Human Infrastructure 410: Plan B, PANW Buys CyberArk, Wi-Fi Toolkit <$2K

Essay: Working With Plan B

by Nathan Evans
Ever have a brilliant design for an upcoming project, only to discover the product you recommended was not selected as the solution? In its place you get to deploy the alternative, chosen for its lower cost, or its sales buzzwords, or because “somebody knows a guy”. Do you complain? Do you threaten to resign? I did not, and here are a few practices I learned in the process to help with the implementation: 

Own It

I have repeatedly seen the value in engineers having a thorough understanding of the tools they use (even if it’s a tool they themselves wouldn’t have chosen). If circumstances permit, a team that manages an environment themselves, rather than through an MSP, will be more agile, able to resolve issues and implement changes much more efficiently (I fully understand that this is sometimes not possible). My team’s (and by extension the whole company’s) success with new tools is directly linked to how much we know about their operation. Read the manual, both for new and existing products, and you may be surprised by their capabilities.

Align Standards 

I value consistent naming standards as much as the next person, and effective standards benefit the “readability” of the network configuration. Aligning toward existing standards, where possible, will help make this new tool feel like it fits. Documentation is more useful when it shows the relationships between services, so update existing documentation to include this new product.  

Consider Abstraction 

How can you integrate this tool into your existing systems? Can you use the same monitoring and logging platforms? Can you plan, deploy, and alert on changes using the same processes? At my organization, our network monitoring tool is our beating heart. We strive to make our alerting criteria consistent and ensure alerts represent actual system issues, regardless which system we are observing. So whenever we are considering a new product, integration via one of the ingestion protocols for monitoring (SNMP, REST API, etc) is essential. 

Check Your Attitude 

Your attitude towards a project affects your success with it. Have you already decided this project will be a failure? If so, you risk it turning out that way. Remember why you do what you do, and try to keep the big picture in mind. If the decision does not make sense from your vantage point, ask your department leadership and you may come to a new appreciation.

Maintain Professionalism 

This is a similar point to the above, but relates more to your interactions with coworkers. If you are the SME for this product, how does your attitude toward it get interpreted by others? Does this help or hinder adoption? The opinion of a senior engineer can easily rub off on less experienced engineers, affecting the whole team’s morale. And ultimately, your reputation takes a while to build, so think with a cool head before saying something you cannot take back.

THIS WEEK’S MUST-READ BLOGS 🤓

Bart Dorlandt is writing a blog series on pydantic. In the latest installment, he writes “Continuing in this post we will handle some custom fields, being specific using "Literal", but also dealing with "Optional" fields. All of this still needs to be able to convert back in the same way it was written. Because of this I'll also introduce the "deepdiff" library. Allowing me to compare the in and output, to validate them. This also allows me to capture any field that I could've missed, which would not show up in the output.” He shares code examples and screenshots.  - Drew 

Tom Hollingsworth warns executives not to be bamboozled by the idea they can replace knowledgeable network and IT professionals with AI. While LLMs have improved by leaps and bounds, you can’t just get rid of the humans who’ve spent their careers building knowledge and refining their skills and expect AI to provide the same level of expertise.  - Drew 

Bryan writes “Once an SSR appliance is connected to the Mist cloud, it’s easy to make changes to the config. However, if your ISP has assigned a Static IP Address, you’ll need to know how to set that on the SSR using the console port before it will be able to phone-home to the Mist cloud.” His post walks through how to do it. - Drew

This thread hit home as AI tools with LLM backends are contributing more to configuration changes in network infrastructure. Yes, it’s real tech that’s slowly becoming trustworthy and gaining acceptance. In the last week, we’ve recorded 2 Heavy Networking episodes with Cisco and Juniper discussing how agentic AI already is and increasingly will be part of network operations. (They’ll be published soon.)

However, quoting the developer from the thread, AI coding “is leading to a progressively weaker sense of ownership over the project. The workflow becomes:

  • Tell the AI to write a function.

  • Debug and test it.

  • Tell the AI to write the next function that connects to it.

Rinse and repeat. While fast, I end up with a series of black boxes I've prompted into existence. My role shifts from I know what I'm building to I know what I want. There's a subtle but crucial difference. I'm becoming a project manager directing an AI intern, not an engineer crafting a solution.”

What happens to network engineering if engineers are prompting an AI to build? How much intimate knowledge of what’s really going on is lost? Or am I overthinking it, because knowledge of configuration stanzas isn’t as important as understanding the design principles of what you’re doing? Maybe prompting an AI to build your network and outsourcing routine network change management to a group of AI agents is simply…efficient. - Ethan

MORE BLOGS

  1. Do You Really Know How "or" and "and" Work in Python? (truthy and falsy) - The Python Coding Stack

  2. Expanding a Running Netlab Topology - ipSpace

  3. Cisco IOS/XE Hates Redistributed Static IPv6 Routes - ipSpace

  4. OpenVPN puts packets inside your packets (going deep on tunneling in Linux) - saminiir

  5. Cloudflare and the infinite sadness of migrations (thought exercise inspired by 1.1.1.1 outage on 14-July-2025) - Surfing Complexity

  6. Traditional Data Science is dying. Building models burns money. Assembling AI is the shift teams aren’t ready for. (and why it’s getting easier for your company to build AI solutions) - Tanay Sai

SuzieQ - Deep Insights About Your ENTIRE Network

Deep, Up-to-Date, Actionable Insights About Your Network
SuzieQ, from Stardust Systems (Dinesh Dutt’s corporate identity), is a high-performance, agentless, multi-vendor application to help you make sense of your network. Check if the MTU is consistent across your entire network, or if STP is configured correctly, or where an endpoint is, validate that an OS upgrade went as expected, and so much more.

All without writing a single line of code. Because SuzieQ can gather data as frequently as a minute, you’re always working with up-to-date information, while transforming your work, whether it be automation, troubleshooting, validation and so much more.

One user said that before SuzieQ, none of the dozens of tools they had could answer really fundamental questions about their network.

Schedule a demo, come see why Gartner recognized us as a cool vendor, and how we can empower and de-stress every member of your network infrastructure team while confidently providing a solid foundation for your business to thrive.

Want more information first? Listen to the Packet Pushers chat with Dinesh about SuzieQ.

TECH NEWS 📣

As the story notes, this is a clear sign that tech companies want employees using AI tools. By incorporating AI in the testing phase of an interview, the company can assess the candidate’s familiarity with AI and their ability to use it to help solve problems. It also eliminates the problem of trying to figure out if a candidate is “cheating” by using AI. - Drew 

Ars Technica reports that researchers were able to execute a supply chain attack on Google’s Gemini CLI coding agent that enabled exfiltration of sensitive data to an attacker-controlled machine. The researchers built a harmless code package, but then added a string of prompt injection attacks in the README file of the package, under the assumption that a developer using this package wouldn’t pay much attention to the README file, but the AI agent would read it carefully.

The article says “The commands caused the developer’s device to connect to an attacker-controlled server and pass off environmental variables of the device the developer was using. Such information contains a variety of system settings and can frequently include account credentials.”  

Ars Technica notes that Google has since patched the vulnerability that allowed this exploit to succeed, but it does demonstrate that we’re entering a brave new world of exploits that take advantage of humans not reading the manual while the AI reads it and follows it to the letter. - Drew

MORE NEWS

FOR THE LULZ 🤣

RESEARCH & RESOURCES 📒

Instructor, consultant, conference organizer, and podcast host Keith Parsons has published this list to help you assemble your own Wi-Fi engineering toolkit. All items are hyperlinked and are noted with their costs. Fantastic resource. BTW, Keith lists an $850 MacBook Air as part of the kit. So, if you’ve already got an adequate laptop, this toolkit just got a whole lot cheaper! - Ethan

John Capobianco provides guidance on preparing for the CCNP automation track, which will replace the DevNet Pro cert. This video focuses on two sub-topics in the CCNP Automation certification blueprint. John walks through how to put together a real subnet calculator MCP using Python FastMCP. He also shows you how to build an AI agent client that connects from VS Code, and explains the logic Cisco wants you to use. - Drew

Ned Bellavance (co-host of Day Two DevOps) has put together a list of tech blogs, along with an RSS feed link and general topic descriptor. Ned writes “Below is a list of tech blogs that are self-hosted and do not have a bunch of pop-up garbage. Each blog has been checked by me, Ned, to ensure it doesn't pester you with stupid email logins, pop-up ads, or random paywalls. Please share and enjoy!”

If you’ve got a blog and would like to be on the list, I’m happy to pass along the request to Ned. You can reach me at [email protected]. - Drew

The FRR project marches on with the release of 10.4.0. Here’s what’s new.

  • BGP BFD Strict-Mode

    • neighbor PEER bfd strict [hold-time N]

  • BGP Link-Local Next Hop Capability (draft-ietf-idr-linklocal-capability)

    • neighbor PEER capability link-local

  • BGP Transparent mode

    • neighbor PEER ip-transparent

  • BGP Next Hop Dependent Characteristics Attribute (draft-ietf-idr-entropy-label)

    • neighbor PEER send-nexthop-characteristics

  • IGMP and MLD group/source limits

    • ip igmp max-groups

    • ip igmp max-sources

    • ipv6 mld max-groups

    • ipv6 mld max-sources

  • PIM dense and sparse-dense mode support (RFC3973)

    • new interface mode: dense (ip pim dm)

    • new interface mode: sparse-dense (ip pim sm-dm)

  • IGMPv2/MLDv1 immediate leave

  • v4-via-v6 nexthop support for static routes

  • Timeout for vtysh

    • exec-timeout

  • Discover PREF64 in Router Advertisements (RFC8781)

    • ipv6 nd nat64

Click through and you can read about many other changes and tweaks as well. Enjoy this latest iteration of the FRR team’s fine work! - Ethan

MORE RESOURCES

  1. RFC Index (all RFCs listed from 0001 to 9829 as of this writing) - IETF

  2. Learning Center (resources on cyber security and how the Internet works) - Cloudflare

  3. AWS EC2 instance timeline (open source historical overview of AWS instance releases, also available as JSON) - instancetyp.es

INDUSTRY BLOGS & VENDOR ANNOUNCEMENTS 💬 

Palo Alto Networks is buying identity and privileged access management company CyberArk for $25 billion in a stock-and-cash deal. This is, by far, the largest acquisition by price in Palo Alto Networks’ history (it spent $1.25 billion to buy Expanse back in 2020, and picked up IBM QRadar assets for $1.14 billion last year). 

The acquisition gives Palo Alto Networks a significant footprint in the identity and privileged access management market, with little overlap of its existing portfolio. In the press release, Palo Alto Networks says identity will become a core pillar of its strategy and “will extend privileged identity protection to all identity types including human, machine, and the new wave of autonomous AI agents.” - Drew 

Analyst firm Dell’Oro Group forecasts that the SASE market will grow to $17 billion over the next four years, a 12% compound annual growth rate. What’s really struck me is that Dell’Oro predicts 90% of the market will go to vendors that can offer both the SD-WAN and SSE sides of SASE, aka single-vendor SASE.

I’m not surprised that a majority of customers would want to go single-source for SASE (one throat to choke, maybe better visibility into network and security performance, incentives such as discounts, etc.), but 90% seems incredibly high. If that’s the case, it’s good news for companies such as Palo Alto Networks, Fortinet, and Cato Networks. It’s going to make things tougher for vendors such as HPE, which has a robust SD-WAN portfolio but is still listed as “Niche” in SASE (according to Gartner). Meanwhile, Arista just moved into SD-WAN with its purchase of VeloCloud, and says it plans to partner with third parties for SSE. But if the vast majority of customers are looking for a single-vendor solution, that leaves Arista out of a lot of deals.

It may also mean that vendors such as Versa Networks, Zscaler, and Netskope may want to put more effort into reaching out to network buyers to educate them on the SD-WAN side of their SASE portfolios. - Drew 

IPXO leases IPv4 addresses and provides a variety of IP management services including IPAM and DNS tools, RPKI management, geolocation services, and more. The company is offering a new bundle deal wherein if you lease IPv4 addresses from them, or renew an existing contract, they’ll throw in IPAM services, reputation scans for your IPs, and a free /48 IPv6 block. From the announcement: “Rather than just securing IP addresses, you’ll also gain access to premium tools that help you manage, monitor, and prepare your infrastructure for future scalability – all included free of charge for the remainder of 2025.” - Drew 

Forward Networks makes digital twin software for data center networks. The company has announced an integration with Infoblox in which Forward Networks can push its network data into Infoblox NIOS automatically. The benefit? From the press release, Forward Networks claims that it can populate NIOS with network views that include “accurate subnets, interface IPs, device metadata, and classification details.” - Drew

Nexos is a startup from the founders of Nord Security that aims to help companies get their arms around the AI models they are using inside their organizations. The company says it supports over 200 AI models, and can provide services such as model routing and load balancing, monitoring and analytics, performance optimization across model providers, and security controls and guardrails to prevent data leaks and make sure output aligns with company policies. Nexos is now offering free trials of the platform. The trial lasts for 14 days, and Nexos says you don’t have to provide a credit card for the trial version. - Drew

MORE INDUSTRY NOISES

DYSTOPIA IRL 🐙

TOO MANY LINKS WOULD NEVER BE ENOUGH 🐳

LAST LAUGH 😆

Shared by Kaj on the Packet Pushers’ Community Slack