This is another edit on my article on becoming an IT Engineer and as always questions are welcomed and indeed encouraged. I apologize for the reposts, but none of it is deliberate, were it possible to edit a posting on the fly after 180 minutes had elapsed. It’s simply the case of lack of time in my busy schedule lately that afflicted me lately, whereby the original variant here was actually typed as I furiously blasted away at my keyboard en route to a straight 34 hour shift, interrupted only by two minor bathroom breaks for a project I am working on!
Pardon the length, and the applicability to multiple different forums depending on where I post it, but for those masochists who hang in there to the end, there is some good to be learnt by more than a few on a serious note, and with no further ado, grab the coffee mugs and jump on the wagon:
ARE YOU INTERESTED IN PURSUING IT AS A CAREER?
HIGH SCHOOL AND EARLY CAREER:
It’s a very long but rewarding journey, so grab some coffee and enjoy.
This top part is a minor digression relevant to this specific forum because we schooled together in the 4 formative high school years, and these will likely always stand out far and above any other phase of your life. Perhaps the most important reason that many might not be immediately clear is the transition from experiencing life under the parental/guardian umbrella, and creation of your own umbrella that is “you” today.
High School life revolved around constant hunger, mischief, and for some of us like myself, the absolute inability to remain awake during waking hours. I am perhaps one of very few that ranked sleeping slightly ahead of BREAD, which was a VERY BOLD statement for a high school teenage MALE anywhere, at least those days!! The 2K1->3Q1-4R train (Corruption having driven up Forms 1 and 2 population way north of 250, that a 6th stream had to be created!!!) accommodated my sleep well, because we SIMPLY lacked teachers in half the subjects, and literally half the students in our new 3Q1 class for the Outlawz got expelled after the early 3rd Form strike, and sadly for that matter resulted in the loss of KK, then MP Sambu’s son, in its wake, and thus sleep punctuated the blank lessons. Some interesting occurrences included the fact: I simply don’t for instance remember having a Biology teacher among various other subjects in Form 3 and 4, and I am not sure there was any; Mr. Makenzi’s form 2 Chemistry lesson on Pauli’ s exclusion principle, a joint Chemistry lesson in form 2 with whoever Siwo taught Chem, when my life and limb was threatened to immediately cease to exist and into oblivion, through the use of a lit up Bunsen Burner that Siwo trained on me with wild and dead serious gesticulation for my ‘stupid question’ to “disambiguate acidified water from dilute sulfuric acid”, thanks to differing descriptions from the Form 2 Patel Physics Book and Form 1 KIE Chem Book, of the electrolysis process (this was an epic moment and don’t know if anyone remembers being so kitambo hahaha!!!); myself bothering to only ever study Maths/Physics/Chem while very convincingly B’Sing through the rest, stealing points where I had no clue about the truth; that once in Form 3 I think, during the misery of really cold July weather and a flu to match, I was dead asleep snoring in Foko’s Chem class, and the way he was a wrong number, yet nobody woke me up, but instead they were laughing at me, and I was miraculously not caught!!
I never went through the 4 year University routine for various good reasons, and as you eagerly opened ur University invitations, I had gotten to California, 70 US dollars in hand and a “good luck” message to eke it out on my own, cruised the blue collar sector, learnt about the brutality of how US sometime later upon the incidence of 911 when crap hit the fan with massive layoffs, joined the US Air Force, did some evening classes, enough to probably cumulatively square out a full time College year, and through magnificent sleight of hand converted that into an Associates Degree, and stopped doing classes altogether shortly thereafter, as they were a waste of my time, for I taught myself random stuff better with no term papers. I don’t remember a single term paper that was not put together in a hurry all night long leading to the AM when they were due! Somehow, I never was a fan of structured class work. As you graduated University, I was leaving the US Air Force as a seasoned Network Engineer, and the rest is History. I am HIGHLY INDEPENDENT minded and resistant to PEER PRESSURE, and I don’t doANYTHING coz others do if it makes no sense to me, no matter what anyone says or thinks. In high school, maybe 90% of all my company in school, and an emphatic 99.99% at home, were religious Ganja enthusiasts but I never puffed once, though, I wouldn’t dare introduce alcohol into this discussion!!
I am a Networking Consulting Engineer with Cisco Systems, arguably the largest Networking Equipment manufacturer in the world, which some may be familiar with, and others not, and there you get confronted with the ultimate challenges that will test you to breaking point!!
If you grasp the job of a Network Architect, it might give you a good picture of what I do. My job match-ups for interviews nowadays are predominantly MSc., and even some PhD. Holders, but nothing rattles me, and with not much difficulty I typically crush 98 to 99% of them to a job I am interested in. I am a very polished procrastinator, but for things I really want, I zero in and strike until I score. Even in High School my studying was a function of pure quality opposed to quantity of study.
OK so for most of you this is N/A, granted most of you are almost certainly seasoned experts in their respective fields by now, but for any cross trainees out there, or curious heads, much like I am, or even the seasoned professionals in various disciplines, one or two things may help you, or someone you know, such as a younger relative or friend seeking a mentor if they aspire to go the IT Engineering route.
OK now down to business on becoming an IT Engineer and how things might look like.
You may export to a word processor for easier reading.
BECOMING AN IT ENGINEER:
At the end I will glad to answer any question you may have, for, the most stupid question is the one you neglected to ask, or dare I that you asked Siwo!! The smartest people to a good extent flourish from an in-depth understanding of their weaknesses, while the happy go lucky delusional type assuming or pretending to know all are the morons, and this point I cannot emphatically enough enunciate.
The vastness of the IT industry is literally like a basket ball thrown at an arbitrary rim in the milky way galaxy.
It might be useful for those interested in Networking, to a lesser extent Programming, and to even a lesser extent, and perhaps even more so, the non-IT professionals with curiosity et cetera, but whatever the case, you might glean an iota or two that might prove beneficent. Even those Medical Doctors and many other professionals need to learn quite a significant amount of IT stuff to utilize state their state of the art toys at work.
In the various IT industries, you will find that there may be pre-requisite College Degree, Professional Certs, experience, and so forth to break into the system. People with less experience depend on a “robust looking resume” that is “degree/certification” based for there is no much else to populate, whereas with time, and for smart hiring managers experience is what generates that moolah for whichever organization may be in question. In many of these cases the College degree tends to be more a filtering mechanism to narrow the candidate pools, more so than direct relevance to the field, but granted some programs like Computer Science might prove relevant for those who take the programming route, and various other fields to a greater or lesser extent.
I am a Network Consulting Engineer with Cisco Systems, which some may have heard about, and others perhaps never, depending on your interests. It’s perhaps the biggest company that specializes in products aimed at the Networking Industry, but the margins are getting blurry between different fields nowadays. You might assume that I am an expert in 100% of the Cisco product portfolios, but that is very far from the truth for anybody, with reality closer to maybe 5% to 10%. Your skills manifest in being presented with some new or unfamiliar technology, and through the leveraging your experience, to gain functional competence in the same very quickly, which is tougher than one might at first glance think.
With no exaggerations whatsoever, the entirety of data sheets, white papers, technology briefs, guides etc., that Cisco has online in the aggregate would likely reach somewhere in the neighborhood of perhaps 50 million or more pages of ever changing documentation, for material that is predominantly not so easy to read like a novel, or you may opt to read them as such, but you will effectively instantiate an effective FIFO vestibule afferent through one ear and efferent the other, with no residue left in the middle, or rather, from “tablula rasa state 1” to “tabula rasa state 2”. This may be posited as travelling back to square zero. This does not mean we only get to work with the same 5% to 10% focus areas, but rather, that your focus at any one point in time amounts to that statistic and you must have the skills to pick up the “next 5% to 10%”.
Gone are the days when you could spend maybe 20 to 25 hours and literally grasping the full range of technologies Cisco offers on aggregate. Nowadays there are PARAGRAPHS inside some guides that might LITERALLY take that amount of time to fully comprehend! What is needed is a SOLID FOUNDATION IN THE ESSENTIALS, and an agile and resilient mindset 24/7.
The KEY REQUIREMENT of an experienced engineer is to take your understanding of technologies to carefully evaluate solutions that maximize the bottom line for your organization, whereby the priorities might LARGELY vary, e.g. the need for ABSOLUTE accuracy for Banking Industry systems, whereas SECURITY will be the primary focus on a Military network.
You will as well be expected to conduct both “executive briefs” for leadership who are the shot callers, as well as, and as such, accompanied with corresponding documentation, plus highly technical briefs to bring up to speed the “technical gurus” that may be resident in whichever customer organization you have been slotted to take care of.
ESSENTIALS:
This is the bedrock for any successful career, and especially as an IT engineer. It is analogous to the significance of Newton’s Law Of Motion to an aspiring Theoretical Physicist.
What does it take?
To claim ascendancy to expertise for a specific technology, two surefire tests will do:
=>Being able to explain the technology to someone with absolutely ZERO IT acumen, such that, they can clearly visualize the material in simple terms, and this without requiring anti-migraine medication. I fumble a lot on this one outside work, mostly accidentally though, but not when its actually needed for work though.
=>The ability to provide a detailed step by step process to get a specific technology set up, as well as the proper methodology to troubleshoot the same WHEN things go awry, not IF. That same ZERO acumen of IT competency afflicted person is who the procedures must be executed by as the litmus test! You got your work cut out.
Medical Doctors may take a variant of the “Hippocratic Oath”, of which the exact utterances may vary, but that generally correspond to the notion of “Primum Non Nocere”, or rather, “First Do No Harm.”
I guess you can learn some stuff from TV shows, as I did learn about the Hippocratic oath from Gil Grissom in CSI Las Vegas.
The “Hippocratic Oath” for learning a Technology is the MANDATORY use of:
ALGORITHMIC vs HEURISTIC reasoning. The two terms in this context are psychological and not technological, with the former entailing a rigorous step by step methodical learning process to establish full competence, while the latter is the use of “mental shortcuts” to the same effect. The former guarantees success, and the latter ascertains failure. The heuristic fellaz are those that get a job that from a seemingly verbose CV/Resume, coupled with utterly incompetent interviewers, but whose KEN is riddled with cobwebs that can’t trap a single housefly.
FOUR Steps To Mastering Any Technology Will Be Enumerated:
=>Read up to get a basic understanding of the technology, such that you grasp the specific goal the technology was designed for, and being able to visualize it after closing the book.
=>Conduct basic hands on experiments to solidify your understanding.
=>Read again to get a complex understanding of the theory, and how it relates to interaction with other technologies.
=>Conduct complex hands on experiments to solidify those complex interactions.
If followed to the T, ANY technology will bow down in your wake.
NOTE: Very experienced Engineers do employ “heurisitic” troubleshooting, as I do almost daily, with a very crucial BUT, and that being that you have enough mastery to quickly narrow down a problem as accurately as done by one employing the algorithmic route, and all this from experience, and for that matter an approach I would EMPHATICALLY ADVISE AGAINST for those who are still inexperienced, to save you from the salvos that would otherwise decimate you down the road. Avoid evaluating yourself by striking your own drum to tickle your fancies, but rather be genuine in what you think you know so far, and the more brutal the assessment, the better, literally speaking, plus you should find someone more experienced than yourself to keep you outside the comfort zone for you. Working with and closely observing emulating a very good engineer who produces results, guarantees elevation of your own skill sets, especially when they either prod you, or you ask them to do so to constantly keep you on your toes to avoid complacency for the crucial foundation phases of your IT career. You might remember to thank the fella years down the road when you are very successful, having heeded proper advice.
Driving a stick shift transmission vehicle for the first few times is a formidable challenge to anyone, but with good instruction, it becomes almost infinitely simpler.
The other week I mentioned something about people having different kinds of brain power, and I had specifically mentioned “eidetic memory” and “crunching power memory” when the story of one Bethuel Mbugua was narrated. That child prodigy going by “Master Mbugua”, particularly gifted in human anatomy at a very tender age, and with whom I actually conversed with briefly at the swimming pool where I grew up in 1992, when he had come to give a lecture, and he sounded and acted normal save for his “singular and unblinking” focus on an across the street neighbor chick who had what Sisqo would have it as “dumps like a truck luo style”, and follow up with,
“thighs like what???” . The eidetic memory, or tendency to, in flashes, capture a lot of information in a very brief time frame without much manipulation, essentially like rote memorization, opposed to “crunching” memory, which is for correlation of complex constructs. The latter is the most important for the IT industry.
On Bethuel Mbugua:
https://omgvoice.com/news/ke-scholar-dar-salaam-university?country=KE
Invisibly, eidetic type memory pulls the Medical Doctor Types, while the Crunching pulls the Physicists/Engineers, of course none of this being blanket generalizations but rather a tendency. Our high school had perfect examples of both if you carefully look back retrospectively. The sheer scale of abstraction extant to effect modern technologies is way too baffling for simple rote memorization. Strangely, even at high school edge, I perceived this notion, for example, when this guy, I think Justin Nthiani my dorm mate who was perhaps in 2K when I was in 2K1 on a Sunday afternoon was studying physics, and asked me to clarify some concepts maybe on laws of motion or something. I told him to explain how he was trying to learn it and proceed to go at it for few minutes without me disturbing to observe his technique. What I gleaned, was that he was trying to learn the physics through memorization like history, which is why it necessarily failed to make sense, and I think he adjusted after. Similarly, in Form 3 Chemistry, the vast majority cried about the mole concept, while I personally had never seen as easy a stash of free points to be bagged in a test. Through rote memorization, it was impossible to understand, but through simple algebraic placement of the type, well if 5 stones fill one gunia, then how many will fill 4 gunias? Can that question seriously befuddle anyone? Nuff said.
An experienced manager hiring an IT Network Engineer, or maybe even a different kind of Engineer, as in the case for Cisco Systems, would not necessarily have “pre-typed” question list to conduct an interview, or maybe, they might loosely follow a vague script, but rather they do interview based on YOUR OWN RESUME. I find it silly telling someone to disambiguate a link state from a distance vector routing protocol as a question/answer in and of itself, instead of perhaps receiving the same information within the process of the interviewee telling you what they DO know about distance vector protocols opposed to link state protocols. The is a subtle nuance but a very crucial one between the two approaches. Here, if you think about it, the resume will make or break you. If it is too weak, you might never get considered for an interview, and if too “ambitious” as many people do to “up” their chances, then you are effectively screwed, because you can’t back up your expertise! Be resourceful but realistic in drafting that resume. The reason for a smart interviewer to interview you based on your resume, might appear to be a novice move whereas it is the entirely opposite, because, they can only accurately gauge your knowledge level if you are discussing stuff that you know and work with daily. They won’t be too worried about, oh he doesn’t yet know about BGP routing protocol at all and thus they are a no go! Well that may be the case if that BGP is the MOST salient aspect of the job in question, as might be the case for a Service Provider Engineer Slot, similar to what I did in South West Asia in my prior job, and particularly the MP-BGP range of technologies. Don’t worry about the exact meaning of all those terms, but pay CLOSE attention to the reasoning, for you might thank me for one or two reasons after something I have said helps you in future.
Why one would ask? Anyone can quickly google “rote memorization” stuff in a blink of an eye, but the same cannot be said of comprehensively stepping through the DUAL algorithm for EIGRP, along with the purpose of each state of the finite state machine underlying the algorithm (EIGRP is simply a proprietary routing protocol used by Cisco Systems and it is used by devices to build loop free forwarding paths, and it though it may get standardized coz I actually read an RFC on EIGRP maybe in 2014).
FORMAL EDUCATION VS PROFESSIONAL CERTIFICATIONS:
I have already slightly touched on this but I will rehash it. For most intent and purposes your professional certs, and infinitely more so, your experience will make or break you. The college education will mostly help to you to escape being flushed out of contention to reduce the number of resumes to focus on. “For every Resume where by College Education<Bachelor Degree”, send to the bin kind of thing. Some skills from computer science may translate, and few other degrees here and there but they are not the “meat of the business”, as say Technical Certifications, and this may be contrasted with Professional Degrees like “Medicine” and “Law”, where your College Work is just about literally what you might expect to do in real life, plus of course tackling any relevant BAR exams for Lawyers, and the painful long shift Internships/Residency requirements for Doctors.
The INFORMAL definition of a COLLEGE DEGREE is a piece of paper that is used to get in line for consideration for a job, and to demonstrate you have the discipline to follow through on a project, and in many cases, little beyond that. I don’t have much in the way of advanced degrees, but I am always pitted against predominantly MSc. and few PhD. holders for the jobs I interview for nowadays, and I do decisively crush maybe 98-99% of them for a job and that is not difficult for me to do. But the formal education will provide a certain “well roundedness”, but that is N/A for people like myself, because I analyze much more issues than most do in different facets of life as a hobby, that very stuff you claim I am obsessed with, second only to cursing out smart assess which is my premiere hobby…just kidding…See how fun black humor is?
DEMANDS FACING EXPERIENCED IT ENGINEERS:
POINT NUMBER 1: You will need to not only STUDY, but STUDY a lot to remain competitive in IT with the lightning speed with which products hit the market, only to get obsolescent shortly thereafter.
Case in point, I am working on a NAC(Network Access Control Solution) for the theater as a whole, which is a fancy way of “ensuring all that funny stuff you plug into the network gets authenticated and cleaned up BEFORE it goes online”. Ironically, as I prepare to present the solution, there is already a wave of next generation called EVAS proliferating through the markets as a bleeding edge technology (so new it hasn’t faced the scrutiny that only time does to throw blind spots wide open). EVAS is End Point Visualization And Security, or something of the nature, that will simply get the network more agile, and automated in effecting the NAC requirements, with some chatter taking hold about the potential of entirely GETTING RID of NAC as archaic!!! You will be tortured by technology insofar as remaining competent contemporarily at any one point in time.
If you think that completion of that hard-earned Bachelors, or Masters, or PhD. was the end of your education, I will bluntly tell you to look for a career in a different specialty, for you are not consistent with the requirements of these IT jobs.
Take cognizance of the fact that, as you climb the scale in IT, the jobs that place more responsibility on your plate, and for that matter increase the level of Poxi Preshas OTONGOLO(and speaking for which I had to play my hero’s song Otonglo time as I continue… DON’T LOOK AT THE CITY CLOCK!!! this guy kills me hahaha), the tolerance for errors is inversely proportional to your career advances, with very narrow margins for error at the highest levels, where you are forced to actually EARN YOUR PAYCHECK. If you fumble as an engineer, and all of a sudden customers are unable to reach their Amazon AWS services that the customers have paid for, things called Service Level Agreements or SLAs are very tightly constrained demanding as much as 99.999% availability, failure of which, Amazon must pay, often millions of dollars for breach of contract, and it’s not too difficult to imagine the fate of whichever engineer was responsible.
This underscores why it is MANDATORY to grasp the fundamentals, because everything else builds on this.
Anyone who might have observed my postings and perversions, you might quickly pick up the constant accusations of “obsessiveness on issues”, and calls for, “summary summary summarize”, and I laugh, telling them that is my journal, and not necessarily meant for your consumption, for the reason there are just not many people to discuss these things with so I engage in soliloquy, which may assume a life of its own, and not rarely either. Partly true, but really it is that this specific kind of reasoning that makes excellent engineers, with the ability to tie together complex products verbosely. As you advance in your career, more is demanded of you, so you must learn infinitely more, and the manifest obsessiveness is a side-effect!!! In typing this whole document, the only two things were the categorization of two pronouns, and stating a few things more clearly to avoid discombobulation, and all else is on the fly typing with various edits as I steal few minutes out of my current busy schedule as days go by. The bottom line is that as you get to the pinnacle of an IT Engineering career, the kind of detailed in here is not a luxury but rather more of a necessity of survival. Do not take that statement lightly.
There is a latent quiz, which if passed you can straight away graduate to heuristic troubleshooting. The world of computing is based on Binary and variants thereof, e.g. Hexadecimal system, which is simply a condensed flavor of binary, and all these based on the transitions of on and off through transistors, and calling out half of the list below off the top of your head, for their commonality in our day to day work in our business, is mandatory.
2^0 - 16; 2^20, 2^24, 2^32
0 1; 1 2; 2 4; 3 8; 4 16; 5 32; 6 64; 7 128; 8 256; 9 512 ; 10 1024; 11 2048; 12 4096; 13 8192; 14 16384; 15 32768; 16 65536; 20 1048576; 24 16777216; 32 4294967296.
I didn’t look anywhere for the answers but it’s unlikely they are not 100% accurate and the doubting Thomases may verify. This is of course a facetious joke nonetheless, a part of my black humor if so to speak to underscore a point, since this is precisely the googlable stuff anyone can check up that I said was irrelevant! I more often than not speak in parables and with sarcasm, and so many come out in attack failing to disambiguate a joke from a qualified declaration in itself, but the attacks are typically “apainful” if I were permitted to defile the Queen’s language.
MY IT CAREER:
For various good reasons, I never had that traditional 4 years of College, where most are predominantly hustle free from full time jobs, and for various good reasons, but immediately jumped into the blue collar sector in California while my high school classmates enrolled at UON, KU, JKUAT, Moi University et. al, then I transitioned into the US Airforce, where my IT career began in earnest., stealing few evening classes here and there through some of those years, and entirely cut off the formal education route to focus on my IT work because a lot of this stuff is a waste of time for me. I teach myself a lot of that “Basic Education” stuff better and supplant that with classes I took in Philosophy, Psychology, HRM, History, and a few other ones I might have occasionally stumbled into, up to about 12 or 13 years ago then stopped entirely. When my classmates graduated University I was already a seasoned Network Engineer.
I have since mostly worked as a Senior Level Engineer with various companies, many associated with DOD, as is the case with the current time, being the Cisco Systems Engineer for the Air Force District Of Washington, or rather every major government entity you might hear about in the DC Metropolitan Area. Some bases (like where Trump plane sleeps, which is very close from my customer site office at 0.5KM in the base), Pentagon, NSA, Capitol Hill, and a host of others fall under this umbrella. Needless to say, accuracy here is paramount! Months ago I lived just a 3 minute walk from Capitol Hill but I had to run away, because DC Proper(about 15 by 15 Mile/25KM square, is a very small area, and DC is NOT a State but a Federal District, with only one city, called Washington, such that DC and Washington for the better part refer to the same thing) being very crowded and entirely without parking and a nightmare for “Navigation Columbuses” like me with no sense of direction(many of you take granted of your in-built biological GPS, and when that in-built one doesn’t exist as with me, your work is cut out for you in navigation for you have to remember each corner explicitly, and one wrong turn throws you hopelessly off course!!!), given the extremely messy street mazes that are closer to spaghetti in consistency, and I hated it a lot, so I moved to nearby NoVA. DC Metropolitan borrows from Virginia and Maryland (thus parts of VA and Maryland are considered DC Metropolitan Area).
CASE STUDY OF AN INCIDENT THAT MIGHT STRETCH YOUR SKILLS AS AN ENGINEER:
I will first discuss some of the VPN technologies underlying the issue we had, and subsequently describe the problem itself. This should give perspective of what you might encounter trying to learn different technologies.
There are times when all that you know will be put to test, and not so few times for that matter as you advance. Ironically, this example is from long ago, when I was still in the Air Force, and which I will detail after this VPN run down.
VIRTUAL PRIVATE NETORK (VPN) Technologies:
DOD got their own special stuff they run for their secret networks for obvious purposes, utilizing Type 1 Devices (exclusively used by US DoD and minor exceptions); Suite A or Unpublished Algorithms such as Firefly, Baton, Medley and others, though you may occasionally observe higher bit length Suite B algorithms like AES or say 384-bit, 512-bit or equally as powerful in very minor instances.
For those who are network and security engineers this should be second nature. The blanket IPSEC framework is used for VPNs commercially, while there is an IPSEC derived colloquial variant conforming to HAIPE (High Assurance IP Encryptors); pretty much hardware VPNs with equipment such as GD KG-175 TACLANES, but the concepts are analogous nonetheless with more stringent margins of course.
Quick Rehashing of IPSEC:
INTERNET PROTOOL SECURITY or IPSEC: A framework encompassing various protocols and technologies effecting VPNs.
In this context, a VPN is a secure communication channel between two nodes used to perform communication between two nodes securely over an insecure medium e.g. the Internet.
Internet Security Association Key Management Protocol or ISAKMP: A set of technologies running over UDP Port 500, to realize IPSEC based VPNs, and is utilized by different crypto end points to generate keying material necessary for a VPN to function properly. IKE(Internet Key Exchange Protocol) is a key component for negotiating the various parameters.
VPN formation has got two key Phases of IKE(Internet Key Exchange) which are 1 and 2:.
IKE PHASE 1:
This creates what you might call a “management encryption tunnel” that is used to conduct secure mutual authentication, as well as to lay the ground work for the negotiation of IKE phase 2.
=>There are two modes for IKE Phase 1:
Parameters negotiated for Phase 1 may include:
Encryption Algorithms (e.g. 3DES and AES): for confidentiality to secure Phase 1 mutual authentication and negotiation of Phase 1 proposals ;
Hash Algorithms (e.g. MD5 and SHA): These algorithms derive fixed length output from inputs of different sizes since fixed-length constructs are computationally simpler work with to realize, though under extreme scrutiny, hash collisions may be a security problem albeit a minor one when two different inputs of x and y produce the same fixed length z output, which by perforce are a mathematical fact in cornerstone cases when the input is larger than the output. The two benefits are;
Non-repudiation-> You can’t deny you sent a message, and;
Integrity-> Proof no “tampering” occurred;
DH Diffie Hellman key exchange algorithm-> (e.g. DH group 1, DH Group 2, DH group 5 etc.) enables the devices to securely derive a “common secret key” securely which can’t be intercepted en route because it is not explicitly sent over the wire, and all of these facilitates the establishment of the;
Phase 1 Management Encryption Tunnel-> Secure mutual authentication takes place in here between crypto end points, prior to effecting Phase 2 operations.
=> IKE PHASE 1 MAIN MODE: This is one of the two modes for IKE Phase 1 operations. It consists 6 messages for 3 bidirectional exchanges between an initiator and responder. Its more secure because the first two messages are for selecting proposals on parameters to use, the second two for generating a shared key to create a “first and management encrypted tunnel”, and the third pair of exchanges are then used to conduct secure mutual authentication between the two crypto end points. Note that this “dynamic key” is NOT same as the pre-shared key, but rather the pre-shared key is present at each end to ascertain the two ends derive the same key independently without putting anything on the wire for interception.
Mutual Authentication-> may be via;
Preshared Key: These are essentially shared passwords.
RSA Nonces: These are like one time passwords, someone akin to soft token generators. The idea is actually very simple looking at the big picture. You have a “centralized entity” for validation, and the “individual crypto end points as clients”, both of which have synchronized time. The client piece constantly spits out random one time pass words, and the centralized server does the same in kind to correlate the two. Accounting for clock drift, the server sides authenticates say all “client side random numbers” within a plus and minus 60 second duration. Simplistic on the large whilst elegant in essence; RSA Signatures: This one may employ digital signatures base on the PKI or Public Key Infrastructure. This is a fascinating concept, and I intend to dedicate an article to properly explore it, for it is the cornerstone of online security for ordering those sex toys for fetishes christened ‘miscellaneous merchandise’, in case the wife or other peeps, online and all in a secure manner. The RSA Algorithm is considered to be an ASYMMETRIC ALGORITHM, meaning there are two different, though related keys, namely the public and private keys. Think of the two numbers as say the public key being 21 and the private key 7. You quickly notice 21 is a prime number, and 7 one of the two factors that except 21 and 1, and this is not by mistake. The security is based on the computational difficulty of FACTORING LARGE Prime Numbers and or variants of discrete logarithms, such that by the time the most powerful computers figures out the 3 as the other factor to compromise security in this case, the information that had been secured is already useless essentially, and I will leave it at that for now until I attack it in it’s own comprehensive article.
IKE PHASE 1 AGGRESSIVE MODE: This is the second flavor of IKE Phase 1. As suggested by the name, the “6 messages” are instead replaced with an aggressive approach using only “1 pair of exchanges or 2 messages” to be precise. Its faster but less secure, because the end points identify each other over an insecure tunnel opposed to Main Mode where the first two pair of exchanges enables the formation of an encryption tunnel that is then used in the third pair of messages for mutual authentication.
IKE PHASE 2:
After the phase one has undergone mutual authentication from the 3rd pair of phase 1 exchanges the “encrypted management tunnel” is used to negotiate “proposals” for the “second or production tunnel”, or rather the very VPN tunnel that gets your VPN traffic securely over the insecure internet.
Parameters may include transforms, e.g. AES for encryption, and SHA for integrity/non-repudiation/anti-replay etc. to realize the production tunnel.
“second or production tunnel” may run with one of two encapsulation methods: ESP (Encapsulating Security Payload or IP Protocol 51) or AH(Authentication Header or IP Protocol 50). The ESP provides CIAN-Confidentiality or encryption; Integrity and anti-replay through hashing like MD5/SHA, as well as non-repudiation etc. AH on the other hand carries out the previous same functions as ESP, except there is NO confidentiality/encryption with AH. Modern cryptosystems employ ESP for that reason.
Optionally, a feature called “Perfect Forwarding Secrecy” may be utilized here, whereby, essentially each distinct Phase 2 connection requires a new Phase 1 renegotiation, to prevent a compromised phase 1 tunnel affecting any subsequent phase 2 tunnels. Remember we had that “first management encryption tunnel” for mutual authentication and “second or production tunnel”, for actual user traffic. Normally a phase 1 tunnel is renegotiated by default after about I believe about ~86400 seconds/1 day, whereas each individual phase 2 “Production Tunnel” default to about ~28,800 seconds/8 hours, and thus typically about 3 different Phase 2 production tunnels can utilize a single management tunnel.
NOW THE CASE STUDY ITSELF:
The symptoms presented as failure of a specific program that was used by Commanders to track accountability of personnel to higher echelon Commands for all military/civilian personnel across the board, and out of the blue this program suddenly STOPPED WORKING, yet everything else worked perfectly!! You could look at the affected Servers, but nothing seemed to be obviously wrong, because it formed connections like it was designed to, but just how effective those connection was the crux of the problem. You would think it is very simple after I narrate but if placed back in context of reality weehh!!! This is the VERY LAST kind of thing you want broken in a MILITARY ENVIRONMENT for the fallout and pressure will be relentless, and merciless even. I was in Okinawa Japan and it was affecting the entire PACAF Command. Military leadership are not the type of people to fool around with.
At an experience level of 1.5 to 2 years, roughly co-incident with the time my high school classmates were in their first semester of 2nd year University studies, I was somewhat experienced but not yet fully polished. This kind of issue is one of the most difficult one to troubleshoot, where "some” of the stuff works intermittently, while other “don’t” part of the time. Low overhead operations of the server, particularly light UDP type flows were unaffected, for they used smaller frames, and this will be shortly very clear. When everything else works, you are left scratching your head on where to look. To make factors worse was the fact was that this was a secret network and data is encrypted, so packet captures were effectively useless down the line of transmission, but hey I got to corroborate the protocols used to encapsulate the traffic hell yeahhh!! but unable to read anything meaningful damn booh!!
We scratched our heads and combed through the servers and networking devices for 1.5 full weeks, and the pressure was not letting off. It was a tough one doubtless.
I was slotted for Help Desk Rotation that weekend, and the actual office was right where the Hub Encryptors sat, and I looked around and felt that it might be a perfect chance to analyze the issue by ruling it out as a factor (knock knock!!! Intellectual curiosity!!! Pay attention!!!), because I had no idea if it was relevant or not, because everything else was working fine. Basically, those Encryptors create a hardware based VPN as you would with a SOHO Router at a branch office or at home for those telecommuter types in the stead of say, “Soft Client VPNs”, implemented in software on your computer, which may be invoked through the use of say the Cisco Secure Mobility AnyConnect Client. The hardware VPNs are more effective and efficient at work because they have the ability to encrypt traffic for multiple pools of users by having one VPN front Device fronting dozens of users behind it on the plaintext/unencrypted side.
I went to one of the “Hub Encryptors” and started combing through Menu by Menu, just to see if something might be off. I happened upon one screen that went along the lines of “MTU By Pass”. MTU is Maximum Transmission Unit or biggest PDU that can be carried by an individual enveloped packet of data. Fragmentation needs to be functional in the event the devices in between have “Low MTU” compared to the “Packet Trying to Pass Through” for obvious reasons. If you can’t chop it up, it will get dropped absent of fragmentation. My heart started racing immediately, and I re-read that configuration setting about 10 times like a mad person, because I had to be very cautious, given the fact ALL EYES WERE ON US, and In a STERN WAY for that matter. That is why these jobs are called thankless jobs. As an engineer, when everything works fine, you get ignored like you don’t exist, right until the first problem crops up and suddenly you become a pariah!!
I realized that the setting in place effectively “Turned off IP Fragmentation” or breaking packets into smaller pieces and repackaging the data for transmission. Through my gut instinct, not a BS one but this time the professional one, I immediately concluded that MTU setting MUST be our problem. I had an aura of certainty, the justification for which I couldn’t even today explain. The thing here is that, as devices initiate communication, and particularly TCP for reliable flows, there is a 3-Way handshake for the devices of SYN/SYN ACK/ACK to establish the connection and they negotiate the underlying MTUs etc., then data flows afterwards. Notably, I believe “IP Unreachables” were disabled (diagnostic IP mechanism to signal issues like MTU mismatch etc. but a security hole nonetheless), and thus error messages were quietly discarded mid-way. In this case, the “affected” systems, if you looked at a “NETSTAT”(netstat on a command prompt on a PC) you could see it was touching bases with the server, and this further obfuscated the mystery.
There are several things to consider for encrypted traffic, most relevant of which is to account for the “Overhead” caused by typical encryption. I our case it was ESP traffic running in tunnel mode (tunnel vs transport is a subject for a different discussion and only incidentally mentioned herein), and as such an overhead of about 60 or so bytes got added to all packets. This means you would need to “reduce the payload” portion of intermediary devices so the traffic fits after packing on the overhead. In a nutshell, the devices negotiated for the maximum MTUs, which did not take into account the overhead of encrypted traffic, and being coded to drop fragmented traffic., the problem blew wide open.
I reported my findings and an emergency Telecon, with all PACAF representatives from every single base from Japan, to Korea, to Guam, to Hawaii, to Pearl Harbor thereabouts etc., hopped on the phone to run through the process to reverse that specific setting.
The problem was at this point consigned to history.
The BIG Lessons learnt here were two:
=>LEARN your FUNDAMENTALS!!! I will repeat the message a million times if I have to, I don’t give a damn, because of how important this is. Many novice engineers start do look down on the basics after learning the basics and they they think they know it all, yet little do they realize, their IT Grave Headstones are firmly planted then, they never succeed in IT, absent of stripping themselves of that stupid tendency. “Oh, that is CCNA Stuff”, kind of people are the ones who I am talking about, to you Network and Security Engineer professionals, as well as aspirants to the same, the very things many fumble on repeatedly by being too proud to follow up on basics. Notice I didn’t say ANYTHING about ADVANCED knowledge as an end to itself, because theoretically, it is non-existent as a construct independent of coherent aggregation of fundamentals, and appreciation of this fact is step number one towards becoming an elite engineer!! I employ a lot of repetition in this specific writing due to the varying levels of grasping the material, so that you don’t have to constantly scroll back to see that “ohhh this was the meaning of so and so”. I knew precisely how MTU and fragmentation functioned, but the problem here was the fact that the symptoms were FAR from APPARENT before the fact, but as such, through utilization my understanding of the BASIC fundamentals, and applying this knowledge to a real situation, the genie got blown right of the bottle!
=>Pay very close attention to ANY key changes on your network!!! It turned out that about 2 weeks prior to the onset of the issue, and entirely under the radar and unbeknownst to almost all of us, there was a firmware upgrade on the TACLANE Encryptors by some contractors that flipped the default of that MTU Bypass Bit and resulted in the dropping of the packets that needed to but failed to get fragmentation hence crippling that “Commanders’ Program for Accountability”.
THE OSI MODEL(Vaguely Open Systems Interconnection or a remnant of some ISO stuff:
Let me quickly run down something they call the OSI Model, which is simply a reference point for being properly able to understand how technologies interact, from one party, and all the way to another, perhaps continents away. It is NOT a strict map, but a visualization microscope to understand and implement technologies with a degree of uniformity. When you text someone, vs emailing someone, there are two different conversations but they do pin point entities that are interacting, in this case, the Messaging Client, and the Browser Client, with the two mini-conversations in this case taking place between same Server and Client in each case.
Each layer provides services to that above them in the hierarchy, and my enumeration will be starting from the bottom towards the top.
I never used a specific mnemonic but it goes PDNTSPA from down to up. There is an analogous scheme called TCP/IP Suite with Physical, Data Link, Network, and Access Layers. The Access Layer of the latter agglomerates the top 3 layers of the OSI Model of Application, Presentation, and Session layers. Their purposes are just about the same in effect.
Physical Layer: Bits and electrical signals abound in this layer. These are electrical and mechanical characteristics of the medium forwarding the data, and stuff you are all used to from your various electronic gadgets at work and at home, no mysteries here. Examples are voltage, frequency, RJ-11 standards for POTS phones, CAT 7 Lan Drops, fiber optics etc.
Data Link Layer: PDU or protocol data unit here is a Frame. It receives packets from network layer, optionally may check for errors, and prepares data to be put on the media as signals of various sorts for transport, and so forth. Examples are MAC Sublayer and Logical Level Control Sublayers of ethernet IEEE 802 stylenetworks such as (IEEE 802.3X), 802.11 Wireless, MPLS Shim Layer(2.5) etc.
Network Layer: PDUs are Packets. This is the most familiar layer, being the foundation of the Internet, and because if you open a command prompt and type ipconfig /all you see your IP Address, DNS Server and a host of other information. There are routed protocols e.g. (IP Address) and routing algorithms, e.g. OSPF Open Shortest Path First. Routers forward data from one logical network to another dynamically/automatically (for devices sharing same mask e.g. 10.0.0.X for range 10.0.0.2 - 10.0.0.254 or 254 hosts are all represented by router’s on IP Address of 10.0.0.1 for those 254 users) whereby, the router forwards information on up to 254 end hosts using 1 condensed address of 10.0.0.0/24 subnet/network (/24 means 2^8 or 256 minus 1 and 255 for router address and broadcast addresses respectively), while routing algorithms like OSPF dynamically exchange “reachability” or “subnet” info with other routers all through the internet. 1 entry representing 254 is efficient! And they may be even more granular or sparse per configuration specifics.
Transport Layer: PDUs here are called Segments-TCP, or Datagrams-UDP. It represents every host to host connection between two end nodes, say your laptop, utilizing the Google Chrome web client and an FTP client to communicate with CNN Web Server and CNN FTP Server for surfing and retrieving a file, respectively, and whereby pretty much there is a router locally and a router remotely at CNN that grabs these flows via their collective “network or subnet address” to present the flow between these two entities, as well as potentially a host of other individual communication flows on either side that all reside in the same respective “networks or subnets”. The two best known example of Transport Layer protocols are “Transport Communication Protocol” (TCP), and “User Datagram Protocol” (UDP).The former uses acknowledgements and error correction for reliable delivery of, your browsing session via Google Chrome for instance, whereas the latter uses unreliable and unacknowledged delivery for light weight expedient requests e.g. DNS name queries to figure out what IP Address maps to the CNN.COM that you just typed on your browser, because your laptop and the various intermediate routers don’t inherently know what hell CNN is hence the “DNS mapping”.
Session Layer: Data here is still a bit stream with no “envelope applied” and it does delineate logical connections between two applications, much like the transport layer, whereby different implementations may leverage either “phase” to facilitate the desired communication flows. Remember that these layers are just visual aids and not “built in stone” constructs. All those gibberish love letters by akina Daudi Kabaka to their “babes” back then, but before applying an envelope or wrapping up for transport using a header, and spraying on it some DOOM for fragrance, might be one way to look at it. Examples here include the RPC or Remote Procedure Call, utilized by many different types of servers, plus the unfortunate enough Systems Side Engineers who have to deal with some of those disease ridden, especially Windows Servers, with endless idiosyncrasies, and such frequent hung and frozen processes that the Guinness Book Of World Records would be justified to crown them Kings of technological maleficence, malfeasance, and usurpation. The simplest visualization is your ATM Transaction at a Teller Machine. Has the ATM ever robbed you of your money, no matter how wasted you were huddled somewhere along a Moi Avenue or Koinange Street ATM during the wee hours of the morning early Sunday morning, blowing away your hard earned mbesha? Short of tampering, the likelihood is so sparse as to be non-existent effectively, because the underlying applications properly delineate transactions, and won’t just gaffe up and cough 100 bob instead of the requested 500 bog for example, of course assuming you haven’t effectively annihilated your bank account trying to impress a transient beauty that quickly forgot about you and eagerly hunting down the next poor fella after some spirited aerobic activity.
Presentation Layer: Data is still in bit streams at this layer. A very simple surmise to fully understand this layer it the description that this layer is responsible for receiving information from disparate applications such as web browsers and say FTP clients and there after handing it over to the lower layers in a manner that is uniform and consistent to the layers beneath it. These include various encoding and encryption algorithms such as ASCII and EBCDIC.
Application Layer: The gibberish you type in your forum discussions via browsers would be would show up here. The function is self-evident where say HTTP protocol is used for web surfing and effected by web browsers/webservers; FTP clients and servers for pulling files, or say, SSH or Secure Shell clients and servers for secure remote management of various devices remotely.
THE FUTURE:
Of course the future is likely to be punctuated by a vicissitude of possibilities no one can definitively predict at this time. The IT industry is becoming more and more abstracted, meaning that, there are a whole bunch of layers nested upon yet others, so much so, it might be hard to uncover the original pieces of concrete data on many an occasion, that stuff simply appears to work as though it were magic, and for that matter a very meritorious goal of the underlying nuts and bolts! Technology hides those complex aspects so no one outside the realm of engineers care about the plumbing beneath. There are numerous attendant ramifications in light of these developments, the following are merely a few.
DEVOPS:
This is a relatively new paradigm in software engineering(end IT engineering in general) juxtaposed against operational aspects of the multitude of industries that drive most modern societies, and for that matter one which specifically addresses the challenges posed by the very rapidly increasing demands for business and non-business entities for new technology based products getting into production lightning fast, while maintaining the highest of standards of delivery at all points on the premise that increased agility coupled with increased automation, and all the while maintaining high quality, often than not increases productivity ceteris Paribas, and as such, inevitably boosts profitability by extension. Elements of software engineering and operations will be more and more tightly integrated during the SDLC (Software Development Life Cycle), such that timely feedback can address blind spots soon enough to avoid obstacles down the road pursuant to the multitude of potential benefits that DEVOPS may facilitate.
BINARY vs QUANUM COMPUTING:
As stated earlier, contemporary BINARY Computing is founded upon employment of transistors(logical electrical gates and amplifiers) to deploy various solutions, where by the binary states of “OFF and “ON” to provide distinct transitions that make existing technologies possible.
Quantum Computing on the other hand is a theoretical futuristic paradigm for computation under research, that might realize much more robust data processing capabilities. Whereas the binary basis of binary computing can only be extrapolated to function on the scale 2^X, where that binary distinction is a bottleneck by definition, to yet more robust and agile computing. Quantum Computing is being researched as a way to fortify processing beyond the binary barrier of 2^X, which instead of the on/off transitions, leverages quantum mechanical phenomena to instantiate what may be termed as “a qubit” as the basic unit of data, opposed to the “bit” in the case of binary computing, and has the potential to materialize computation at speed than higher then those possible using the binary 2^X approach, by tapping into such concepts as “superposition” (where 2 or MORE states morph into an extra ”distinct” state, and “entanglement” (whereby, there is an association between the simplest units to the extent that you are unable to describe the “characteristics” of any one constituent unit, but rather you must perform analysis by considering the various vicissitudes of all the constituent units as though they were a “single unified unit” unto themselves. Succinctly, turbo charge electronic computation is realized, and as a matter of fact, dare any octane heads claim they don’t drool at the prospect of a turbo rush!!!
=>Potential Security Problems may emerge upon successfully effecting quantum computing, to the extent that, the increased oomph, theoretically achievable via quantum computing, might defeat the “salient” aspects of existing technology, that happen to be the cornerstone of the way online data is currently secured, both at rest as well as in motion, with the most common examples being found in the very browsers you use daily such as Google Chrome, Mozilla Firefox, Internet Explorer, Microsoft Edge etc. These applications make use of the Secure Socket Layer (SSL), or the newer variant of “Transport Layer Security (TLS)”, which make use of asymmetric algorithms I already briefly touched on such as the RSA Algorithm (named after the three founders Rivest, Shamir, and Adleman, back in the late 70s). These algorithms rely on the computational difficulty of factoring large prime numbers, discrete logarithms etc., such that, it is computationally infeasible defeat the current asymmetric algorithms for the better part through the most cryptanalysis tactics possible today. There have been breaches here and there indeed, but the obsolescence of lower grade algorithms stifles those attempts to kick the can down the road on these potentially explosive, if inimical and perilous tactics, contextualized in the arena of “information security”. The prospect of much faster computation speeds presents a great threat to those mathematic problems that act as the bedrock of current online security. It goes without saying that the development of more complex algorithms to counteract future cryptanalysis are in order.
EXASCALE COMPUTING:
This is basically a futuristic method of increasing computation speed of current technologies, and perhaps rhymes with Quantum Computing, whereby the latter may be thought of as a one of the channels that may realize Exascale Computing.
The goal would be conduction of research efforts aimed at boosting computation speeds 50 to 100 fold relative to top contemporary computation speeds, or stated otherwise, computation speeds of roughly 10^18 operations per second.
A future posting will focus on the ramifications on online security that all the above gibberish envisages!!!
Need I continue for now? I will if you dare me………………
Thanks and have a good day. I will be glad to answer any questions you may have.