Unnumbered Ethernet Interfaces
Imagine an Internet Service Provider offering Ethernet-based Internet access (aka everyone using fiber access, excluding people believing in Russian dolls). If they know how to spell security, they might be nervous about connecting numerous customers to the same multi-access network, but it seems they have only two ways to solve this challenge:
- Use private VLANs with proxy ARP on the head-end router, forcing the customer-to-customer traffic to pass through layer-3 forwarding on the head-end router.
- Use a separate routed interface with each customer, wasting three-quarters of their available IPv4 address space.
Is there a third option? Can’t we pretend Ethernet works in almost the same way as dialup and use unnumbered IPv4 interfaces?
How Do Surveillance Laws Impact the Economy?
In 2018 the Australian parliament passed the “TOLA” Act, expanding the government’s powers to bypass digital data protections, and bringing with it the potential for significant harm to the economy and to trust in digital services and the Internet. Under TOLA, law enforcement and security agencies can require “designated communications providers,” or other businesses associated […]
The post How Do Surveillance Laws Impact the Economy? appeared first on Internet Society.
Keeping the Internet on during Benin’s Presidential Elections
With protests intensifying and social media interruptions reported in the weeks leading up to Benin’s presidential elections on 11 April 2021, many Internet and civil rights organizations were growing nervous about the potential for another Internet shutdown. Internet access was cut for almost 24 hours during Benin’s legislative elections in 2019 and there has been […]
The post Keeping the Internet on during Benin’s Presidential Elections appeared first on Internet Society.
Is Your Perimeter Firewall Enough?
It’s not unnecessary, but a perimeter firewall is not enough. Picture this: innocent end-user at a mid-size commercial firm clicks on an email link originating in a phishing email attack. Sigh. The bad actor is now already behind the firewall. Without lateral controls, the exploit can quickly propagate throughout the network. In fact, according to our recent Threat Landscape Report, email is still the number one vector to deliver malware, and 4% of all emails are malicious. So if you have 701 emails in your inbox right now (no? just me?) 28 of them may be malicious. Yikes.
Most data center traffic happens within the data center and behind perimeter firewalls—a.k.a. east-west traffic, internal traffic, or lateral traffic—as opposed to north-south traffic, which is inbound/outbound. Likewise, most of the high-profile attacks in recent times have involved malware sitting inside the network, moving laterally from server to server and remaining undetected for months. This is what causes real damage. You simply need more visibility and control in east-west traffic to prevent attackers’ lateral movement.
Perimeter Firewalls Weren’t Made to Secure East-West Traffic
It’s true, traditional appliance-based firewalls Continue reading
Network Break 335: Cyber Insurance Premiums Climb; Aruba To Debut Wi-Fi 6E AP
Today's Network Break discusses rising cyber insurance premiums and how wider insurance adoption might affect the security market. We also discuss a forthcoming Aruba AP that uses newly available spectrum, a new packet broker from Extreme with a programmable ASIC, Juniper's Apstra 4.0 release, and more IT news.
The post Network Break 335: Cyber Insurance Premiums Climb; Aruba To Debut Wi-Fi 6E AP appeared first on Packet Pushers.
Network Break 335: Cyber Insurance Premiums Climb; Aruba To Debut Wi-Fi 6E AP
Today's Network Break discusses rising cyber insurance premiums and how wider insurance adoption might affect the security market. We also discuss a forthcoming Aruba AP that uses newly available spectrum, a new packet broker from Extreme with a programmable ASIC, Juniper's Apstra 4.0 release, and more IT news.What is the Zoned Namespace Specification?
The Zoned Namespace specification (ZNS) brings a new command set for host systems to use when accessing SSDs and to get more out of those SSDs under certain workloads.Tech Bytes: Why Sanitas Selected Aruba EdgeConnect As Its SD-WAN Solution (Sponsored)
On today's Tech Bytes podcast we speak with healthcare provider Sanitas on why the organization is replacing its existing SD-WAN vendor with Aruba EdgeConnect to provide network insights for visibility and troubleshooting, fine-grained segmentation for security and compliance, and easier operation for a small IT team.Tech Bytes: Why Sanitas Selected Aruba EdgeConnect As Its SD-WAN Solution (Sponsored)
On today's Tech Bytes podcast we speak with healthcare provider Sanitas on why the organization is replacing its existing SD-WAN vendor with Aruba EdgeConnect to provide network insights for visibility and troubleshooting, fine-grained segmentation for security and compliance, and easier operation for a small IT team.
The post Tech Bytes: Why Sanitas Selected Aruba EdgeConnect As Its SD-WAN Solution (Sponsored) appeared first on Packet Pushers.
Packet Actions – Python and Scapy
Hello and welcome to the “Packet Actions” series of blog posts. I’d like to spend a few posts talking through how you can programmatically integrate with a network dataplane. I had thrown around the idea of calling this series “Doing things with packets” but that seemed a bit long and also could mean just about anything. So what does Packet Actions mean? Well – its the shortest way I could come up with to say “Looking at packets on the wire and doing things based on what you see in the packet”. To discuss this further I’d like to talk about the often made analogy of network engineers being plumbers – an analogy that makes fairly good sense in most cases. For instance, network engineers create the paths for data to flow – plumbers make paths for water to flow. Additionally both need to make sure that there are no blockages or issues with handling the amount of data or water that needs to flow through the pipes. Going a step further – plumbers might use a diagnostic tool like a scope to physically look inside the pipes if theres a blockage or issue so they can see what’s going Continue reading
Single-Metric Unequal-Cost Multipathing Is Hard
A while ago we discussed whether unequal-cost multipathing (UCMP) makes sense (TL&DR: rarely), and whether we could implement it in link-state routing protocols (TL&DR: yes). Even though we could modify OSPF or IS-IS to support UCMP, and Cisco IOS XR even implemented those changes (they are not exactly widely used), the results are… suboptimal.
Imagine a simple network with four nodes, three equal-bandwidth links, and a link that has half the bandwidth of the other three:
Single-Metric Unequal-Cost Multipathing Is Hard
A while ago, we discussed whether unequal-cost multipathing (UCMP) makes sense (TL&DR: rarely), and whether we could implement it in link-state routing protocols (TL&DR: yes). Even though we could modify OSPF or IS-IS to support UCMP, and Cisco IOS XR even implemented those changes (they are not exactly widely used), the results are… suboptimal.
Imagine a simple network with four nodes, three equal-bandwidth links, and a link that has half the bandwidth of the other three:
The Week in Internet News: Russia Hackers Target Human Rights Groups
Targeted attacks: A Russian hacking group is targeting international aid and human rights organizations, according to Microsoft, Al Jazeera reports. The recent attacks, from the Nobelium group, targeted about 3,000 email accounts of more than 150 organizations spanning 24 countries. Nobelium is blamed for the recent SolarWinds attacks as well. The group gained access to […]
The post The Week in Internet News: Russia Hackers Target Human Rights Groups appeared first on Internet Society.
Illusory Correlation and Security
Fear sells. Fear of missing out, fear of being an imposter, fear of crime, fear of injury, fear of sickness … we can all think of times when people we know (or worse, a people in the throes of madness of crowds) have made really bad decisions because they were afraid of something. Bruce Schneier has documented this a number of times. For instance: “it’s smart politics to exaggerate terrorist threats” and “fear makes people deferential, docile, and distrustful, and both politicians and marketers have learned to take advantage of this.” Here is a paper comparing the risk of death in a bathtub to death because of a terrorist attack—bathtubs win.
But while fear sells, the desire to appear unafraid also sells—and it conditions people’s behavior much more than we might think. For instance, we often say of surveillance “if you have done nothing wrong, you have nothing to hide”—a bit of meaningless bravado. What does this latter attitude—“I don’t have anything to worry about”—cause in terms of security?
Several attempts at researching this phenomenon have come to the same conclusion: average users will often intentionally not use things they see someone they perceive as paranoid using. Continue reading