Managing Cisco programmatically; Telnet vs SNMP? [closed] - network-programming

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 7 years ago.
I was recently approached by a network-engineer, co-worker who would like to offload his minor network admin duties to a junior-level helpdesk tech. The specific location in need of management acts as an ISP for tenants on its single-site property, so there's a lot of small adjustments being made on a daily basis.
I am thinking it would be helpful to write him a winform app to manage the 32 Cisco devices, on-site. I'd like to initially provide functionality which could modify access control lists, port VLAN assignments, and bandwidth limitations per VLAN... adding more to the list as its deemed valuable.
My initial thought was to emulate a telnet session with the network device; utilizing my network-engineer's familiarity with the command-line / IOS interaction. Minimal time would be required to learn Cisco IOS conventions, myself.
Though while searching for solutions, it appears that most people favor SNMP. That, or, their specific circumstances pushed them in the direction of SNMP.
I wanted to know if I've overlooked an obvious benefit of SNMP. Should I be using SNMP? Why or why not?

SNMP is great for getting information out of a Cisco device, but is not very useful controlling the device. (although technically, you can push a new config to a Cisco IOS device using a combination of SNMP and TFTP. But sending a whole new config is a pretty blunt instrument for controlling your router or switch).
One of the other commenters mentioned the Cisco IOS XR XML API. It's important to note that the IOS XR XML API is only available on devices that run IOS XR. IOS XR is only used on a few of Cisco's high end carrier class devices, so for 99% of all Cisco routers and switches the IOS XR XML API is not an option.
Other possibilities are SSH or HTTP (many Cisco routers, switches, AP, etc. have an optional web interface). But I'd recommend against either of those. To my knowledge, the web interface isn't very consistent across devices, and a rather surprising number of Cisco devices don't support SSH, or at least don't support it in the base license.
Telnet is really the only way to go, unless you're only targeting a small range of device models. To give you something to compare against, Cisco's own CiscoWorks network management software uses Telnet to connect to managed devices.

I wouldn't use SNMP, instead look at a little language called 'expect'. it makes for a very nice expect/response processor for these routers.

I have done a reasonable amount of real world SNMP programming with Cisco switches and find Python on top of Net-SNMP to be quite reasonable. Here is an example, via Google books, of uploading a new Cisco configuration via Net-SNMP and Python: Cisco Switch Upload via Net-SNMP and Python. I should disclose I was the co-author of the book referenced in the link.
Everyone's mileage may vary, but I personally do not like using expect, and prefer to use SNMP because it was actually designed to be a "Simple Network Management Protocol". In a pinch, expect is ok, but it would not be my first choice. One of the reasons some companies use expect is that a developer just gets used to using expect. I wouldn't necessarily chalk up bypassing SNMP just because there is an example of someone automating telnet or ssh. Try it out for yourself first.
There can be some truly horrible things that happen with expect, that may not be obvious as well. Because expect waits for input, under the right conditions there can be very subtle problems that are difficult to debug. This doesn't mean a very experienced developer can't develop reliable code with expect, but it is something to be aware of as well.
One of the other things you may want to look at is an example of using the multiprocessing module to write non-blocking SNMP code. Because this is my first post to stackoverflow I cannot post more than one link, but if you google for it you can find it, or another one on using IPython and Net-SNMP.
One thing to keep in mind when writing SNMP code is that it involves reading a lot of documentation and doing trial and error. In the case of Cisco, the documentation is quite good though.
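The "subtle problems" with expect-style automation that the answer above warns about are easy to reproduce. The example below is added here and is not code from any of the posters; it uses a constructed, chunked IOS-like transcript (hypothetical hostname `switch01`) and a stand-in `FakeTelnet` class instead of a real telnetlib session. It contrasts a naive matcher that tests each socket read in isolation (so a prompt split across two reads is never seen and the call hangs until its timeout) with a buffered matcher that accumulates the stream, checks several patterns (prompt or an access-denied banner) and fails fast with a deadline instead of waiting forever.

```python
import re
import time


class FakeTelnet:
    """Stand-in for a telnetlib/socket read loop (constructed for this
    example). Returns the next chunk of a scripted transcript, or b""
    when nothing has arrived yet, as a non-blocking read would."""

    def __init__(self, chunks):
        self._chunks = list(chunks)

    def read_some(self):
        return self._chunks.pop(0) if self._chunks else b""


# Constructed chunks: the prompt "switch01>" arrives in two separate reads,
# exactly the kind of split a TCP stream produces.
LOGIN_CHUNKS = [
    b"User Access Verification\r\nPassword: ",
    b"\r\nswitch01",
    b">",
]

# Constructed chunks for a failed login (IOS-style error text).
DENIED_CHUNKS = [b"Password: \r\n% Access denied\r\n"]

# hostname followed by '>' (user EXEC) or '#' (privileged EXEC) at end of line
PROMPT = re.compile(rb"(?m)^([\w-]+)([>#])\s*$")
DENIED = re.compile(rb"% (Access denied|Bad passwords)")


def naive_expect(session, pattern, timeout=0.2):
    """Buggy: matches each chunk on its own, so a prompt split across reads
    is never recognised and the loop runs until the timeout."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        m = pattern.search(session.read_some())
        if m:
            return m
    raise TimeoutError("prompt never matched")


def expect(session, patterns, timeout=0.2):
    """Accumulate everything read so far and search the whole buffer on every
    iteration. Returns (index of matching pattern, match object, buffer) or
    raises TimeoutError with the data seen, so a hang is diagnosable."""
    deadline = time.monotonic() + timeout
    buf = b""
    while True:
        for i, p in enumerate(patterns):
            m = p.search(buf)
            if m:
                return i, m, buf
        if time.monotonic() >= deadline:
            raise TimeoutError(f"no pattern matched; received {buf!r}")
        buf += session.read_some()


def classify(chunks):
    """Drive the buffered matcher over a transcript and report what it saw."""
    i, m, _ = expect(FakeTelnet(chunks), [PROMPT, DENIED])
    if i == 0:
        return ("prompt", m.group(1).decode(), m.group(2).decode())
    return ("denied",)


def naive_times_out(chunks):
    """True if the chunk-at-a-time matcher fails on this transcript."""
    try:
        naive_expect(FakeTelnet(chunks), PROMPT)
    except TimeoutError:
        return True
    return False


if __name__ == "__main__":
    print(classify(LOGIN_CHUNKS))       # ('prompt', 'switch01', '>')
    print(classify(DENIED_CHUNKS))      # ('denied',)
    print(naive_times_out(LOGIN_CHUNKS))  # True
```

The same buffer-and-deadline discipline applies whether the transport is telnetlib, an SSH channel or a console server: match on the accumulated stream, always include the error banners you expect the device to emit, and never wait without a deadline.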

SNMP isn't bad but it may not be able to do everything you need it to do. Depending on the library you use and how it hides the details of interacting with SNMP you may have a hard time finding the correct parts of the MIB to change and even knowing what or how to change them to do what you want.
One reason not to use SNMP is that you can do all the configuration you need using the IOS XR XML API. It could be a lot easier to bundle up the commands you want to send to the devices using that than to interact with SNMP.

I've found SNMP to be a pain for management. If you just need to grab a little data it's great; if you need to change things or use it heavily it can be very time consuming. In my case I'm comfortable with the CLI so a Telnet approach works well. I've written some Python scripts to perform administrative tasks on various pieces of network gear using Telnetlib.

SNMP has quite a significant CPU hit on the devices in question compared to telnet; I'd recommend telnet wherever possible. (As stated in a previous answer, the IOS XR XML API would be nice, but as far as I know IOS XR is only deployed on high-end carrier grade routers).
In terms of existing configuration management systems, two commercial players are HP Opsware, and EMC Voyence. Both will probably do what you need. I'm not aware of many open source solutions that actually support deploying changes. (RANCID, for example, only does configuration monitoring, not pre-staging and deploying config changes).
If you are going to roll your own solution, one thing I would recommend is sitting down with your network admin and coming up with a best-practice deployment model for the service he's providing (e.g. standardised ACL, QoS queue, and VLAN names; similar entries in ACLs that have the same function for different customers, etc.). Ensure that all the existing deployed config complies with this BP before you start your design, it will make the problem much more manageable. Best of luck.

Sidenote: before you reinvent the wheel writing another service provisioning system/network management system, try looking for existing ones. I know quite a lot of commercial solutions of various degrees of flexibility/functionality, but I am sure there are quite a lot of open source ones.

Cisco has included menu options for helpdesk applications. Basically you telnet to the box and it presents a nice clean menu (press 1, 2, 3). For more info check this link:
http://www.cisco.com/en/US/docs/ios/12_2/configfun/command/reference/frf001.html#wp1050026

Another vote for expect.
Also, you don't want to allow configuration of your firewalls via either telnet or SNMP - ssh is the only way to go. The reason is that ssh encrypts its payload, and will not expose the privileged management credentials to potential interception.
If for some reason you cannot use ssh directly, consider connecting up an ssh-enabled serial console server to the firewall's console port and configuring it that way.

Related

dockerfile create a image private [duplicate]

We all know situations when you cannot go open source and freely distribute software - and I am in one of these situations.
I have an app that consists of a number of binaries (compiled from C sources) and Python code that wraps it all into a system. This app used to work as a cloud solution so users had access to app functions via network but no chance to touch the actual server where binaries and code are stored.
Now we want to deliver the "local" version of our system. The app will be running on PCs that our users will physically own. We know that everything could be broken, but at least want to protect the app from possible copying and reverse-engineering as much as possible.
I know that Docker is a wonderful deployment tool so I wonder: is it possible to create encrypted Docker containers where no one can see any data stored in the container's filesystem? Is there a known solution to this problem?
Also, maybe there are well known solutions not based on Docker?
The root user on the host machine (where the docker daemon runs) has full access to all the processes running on the host. That means the person who controls the host machine can always get access to the RAM of the application as well as the file system. That makes it impossible to hide a key for decrypting the file system or protecting RAM from debugging.
Using obfuscation on a standard Linux box, you can make it harder to read the file system and RAM, but you can't make it impossible or the container cannot run.
If you can control the hardware running the operating system, then you might want to look at the Trusted Platform Module which starts system verification as soon as the system boots. You could then theoretically do things before the root user has access to the system to hide keys and strongly encrypt file systems. Even then, given physical access to the machine, a determined attacker can always get the decrypted data.
What you are asking about is called obfuscation. It has nothing to do with Docker and is a very language-specific problem; for data you can always do whatever mangling you want, but while you can hope to discourage the attacker it will never be secure. Even state-of-the-art encryption schemes can't help since the program (which you provide) has to contain the key.
C is usually hard enough to reverse engineer, for Python you can try pyobfuscate and similar.
For data, I found this question (keywords: encrypting files game).
If you want a completely secure solution, you're searching for the 'holy grail' of confidentiality: homomorphic encryption. In short, you want to encrypt your application and data, send them to a PC, and have this PC run them without its owner, OS, or anyone else being able to scoop at the data.
Doing so without a massive performance penalty is an active research project. There has been at least one project having managed this, but it still has limitations:
It's windows-only
The CPU has access to the key (ie, you have to trust Intel)
It's optimised for cloud scenarios. If you want to install this to multiple PCs, you need to provide the key in a secure way (ie just go there and type it yourself) to one of the PCs you're going to install your application, and this PC should be able to securely propagate the key to the other PCs.
Andy's suggestion on using the TPM has similar implications to points 2 and 3.
Sounds like Docker is not the right tool, because it was never intended to be used as a full-blown sandbox (at least based on what I've been reading). Why aren't you using a more full-blown VirtualBox approach? At least then you're able to lock up the virtual machine behind logins (as much as a physical installation on someone else's computer can be locked up) and run it isolated, encrypted filesystems and the whole nine yards.
You can either go lightweight and open, or fat and closed. I don't know that there's a "lightweight and closed" option.
I have exactly the same problem. Currently what I was able to discover is below.
A. Asylo (https://asylo.dev)
Asylo requires programs/algorithms to be written in C++.
Asylo library is integrated in docker and it seems to be feasible to create a custom docker image based on Asylo.
Asylo depends on many not so popular technologies like "proto buffers" and "bazel" etc. To me it seems that learning curve will be steep i.e. the person who is creating docker images/(programs) will need a lot of time to understand how to do it.
Asylo is free of charge
Asylo is brand new with all the advantages and disadvantages of being that.
Asylo is produced by Google but it is NOT an officially supported Google product according to the disclaimer on its page.
Asylo promises that data in trusted environment could be saved even from user with root privileges. However, there is lack of documentation and currently it is not clear how this could be implemented.
B. Scone (https://sconedocs.github.io)
It is bound to Intel SGX technology, but there is also a simulation mode (for development).
It is not free. It has just a small set of functionalities which are not paid.
Seems to support a lot of security functionalities.
Easy for use.
They seem to have more documentation and instructions on how to build your own docker image with their technology.
For the Python part, you might consider using Pyinstaller, with appropriate options, it can pack your whole python app in a single executable file, which will not require python installation to be run by end users. It effectively runs a python interpreter on the packaged code, but it has a cipher option, which allows you to encrypt the bytecode.
Yes, the key will be somewhere around the executable, and a very savvy customer might have the means to extract it, thus unraveling a not so readable code. It's up to you to know if your code contains some big secret you need to hide at all costs. I would probably not do it if I wanted to charge big money for any bug solving in the deployed product. I could use it if the client has good compliance standards and is not a potential competitor, nor is expected to pay for more licenses.
While I've done this once, I honestly would avoid doing it again.
Regarding the C code, if you can compile it into executables and/or shared libraries, they can be included in the executable generated by Pyinstaller.

Webrtc server for mobile application

I want to create mobile apps using webRTC APIs. My basic need is one-to-one video calling capability. Should I just use an open source webRTC server like openwebrtc? I want it to handle at least 5k clients. Is there any other option to fulfill my needs?
This question is very broad (and this isn't a proper answer), and is likely to attract very opinionated answers, and is also likely to be deemed as off-topic for Stack Overflow.
Having said that, if you can provide more information, you might get some reasonable opinions.
Please provide more information about what is important to you.
As WebRTC is a peer-to-peer system, scaling isn't a major issue. You need a signalling server of some kind to do call establishment. That work is over quite quickly, and then the two parties can continue the call without needing the server any more.
I don't have experience with openwebrtc, but I have used PeerJS, and found it to be quite good. It hasn't been updated in 2 years, but it seems to do the job pretty well, and is quite lightweight.
There are some commercial offerings around, but I question the value, as they leverage heavily from the open source components, and rely on the browsers for support. They are probably worth using if you want to do many-to-many video calling, as that is when you need a video server.
WebRTC is supposed to be easy, and it has been in the browsers for several years now (notably excluding Safari and IOS). It is a difficult area, and will take some time to master.
OpenWebRTC project is a reasonable option for a basic video calling native mobile app; its signalling server is only a basic demo, all written in JavaScript. As such, it should not crash on 5K simultaneous peer video connections.
But a real-world solution might require much more than this: TURN and STUN services, backup for the moments of hardware failure, load balancing, statistics and administration interfaces. Take security seriously: you should be able to cut out a spammer or other offender, in addition to protection against hackers.
Server software that can help you will not necessarily cost much. See also https://stackoverflow.com/a/38810518/192373.

Using delphi to block websites

I program my local school's program launcher, which allows students to get on the internet with a randomly generated key provided by a teacher. This is done by changing the proxy in Internet Explorer to the one needed for the internet and the web filter.
With the schools website and learning resources gradually moving to offsite hosting the internet key is needed for the students to access them. What the school would like is a way to enable these websites without unblocking the rest of the internet unless the internet key is given to the student.
The two ways I've come up with doing this by googling are to block all websites in IE Content Advisor except those that are allowed without the key, or to create another proxy in Delphi which the program can make IE point to and which will only allow certain websites through to the real proxy.
I am reasonably fluent in simple Delphi functions with an A level in computing but don't have a clue where to start with this and would appreciate any help.
Don't go through the DIY path - use a proxy with blacklist/whitelist functionalities, you can also set up a "transparent proxy" through which all internet traffic is routed and doesn't require to setup the proxy in browsers. You can also use proxy authentication to setup who can access what.
In Delphi you will end up writing a proxy with the same functionalities. If you don't have a very good reason to write your own proxy, it's far better to go with an already existing solution, which is also already tested by a lot of users. There are commercial and opensource/free ones.
If you really like to write a proxy in Delphi:
A good knowledge of how TCP, HTTP(S), and a proxy works is required.
The application needs to be a service, and should be robust or accessing the Internet may become impossible.
The application will have to serve concurrent requests, therefore it needs to be multithreaded (Indy offers a basic HTTP proxy component - how well it scales I do not know, and it implements basic features only).
If you need authentication, knowledge of authentication methods, and if integrated authentication is needed, how Windows authentication works.
It should be tested with all the browser types used.
Although a very interesting app to write from scratch if you liked to learn about that all, if you have a "business need" it's better to use an already existing one.
+1 and the proxy may cache some of the Internet resources, so the whole Internet experience will be smoother with such a tool.
I'll recommend using a linux box (some old PC can be revamped into this) with Squid, just to separate your students network to the Internet. There is a lot of info on the Internet about that, and also dedicated linux distributions: a lot of schools around the world had the same problem!
OpenDNS is the best place to start. Put that up, set all PCs to use it, and that'll take care of most of your problems.
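The allow-list check is the one part of the Delphi proxy idea above that is genuinely easy to get wrong, whichever proxy ends up doing it. The example below is added here (it is not code from any of the posters, and it is in Python rather than Delphi because the decision logic is the point, not the transport). It assumes a hypothetical allow-list of two school hosts, one with subdomains, and shows the bug of matching an allowed name anywhere in the URL string next to a check that extracts the host from the request target (a full URL for plain HTTP, a `host:port` target for HTTPS CONNECT) and compares it by exact name or dot-bounded suffix.

```python
from urllib.parse import urlsplit

# Hypothetical allow-list: hosts reachable without the internet key.
ALLOWED_HOSTS = {"school.example.edu", "learning.example.org"}
# Any subdomain of these is also allowed (note the leading dot).
ALLOWED_SUFFIXES = (".school.example.edu",)


def host_of(target):
    """Extract the host a proxy request is really going to.

    `target` is either an absolute URL (HTTP proxy request line) or a
    `host:port` string (HTTPS CONNECT request line). IPv6 bracket syntax is
    not handled here, to keep the example short."""
    if "://" in target:
        host = urlsplit(target).hostname or ""   # drops userinfo and port
    else:
        host = target.rsplit(":", 1)[0]
    return host.rstrip(".").lower()


def substring_allowed(target):
    """Buggy version: an allowed name anywhere in the string is enough."""
    return any(name in target.lower() for name in ALLOWED_HOSTS)


def host_allowed(target):
    """Correct version: compare the extracted host by exact match or by a
    dot-bounded suffix so 'school.example.edu.evil.test' is not accepted."""
    host = host_of(target)
    if not host:
        return False
    if host in ALLOWED_HOSTS:
        return True
    return any(host.endswith(suffix) for suffix in ALLOWED_SUFFIXES)


def proxy_decision(target, key_valid):
    """What the filtering proxy should do with a request: forward it when the
    student has entered a valid internet key, or when the host is allow-listed."""
    return "forward" if key_valid or host_allowed(target) else "block"


if __name__ == "__main__":
    # Constructed request targets, including three that try to look allowed.
    for t in [
        "http://school.example.edu/portal",
        "lms.school.example.edu:443",
        "http://evil.test/?q=school.example.edu",
        "http://school.example.edu.evil.test/",
        "http://school.example.edu@evil.test/",
    ]:
        print(f"{t:45} substring={substring_allowed(t)!s:5} host={host_allowed(t)}")
```

Whatever implements the proxy, the test cases in the block are the ones to keep: an allowed name in the query string, as a prefix of another domain, and as the userinfo part of a URL must all be blocked when no key has been entered.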

Seeking suggestion for my graduation project in Web development

I have to confirm the details of my graduation project recently.
I set up a goal for myself: it should have value (maybe as an open source project or a tool that can be used by others).
Can you suggest some ideas or projects pertaining to one of :
Web architect, Social Media, Ruby, ROR, Testing.
Thanks!:D
First choose something that both interests you and is in the scope of your abilities.
After you have made such a choice, formalize the decision, perform research and, build requirements; at this stage one can still set "how big a bite they can chew". Most professors I have dealt with are understanding of partial implementations as long as the expectations have been previously established.
Finally, decide on the tools/language and approach for implementation that best fits the requirements and resources (this includes your time, desired level of effort vs payout, and ability).
I personally find web work absolutely dull, but if I were to write something new, by choice, that was "web-related" and "social" it would be a multi-user interactive whiteboard which is in turn an extension of a real-time collaborative document. (I actually used this as one of my own projects, albeit I focused on a specific protocol implementation.)
I just had this thing a while ago .... and I really needed some help with that same problem ....
I got a couple of ideas, which I already used one of, so I'll suggest the other:
It's a network monitoring system based on the "SNMP" protocol, gets its data from the SNMP agent on the desired machine (which can be a computer, a router, a printer, ..., anything connected to the network), and alerts the administrator (when something wrong is there like too many ports are open, or a denial of service problem, or too many TCP packets, so it might be a TCP ping problem, ...) in any way you would like (email, SMS, a live ajax warning, ...) ...
Sorry .... it sounds messy, but basically it will be like the "CACTI" or the "openNMS" systems (just google them), and it's based on a lot of technologies, things like: Ruby, MySQL (to save the actions and to have a users DB), Linux (I would use Debian), SNMP agents, cron (to schedule the basic system working), SSH/telnet (take a reaction to some harmful action), PHP/Ruby on Rails to build a web interface that can also connect to your database, ...
I know it sounded like a big fat thing to do, but it's not that hard .... I can provide more things if you want, because I worked out some kind of a specification for this thing.
When I was in college, I used to look into a lot of the programming contests (which involved 3-4 months of projects). Recently came across https://tgmc.in/project_scenario.php. Quite possible that you can get some ideas after reading these project descriptions!

Introduction to SNMP monitoring [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 2 years ago.
I've been tasked with writing a monitoring program for my company's server software that integrates with zenoss via snmp.
To be brief, I can't get anything up off the ground. I think my first goal is to figure out the correct way to write an snmp agent (in any language to start, although it will eventually be in java). Are there any good test harnesses out there? I've used snmptest, which ships with zenoss, but it's not much good to me if I can't get a test agent off the ground. I know the zenoss manual has a lot of info, but it seems to presume a prior knowledge of standard systems monitoring practices and tools, and I can barely penetrate it.
Also, is it generally a good practice to use snmp to monitor software?
Short description of a typical SNMP agent:
Set the agent up. This usually entails telling it what server to send alerts to.
Run it.
Send appropriate SNMP messages to the configured server when things happen.
Reply to requests from the configured server.
All of the request/reply stuff is done using SNMP messages. If your company does not have a specially designed/assigned OID for the server software, you'll need to look into the standard MIB definitions to determine which OID(s) are appropriate.
MIB: Management Information Block. These come in standard and custom flavors. Standard ones are defined by a standards body (IETF?). Custom ones are created by vendors to support information unique to their product(s). MIBs are basically collections of OIDs.
OID: Object IDentifier - this is a dotted-notation number string that identifies the piece of hardware/software, and the bit of information you're looking for from it - for example, the number of TX collisions on an ethernet port might look something like: 1.5.82.316.8.4.3 (though that's not a valid OID, it's just a made-up example).
More detail available at Wikipedia. Download a free MIB browser to get an idea of what OIDs look like, and how detailed they can get. Check the RFCs for more detailed information. Look at something like perl's Net-SNMP - you may even be able to use the snmpd software that's included with it to do most of your work.
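The answer above describes OIDs and the request/reply exchange in words; seeing the bytes makes both concrete, and also shows why the Cisco thread earlier on this page ends with a warning about credentials on the wire. The example below is added here and is not code from any of the posters or from Net-SNMP, SNMP4J or Zenoss: it is a minimal BER encoder and decoder for an SNMPv2c GetRequest/GetResponse carrying one variable binding. The OID `1.3.6.1.2.1.1.1.0` (sysDescr.0) is the standard MIB-2 object; the community string `public`, request id and the response value are constructed sample data. Decoding the packet recovers the community string in clear text, which is the reason SNMPv1/v2c community strings should be treated like passwords and confined to a management network (SNMPv3 adds authentication and privacy; it is not implemented here).

```python
# --- BER encoding primitives (SNMP uses a small subset of ASN.1 BER) ---

def _length(n):
    """Definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def enc_int(value):
    """INTEGER (tag 0x02), minimal two's-complement; non-negative values only here."""
    if value == 0:
        return _tlv(0x02, b"\x00")
    nbytes = (value.bit_length() + 8) // 8      # room for the sign bit
    return _tlv(0x02, value.to_bytes(nbytes, "big", signed=True))


def enc_oid(dotted):
    """OBJECT IDENTIFIER (tag 0x06): first two sub-ids packed as 40*a+b,
    the rest base-128 with a continuation bit on all but the last byte."""
    ids = [int(x) for x in dotted.split(".")]
    body = bytearray([40 * ids[0] + ids[1]])
    for sid in ids[2:]:
        groups = [sid & 0x7F]
        sid >>= 7
        while sid:
            groups.append(0x80 | (sid & 0x7F))
            sid >>= 7
        body += bytes(reversed(groups))
    return _tlv(0x06, bytes(body))


# --- Message construction ---

def build_pdu(pdu_tag, request_id, bindings):
    """bindings: list of (oid, value_tlv). 0xA0 = GetRequest, 0xA2 = Response."""
    vbl = b"".join(_tlv(0x30, enc_oid(oid) + val) for oid, val in bindings)
    return _tlv(pdu_tag, enc_int(request_id) + enc_int(0) + enc_int(0) + _tlv(0x30, vbl))


def build_get(community, oid, request_id=1):
    """SNMPv2c GetRequest for one OID; value is NULL (05 00) in a request."""
    pdu = build_pdu(0xA0, request_id, [(oid, b"\x05\x00")])
    return _tlv(0x30, enc_int(1) + _tlv(0x04, community.encode()) + pdu)


def build_response(community, oid, text, request_id=1):
    """Constructed agent reply carrying an OCTET STRING value."""
    pdu = build_pdu(0xA2, request_id, [(oid, _tlv(0x04, text.encode()))])
    return _tlv(0x30, enc_int(1) + _tlv(0x04, community.encode()) + pdu)


# --- Decoding ---

def _read_tlv(buf, i):
    """Return (tag, body, next_index) for the TLV starting at buf[i]."""
    tag, ln = buf[i], buf[i + 1]
    i += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[i:i + n], "big")
        i += n
    return tag, buf[i:i + ln], i + ln


def dec_oid(body):
    ids, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            ids.append(acc)
            acc = 0
    return ".".join(map(str, ids))


def dec_value(tag, body):
    if tag == 0x02:
        return int.from_bytes(body, "big", signed=True)
    if tag == 0x04:
        return body.decode("latin-1")
    if tag == 0x05:
        return None
    if tag == 0x06:
        return dec_oid(body)
    return body                                  # leave other types raw


def parse_message(packet):
    """Decode an SNMPv1/v2c message into a dict; raises ValueError on bad framing."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, i = _read_tlv(msg, 0)
    _, community, i = _read_tlv(msg, i)
    pdu_tag, pdu, _ = _read_tlv(msg, i)
    _, rid, j = _read_tlv(pdu, 0)
    _, err, j = _read_tlv(pdu, j)
    _, _idx, j = _read_tlv(pdu, j)
    _, vbl, _ = _read_tlv(pdu, j)
    bindings, k = [], 0
    while k < len(vbl):
        _, vb, k = _read_tlv(vbl, k)
        _, oid, m = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, m)
        bindings.append((dec_oid(oid), dec_value(vtag, val)))
    return {"version": dec_value(0x02, ver), "community": community.decode("latin-1"),
            "pdu_type": pdu_tag, "request_id": dec_value(0x02, rid),
            "error_status": dec_value(0x02, err), "bindings": bindings}
```

Running `parse_message(build_get("public", "1.3.6.1.2.1.1.1.0", 42))` returns the community string and OID it was built from, and `b"public"` is visible unchanged inside the packet bytes; a capture of real v2c traffic looks the same, which is the practical reason to keep v1/v2c agents off networks shared with the tenants being managed.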
SNMP is certainly an acceptable way to monitor your network, devices and servers. Because it uses UDP it won't unduly stress the network via TCP retries and the like (SNMP clients are, or should be, architected to handle dropped packets etc.). Plus you'll have a huge array of client solutions to monitor your system and integrate against.
If you envisage a final solution in Java, see the Java/SNMP documentation and SNMP4J
SNMP.com (founded by Jeffrey Case, one of the SNMP architects) sells extensible SNMP agents. One of these may save you a world of grief.
nSoftware has an SNMP agent (not free). This might be easier than rolling your own.
Also check out William Stallings' book: SNMP.
Zenoss is quite complicated and comes with many pre-defined SNMP stuff. Do you really need to code your own SNMP agents?
SNMP is a big topic, with lots of complexity if you go into all the details and all the historical versions of the protocol and related tools. I'd suggest picking up a copy of Essential SNMP by Mauro and Schmidt, which gives a very clear introduction to both the fundamental ideas behind SNMP as well as practical examples of how to get started with it and use it in practice with a number of different tools.
you can aim lower and try the Cacti (http://www.cacti.net/).
I too tried Zenoss but gave up. Cacti was up and running pretty fast. I just monitor use of bandwidth of quite a few routers and many many ports in switches all over the country. But there are templates for monitoring all kinds of things more related to a single server (temp, fan speed etc.)
BR. Anders
