Juniper Networks (JNPR) beat second quarter expectations and says it's more optimistic about the rest of the year.

The Sunnyvale, Calif.-based Internet gearmaker on Thursday posted earnings of $156.6 million or 28 cents a share in adjusted profit. That is up from the 20 cents in earnings recorded in the year-ago period. Analysts were looking for 27 cents on the bottom line.

The positive report comes as Juniper announced former that Kevin Johnson, Microsoft's (MSFT) Windows chief and head of online business, would take over as CEO. Kriens will stay on as chairman.

Sales for the second quarter were $879 million, up 32% over the last year at the same time. Analysts had anticipated revenue of $852 million for the quarter ended last month.

"We’re very pleased with the solid results we have delivered for the first half of 2008," CEO Scott Kriens said in a statement. Kriens added that demand for Juniper's new gear underscores "our improved outlook for the second half of the year."

With slightly improved operating margins, Juniper generated net cash from operations of $200.5 million, compared to $199.3 million for the same quarter of 2007.

Tech watchers see Juniper as a good indicator for Cisco's (CSCO) Internet router business. And the solid performance could help ease concerns of a big  turn down.

Cisco and Pearson VUE Launch Global Test Delivery Exam Security Enhancements
Cisco and its global testing provider, Pearson VUE, a business of Pearson Inc. are pleased to announce a series of security enhancements that will reinforce the integrity and value of its Career certification program.

The advanced security enhancements include the use of digital photographs for candidate-identity verification and forensic analysis of testing data. The new measures, to be implemented beginning on Aug. 1, will include:

• Photo on Score Report and Web – On completion of a certification exam at the test center, candidates will receive preliminary score reports imprinted with their photos and unique authentication codes. The authentication code can be used to access a candidate’s official score online at Pearson VUE’s website usually within 72 hours of the examination. The online score report will also display the candidate’s photo. Candidates may share access to their online records with employers or other third parties.
• Forensic Analysis – Exam results and other testing data will be continuously analyzed by forensic software to detect aberrant testing behavior and to flag suspect exams for further investigation.
• Preliminary Score Report – All paper score reports will be preliminary, pending the results of forensic analysis, until official exam scores are posted to the Web usually within 72 hours of exam completion.Once the exam scores are official, candidates may use the authentication codes on their score reports to access the Pearson VUE website for score and photo verification.

These new exam security measures are part of Cisco’s overall strategy to protect the value and integrity of its certifications. Other measures include simulation-based testing, dynamically generated questionsand emulations to help ensure that Cisco certified networking professionals continue to have the knowledge, skills, and credentials to perform well on the job.

To find out more about Cisco Career Certifications access the Cisco Learning Network at www.cisco.com/go/learnnetspace.

It looks like Cisco is getting more serious about the integrity of its certification testing.  Associating a photo with your test result will help to stop proxy test takers (those who sit an exam under a different person's name).  I'm not exactly sure what dynamically generated questions are, but my guess is that this is generating unique questions and answers based on changes in variables in a question.  For instance, you might memorize the answer to a CCNA subnetting question by reading a brain dump.  You may get the same question on the exam, but the IP address and subnet mask is changed as well as the order of the answers.  In that case you would need to actually know how to subnet rather than just know to click 176.18.242.0/18.

The most interesting aspect of the new security features is the inclusion of forensic analysis of certification testing.  Rick Gregory at TrainingIndustry.com has an excellent article that details some of the issues that Cisco's new security features are meant to combat and how they they do it.  The article also expands on some of the techniques mentioned in the email and what will happen to test takers who are suspected of cheating.  Here is a description of forensic analysis (again, emphasis mine):

Exam Data Forensics

During a Cisco certification exam, each keystroke is logged and a record is created that includes the length of the test period, how much time was spent on each question, whether an answer was changed, how much time was spent on the second answer, etc. After the exam is completed, but before the results are processed, each exam session is analyzed by forensic software that analyzes the session against established behaviors and suspect exams are flagged for investigation.

"When you analyze a testing program the size of Cisco's, you develop an extensive knowledge base of behaviors you expect to see at every level of the examination," said Trask. "We've broken the population down by age, sex, education, country, etc., and we know what to expect in almost every instance. We've established norms for behavior for an individual taking an exam for the first time, for taking an exam a second time after failing initially. We know how the distractors should be performing. We've amassed a wealth of knowledge for every test question."

When an exam is flagged, it is investigated by VUE psychologists and security teams. If they determine that there is a problem with the exam, the results are invalidated and the candidate is offered a free chance to retake the test. They are given a different form of the test and have the opportunity to validate that they understood the information and should have passed the test.

Program Data Forensics

Another layer of security examines a wide range of other program attributes to determine what is occurring within the program. "We're comparing testing center to testing center, and within a center, we are comparing one administrator to another administrator to see if inconsistencies emerge," Trask said. "We look at things like candidates who live in one country but test in another; we review financial information, credit card information; just a very wide range of information to see patterns and inconsistencies."

---Read The Rest Here---

This sounds like the most powerful weapon to combat cheating.  I won't pretend to know the details of a forensic algorithm, but if your zip though five CCNA subnetting questions in a matter of seconds, then it's pretty obvious that you're either fluent in binary or you are choosing answers that you've most likely seen before.  You may want to think twice before posting about getting 1000/1000 and finishing the exam in 15 minutes.  :-)

The last bit about using forensic analysis to monitor testing center results as well as individual test administrators will hopefully crack down on leaked exams. 

Gregory's article mentions test takers who take the exam in order to harvest questions.  That may be effective, but I have to imagine that slipping some cash to a testing center administrator would be a more effective way of stealing exam questions.  There are cameras all over the testing center.  How hard would it be for a person working at a testing center to simply copy questions by reading a test taker's screen?  It would be interesting to introduce variations on questions in certain test center's exams only and see if those questions appear on brain dumps.

Anyhoo...hopefully this will start to cut down on the number of exam cheaters and bring a little bit of the former prestige associated with the CCxA and CCxP certifications.  I also hope that this will mean that the tests themselves will concentrate more on core topics and less on out of left field questions meant to make the exams more difficult.

They have some servers with five, seven and even nine years uptime. Great, except the utilization is so low as to not warrant the electricity they've used. Rather than an uptime boast, these systems seem like a great opportunity for a green datacenter consolidation and save the electricity!

Hmm, I love the smell of virtualization in the morning. I emailed Tim Sipples, it will be interesting what the mainframe blog makes of this, I know that when I was new technology architect for System z they had some customers with uptime in the 3-4 year space, running millions of transactions per day and at 85%+ utilization. I never checked for Power Systems but I suspect there are many similar out there.

“Apart from becoming more and more unpleasant, recently business travel is also becoming far less necessary. With videoconferencing technologies improving and fuel prices rising, more businessmen and women seem to be choosing the option to stay put and use new technology to cut down on travel. Companies too are making an active effort to limit employees’ air travel for the duel-pronged benefits of cutting costs and being environmentally friendly. AT&T has reportedly reduced employee air miles by 15% through video conferencing and Web meetings, while Accenture plans to have 22 video conferencing rooms installed around the world by the end of this year. ” | Fast Company

Cisco has already tried to address this trend by using Pure's technology in its Linksys Easy Link Advisor program, which was introduced on Linksys routers in April and is aimed at making it easier to manage multiple PCs and equipment. Today's acquisition was driven, in part, by vendor and consumer satisfaction with those routers. It's also because Cisco is trying to drive its vision of an intelligent network as the hub of the connected digital home. Pure's software and HNAP protocol, which works with any IP network, from Wi-Fi to Ethernet, will underlie that intelligent network.

In contrast with Intel, which views the home network as a group of devices centered around a PC, Cisco's Chris Dobrec, director of worldwide strategy for Linksys, says networked devices can and should have the level of intelligence built into them to recognize and talk to one another without using the PC as an intermediary. That's a common enough vision, one that would allow you to take a photo with a digital camera and easily send it to your friend's camera without ever using a PC. The days of standing there for 8 minutes at a family reunion while 10 people pass along their cameras to snag a shot would be over.

The problem with that scenario is that intelligence in devices doesn't come cheap. In addition to a networking chip, certain protocols require a lot of CPU power or memory in order to identify and disclose themselves to a network. Dobrec says the HNAP protocol is light enough that it doesn't need additional chips and could easily be embedded on existing hardware. Cisco plans to push the HNAP protocol as a standard and get device makers on board.

Eliminating the PC as a middleman won't be easy with Intel pushing its own consumer networking technology, Cliffside, which uses Wi-Fi to connect devices and is scheduled to be introduced next year. The capability is already built into Intel's Centrino chips, and will be activated with a software update in about eight months. Both HNPA and Intel's Cliffside project will network Internet-connected devices as well as those that aren't connected to the Internet.

Next_Hop

Category: well-known mandatory
Preference: shortest path or IGP metric

This attribute defines the next hop in the BGP path which a router has to use. But this does not have to be the direct neighbours address. The following rules apply:

1. If the advertising and receiving router are in the same AS (iBGP Peers) and the route belongs to the same AS, the Next_Hop address is set to the originating routers interface.
2. If the advertising and receiving router are not in the same AS (eBGP Peers), the Next_Hop address is set to the eBGP Peers interface.
3. If the advertising and receiving router are in the same AS, but the route belongs to a different AS, the Next_Hop address is set to the external Routers IP over which the route originally has been advertised into the AS.

If two iBGP peers are no direct neighbors, they will have to do a recursive lookup for every routing update to find their own next hop towards the neighbor router. To do this, the routers have to consult their IGP table. The same happens with external routes, because the external routes Next_Hop is set to the external routers interface over which the AS has learned the route. The recursive lookup will fail if this Next_Hop address is not known by the IGP. To solve this problem you could either expand the IGP so it knows the interface (e.g. passive interface towards that connection), create static routes, redistribute or use the BGP neighbor command next-hop-self.

Next_Hop configuration

Based on the above network diagram the configuration for the routers is straight forward, except that R1 is the route-reflector for R4 to not have to create a full meshed iBGP:

R1#sh run | sec router bgp
router bgp 124
no synchronization
bgp log-neighbor-changes
network 99.99.1.0 mask 255.255.255.0
neighbor 116.1.12.2 remote-as 124
neighbor 116.1.14.4 remote-as 124
neighbor 116.1.14.4 route-reflector-client
no auto-summary

R2#sh run | sec router bgp
router bgp 124
no synchronization
bgp log-neighbor-changes
network 99.99.2.0 mask 255.255.255.0
neighbor 116.1.12.1 remote-as 124
neighbor 116.1.23.3 remote-as 3
no auto-summary

R3#sh run | sec router bgp
router bgp 3
no synchronization
bgp log-neighbor-changes
network 99.99.3.0 mask 255.255.255.0
neighbor 116.1.23.2 remote-as 124
no auto-summary

R4#sh run | sec router bgp
router bgp 124
no synchronization
bgp log-neighbor-changes
network 99.99.4.0 mask 255.255.255.0
neighbor 116.1.14.1 remote-as 124
no auto-summary

Rule 1 applies for all AS124 based loopback addresses and routers. The Next_Hop address for routes and routers in the same AS is set to the originating routers interface:

R1#sh ip bgp | e 99.99.3.0
BGP table version is 4, local router ID is 99.99.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 99.99.1.0/24     0.0.0.0                  0         32768 i
*>i99.99.2.0/24     116.1.12.2               0    100      0 i
*>i99.99.4.0/24     116.1.14.4               0    100      0 i

R2#sh ip bgp | e 99.99.3.0
BGP table version is 5, local router ID is 99.99.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i99.99.1.0/24     116.1.12.1               0    100      0 i
*> 99.99.2.0/24     0.0.0.0                  0         32768 i
*>i99.99.4.0/24     116.1.14.4               0    100      0 i

R4#sh ip bgp | e 99.99.3.0
BGP table version is 4, local router ID is 99.99.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i99.99.1.0/24     116.1.14.1               0    100      0 i
*>i99.99.2.0/24     116.1.12.2               0    100      0 i
*> 99.99.4.0/24     0.0.0.0                  0         32768 i

Rule 2 says that the Next_Hop address of eBGP Peers has to be the eBP Peers address:

R2#sh ip bgp
BGP table version is 5, local router ID is 99.99.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i99.99.1.0/24     116.1.12.1               0    100      0 i
*> 99.99.2.0/24     0.0.0.0                  0         32768 i
*> 99.99.3.0/24     116.1.23.3               0             0 3 i
*>i99.99.4.0/24     116.1.14.4               0    100      0 i

R3#sh ip bgp
BGP table version is 5, local router ID is 99.99.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 99.99.1.0/24     116.1.23.2                             0 124 i
*> 99.99.2.0/24     116.1.23.2               0             0 124 i
*> 99.99.3.0/24     0.0.0.0                  0         32768 i
*> 99.99.4.0/24     116.1.23.2                             0 124 i

R2 has R3's address set as Next_Hop for R3's loopback interface, while R3 uses R2's address for every route from AS124. R3 validates (valid > ) all routes from R2 because R3 knows the way to its Next_Hop address over the IGP table. The same applies for R3's loopback interface on R2, but R1 does not have an entry in its IGP table to find a way to R3's address 116.1.23.3:

R1#sh ip bgp
BGP table version is 4, local router ID is 99.99.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 99.99.1.0/24     0.0.0.0                  0         32768 i
*>i99.99.2.0/24     116.1.12.2               0    100      0 i
* i99.99.3.0/24     116.1.23.3               0    100      0 3 i
*>i99.99.4.0/24     116.1.14.4               0    100      0 i
 
R1#sh ip bgp 99.99.3.0
BGP routing table entry for 99.99.3.0/24, version 0
Paths: (1 available, no best path)
  Not advertised to any peer
  3
    116.1.23.3 (inaccessible) from 116.1.12.2 (99.99.2.2)
      Origin IGP, metric 0, localpref 100, valid, internal

R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     116.0.0.0/24 is subnetted, 2 subnets
C       116.1.12.0 is directly connected, FastEthernet0/0
C       116.1.14.0 is directly connected, FastEthernet1/0
     99.0.0.0/24 is subnetted, 3 subnets
C       99.99.1.0 is directly connected, Loopback0
B       99.99.2.0 [200/0] via 116.1.12.2, 00:30:23
B       99.99.4.0 [200/0] via 116.1.14.4, 00:30:28

R1 does not advertise R3's loopback interface to R4 since it does not have a valid path to R3's loopback interface:

R4#sh ip bgp
BGP table version is 4, local router ID is 99.99.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i99.99.1.0/24     116.1.14.1               0    100      0 i
*>i99.99.2.0/24     116.1.12.2               0    100      0 i
*> 99.99.4.0/24     0.0.0.0                  0         32768 i

To solve this problem, we configure the next-hop-self command on R2 so that every route R2 advertises into AS124 will have its address set as Next_Hop address:

R2#sh run | sec router bgp
router bgp 124
no synchronization
bgp log-neighbor-changes
network 99.99.2.0 mask 255.255.255.0
neighbor 116.1.12.1 remote-as 124
neighbor 116.1.12.1 next-hop-self
neighbor 116.1.23.3 remote-as 3
no auto-summary

R2 now is the default Next_Hop for its and R3's loopback interface. R1 and R4 do now have a valid path to the Next_Hop address of R2 and will validate the route to 99.99.3.0 in their BGP tables:

R1#sh ip bgp
BGP table version is 5, local router ID is 99.99.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 99.99.1.0/24     0.0.0.0                  0         32768 i
*>i99.99.2.0/24     116.1.12.2               0    100      0 i
*>i99.99.3.0/24     116.1.12.2               0    100      0 3 i
*>i99.99.4.0/24     116.1.14.4               0    100      0 i

R4#sh ip bgp
BGP table version is 5, local router ID is 99.99.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i99.99.1.0/24     116.1.14.1               0    100      0 i
*>i99.99.2.0/24     116.1.12.2               0    100      0 i
*>i99.99.3.0/24     116.1.12.2               0    100      0 3 i
*> 99.99.4.0/24     0.0.0.0                  0         32768 i

After that configuration R1 and R4 are also able to ping R3's loopback interface, as long as the ping's source address is one of their loopback addresses, because R3 only knows the loopback routes out of AS124:

R4#ping 99.99.3.3 source loopback 0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 99.99.3.3, timeout is 2 seconds:
Packet sent with a source address of 99.99.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/76/124 ms

By Jon Fortt, Fortune senior writer

HALF MOON Bay, Calif. - Sustainability will influence the next generation of Internet technology, according to Cisco (CSCO) chief technology office Padmasree Warrior.

At Fortune's Brainstorm Tech conference on Tuesday, Warrior and technology visionaries from Nokia and Xerox sat down with Strategic News Service's Mark Anderson Tuesday to talk about dealing with information overload, mobile innovation, and the major tech transitions ahead.

One idea that's likely to get a lot more attention, Warrior said, is doing more while consuming fewer resources. "Sustainability is going to be a great driver," she noted. "It's actually innovating for constraints that will drive the next generation of technology."

Warrior said some of the major innovation trends she's watching are the Internet's transition into an entertainment platform, the emergence of communities as a driving force in communication, the power of video as a business tool and the rise of new global economic powers like China and India.

Xerox (XRX) CTO Sophie Vandebroek talked about software her company is cooking up that sifts through oceans of digital information and serves up bits that are most likely to be relevant to the task at hand. For instance, for a law firm it could plow through digitized legal files and pull out information about people and events that are most likely to have an impact on a given case. It's an attempt to help knowledge workers who are drowning in data. "It's like food – we have too much food with these all you can eat buffets," Vandebroek said. "You have to control yourself."

Nokia (NOK) CTO Bob Iannucci said mobile technology is transitioning from a focus on hardware – handsets, towers and the like – to a focus on software and services. He said mainframes, mini computers and PCs all went through the same changes, and the implications were profound. One of the resulting challenges he's pondering in a service-oriented mobile world: How do you harness the value of people's personal information in a way that doesn't freak them out? Can companies like Nokia give customers access to their data in a way that helps them answer questions and make purchases?

From the audience, Google (GOOG) Chief Internet Evangelist (and Internet pioneer) Vint Cerf pointed out that the way people are beginning to use the mobile Internet is fundamentally different. More than with the PC based Internet, mobile users are likely to get online for information related to where they are and what they're doing at that moment. Warrior agreed that the tech world will have to pay more attention to that shift: "Context and location awareness will become really important," she said.

To frame the themes of this year's powwow -- which opened Monday afternoon with Michael Dell (DELL) and Amazon (AMZN) CEO Jeff Bezos (pictured right) -- my colleague David Kirkpatrick asked participants what is the most exciting technology innovation of the last 12 months. The most popular answer: the iPhone. That probably doesn't surprise you, but the interesting thing is how Apple's (APPL) iPhone and its seemingly simple user interface fits the trend of the best and latest technologies. As one Brainstorm participant, Mitel CEO Don Smith, says about the iPhone, the Nintendo Wii and other recent innovations: "The most exciting trend has been towards simplicity in many areas of technology. Simplicity is essential if our society is to reap the full potential of technology."

This idea that simplicity is increasingly the key to success keeps coming up here at Brainstorm. In an interview with David K., Jeff Bezos said that as Amazon developed the Kindle, the electronic reader that came out last November, it set a simple goal: to improve upon the book. "It was an audacious goal bordering on arrogance," he noted, adding that the book has remained so unchanged for 500 years that Gutenberg would recognize it today.

The Kindle would succeed, Bezos explained, only if "the container of the book gets out of the way. That's not easy." He mentioned that he once had a microwave oven that beeped every minute after cooking was done, until you opened the oven door. "I called it the self-important device" -- and that's what he didn't want the Kindle to be.

Turns out, Amazon designed quite an elegant and unobtrusive machine. "It's not easy to make a device that disappears," Bezos said, sounding almost Steve Jobs-ian. I haven't used a Kindle, yet. But after nasty supply shortages the first few months, I can get one -- and just might. Keith Reinhard, the former CEO of advertising giant DDB, told me this morning that he bought one, not expecting to love it. But he loves it. "I'm reading five books at one time," he told me. (Reinhard started in the ad business in 1962, but he knows how to multitask like a gen-Yer!)

Of course, globalization's evolution -- with ever-increasing focus on emerging markets -- calls for simple solutions. Joost CEO Mike Volpi, who once headed strategy at Cisco (CSCO), says he thinks the most innovative new technology is One Laptop per Child. That is Nicholas Negroponte's program to spread computers across the developing world. "There is not amazing new technology in this computer, but cutting-edge technologies and open-source computing are intelligently packaged together to provide incredible value to the world's poorest children," Volpi says.

Nick Negroponte is on stage next. Gotta run!

I ventured down to the training room around 7:30 am and found a handful of people seated there.  I asked if this was the Mock Lab Workshop and was told that it was.  It turns out that Internetwork Expert was running a 12-day boot camp which is a the 5-day boot camp plus weekend sessions plus the Mock Lab Workshop.  That explained the "Routing and Switching Boot Camp" sign in the hall.

I got settled in and tested the wireless connection.  I had installed Ubuntu on my laptop during a layover on my outbound flight (my XP CD was too scratched to work) and had not been able to verify the wireless.  I'm happy to say that the Hardy Heron worked fine sans wires.  It's a good thing too, because my backup laptop had an old B radio card in it.  I don't think that anyone would appreciate me dropping the connection to 11Mbps.  :-)

The room was catered with fruit, juice, coffee, and pastries each morning.  After lunch the breakfast items were removed and a selection of sodas were made available.  For those who need their energy drink fix, there is a gift shop on the main floor of the hotel which stocks Red Bull and Rockstar (yuck).

Soon enough Brian Dennis and Petr Lapukhov joined us and the class was underway.  One of my classmates pointed them out and said "There's Brian Dennis."  I had heard his voice (over and over again) on the IECODs so it was interesting to put a face to that voice.  I was very surprised at how young he was.  Then I figured out that I was looking at Petr and not Brian.  :-)

There were about 20 people in the class.  All but a handful of them (like myself) had been there for the previous seven days.  As I stated earlier, we had a virtual United Nations going in the class.  There were students from many different countries.  We did brief introductions (name, experience, and lab date).  Most of the students had scheduled the lab within the next 1.5 months with about 5 of them going within a week.

The format of the workshop is lecture in the morning (starting around 8 am and ending around 11 am) followed by a mock lab each day except for Friday.  Monday's lecture was about the class structure and (mostly) about lab strategies.  If you've completed the IECOD or viewed the free COD on lab strategies, then you will have already seen a lot of what was presented.  To my surprise there was a lot of new (to me) information presented.  Here are a few of the things mentioned (these may or may not be verbatim):

What you can take into the lab is generally up to the proctor's dicretion.  Officially you cannot bring in anything.

The lab is in a binder with about 15 - 20 pages with plastic covers on each page.  You can pull the pages out of the binder.  Do that.  Put them back at the end of the day.  Do NOT take the pages out of the plastic cover.

The old version of the lab was on red paper with black ink (difficult to copy).

Most redistribution will take 30 minutes.  Do a workaround and come back to it.

The Brussels lab location is incorrect on Google maps.  Don't stay at the Cisco recommended hotel in Brussels as you cannot walk to the lab center and driving there is difficult.

Make sure to put a slash on the end of univercd (/) or the web filter will filter.

The telnet client is SecureCRT running version 4 (or something close to it).  No menus.  No tabs.  You can change the colors.  You can change the keyboard mapping.  Brian mapped the ~ key to perform copy and paste.  Set your scrollback buffer to max (9999 lines).  You can use access server or open a unique window to each device.  IE recommends to practice labs with the lab restrictions for the last two weeks so you are used to them when you get to the real lab.

Draw your own diagram.  IE says that you will get a routing protocol diagram in the lab.

The goal is to try to finish 2 hours early and then use the remaining 2 hours for verification.

There is quite a bit of grading by script in the Routing and Switching lab.

BGP is usually mentioned at the end of the discussions by Cisco, so it's likely at the end of the test.

You don't need to build scripts if you are running short on time.  Just ping some sample routes.

When you're done with "full reachability" you should have around 40 points.

Save your configurations after each task.

You want to score 95% of the Frame Relay, IGP, and Ethernet sections in order to pass the lab.

As I mentioned earlier, you will receive $40 worth of meal vouchers for each day of your training.  These vouchers are good anything (booze included) at a number of restaurants in the resort.  There is a buffet, bistro, sport bar, hamburger joint, sandwich shop, and others in the resort. IE also had a Starbucks gift card available for anyone to use to get free coffee at Starbucks (also in the hotel).  You're not going to go hungry.  :-)  Do keep in mind that the vouchers do not include gratuity, so bring some cash to tip the waitstaff.

After lunch, we started the first mock lab.  I had done this lab months ago and scored an 89 on it.  It was a difficulty level 6 lab and did not have a lot of interlocking questions - or so I thought.  I was given the opportunity to substitute a different lab for this one since I had already taken it.  I decided to do the lab because of the breakdown lecture and because I was coming into the workshop with very little time on the CLI in the prior month.  My moral was at a low point and I needed an "easy victory" to get my spirits up again.

One thing that I've learned that surprises me is that I am not memorizing labs.  My experience with practice exams is that I quickly memorize the question (and answer) so repeated attempts really don't do me much good because I tend to remember the answer.  This has NOT been the case with practice labs.  I was initially worried that repeating labs would be fruitless because I would remember the answers.  Not so.  Maybe it's due to the length of the labs or the fact that when I do repeat a lab it's usually been weeks or months since my previous attempt.  I did Mock Lab 1 back in March and have not looked at it since.  Keen readers will sense that I'm setting the scene for a poor showing on this lab.  :-)

For the first time, I followed the advice of completing the core task first and then going back to complete the non-core tasks later.  This worked out really well.  Brian stated in his lecture that there are certain people who have a hard time skipping tasks.  I am in that camp.  I can skip (most of the time) non-core tasks that I have no clue how to solve, BUT if I think that I know the answer then I will wrestle that sucker until I complete it.  This has thrown me off on a couple of timed labs.  I eventually finish the task, but lose so much time and momentum that I screw myself over on the rest of the lab.  By sticking to core tasks only, I was able to get full reachability in around 3 hours.  Of course I would lose that advantage later when I spent about an hour trying to mine the documentation for a 3 point task instead of verifying my configuration.  :-(

I finished all of the tasks that I knew how to do with about 1.5 hours left.  My false sense of confidence - "this is an easy lab and I've seen it once before" - plus my mental exhaustion lead me to skip the verification stage and try to mine points on the tasks that I was unsure on.  I'm still hitting the wall about 6 hours into a lab.  At that point I had zero fucking interest in going through each task line by line.  I do verification after I complete each task so I should be golden right?  I think we all know the answer to that question.

The start times of the labs were slightly staggered so once you were done with your lab most people went back to their rooms or went to dinner.  Most would reconvene in the conference room later to take advantage of the rack rentals or just the free wifi.  The labs were all graded by the start of the next morning's session.  Brian mentioned that the labs are hand-graded by a CCIE in India.  That guy really earned his pay during the week.  He had to grade up to 20 (there were a couple of students who did not do the mock labs) mock labs a night.  Many times my grade report was done by the time I got back from dinner.

I was unable to download a (free) telnet client that worked with Ubuntu.  I DID get Putty installed and working, but could not figure out how to cut and paste.  I eventually just used the terminal program in Ubuntu.  While using this lead to bouts of anger because of the difference in the copy and paste function (I use Tera Term in "real life") it was good practice as it made me adjust to a different environment.

One other surprising thing: I was not affected by the noise around me.  I had brought ear plugs just in case, but I was able to focus on my lab and not get thrown off by the surrounding noise.  I will still bring ear plugs to the lab (VoIP phones ringing will most like throw me off) and it should be noted that there was not a lot of noise in the workshop outside of the occasional groan and the constant clicking of keys.

Anyhoo...I've droned on long enough.  I'll try to get this review completed by the end of this week.  If you've been reading these reviews so far, you know that it's pretty unlikely that I will be able to hold to that schedule.  :-)

- IPv6 Prefixes
- AS Path

By showing the bgp6 neighbor advertising routes or showing the incoming routes on your ipv6 router don't seem to give you the right thing and should be done by the policy....

Please check your config and ensure that outgoing / incoming policy (ROUTE-MAP, PREFIX-LIST) applied on as the part of (under) bgp address family ipv6

address-family ipv6
neighbor 2001:470:1F01:FFFF::17AE activate
neighbor 2001:470:1F01:FFFF::17AE soft-reconfiguration inbound
neighbor 2001:470:1F01:FFFF::17AE route-map IPv6-PROVIDERv6-IN in
neighbor 2001:470:1F01:FFFF::17AE route-map IPv6-OUT out

Should you apply under address family of ipv4, than it won't work at all.

a. rahman isnaini rangkayo sutan

oncelikle konunun mantigi su sekilde

WEP’ in çözmesi gereken üç temel öğre vardı;

• Kimlik Doğrulama (Authentication)
• Gizlilik (Privacy)
• Bilgi Değiştirme Kontrolu (Message Modification Control)

Bunun harici aslında çözülmesi gereken Cevap Kontrolü (Replay Control), Erişim Kontrolü, Anahtar Dağıtımı ve Korunması konularına ise hiç WEP girmemiştir. Bu sorunların birçoğu bir sonraki WPA, RSN gibi standartlarda hep çözümlenmeye çalışılmıştır.

Kimlik Doğrulama

İlk adım kimlik doğrulamadır, ağa bağlanan kişinin gerçekten ağa bağlanma yetkisinin olup olmamasının düzenlenmesi, ikinci adım ise ağa bağlı kişinin trafiğinin diğer kişiler tarafından izlenilememesi.

WEP’ in kimlik doğrulaması şu şekilde çalışıyor;

civardaki aglari tespit etmek icin

Windows altında en eski ve en güzel wardriving araçlarından biridir. Ek olarak isteyenler için MiniStumbler da Pocket PC’ ler de çalışıyor. Aşağıdaki mantıkların hepsi hemen hemen Ministumbler’ a da uygulanabilir.

Netstumbler’ ı civardaki AP’ leri bulmak için kullanacağız. Netstumbler bir aktif tarayıcıdır yani civara probe requestleri gönderir, dolayısıyla tespit edilebilir. Tabii ki civardaki şifresiz kablosuz ağların yüzlerce olduğunu düşünürseniz bu tip bir şeyi birilerinin tespit edebilmesi milli piyangoyu kazanmanız gibi bir şey olur. İkinci olarak bu kanunlara aykırı veya suç içeren bir durum da değildir.

Netstumbler çok basit bir program ve şu an ki sürümü (0.4.0) bir çok kartla sorunsuz şekilde çalışıyor (RF modu istemediğinden ve paket dinleme yapmadığından dolayı donanım deseği çok geniş).

Download etmek için http://www.netstumbler.com/downloads/ adresini kullanabilirsiniz. Program ücretsizdir.

Programı kurduktan sonra açınca zaten varsayılan kartınız ile çalışmaya başlayacak ve hemen civardaki AP’ leri tespit edecektir.

Airodump

Daha önceden de belirttiğimiz gibi Kismet ile paket toplayabilirsiniz ancak airodump bu işlem için çok daha pratiktir.

Airodump’ ı yükledikten sonra daha önceden bulduğunuz AP’ nin çalıştığı kanalda airodump’ ı çalıştırın.

Airodump Parametreleri;

• <nic index>
  Hangi wireless adapter ile kullanacağınız, Yani bilgisayarınızdaki kablosuz ağa arabirimi.
• <nic type> (a/o)
  Wireless adapter’ in chipset i
  o : Hermes /Realtek
  a : Aironet/Atheros
  Eğer diğerse parametre olarak ne verdiğiniz farketmiyor.
• <channel(s)> (0-14)
  Hangi kanal yada kanalları dinleyeceği 0 verirseniz tüm kanalları dinlemeye alacaktır.
• <output prefix>
  Paketlerin yazılacağı dosyaların başlangıç ismi
• <ivs only flag> | Opsiyonel
  Eğer 1 yaparsanız sadece IV’ leri yazacak. Eğer sadece şifre kırmak istiyorsanız bunu seçebilirsiniz. Tüm paketleri toplayarak daha sonradan şifreyi kırabilir ve bu paketleri de bulduğumuz şifre ile açabilir ve analiz edebiliriz.

Bizim örneğimizde şu şekilde çalıştırıyoruz;

C:Airodump.exe 14 a 13 FM_APIVleri y

Aircrack

Aircrack paket toplama için kullandığımız “airodump” ın geliştiricisinden, çok kısa bir sürede ve az paketle sonuca ulaşabiliyor.

Tek yapmamız gereken topladığımız paketleri ona vermemiz.

Ciddi sorunlardan biri kaç bit şifreleme kırmamız gerektiğini bilmiyor olmamız. Çünkü WEP şifresinin 64bit mi 128bit mi olduğunu elimizdeki şifrelenmiş paketler ile tespti edemiyoruz. Bu yüzden eğer bilgimiz yoksa en iyisi önce 64 ile deneyip daha sonra 128bit olarak kırmayı denemek olacaktır.

Örnek kullanımı şu şekilde olabilir;

C:airrack.exe –a 1 –n 128 *.ivs (bu komuta gore 128 bitlik bir wep sifresini butun kayitli ivs uzantili paket dosyalarini inceleyerek kiracagiz. sifrelemenin 64 bit olabilme ihtimalinide varsayarak ilk denemede sifre cozemedi isek 128 bit denemekte fayda var.)

-a Parametresi kırılacak şifrenin WEP şifresi olduğunu belirtiyor,
-n parametresi ise kaç bitlik bir şifreleme olduğunu.

En sondaki *.ivs parametresi ise o klasördeki tüm “.ivs” uzantılı dosyaların kırılacağını belirtiyor. Önemli olan bir önceki paket toplama işleminde üretilen dosya veya dosyaları vermeniz.

Aynı şekilde eğer sırf IV’ leri değil tüm paketleri yazdıysanız *.cap dosyalarınızı da verebilirsiniz.

Kısa bir süre sonra şifre kırılmış olacaktır.

Karşınıza birden fazla cihazdan toplanan paketler gelebilir bu durumda ilgili AP’ yi seçmeniz gereklidir. Zaten ilgili AP’ nin MAC adresini daha önceki Kismet / Netstumbler bilgimizden dolayı biliyoruz. Aşağıdaki resimde bu durumun bir örneğini görebilirsiniz.

Birden fazla cihazdan IV toplanması sonucunda çıkan sorgu ekranı

Eğer tek bir sonuç çıkarsa aircrack otomatik olarak kırma ekranına geçecektir.

128bit WEP şifresi kırılma işlemi tamamlandı

Program farklı atak yöntemleri ve dictionary (belli bir sözlüğe dayalı deneme-yanılma) atak gibi opsiyonel bir dizi seçeneğe de sahip.

konuyu Ferruh Mavituna isimli arkadasin anlatimini ozetleyerek yayinladim

kaynak

windows tabanli aircrack ve airodump programini indirmek icin tiklayin

aircrack download airodump download

evet sonunda yazilarimizi takip eden bir arkadasimiz Ercan Dolu Wireless sifre kirma olayini basarmisgorunuyor. ispati alttaki resimde gorebilirsiniz. en basit sifreleme sistemi 64 bit wep sifresinin kirilma isleminin 1 sn surdugunu soyluyor (sifreye bagli olarak 3-5 sn surebilir) kendisini tebrik ediyorum diger arkadaslarada azmederek calismanin sonucunun basari oldugunu soylemek istiyorum.

“DNS servers are responsible for routing all Internet traffic to their correct destinations. The so-called cache-poisoning vulnerability that Kaminsky discovered could allow attackers to redirect Web traffic and e-mails to systems under their control, according security researchers. The flaw exists at the DNS protocol level and affects numerous products from multiple vendors.”

Jaikumar Vijayan, Computerworld, July 17

Word of the DNS flaw was made public earlier this month thanks to a collaborative update from the likes of Cisco and Microsoft.  Details were withheld in order to give administrators time to patch their systems. 

The flaw would allow hackers to launch unlimited queries against DNS servers without being detected, allowing them to run simple random number guesses to collect transaction IDs and other critical information that could be used to redirect web traffic to spoof sites.  These kinds of attacks can be successful, and in turn, detrimental to an organization’s web presence, in mere seconds.

“According to Kaminsky, a weakness exists in a transaction identification process that the DNS protocol uses to determine whether responses to DNS queries are legitimate or not. DNS messages include what are supposed to be random identification numbers, but the problem, according to Kaminsky, is that only about 65,000 different values are currently being used as identifiers. And in reality, the process of assigning the identifiers to packets isn't especially random and can be guessed, he said.”

Jaikumar Vijayan, Computerworld, July 17

While some have speculated whether or not the vulnerability is old news, Mike Fratto had recently delivered a stern warning to patch all DNS servers in his InformationWeek blog: 

“Since the CERT announcement yesterday about the new vulnerabilities in DNS, there has been a lot of speculation that what Dan Kaminsky found is old news. Thomas Ptacek from Matasano, in an interview with Nathan McFeters at ZDNet, pretty much dismisses the vulnerability as old news and therefore unimportant. That sentiment is echoed on mailing lists and message boards. But in an e-mail today, Kaminsky confirmed that what he found is something very new. I believe him. Forget the arguments. Go patch your DNS servers. Now.”

 Mike Fratto, InformationWeek, July 9

Making matters worse, a slip-up between security researchers discussing the cache poisoning attack via blog exchanges has inadvertently released details of how to launch an exploit in  the wild, making it only a matter of time before real attacks appear.

Here is the coverage from ZDnet yesterday afternoon: Has Halvar figured out super-secret DNS vulnerability?

Clearly irked by a demand request from Kaminsky and others to avoid speculating on the details of the flaw until the patch is fully deployed, Flake (left) published a reliable method to forge and poison DNS lookups.

Ryan Naraine, ZDnet, July 21

You can expect to read much more about this in the coming days, if not hours.

You can find out even more from this recent webinar hosted by Dan Kaminsky and Infoblox VP of Architecture Cricket Liu: DNS Security: Old Vulnerabilities, New Exploits.  It is sponsored by Infoblox, and is perhaps one of the most current and informative recorded events on the topic.  You can also read more at Kaminsky to discuss DNS flaw at Black Hat sponsored webcast.

For more background, you can read the following articles:

internetnews.com: Who is Really at Risk From the DNS Flaw?

internetnews.com: Is DNSSEC the Answer to Internet Security?

InformationWeek blog: Stop Arguing and Patch your DNS

Computerworld: DNS flaw discoverer says more permanent fixes will be needed

You can read my disclosure at: About Archimedius .

With the turmoil in the financial markets, it shouldn't come as a surprise that banks aren't going on a spending spree. That's one of the backdrops to Fortune's Brainstorm Tech conference in Half Moon Bay, where a handpicked group of tech luminaries have gathered to talk about the digital future.

In a side conversation near the bar here at the Ritz-Carlton, EMC (EMC) executive Mark Lewis drove it home. Financial services companies are "doing very thorough reviews" before buying tech gear, he said – that's a nice way of saying they're tight-fisted - and that's bound to have a real impact on companies that sell to them. (Think Dell (DELL), Sun Microsystems (JAVA), Cisco Systems (CSCO) and others.) Lewis, president of storage giant EMC's content management division, didn't seem alarmed. He said that because customers haven't recently overspent on technology, the buying pause isn't likely to last long. But for now, they're pushing for a faster return on their investment in technology, because budgets are tight.