Solace provides sophisticated middleware functionality in hardware to monitor, filter, route, transform and secure very large volumes of events in real time and with minimal processing overhead.  Solace uses leading-edge FPGA, ASIC and network processor technology to increase throughput and lower latency of event processing. Applications such as fraud detection, algorithmic trading, compliance, insider trade monitoring, risk management and more can be tackled more effectively by separating the simple monitoring, filtering and normalization of raw events from the complex processing of select events. This event pre-processing takes the burden off CEP engines allowing individual engines to be much more effective. 

The Cisco 7600 OSR consists of a 256 Gbps switching fabric and a 30 million packets per second (mpps) forwarding engine. Its breadth of IP services comes from Cisco IOS, which provides features such as security, enhanced QoS, and destination sensitive services. In addition, the Cisco 7600 OSR allows the migration of existing port adapters from Cisco 7500 series routers, via the Cisco FlexWAN module, giving service providers one the industry’s widest array of interface options in any single platform. This provides service providers great flexibility in deploying the Cisco 7600 OSR for a variety of applications, protects their investment in existing systems, and gives them a practical migration path to the New World Optical Internet.

A Revolutionary Platform For Evolving Networks

The Cisco 7600 OSR helps service providers break through service and bandwidth barriers today, while designing networks to scale for future growth. The Cisco 7600 OSR achieves this through “adaptive network processing,” or the ability to evolve the platform for new IP services without hardware upgrades. Unlike fixed, ASIC-based platforms, which are hardware encoded, the Cisco 7600 OSR relies on the highly flexible Parallel eXpress Forwarding (PXF) technology for scalable performance of services. PXF is a patented, Cisco-developed network processor capable of line-rate IP services delivery that can support new IP services through periodic software upgrades. Each OSM has two PXF processors capable of 12 mpps of IP services delivery per interface card.

“IP+Optical combines the dynamism of the Internet world with the foundation of the transport world, creating an infrastructure that can deliver the services that service providers need,” said Lele Nardin, vice president of the Internet Systems Business Unit at Cisco. “Cisco will continue to add innovative solutions on top of this solid foundation to make service providers better equipped to meet the constantly escalating and changing customer demands for new networking services.”

Pricing and Availability

The base Cisco 7600 OSR system is list priced at $73,000 and the entry level system, with interfaces, start at $100,000. The interfaces modules are priced between $27,000 to $180,000. The Cisco 7600 OSR is available now worldwide.

Ten days before VMworld and VMware still can’t get good press. First their CEO, Diane Greene, gets ousted, then a high-profile licensing bug is found and now the Director of R&D, Richard Sarwal, leaves his $1.25 million salary after just 7 months. (Note to self: get into R&D) It will be interesting to take the pulse of the VMware community at the show and in person. And in the meantime, Microsoft Hyper-V comes out of the gate with customers already touting its benefits.

The hypervisor is the “new” operating system. If you didn’t think that before, take a look at Red Hat’s purchase of Qumranet for $107 million. With Qumranet, Red Hat gets KVM, described by CTO Brian Stevens as an extension to the Linux kernel that allows it to be used as a bare-metal hypervisor, running directly on the underlying hardware and hosting guest operating systems. But according to Brian Madden, the “press” around the purchase is all focusing on the not-so-interesting part. Along with KVM, the SolidICE product includes Spice, a remote display protocol for VDI.

I wonder if this will be like Symantec buying Altiris or Microsoft buying Softricity, where the portion that we care about sort of loses focus as The Borg concentrates on the parts of the acquired technology that are more relevant to them?

(I’m a sucker for quotes that reference The Borg)

Network World publishes “10 open source companies to watch”. On the list, Qumranet!

Also on the list: Kickfire, Marketcetera, Vyatta, Sonatype, Untangle, XAware, SnapLogic, Acquia and Openmoko. What’s best about the list: Matt Asay gives it a thumbs up.

It's a man-in-the-middle attack. "The Internet's Biggest Security Hole"  has been that interior relays have always been trusted even though they are not trustworthy.

That could apply word for word to how MQ Series and other enterprise messaging systems are deployed. Let's say you are a bank and have been happily running your business on a mainframe for decades. Life is good, come in at 9 leave at 5, count the cash. Then some dotcommer comes along and tells you that you need to get online. What are you gonna do? Rewrite your whole system from scratch? Hard to make that case.

Synopsis:  Blue Box Special Edition #26: Astricon 2007 presentation - "Hacking and Attacking VoIP Systems: What you need to worry about"

Welcome to Blue Box: The VoIP Security Podcast Special Edition #26, a 55-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 6MB) or subscribe to the RSS feed to download the show automatically. 

You may also listen to this podcast right now:

Show Content:

A year ago in September 2007, I (Dan York) spoke at Astricon 2007 in Arizona, USA, about "Hacking and Attacking VoIP Systems: What You Need To Worry About" My presentation covered a lot of the typical VoIP security threats, tools and best practices but also expanded a bit into specific security issues with Asterisk.  Please do keep in mind that it has been a year since this presentation and so some of the issues I mention have been addressed. (Astricon, for those who don't know, is an annual developer conference for those who work with the Asterisk open source telephony platform. Astricon 2008 is, in fact, coming up in about 3 weeks but I will not be attending this year.)

The slides for this talk are available from Slideshare:

(And yes, at some point I'll sync the audio with the slides.)

Production assistance on this Special Edition was provided by Michael Graves who had a very tough task given the poor quality of the recording that I gave to him!  Kudos to Michael for getting it to sound as good as it does.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

Synopsis:  Blue Box Special Edition #26: Astricon 2007 presentation - "Hacking and Attacking VoIP Systems: What you need to worry about"

Welcome to Blue Box: The VoIP Security Podcast Special Edition #26, a 55-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 6MB) or subscribe to the RSS feed to download the show automatically. 

You may also listen to this podcast right now:

Show Content:

A year ago in September 2007, I (Dan York) spoke at Astricon 2007 in Arizona, USA, about "Hacking and Attacking VoIP Systems: What You Need To Worry About" My presentation covered a lot of the typical VoIP security threats, tools and best practices but also expanded a bit into specific security issues with Asterisk.  Please do keep in mind that it has been a year since this presentation and so some of the issues I mention have been addressed. (Astricon, for those who don't know, is an annual developer conference for those who work with the Asterisk open source telephony platform. Astricon 2008 is, in fact, coming up in about 3 weeks but I will not be attending this year.)

The slides for this talk are available from Slideshare:

(And yes, at some point I'll sync the audio with the slides.)

Production assistance on this Special Edition was provided by Michael Graves who had a very tough task given the poor quality of the recording that I gave to him!  Kudos to Michael for getting it to sound as good as it does.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

Blogger: Randall Gamby

Two weeks ago the PCI Security Standards Council released the preliminary details of the PCI Data Security Standard (DSS) V1.2 that’s due out in October.  While many Analysts and Reporters have already written on the topic (I’ll be releasing an extensive update on Burton Group’s PCI coverage around the October release date), they really haven’t commented on what’s still not been addressed by the standard for enterprises still working on attaining compliance.

While I applaud the PCI Security Standards Council in further clarifying and adjusting the standard, a lot of work still needs to be done.  I receive about one or two PCI questions a week from our clients and they seem to revolve around a couple of topics I’ve yet to see addressed:

• Guidelines for selecting a Qualified Security Assessor (QSA) – while there are a large number of QSA organizations listed on the PCI Security Standards Council web site; they can’t really recommend a particular QSA for an individual organization.  This leads a lot of organizations to struggle with determining what criteria they should use in selecting a QSA for their certification.
• The role of the QSA – organizations are also still trying to understand the role of a QSA.  Should they get a QSA involved in the gap and remediation process in advance of certification?  If so, should it be the same QSA that will do their certification (knowing there’s a risk that the QSA will be pre-disposed to only care about certain vulnerabilities)?
• Industry-specific best practices – while each organization may have different infrastructures, in general, most industries try to be consistent with the major functions they perform.  So are credit card transactions handled differently between say, a major retailer with 10,000 POS systems and an insurance company that has hundreds of independent agents receiving remittances? Probably, so what are best practices around these industry-specific configurations?
• Virtualized environments – while the PCI Security Standards Council recognizes that some organizations have moved to virtual services for consolidation and management, the DSS really doesn’t provide guidelines for QSAs to evaluate and certify these environments.
• Monitoring and audit – while the PCI DSS recommends minimum timeframes for scanning, doing pen tests, etc. what are the real levels of monitoring and audit needed for ensuring security?  With the Hannaford and Okemo breaches that occurred (both where PCI compliant), neither discovered the problem until months after the breaches had happened.  So identifying what should be scanned and tested and if some of this should be on a continuous basis still requires refinement.
• PCI as part of an overall security model – what are the best practices around merging PCI security requirements into an enterprise’s overall security model?  Should it be maintained separately? Should some components be integrated with similar security mechanisms?  Should PCI be at the top of the security model and other configurations be based upon its requirements?  There are really no answers coming forth on this topic and the other question is where will they come from? Surely enterprises won’t expect the PCI Security Standards Council to tell them how to run their security services.

I will be providing Burton Group’s perspective on most of these questions in my upcoming report, but rather than relying on third parties to resolve these, I’d hope that the PCI Security Standards Council will be able to continue to provide answers to the questions they can in future updates, and releases, of the PCI DSS.

I agree with Mark that SOR is important and very interesting; but in his reply he seems to be confusing CEP with “complex EAI” or a “complex messaging” application.  For example, Mark says,

“It’s not uncommon for a single SOR system to connect to 10 or more markets and multiple asset classes.  Not only is this a confluence of events, it’s a stunningly complicated environment in which to create a complex, real-time model in which to apply “simple” routing decisions. On this basis alone, SOR needs CEP.”

Connecting to many market feeds with multiple asset classes might be complicated, but “complicated connections” are an EAI  (adaptation layer) function, not a core CEP function.   In fact, TIBCO Software has been doing this type of low latency back-office order routing for many years, and TIBCO historically calls this “messaging.”  Adding some rules to high speed, low latency messaging does not make it a “CEP” application.

Mark goes on to set up a counter argument to ILOG’s Changhai Ke, comments with,

“SOR operates by analyzing the confluence of events from market data feeds, order flows from OMS systems, and executions, aggregating and analyzing those events in real time, and adjust routing decisions on the fly.”

This is the well travelled argument the “new stream processing vendors in capital markets” have been saying, still unconvincingly, for the last few years.  Basically their perspective is that if you have a lot of ”feeds” and a core requirement for “speed” - “feeds and speed” - you are doing “complex event processing.” 

Mark Palmer forcefully stated his opinon that the folks who do not agree with him do not “understand” modern day SOR.    However,  a strong counter argument can be made that the “newcomers” to capital markets like StreamBase do not understand that “feeds and speeds” with order routing is little more than moderan day EAI.   This is a basic message routing capability and it has been around for a long time.  After all, Wall Street operated quite well before the term CEP was coined!  TIBCO technology was providing Wall Street back office, low latency, smart order routing a decade ago, and they called this technology “messaging”.  

So, I remain unconvinced, at least by Mark’s passionate counter post, that SOR is CEP.   SOR, as Mark and other have described it, is a low latency messaging technology.  Message routing rules have exisited in this technology space for decades.

I agree with Mark completely that low latency EAI (like SOR has been described) can be quite complex, from a “feeds and speeds” perspective.   However,  I remain skeptical that “feeds and speeds” is much more than  modern day messaging and message routing.

In closing, in the network and security management world we have been dealing with “myriad feeds and speeds” for as long as I can remember, but admitted not like capital markets.    Taking myriad feeds, running rules against the feeds and then routing the messages/events for further processing, regardless of the complexity of the feeds and the data, is actually more of a messaging/ESB technology than a CEP technology. 

I remain completely open minded to any convincing counter arguments.

Given recent media coverage, it’s easy to believe that P2P and streaming video traffic is a rising hurricane battering upon ISP levees, that ISPs are frantically sandbagging their systems against disaster, that throttling, bandwidth caps, and traffic management are urgent and absolute necessities to keep the storm surge at bay. But new research from Telegeography only confirms what we’ve been saying for some time: the Internet backbone isn’t drowning beneath any kind of exaflood. In fact, backbone capacity has grown faster than Internet traffic in the last year—for the second year in a row.

Check out the full article, it even has some shiny graphs. It also reminds me of XKCD the other day… header: “I get in trouble for showing up contented to protests,” and the stick figure’s holding signs: “Things are pretty OK!” and “Anyone for Scrabble later?”