoft Azure™: Best practices for DevOps, data storage, high availability, and more
Developer Containerized Docker Application Lifecycle with Microsoft Platform and Tools
Developer Creating Mobile Apps with Xamarin.Forms, Preview Edition 2
Developer Creating Mobile Apps with Xamarin.Forms: Cross-platform C# programming for iOS, Android, and Windows
Developer Managing Agile Open-Source Software Projects with Microsoft Visual Studio Online
Developer Microsoft Azure Essentials Azure Web Apps for Developers
Developer Microsoft Platform and Tools for Mobile App Development
Developer Microsoft Platform and Tools for Mobile App Development – Mobile
Developer Moving to Microsoft® Visual Studio® 2010 XPS
Developer Programming Windows 8 Apps with HTML, CSS, and JavaScript
Developer Programming Windows Store Apps with HTML, CSS, and JavaScript, Second Edition
Developer Programming Windows® Phone 7 (Special Excerpt 2) XPS
Developer Team Foundation Server to Visual Studio Team Services Migration Guide

Dynamics 5 cool things you can do with CRM for tablets
Dynamics Create Custom Analytics in Dynamics 365 with Power BI
Dynamics Create or Customize System Dashboards
Dynamics Create Your First CRM Marketing Campaign
Dynamics CRM Basics for Outlook basics
Dynamics CRM Basics for Sales Pros and Service Reps
Dynamics Give Great Customer Service with CRM
Dynamics Go Mobile with CRM for Phones – Express
Dynamics Go Mobile with CRM for Tablets
Dynamics Import Contacts into CRM
Dynamics Introducing Microsoft Social Engagement
Dynamics Introduction to Business Processes
Dynamics Meet Your Service Goals with SLAs and Entitlements
Dynamics Microsoft Dynamics CRM 2016 Interactive Service Hub User Guide
Dynamics Microsoft Dynamics CRM 2016 On-Premises Volume Licensing and Pricing Guide
Dynamics Microsoft Dynamics CRM for Outlook Installing Guide for use with Microsoft Dynamics CRM Online
Dynamics Microsoft Dynamics CRM Resource Guide 2015
Dynamics Microsoft Social Engagement for CRM
Dynamics Product Overview and Capability Guide Microsoft Dynamics NAV 2016
Dynamics RAP as a Service for Dynamics CRM
Dynamics Set Up A Social Engagement Search For Your Product
Dynamics Social is for Closers
Dynamics Start Working in CRM
Dynamics Your Brand Sux

General 10 essential tips and tools for mobile working
General An employee’s guide to healthy computing
General Guide for People who have Language or Communication Disabilities
General Guide for People who have Learning Disabilities

Licensing Introduction to Per Core Licensing and Basic Definitions
Licensing Licensing Windows and Microsoft Office for use on the Macintosh
Licensing VLSC Software Assurance Guide
Licensing Windows Server 2016 and System Center 2016 Pricing and Licensing FAQs

Office Access 2013 Keyboard Shortcuts
Office Azure AD/Office 365 seamless sign-in
Office Content Encryption in Microsoft Office 365
Office Controlling Access to Office 365 and Protecting Content on Devices
Office Customize Word 2013 Keyboard Shortcuts
Office Data Resiliency in Microsoft Office 365
Office Excel 2013 Keyboard Shortcuts
Office Excel 2016 keyboard shortcuts and function keys
Office Excel Online Keyboard Shortcuts
Office File Protection Solutions in Office 365
Office First Look: Microsoft® Office 2010 XPS
Office Get Started With Microsoft OneDrive
Office Get Started With Microsoft Project Online
Office Getting started with MyAnalytics
Office How To Recover That Un-Saved Office Document
Office InfoPath 2013 Keyboard Shortcuts
Office Keyboard shortcuts for Microsoft Outlook 2013 and 2016
Office Keyboard shortcuts for Microsoft Word 2016 for Windows
Office Licensing Microsoft Office 365 ProPlus Subscription Service in Volume Licensing
Office Licensing Microsoft Office software in Volume Licensing
Office Microsoft Access 2013 Quick Start Guide
Office Microsoft Classroom Deployment
Office Microsoft Excel 2013 Quick Start Guide
Office Microsoft Excel 2016 for Mac Quick Start Guide
Office Microsoft Excel 2016 Quick Start Guide
Office Microsoft Excel Mobile Quick Start Guide
Office Microsoft Excel VLOOKUP Troubleshooting Tips
Office Microsoft OneNote 2013 Quick Start Guide
Office Microsoft OneNote 2016 for Mac Quick Start Guide
Office Microsoft OneNote 2016 Quick Start Guide
Office Microsoft OneNote 2016 Tips and Tricks
Office Microsoft OneNote Mobile Quick Start Guide
Office Microsoft Outlook 2013 Quick Start Guide
Office Microsoft Outlook 2016 for Mac Quick Start Guide
Office Microsoft Outlook 2016 Quick Start Guide
Office Microsoft Outlook 2016 Tips and Tricks
Office Microsoft Powerpoint 2013 Quick Start Guide
Office Microsoft PowerPoint 2016 for Mac Quick Start Guide
Office Microsoft PowerPoint Mobile Quick Start Guide
Office Microsoft Project 2013 Quick Start Guide
Office Microsoft Publisher 2013 Quick Start Guide
Office Microsoft Visio 2013 Quick Start Guide
Office Microsoft Word 2013 Quick Start Guide
Office Microsoft Word 2016 for Mac Quick Start Guide
Office Microsoft Word 2016 Quick Start Guide
Office Microsoft Word Mobile Quick Start Guide
Office Microsoft® Office 365: Connect and Collaborate Virtually Anywhere, Anytime
Office Monitoring and protecting sensitive data in Office 365
Office Office 365 Dedicated Platform vNext Service Release
Office Office 365 Licensing Brief
Office OneNote 2013 Keyboard Shortcuts
Office OneNote Online Keyboard Shortcuts
Office Outlook 2013 Keyboard Shortcuts
Office Outlook Web App Keyboard Shortcuts
Office Own Your Future: Update Your Skills with Resources and Career Ideas from Microsoft® XPS
Office PowerPoint Online Keyboard Shortcuts
Office Project 2013 Keyboard Shortcuts
Office Publisher 2013 Keyboard Shortcuts
Office Security and Privacy For Microsoft Office 2010 Users
Office Security Incident Management in Microsoft Office 365
Office SharePoint Online Dedicated & OneDrive for Business Dedicated vNext Service Release
Office Skype for Business User Tips & Tricks for Anyone
Office Switching from Google Apps to Office 365 for business
Office Tenant Isolation in Microsoft Office 365
Office Visio 2013 Keyboard Shortcuts
Office Windows 10 Tips and Tricks
Office Word 2013 Keyboard Shortcuts
Office Word Online Keyboard Shortcuts
Office Working with SmartArt Graphics Keyboard Shortcuts

Power BI Ask, find, and act—harnessing the power of Cortana and Power BI
Power BI Bidirectional cross-filtering in SQL Server Analysis Services 2016 and Power BI Desktop
Power BI Configuring Power BI mobile apps with Microsoft Intune
Power BI Getting started with the Power BI for Android app
Power BI Getting Started with the Power BI for iOS app
Power BI How to plan capacity for embedded analytics with Power BI Premium
Power BI Introducing Microsoft Power BI
Power BI Introducing Microsoft Power BI – Mobile
Power BI Microsoft Power BI Premium Whitepaper
Power BI Power BI mobile apps—enabling data analytics on the go
Power BI Propelling digital transformation in manufacturing operations with Power BI
Power BI Using Power BI to visualize data insights from Microsoft Dynamics CRM Online

PowerShell Microsoft Dynamics GP 2015 R2 PowerShell Users Guide
PowerShell PowerShell Integrated Scripting Environment 3.0
PowerShell Simplify Group Policy administration with Windows PowerShell
PowerShell Windows PowerShell 3.0 Examples
PowerShell Windows PowerShell 3.0 Language Quick Reference
PowerShell WINDOWS POWERSHELL 4.0 LANGUAGE QUICK REFERENCE
PowerShell Windows PowerShell 4.0 Language Reference Examples
PowerShell Windows PowerShell Command Builder User’s Guide
PowerShell Windows PowerShell Desired State Configuration Quick Reference
PowerShell WINDOWS POWERSHELL INTEGRATED SCRIPTING ENVIRONMENT 4.0
PowerShell Windows PowerShell Web Access
PowerShell WMI in PowerShell 3.0
PowerShell WMI in Windows PowerShell 4.0

SharePoint Configuring Microsoft SharePoint Hybrid Capabilities
SharePoint Configuring Microsoft SharePoint Hybrid Capabilities – Mobile
SharePoint Deployment guide for Microsoft SharePoint 2013
SharePoint Microsoft SharePoint Server 2016 Architectural Models
SharePoint Planning and Preparing for Microsoft SharePoint Hybrid – 8.5 X 11
SharePoint Planning and Preparing for Microsoft SharePoint Hybrid – Mobile
SharePoint RAP as a Service for SharePoint Server
SharePoint SharePoint Online Dedicated Service Description
SharePoint SharePoint Products Keyboard Shortcuts
SharePoint SharePoint Server 2016 Databases – Quick Reference Guide
SharePoint SharePoint Server 2016 Quick Start Guide

SQL Server 5 Tips For A Smooth SSIS Upgrade to SQL Server 2012
SQL Server Backup and Restore of SQL Server Databases
SQL Server Data Science with Microsoft SQL Server 2016
SQL Server Deeper insights across data with SQL Server 2016 – Technical White Paper
SQL Server Deploying SQL Server 2016 PowerPivot and Power View in a Multi-Tier SharePoint 2016 Farm
SQL Server Deploying SQL Server 2016 PowerPivot and Power View in SharePoint 2016
SQL Server Guide to Migrating from Oracle to SQL Server 2014 and Azure SQL Database
SQL Server Introducing Microsoft Azure™ HDInsight™
SQL Server Introducing Microsoft Data Warehouse Fast Track for SQL Server 2016
SQL Server Introducing Microsoft SQL Server 2012
SQL Server Introducing Microsoft SQL Server 2014
SQL Server Introducing Microsoft SQL Server 2016: Mission-Critical Applications, Deeper Insights, Hyperscale Cloud, Preview 2
SQL Server Introducing Microsoft SQL Server 2016: Mission-Critical Applications, Deeper Insights, Hyperscale Cloud, Preview 2 – Mobile
SQL Server Introducing Microsoft Technologies for Data Storage, Movement and Transformation
SQL Server Introducing Microsoft® SQL Server® 2008 R2 XPS
SQL Server Microsoft SharePoint Server 2016 Reviewer’s Guide
SQL Server Microsoft SQL Server 2012 Tutorials: Analysis Services – Data Mining Step-by-Step
SQL Server Microsoft SQL Server 2012 Tutorials: Analysis Services – Multidimensional Modeling Step-by-Step
SQL Server Microsoft SQL Server 2012 Tutorials: Reporting Services Quick Step-by-Step
SQL Server Microsoft SQL Server 2012 Tutorials: Writing Transact-SQL-Statements
SQL Server Microsoft SQL Server 2014 Licensing Guide
SQL Server Microsoft SQL Server 2016 Licensing Datasheet
SQL Server Microsoft SQL Server 2016 Licensing Guide
SQL Server Microsoft SQL Server 2016 Mission-Critical Performance Technical White Paper
SQL Server Microsoft SQL Server 2016 New Innovations
SQL Server Microsoft SQL Server 2016 SP1 Editions
SQL Server Microsoft SQL Server In-Memory OLTP and Columnstore Feature Comparison
SQL Server RAP as a Service for SQL Server
SQL Server SQLCAT’s Guide to: Relational Engine
SQL Server Xquery Language Reference

Surface Surface Book User Guide
Surface Surface Pro 4 User Guide

System Center Guide to Microsoft System Center Management Pack for SQL Server 2016 Reporting Services (Native Mode)
System Center Guide to System Center Management Pack for Windows Print Server 2016
System Center Introducing Microsoft System Center 2012 R2
System Center Microsoft System Center Building a Virtualized Network Solution, Second Edition
System Center Microsoft System Center Data Protection for the Hybrid Cloud
System Center Microsoft System Center Deploying Hyper-V with Software-Defined Storage & Networking
System Center Microsoft System Center Extending Operations Manager Reporting
System Center Microsoft System Center Introduction to Microsoft Automation Solutions
System Center Microsoft System Center Operations Manager Field Experience
System Center Microsoft System Center Software Update Management Field Experience
System Center Microsoft System Center: Building a Virtualized Network Solution
System Center Microsoft System Center: Cloud Management with App Controller
System Center Microsoft System Center: Configuration Manager Field Experience
System Center Microsoft System Center: Designing Orchestrator Runbooks
System Center Microsoft System Center: Integrated Cloud Platform
System Center Microsoft System Center: Network Virtualization and Cloud Computing
System Center Microsoft System Center: Optimizing Service Manager
System Center Microsoft System Center: Troubleshooting Configuration Manager
System Center What’s new in System Center 2016 White Paper

Virtualization Understanding Microsoft Virtualization R2 Solutions XPS

Windows Client Deploying Windows 10: Automating deployment by using System Center Configuration Manager
Windows Client Deploying Windows 10: Automating deployment by using System Center Configuration Manager – Mobile
Windows Client Getting the most out of Microsoft Edge
Windows Client Introducing Windows 10 for IT Professionals
Windows Client Introducing Windows 10 for IT Professionals, Preview Edition
Windows Client Introducing Windows 8.1 for IT Professionals
Windows Client Introducing Windows 8: An Overview for IT Professionals
Windows Client Licensing Windows desktop operating system for use with virtual machines
Windows Client Protecting your data with Windows 10 BitLocker
Windows Client RAP as a Service for Windows Desktop
Windows Client Shortcut Keys for Windows 10
Windows Client Use Reset to restore your Windows 10 PC
Windows Client Volume Licensing Reference Guide Windows 10 Desktop Operating System
Windows Client Windows 10 IT Pro Essentials Support Secrets
Windows Client Windows 10 IT Pro Essentials Top 10 Tools
Windows Client Windows 10 IT Pro Essentials Top 10 Tools – Mobile
Windows Client Work Smart: Windows 8 Shortcut Keys

Windows Server Automating Windows Server 2016 configuration with PowerShell and DSC
Windows Server Introducing Windows Server 2008 R2 XPS
Windows Server Introducing Windows Server 2012
Windows Server Introducing Windows Server 2012 R2
Windows Server Introducing Windows Server 2016
Windows Server Introducing Windows Server 2016 – Mobile
Windows Server Introducing Windows Server 2016 Technical Preview
Windows Server Introducing Windows Server 2016 Technical Preview – Mobile
Windows Server Introducing Windows Server® 2012 R2 Preview Release
Windows Server Offline Assessment for Active Directory
Windows Server RAP as a Service for Active Directory
Windows Server RAP as a Service for Failover Cluster
Windows Server RAP as a Service for Internet Information Services
Windows Server RAP as a Service for Windows Server Hyper-V
Windows Server Windows Server 2016 Licensing

Cheers

Tuesday, July 11, 2017

IX PTT Fórum Regional (SP)




Folks, on 14/07 Nic.BR will hold the meeting of Brazil's autonomous systems, an annual event that brings talks and content for the ISP crowd, public agencies, academic institutions, associations and the other important players involved with the Internet, including anyone who connects to, or wants to exchange traffic with, PTT SP.

Agenda:


Link:
http://regional.forum.ix.br/5-sao-paulo/

Worth attending. Cheers, folks.

Friday, June 30, 2017

SNMP vulnerability in Cisco switches


Folks, Cisco has published a security advisory reporting several critical flaws in the SNMP service of IOS and IOS XE that could be exploited to take control of the affected systems.



What makes this flaw serious is that it affects every SNMP version (1, 2c and 3) and can cause a buffer overflow on the box (with v1/v2c the attacker only needs to know the community string; with v3 valid credentials are required), and it affects every device that is not updated with the fix Cisco will be releasing in the coming days. The vulnerable MIBs are:

ADSL-LINE-MIB
ALPS-MIB
CISCO-ADSL-DMT-LINE-MIB
CISCO-BSTUN-MIB
CISCO-MAC-AUTH-BYPASS-MIB
CISCO-SLB-EXT-MIB
CISCO-VOICE-DNIS-MIB
CISCO-VOICE-NUMBER-EXPANSION-MIB
TN3270E-RT-MIB

The workaround for now is to disable the MIBs listed above (on IOS that means excluding them from the SNMP view applied to your communities and v3 users), but the definitive fix is installing the patched release.

Link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170629-snmp

Those who follow the blog will notice this is already the third serious security flaw in Cisco gear; as we say here, they can already request a song on Fantástico, lol

Cheers

Monday, May 22, 2017

FRRouting project



Hey folks, how's it going?

In April, the first official release of the FRRouting project came out. It is an open-source routing suite forked from Quagga and developed/supported by the big open-source players and the large Linux communities on the web (as well as the Linux Foundation):



The router supports several routing protocols (RIP, OSPF, IS-IS, BGP, LDP, etc.) plus the usual features of a regular router (route-maps, ACLs, SNMP, Zebra, route server, etc.) in the current version, and the team is working on MPLS support for the next release:



The router's CLI is modeled on Cisco IOS, which makes migrating to this new platform much simpler:

 % telnet localhost 2601
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

Hello, this is frr (version 2.0)
Copyright © 1999-2005 Kunihiro Ishiguro, et al.

User Access Verification

Password: XXXXX
Router> ?
  enable            Turn on privileged commands
  exit              Exit current mode and down to previous mode
  help              Description of the interactive help system
  list              Print command list
  show              Show running system information
  who               Display who is on a vty
Router> enable
Password: XXXXX
Router# configure terminal
Router(config)# interface eth0
Router(config-if)# ip address 10.0.0.1/8
Router(config-if)# ^Z
Router#

Link:
https://frrouting.org/

Download:
https://github.com/FRRouting/frr/releases/tag/frr-2.0

The project is quite interesting and worth a look, especially since before long you will probably run into it on some router out there, not to mention the integration with SDN networks it is likely to bring.

Cheers, folks

Tuesday, May 9, 2017

Upcoming Nic.BR courses


Hey folks, Nic.BR is opening registration for the Operational Best Practices for Autonomous Systems course (end of May) and also for the Intensive Course of the Brazilian Internet Governance School (August):

Contents:
Introduction to the Internet and to Autonomous Systems
Governance
Addresses and addressing plan
Introduction to routing
Routing best practices
Advanced routing topics
Network management
Security
IX Regional Forum

One of the main challenges of the Intensive Course is defining the program. As the Internet reaches into the most diverse activities of our daily lives, the range of topics related to Internet Governance has grown and become more complex. To make this extensive body of content easier to approach, the program includes a preliminary-activities stage in which students get access, through an online environment, to a set of materials and activities structured to prepare them to follow the in-person stage. The preliminary activities take place in the three weeks before the in-person stage.

Preliminary activities:

These consist of a group of activities to be carried out remotely, covering:

Reading of the recommended bibliography;
Watching video lessons on the subjects to be covered in the course;
Virtual classes with the course instructors to clear up doubts and hold guided discussions of the readings.
The preliminary activities are mandatory for all students.

The preliminary activities will give students access, through an online environment, to a set of materials and activities structured to prepare participants to follow the in-person stage. The preliminary activities are mandatory for all students.

In-person stage:

Structured with lectures, panels, debates and other activities planned and prepared by the Faculty and the CGI.br Advisory Team. The 40-hour workload comprises one week of the course.


Link:
https://cursoseventos.nic.br/turmas/

I have already taken the best practices course, and it is worth it, folks; the governance course also comes highly recommended.

Update, folks: registration has also opened for the IPv6 distance-learning course, starting on 25/05:

http://saladeaula.nic.br/courses/course-v1:NIC.br+IPV6-001+T001/about

Cheers, folks.

Wednesday, 3 May 2017

GNS3 2.0 Stable release



Hey folks, how's it going?

GNS3 has just released its new stable version with some interesting changes, such as "save as you go", which automatically saves your projects while you work, smart packet capture, VPCS/cloud/switch templates, a new "cloud node", a new NAT node and much more, in addition to the new vendors the tool supports: Arista vEOS, Cumulus VX, Brocade Virtual ADX, Checkpoint GAiA, A10 vThunder, Alcatel 7750, NetScaler VPX, F5 BIG-IP LTM VE, MikroTik CHR, Juniper vMX and more.

I believe the GNS3 folks are chasing the EVE project (the two seem to compete with each new release over which is the best network emulator), so here are the updates in the new version:


What’s new in GNS3 version 2.0

Version 2.0 is a new major release of GNS3 which brings major architectural changes and also  new features.

GNS3 was only a desktop application from the first version up to version 0.8.3. With the more recent 1.x versions, GNS3 gained the ability to use remote servers. Now, in version 2.0, multiple clients can control GNS3 at the same time, and all the “application intelligence” has been moved to the GNS3 server.

What does it mean?

Third parties can make applications controlling GNS3.
Multiple users can be connected to the same project and see each other's modifications in real time.
No need to duplicate your settings on different computers if they connect to the same central server.
Easier to contribute to GNS3, the separation between the graphical user interface and the server/backend is a lot clearer.
All the complexity of connecting multiple emulators has been abstracted in what we call the controller (part of GNS3 server). From a user point of view, it means that it is possible to start a packet capture on any link, connect anything to a cloud etc.

Finally, by using the NAT object in GNS3, connections to Internet work out of the box. Please note this is only available with the GNS3 VM or a Linux OS with libvirt installed.

NEW FEATURES

Save as you go

Your projects are automatically saved as you make changes to them, there is no need to press any save button anymore. An additional benefit is this will avoid synchronisation issues between the emulators’ virtual disks and projects.

Multiple users can be connected to the same project

Multiple users can be connected to the same project, see each other's changes in real time and collaborate. If you open a console to a router you will see the commands sent by other users.

Smart packet capture



Now starting a packet capture is just as easy as clicking on a link and asking for a new capture. GNS3 will pick the best interface to capture from.

The packet capture dialog has also been redesigned to allow changing the name of the output file or to prevent automatically starting Wireshark:

Capture on any link between any nodes

There is no longer any restriction on what kind of node can be used for a packet capture. Previously VPCS and Qemu were not supported.

Select where to run a VPCS node

Like for hubs and switches, it is possible to select which server to use when a VPCS node is dropped into a project.

Delete a project from the GUI



Now you can delete a project from the file menu. All files will be deleted from your hard drive and remote servers.

Or via the project dialog



Project options

There are now multiple options allowing you to load a project with GNS3 in background and even to auto start the nodes.



The cloud is a real node

In previous versions of GNS3, the cloud was in fact a direct usage of the emulator capabilities to connect to external networks. In version 2.0, the cloud is a real node, this means:

Possibility to connect anything to any cloud
All links to a cloud support packet capture
There is no need to run emulators as root to connect to a cloud (only uBridge requires admin permission).
Cloud templates

You can create cloud templates with your favorite interfaces and symbols.

New cloud interface

The cloud interface is simpler with a unique select dialog for ethernet interfaces. We also merged host object into the cloud since the difference between the 2 objects was not clear for most users.



VPCS / Ethernet Switch / Ethernet Hub templates

You can create templates for these nodes just like for other nodes.

Search OS images in multiple locations

OS images can be stored in selected folders and used without providing the full path. GNS3 will scan these folders in order to find the correct images.



VM wizards offer a list of images available locally or remotely. GNS3 will upload an image for you if it can only be found locally.

Periodic extraction of startup configs for Dynamips and IOU

Startup configs are extracted at regular intervals to avoid configuration loss if Dynamips or IOU crashes.

Custom cloud, Ethernet hub and Ethernet switch templates

It is possible to create custom templates (symbol, name format etc.)

Snap to grid for all objects

In version 1.5, we introduced the snap to grid feature. Now you can use it for rectangles, ellipses, images etc.

Synchronize the node templates when using multiple GUI

Node templates are synced between all the GUIs.

Link label style

The style of link labels can be changed just like labels for nodes (color, font, orientation etc.)

New place holders in command line for opening consoles

%I WILL BE REPLACED BY THE PROJECT UUID

When you open a console to a node you can pass %i to the console command line, this will be replaced by the project UUID allowing scripts to interact with your project.

%C WILL BE REPLACED BY THE CONNECTION STRING

When you open a console to a node you can pass %c to the console command line, this will be replaced by the connection string to the GNS3 server allowing your scripts to know how to connect to the GNS3 API.

Export a portable project from multiple remote servers

It is possible to export a project and reimport it to a single GNS3 VM if you have a project running on multiple remote servers.

Note: You cannot re-import a project to the original multiple remotes or a non-GNS3 VM server. This is a limitation of the export file format.

New save as

The old “save as” has been replaced by a project duplication feature. This feature will duplicate not just the .gns3 but also the disk data from all GNS3 servers.

With the evolution of emulators, the complexity of the tasks to duplicate grew and we could no longer just duplicate the raw data. Behind the scenes, the import / export system introduced in version 1.5 using the .gns3project extension is now used for duplicated projects.

Snapshots with remote servers

Snapshots are now supported when using remote servers. Behind the scenes, the import / export system introduced in version 1.5 is used for snapshots.

Better start / stop / suspend all nodes

The start / stop / suspend all nodes feature will limit the number of processes starting at the same time to optimize CPU usage.

Edit config

Dynamips, VPCS and IOU nodes support configuration editing from within GNS3. Note: this feature doesn’t automatically reload the config in the node.

NAT node

NAT node can be used to connect GNS3 nodes to the Internet without any configuration, this requires the GNS3 VM or Linux. This node uses the libvirt nat interface.

This also replaces the Internet VM, the conversion will be automatic for internet VM users. An additional benefit is that this will consume less RAM and CPU.

Support for colorblind users

The stop symbol is now a square in order to help colorblind users to see the differences with running devices.



Support for non local server

In previous versions, disabling the local server was not officially supported.

Now if you disable the local server you can put settings for a remote server that will replace your local server.

Support for profiles

GNS3 can be started with the parameter --profile PROFILENAME in order to have different settings applied. This can be useful if one needs different settings for different usages of GNS3 (home vs office).

Or enable a dialog at startup



Suspend the GNS3VM when closing GNS3

For a faster exit and restart of GNS3 you can now suspend the VM. This works well with an SSD disk. For instance, it takes less than 4 seconds on an old MacBook where previously the start time was 30 seconds.

Edit the scene size

The scene size can be changed if your project is bigger than the standard one.

IOU licence improved

Instead of the old licence file system, you can now import the IOU licence and it will be synced across your devices.

BIOS image support for Qemu

You can now use a custom BIOS image when running Qemu machines. This allows using appliances with a custom UEFI BIOS.

NEW API

Developers can find out how to control GNS3 using an API here: http://api.gns3.net/en/2.0/

Thanks to our controller, it is no longer required to deal with multiple GNS3 servers since most of the information is available in the API.

All the visual objects are exposed as SVG.

This API is quite complete, the only major missing part at the moment is creation and use of node templates.