
Wednesday 13 November 2019

Information about my New Blog Page (Nifty Financial Market)

Hello guys, I have not written on this blog for a long time, but continuous messages from viewers on my blog page have made me come back to this blog.

I will surely keep sharing critical and useful information through this blog as I get time.

But to tell you one thing, I have started a new blog, considering my interest in today's financial stock market, and have started blogging on a daily basis about the financial market, the technical parameters for investing and many more things.

This is just a piece of information for those who would like to join me on my new blog page; I am sharing the link below. I will keep posting about the recent market picture and its fundamental and technical parameters.
Do visit this blog on a daily basis; I will be sharing handy content.

https://niftyfinancialmarket.blogspot.com

Saturday 23 March 2019

Fabric Extender Technology (FEX) in Nexus

Fabric Extender is the term Cisco markets for what the IEEE calls a port extender. When this was written the IEEE work was the 802.1Qbh (Bridge Port Extension) draft, which has since been completed and published as IEEE 802.1BR-2012; that draft covered the control protocol used between the controlling bridge and the port extender. Related standards under development at the same time included IEEE 802.1Qbg (Edge Virtual Bridging) and IEEE 802.1Qbc.

The Fabric Extender Architecture



The components involved:

Controlling Bridge (Parent Switch): provides the control plane and management plane. This is one Nexus 5000 or Nexus 7000 switch, or a pair of them.
Port Extender: provides the physical port termination. This is the Nexus 2000 series.
Fabric links: the FEX connects to the controlling bridge over 10 Gigabit Ethernet uplinks (SFP+ optics or direct-attach copper).
Encapsulation mechanism: transports frames between the FEX and the controlling bridge and identifies which host port each frame belongs to.
Control protocol: used by the parent switch to manage and monitor the FEXs.

Cisco calls the encapsulation used between the FEX and the controlling bridge VN-Tag; VN-Link was the earlier umbrella name for the technology. Controlling bridge is the IEEE term, parent switch is Cisco's. Cisco initiated the IEEE 802.1Qbh work in the hope of standardizing VN-Tag. The tag lets the parent switch tell apart traffic belonging to different host interfaces as it traverses the shared fabric uplinks, which is what makes the FEX's host ports appear as individual ports of the parent.

VN-Tag Header


The Fabric Extender Forwarding
A FEX (Nexus 2000) operates as a remote line card but does not perform local switching: all forwarding is done on the parent switch. This is in contrast to most modular switches, such as a Catalyst 6500 with DFCs on its line cards. One reason for this design is reusability. By offloading forwarding and all intelligent decisions, Cisco's idea is that the parent switch can be upgraded while the FEXs, deployed in far larger numbers, stay in place. Where the DFC on a Catalyst 6500 lives on the line card, the equivalent processing for a FEX lives on the parent Nexus 7000 or 5000. Upgrading the parent switch therefore upgrades what the FEX can do, since all the FEX does is encapsulate traffic for identification. In large deployments, where the cost of hundreds of FEXs outweighs the cost of the Nexus 5000s used, this makes perfect sense; in very small deployments the argument is weaker. Two operational consequences follow: traffic between two hosts on the same FEX still travels up to the parent and back down, and the fabric uplinks carry all of it, so their bandwidth and oversubscription ratio have to be planned.


The Fabric Extender Management
A parent switch and all its FEXs are managed as a single device. This is accomplished by a small satellite image running on the FEX: a smaller, compatible version of the parent's NX-OS image that the parent switch pushes to the FEX without any user involvement. The same applies when the parent switch is upgraded; every attached FEX is upgraded at the same time.

The Fabric Extender Operation
Let us take a closer look at the back-end operation. There are four kinds of interface involved:

1. HIF (Host Interface): the physical user/host-facing ports on the FEX. They receive normal Ethernet traffic before it is encapsulated with the VN-Tag header. Each HIF is assigned a unique VN-Tag ID that is used in the encapsulation.
2. NIF (Network Interface): the physical uplink ports on the FEX. They connect only to the parent switch and carry only VN-Tagged traffic.
3. LIF (Logical Interface): the logical representation of a HIF, together with its configuration, on the parent switch. Forwarding decisions are made on the LIF.
4. VIF (Virtual Interface): the logical interface on the FEX. The parent switch pushes the configuration of a LIF to the VIF of the associated FEX, which is mapped to a physical HIF. Because the configuration lives on the parent, replacing a FEX is trivial: unplug the broken FEX, plug in the replacement, and the parent pushes the same configuration to it.
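The VN-Tag header and the HIF/NIF/LIF/VIF roles described above, modelled in code. This is an added example and not Cisco's or the page's own code: the tag layout follows Cisco's public VN-Tag proposal to the IEEE 802.1Qbh group (EtherType 0x8926 followed by a 32-bit tag with d, p, dvif_id, l, r, ver and svif_id fields), which the page itself does not spell out, and the flag semantics used here (d=0 for host-to-bridge, dvif_id left at 0 on the way up) follow that proposal as well. The interface names, VIF numbers and MAC addresses are made up. The Fex class only adds or strips the tag; every forwarding decision, including flooding of unknown unicast, happens in the ParentSwitch class, which is the point of the architecture.

```python
"""VN-Tag framing between a FEX and its parent switch (added example, not Cisco code).
Tag layout per Cisco's public VN-Tag proposal to IEEE 802.1Qbh: EtherType 0x8926, then
d(1) p(1) dvif_id(14) | l(1) r(1) ver(2) svif_id(12). The page names the header only, so
the field names are the proposal's. Port names, VIF numbers and MACs are made up."""
import struct

VNTAG_ETHERTYPE = 0x8926   # EtherType registered for Cisco VN-Tag
ETH_HDR_LEN = 12           # dst MAC + src MAC; the tag goes right after them
TAG_LEN = 6                # EtherType (2) + tag body (4)

def build_vntag(dvif_id, svif_id, direction=0, pointer=0, looped=0, version=0):
    """Pack a 6-byte VN-Tag. d=0 is host->bridge, d=1 is bridge->host."""
    if not (0 <= dvif_id < 1 << 14 and 0 <= svif_id < 1 << 12):
        raise ValueError("dvif_id is 14 bits, svif_id is 12 bits")
    if any(f not in (0, 1) for f in (direction, pointer, looped)) or not 0 <= version < 4:
        raise ValueError("d, p, l are 1-bit flags; ver is 2 bits")
    hi = (direction << 15) | (pointer << 14) | dvif_id   # d | p | dvif_id
    lo = (looped << 15) | (version << 12) | svif_id      # l | r=0 | ver | svif_id
    return struct.pack("!HHH", VNTAG_ETHERTYPE, hi, lo)

def parse_vntag(frame):
    """Return (fields, frame_without_tag), or None if no VN-Tag follows the MACs."""
    if len(frame) < ETH_HDR_LEN + TAG_LEN:
        raise ValueError("frame too short to carry a VN-Tag")
    ethertype, hi, lo = struct.unpack("!HHH", frame[ETH_HDR_LEN:ETH_HDR_LEN + TAG_LEN])
    if ethertype != VNTAG_ETHERTYPE:
        return None
    fields = {"direction": hi >> 15, "pointer": (hi >> 14) & 1, "dvif_id": hi & 0x3FFF,
              "looped": lo >> 15, "version": (lo >> 12) & 0x3, "svif_id": lo & 0xFFF}
    return fields, frame[:ETH_HDR_LEN] + frame[ETH_HDR_LEN + TAG_LEN:]

class Fex:
    """Port extender: tags on HIF ingress, strips on NIF ingress, never switches locally."""
    def __init__(self, hif_to_vif):
        self.hif_to_vif = dict(hif_to_vif)   # HIF -> VIF, as pushed by the parent switch
        self.vif_to_hif = {vif: hif for hif, vif in self.hif_to_vif.items()}

    def hif_ingress(self, hif, frame):
        """Untagged host frame on a HIF: stamp the port's VIF as svif_id and send up the NIF.
        dvif_id is 0 because the parent, not the FEX, chooses the destination."""
        tag = build_vntag(dvif_id=0, svif_id=self.hif_to_vif[hif], direction=0)
        return frame[:ETH_HDR_LEN] + tag + frame[ETH_HDR_LEN:]

    def nif_ingress(self, frame):
        """Tagged frame from the parent: strip the tag, hand it to the HIF named by dvif_id."""
        parsed = parse_vntag(frame)
        if parsed is None or parsed[0]["direction"] != 1:
            raise ValueError("a NIF only accepts VN-Tagged frames with d=1 from the parent")
        fields, untagged = parsed
        return self.vif_to_hif[fields["dvif_id"]], untagged

class ParentSwitch:
    """Controlling bridge: owns the LIFs, learns MACs, makes every forwarding decision."""
    def __init__(self):
        self.lifs = {}        # vif -> LIF name, e.g. 0x0A3 -> "Ethernet100/1/1"
        self.mac_table = {}   # learned source MAC -> vif it was seen on

    def add_lif(self, lif, vif):
        self.lifs[vif] = lif

    def forward(self, frame):
        """Learn src MAC against svif_id; return [(dvif_id, frame tagged for that VIF), ...]."""
        parsed = parse_vntag(frame)
        if parsed is None or parsed[0]["direction"] != 0:
            raise ValueError("expected a host->bridge (d=0) VN-Tagged frame from a FEX")
        fields, untagged = parsed
        dst, src, svif = untagged[:6], untagged[6:12], fields["svif_id"]
        self.mac_table[src] = svif
        # Known unicast goes to one VIF; unknown floods to every LIF except the ingress one.
        targets = [self.mac_table[dst]] if dst in self.mac_table else [v for v in self.lifs if v != svif]
        out = []
        for dvif in targets:
            tag = build_vntag(dvif_id=dvif, svif_id=svif, direction=1)
            out.append((dvif, untagged[:ETH_HDR_LEN] + tag + untagged[ETH_HDR_LEN:]))
        return out

def demo():
    """Host on Ethernet100/1/1 sends to an unknown MAC; the parent floods it to 100/1/2."""
    fex = Fex({"Ethernet100/1/1": 0x0A3, "Ethernet100/1/2": 0x0A4})
    parent = ParentSwitch()
    for hif, vif in fex.hif_to_vif.items():
        parent.add_lif(hif, vif)
    host_frame = bytes.fromhex("000000000002" "000000000001" "0800") + b"constructed payload"
    uplink = fex.hif_ingress("Ethernet100/1/1", host_frame)
    return [fex.nif_ingress(tagged) for _, tagged in parent.forward(uplink)]

if __name__ == "__main__":
    for hif, frame in demo():
        print(hif, frame.hex())
```

Running the file shows a frame entering on Ethernet100/1/1 being flooded by the parent and delivered out of Ethernet100/1/2. What the model enforces is what a real deployment relies on: a NIF accepts only tagged frames from the parent, a HIF accepts only untagged host frames, and the FEX never looks at the destination MAC.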

Thursday 21 March 2019

Nexus Switches Overview

The Cisco Nexus family of products has become extremely popular in small and large data centers thanks to its ability to unify storage, data and networking services.
Together with the Cisco Fabric Interconnect it provides a rock-solid programmable platform that fully supports virtualized environments.

The Cisco Nexus family includes a generous number of different Nexus models to meet the demands of any Data Center environment.

Nexus Family Switch



The Cisco Nexus family consists of the following series:

1) CISCO NEXUS 9000 SERIES SWITCHES
The Nexus 9000 data center switches can operate in Cisco NX-OS mode or in Application Centric Infrastructure (ACI) mode.
The main features of the Cisco Nexus 9000 Series are support for Fabric Extender technology (FEX), virtual Port Channel (vPC) and Virtual Extensible LAN (VXLAN).


Nexus 9K Switches


2) CISCO NEXUS 7000 SERIES SWITCHES
The Nexus 7000 data center switches can provide an end-to-end data center architecture on a single platform, covering the data center core, aggregation and access layers. The 7000 series provides high-density 10, 40 and 100 Gigabit Ethernet interfaces. Its main features are support for FEX, virtual Port Channel (vPC), Virtual Device Contexts (VDC), MPLS and FabricPath. In addition, the N7K supports robust and established technologies for data center interconnect (DCI) between multiple sites.

Nexus 7K Switches


3) CISCO NEXUS 5000 SERIES SWITCHES

The Nexus 5000 data center switches provide the access layer (end of row), with architectural support for virtualization and Unified Fabric environments. The Cisco Nexus 5000 Series supports VXLAN and comprehensive Layer 2 and Layer 3 features for scaling data center networking, along with native Fibre Channel, Ethernet and FCoE interfaces. The default system software includes most Nexus 5000 platform features, such as Layer 2 security and management features. Licensed features include Layer 3 routing, IP multicast and enhanced Layer 2 (Cisco FabricPath).

Nexus 5K Switches



4) CISCO NEXUS 3000 SERIES SWITCHES
The product family offers sub-microsecond latency, line-rate Layer 2 and Layer 3 unicast and multicast switching, and support for 40 Gigabit Ethernet interfaces. The Cisco Nexus 3000 Series switches are positioned for environments with ultra-low latency requirements such as financial high-frequency trading (HFT), high-performance computing (HPC) and automotive crash-test simulation.

Nexus 3K Switches

The Cisco Nexus 3000 platform offers more than 15 models to satisfy the switching needs an organization might have, starting with 1 Gigabit Ethernet ports and scaling all the way up to 32 100 Gigabit Ethernet ports on the Nexus 3232C. Environments sensitive to delay benefit from this series, which is designed to keep switching latency to a minimum while offering large buffer space per port.

Sunday 2 April 2017

Cloud Computing Security Threat - IV

Continuing with the security threats of cloud computing.

Threat No. 10: Cloud service abuses

Cloud services can be commandeered to support nefarious activities, such as using cloud computing resources to break an encryption key in order to launch an attack. Other examples include launching DDoS attacks, sending spam and phishing emails, and hosting malicious content.
Providers need to be able to recognize types of abuse, for example by scrutinizing traffic to detect DDoS attacks, and to offer tools for customers to monitor the health of their cloud environments. Customers should make sure providers offer a mechanism for reporting abuse. Although customers may not be the direct prey of such malicious actions, cloud service abuse can still cause service availability issues and data loss for them.

Threat No. 11: DoS attacks

DoS attacks have been around for years, but they've gained prominence again thanks to cloud computing because they often affect availability. Systems may slow to a crawl or simply time out. “Experiencing a denial-of-service attack is like being caught in rush-hour traffic gridlock; there is one way to get to your destination and there is nothing you can do about it except sit and wait,” the report said.
DoS attacks consume large amounts of processing power, a bill the customer may ultimately have to pay. While high-volume DDoS attacks are very common, organizations should be aware of asymmetric, application-level DoS attacks, which target Web server and database vulnerabilities.
Cloud providers tend to be better poised to handle DoS attacks than their customers, the CSA said. The key is to have a plan to mitigate the attack before it occurs, so administrators have access to those resources when they need them.

Threat No. 12: Shared technology, shared dangers

Vulnerabilities in shared technology pose a significant threat to cloud computing. Cloud service providers share infrastructure, platforms, and applications, and if a vulnerability arises in any of these layers, it affects everyone. “A single vulnerability or misconfiguration can lead to a compromise across an entire provider’s cloud,” the report said.
If an integral component gets compromised -- say, a hypervisor, a shared platform component, or an application -- it exposes the entire environment to potential compromise and breach. The CSA recommended a defense-in-depth strategy, including multifactor authentication on all hosts, host-based and network-based intrusion detection systems, applying the concept of least privilege, network segmentation, and patching shared resources.

Friday 31 March 2017

Cloud Computing Security Threats-III

Continuing with the threats to cloud computing:

Threat No. 7: The APT parasite

The CSA aptly calls advanced persistent threats (APTs) “parasitical” forms of attack. APTs infiltrate systems to establish a foothold, then stealthily exfiltrate data and intellectual property over an extended period of time.
APTs typically move laterally through the network and blend in with normal traffic, so they're difficult to detect. The major cloud providers apply advanced techniques to prevent APTs from infiltrating their infrastructure, but customers need to be as diligent in detecting APT compromises in cloud accounts as they would in on-premises systems.
Common points of entry include spear phishing, direct attacks, USB drives preloaded with malware, and compromised third-party networks. In particular, the CSA recommends training users to recognize phishing techniques.
Regularly reinforced awareness programs keep users alert and less likely to be tricked into letting an APT into the network -- and IT departments need to stay informed of the latest advanced attacks. Advanced security controls, process management, incident response plans, and IT staff training all lead to increased security budgets. Organizations should weigh these costs against the potential economic damage inflicted by successful APT attacks.

Threat No. 8: Permanent data loss

As the cloud has matured, reports of permanent data loss due to provider error have become extremely rare. But malicious hackers have been known to permanently delete cloud data to harm businesses, and cloud data centers are as vulnerable to natural disasters as any facility.
Cloud providers recommend distributing data and applications across multiple zones for added protection. Adequate data backup measures are essential, as well as adhering to best practices in business continuity and disaster recovery. Daily data backup and off-site storage remain important with cloud environments.
The burden of preventing data loss is not all on the cloud service provider. If a customer encrypts data before uploading it to the cloud, then that customer must be careful to protect the encryption key. Once the key is lost, so is the data.
Compliance policies often stipulate how long organizations must retain audit records and other documents; losing such data may have serious regulatory consequences. The EU's General Data Protection Regulation (GDPR) also treats destruction or corruption of personal data as a personal data breach requiring appropriate notification. Know the rules to avoid getting into trouble.

Threat No. 9: Inadequate diligence

Organizations that embrace the cloud without fully understanding the environment and its associated risks may encounter a “myriad of commercial, financial, technical, legal, and compliance risks,” the CSA warned. Due diligence applies whether the organization is trying to migrate to the cloud or merging (or working) with another company in the cloud. For example, organizations that fail to scrutinize a contract may not be aware of the provider’s liability in case of data loss or breach.
Operational and architectural issues arise if a company's development team lacks familiarity with cloud technologies as apps are deployed to a particular cloud. The CSA reminds organizations they must perform extensive due diligence to understand the risks they assume when they subscribe to each cloud service.

Thursday 30 March 2017

Cloud Computing- Security Threats-II

The shared, on-demand nature of cloud computing introduces the possibility of new security breaches that can erase any gains made by the switch to cloud technology. Cloud services by nature enable users to bypass organization-wide security policies and set up their own accounts in the service of shadow IT projects.

Continuing with the security threats, the following also apply to cloud deployments.

Threat No. 4: Exploited system vulnerabilities

System vulnerabilities, or exploitable bugs in programs, are not new, but they've become a bigger problem with the advent of multitenancy in cloud computing. Organizations share memory, databases, and other resources in close proximity to one another, creating new attack surfaces.
Fortunately, attacks on system vulnerabilities can be mitigated with “basic IT processes,” says the CSA. Best practices include regular vulnerability scanning, prompt patch management, and quick follow-up on reported system threats.

According to the CSA, the costs of mitigating system vulnerabilities “are relatively small compared to other IT expenditures.” The expense of putting IT processes in place to discover and repair vulnerabilities is small compared to the potential damage. Regulated industries need to patch as quickly as possible, preferably as part of an automated and recurring process, recommends the CSA. Change control processes that address emergency patching ensure that remediation activities are properly documented and reviewed by technical teams.

Threat No. 5: Account hijacking

Phishing, fraud, and software exploits are still successful, and cloud services add a new dimension to the threat because attackers can eavesdrop on activities, manipulate transactions, and modify data. Attackers may also be able to use the cloud application to launch other attacks.
Common defense-in-depth protection strategies can contain the damage incurred by a breach. Organizations should prohibit the sharing of account credentials between users and services, as well as enable multifactor authentication schemes where available. Accounts, even service accounts, should be monitored so that every transaction can be traced to a human owner. The key is to protect account credentials from being stolen, the CSA says.
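One concrete form of the multifactor authentication recommended above is a time-based one-time password (TOTP, RFC 6238). The following is an added example, not code from the page or the CSA: a minimal server-side verifier that derives the expected code from a shared key and the current 30-second step, compares it in constant time, tolerates one step of clock skew, and refuses to accept a code for a step that has already been used, so a code captured by a phisher cannot be replayed after the victim logs in. The key used in the demo is the reference key from RFC 6238's test vectors.

```python
"""TOTP (RFC 6238) second factor with replay protection.
Added example, not code from the page or the CSA. A stolen password alone is not enough
to log in: the server also needs a code derived from a shared key and the current
30-second time step, and it refuses to accept a step it has already consumed."""
import hashlib
import hmac
import struct
import time

def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

def totp(key: bytes, unix_time: float, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(key, int(unix_time) // step, digits, digestmod)

class TotpVerifier:
    """Server side of the second factor.

    Accepts a code for the current step or up to `window` steps either side (clock skew),
    compares in constant time, and never accepts a step at or below the last one used, so
    a code captured by a phisher or keylogger cannot be replayed after the victim logs in."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self.last_counter = None   # highest time step consumed by a successful login

    def verify(self, code: str, now: float = None) -> bool:
        if now is None:
            now = time.time()
        if len(code) != self.digits or not code.isdigit():
            return False
        counter = int(now) // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if self.last_counter is not None and candidate <= self.last_counter:
                continue   # replay: this step, or an earlier one, has already been used
            expected = hotp(self.key, candidate, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time compare
                self.last_counter = candidate
                return True
        return False

if __name__ == "__main__":
    key = b"12345678901234567890"          # reference key from RFC 6238 Appendix B
    verifier = TotpVerifier(key, digits=8)
    now = 1111111109                         # a fixed instant so the demo is repeatable
    code = totp(key, now, digits=8)
    print("first use of", code, "->", verifier.verify(code, now))             # True
    print("replay of", code, "->", verifier.verify(code, now))                # False
    print("password only, guessed code ->", verifier.verify("00000000", now))  # False
```

In production the shared key is provisioned once (for example as an otpauth QR code) and stored with the same care as a password hash, and the replay check needs per-user persistent storage of `last_counter`, not a process-local attribute; otherwise a restart reopens the window. This is also why the CSA's advice against sharing credentials between users matters: a shared TOTP key gives every holder the same factor and makes the audit trail meaningless.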

Threat No. 6: Malicious insiders

The insider threat has many faces: a current or former employee, a system administrator, a contractor, or a business partner. The malicious agenda ranges from data theft to revenge. In a cloud scenario, a hellbent insider can destroy whole infrastructures or manipulate data. Systems that depend solely on the cloud service provider for security, such as encryption, are at greatest risk.
The CSA recommends that organizations control the encryption process and keys, segregating duties and minimizing access given to users. Effective logging, monitoring, and auditing administrator activities are also critical.
As the CSA notes, it's easy to misconstrue a bungling attempt to perform a routine job as "malicious" insider activity. An example would be an administrator who accidentally copies a sensitive customer database to a publicly accessible server. Proper training and management to prevent such mistakes becomes more critical in the cloud, due to greater potential exposure.

Tuesday 28 March 2017

Cloud Computing-Security Threats-I

Top security threats organizations face when using cloud services

Enterprises are no longer sitting on their hands, wondering if they should risk migrating applications and data to the cloud. They're doing it -- but security remains a serious concern.

The first step in minimizing risk in the cloud is to identify the top security threats.
The shared, on-demand nature of cloud computing introduces the possibility of new security breaches that can erase any gains made by the switch to cloud technology, the CSA warned. As noted in previous CSA reports, cloud services by nature enable users to bypass organization-wide security policies and set up their own accounts in the service of shadow IT projects. New controls must be put in place.

Threat No. 1: Data breaches

Cloud environments face many of the same threats as traditional corporate networks, but due to the vast amount of data stored on cloud servers, providers become an attractive target. The severity of potential damage tends to depend on the sensitivity of the data exposed. Exposed personal financial information tends to get the headlines, but breaches involving health information, trade secrets, and intellectual property can be more devastating.
When a data breach occurs, companies may incur fines, or they may face lawsuits or criminal charges. Breach investigations and customer notifications can rack up significant costs. Indirect effects, such as brand damage and loss of business, can impact organizations for years.
Cloud providers typically deploy security controls to protect their environments, but ultimately, organizations are responsible for protecting their own data in the cloud. The CSA has recommended organizations use multifactor authentication and encryption to protect against data breaches.

Threat No. 2: Compromised credentials and broken authentication 

Data breaches and other attacks frequently result from lax authentication, weak passwords, and poor key or certificate management. Organizations often struggle with identity management as they try to allocate permissions appropriate to the user’s job role. More important, they sometimes forget to remove user access when a job function changes or a user leaves the organization.
Multifactor authentication systems such as one-time passwords, phone-based authentication, and smartcards protect cloud services because they make it harder for attackers to log in with stolen passwords. The Anthem breach, which exposed more than 80 million customer records, was the result of stolen user credentials. Anthem had failed to deploy multifactor authentication, so once the attackers obtained the credentials, it was game over.
Many developers make the mistake of embedding credentials and cryptographic keys in source code and leaving them in public-facing repositories such as GitHub. Keys need to be appropriately protected, and a well-secured public key infrastructure is necessary, the CSA said. They also need to be rotated periodically to make it harder for attackers to use keys they’ve obtained without authorization.
Organizations planning to federate identity with a cloud provider need to understand the security measures the provider uses to protect the identity platform. Centralizing identity into a single repository has its risks. Organizations need to weigh the trade-off of the convenience of centralizing identity against the risk of having that repository become an extremely high-value target for attackers.
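A first line of defense against the embedded-credential mistake described above is a scan of source text before it is committed or pushed. The following is an added example, not a tool from the page or the CSA: a small scanner combining format-specific patterns (AWS access key IDs, PEM private key headers, quoted literals assigned to password- or token-like names) with a Shannon-entropy heuristic for long random-looking tokens it has no pattern for. The sample file is constructed; the AWS values in it are the placeholder examples from AWS's own documentation, not live keys, and the rule names are mine.

```python
"""Scan source text for embedded credentials before it reaches a repository.
Added example, not a tool from the page. Pattern names are mine; the AWS and PEM formats
are the public ones, and the sample file below is constructed (the AWS values are the
placeholder examples from AWS's own documentation, not live keys)."""
import math
import re

PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # A secret-like name followed by a quoted literal of 8+ chars. Reading the value from
    # the environment or a vault does not match because no quoted literal follows the '='.
    "assigned_secret": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|token|api[_-]?key)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}
HIGH_ENTROPY_TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0   # bits/char; identifiers sit around 3, random base64 above 4

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0 for a repeated character)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def redact(value: str) -> str:
    """Keep enough to recognise the finding without re-leaking it in the report."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "*" * len(value)

def scan_line(path: str, lineno: int, line: str) -> list:
    findings, seen = [], set()
    for name, rx in PATTERNS.items():
        for m in rx.finditer(line):
            value = m.group(1) if m.groups() else m.group(0)
            seen.add(value)
            findings.append({"path": path, "line": lineno, "rule": name, "preview": redact(value)})
    # Entropy heuristic, only on assignment-looking lines, for key formats the regexes miss.
    if "=" in line or ":" in line:
        for m in HIGH_ENTROPY_TOKEN.finditer(line):
            tok = m.group(0)
            if tok not in seen and shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                seen.add(tok)
                findings.append({"path": path, "line": lineno, "rule": "high_entropy", "preview": redact(tok)})
    return findings

def scan_text(path: str, text: str) -> list:
    findings = []
    for i, line in enumerate(text.splitlines(), 1):
        findings.extend(scan_line(path, i, line))
    return findings

# Constructed sample: lines 2-4, 6 and 7 should be flagged, line 5 (env lookup) should not.
SAMPLE_SOURCE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = "Sup3r-S3cret-Pa55word"
safe_password = os.environ["DB_PASSWORD"]
SIGNING_KEY = "kJ3vN8xQ2wR7mZ5tY0pL4cB9hF6dG1sA"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text("settings.py", SAMPLE_SOURCE):
        print(f"{f['path']}:{f['line']}: {f['rule']}: {f['preview']}")
```

Run it as a pre-commit hook or in CI and fail the build on any finding. Expect to tune the entropy threshold and to keep an allow-list for test fixtures; the point is that a secret which never reaches the repository never needs rotating, and one that does reach it must be rotated regardless of how quickly the commit is removed, because clones and forks keep history.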

Threat No. 3: Hacked interfaces and APIs

Practically every cloud service and application now offers APIs. IT teams use interfaces and APIs to manage and interact with cloud services, including those that offer cloud provisioning, management, orchestration, and monitoring.
The security and availability of cloud services -- from authentication and access control to encryption and activity monitoring -- depend on the security of the API. Risk increases with third parties that rely on APIs and build on these interfaces, as organizations may need to expose more services and credentials, the CSA warned. Weak interfaces and APIs expose organizations to security issues related to confidentiality, integrity, availability, and accountability.
APIs and interfaces tend to be the most exposed part of a system because they're usually accessible from the open Internet. The CSA recommends adequate controls as the “first line of defense and detection.” Threat modeling applications and systems, including data flows and architecture/design, become important parts of the development lifecycle. The CSA also recommends security-focused code reviews and rigorous penetration testing.