Build Zero Trust rules with managed devices
Starting today, your team can use Cloudflare Access to build rules that only allow users to connect to applications from a device that your enterprise manages. You can combine this requirement with any other rule in Cloudflare’s Zero Trust platform, including identity, multifactor method, and geography.
As more organizations adopt a Zero Trust security model with Cloudflare Access, we hear from customers who want to prevent connections from devices they do not own or manage. For some businesses, a fully remote workforce increases the risk of data loss when any user can login to sensitive applications from an unmanaged tablet. Other enterprises need to meet new compliance requirements that restrict work to corporate devices.
We’re excited to help teams of any size apply this security model, even if your organization does not have a device management platform or mobile device manager (MDM) today. Keep reading to learn how Cloudflare Access solves this problem and how you can get started.
The challenge of unmanaged devices
An enterprise that owns corporate devices has some level of control over them. Administrators can assign, revoke, inspect and manage devices in their inventory. Whether teams rely on management platforms or a simple spreadsheet, businesses can Continue reading
Inside Cloudflare: Preventing Account Takeovers
Over the last week, Cloudflare has published blog posts on products created to secure our customers from credential stuffing bots, detect users with compromised credentials, and block users from proxy services. But what do we do inside Cloudflare to prevent account takeovers on our own applications? The Security Team uses Cloudflare products to proactively prevent account compromises. In addition, we build detections and automations as a second layer to alert us if an employee account is compromised. This ensures we can catch suspicious behavior, investigate it, and quickly remediate.
Our goal is to prevent automated and targeted attackers regardless of the account takeover technique: brute force attack, credential stuffing, botnets, social engineering, or phishing.
Classic Account Takeover Lifecycle
First, let's walk through a common lifecycle for a compromised account.
In a typical scenario, a set of passwords and email addresses have been breached. These credentials are reused through credential stuffing in an attempt to gain access to any account (on any platform) where the user may have reused that combination. Once the attacker has initial access, which means the combination worked, they can gain information on that system and pivot to other systems through methods. This is classified Continue reading
End User Security: Account Takeover Protections with Cloudflare
End user account security is always a top priority, but a hard problem to solve. To make matters worse, authenticating users is hard. With datasets of breached credentials becoming commonplace, and more advanced bots crawling the web attempting credential stuffing attacks, protecting and monitoring authentication endpoints becomes a challenge for security focused teams. On top of this, many authentication endpoints still rely just on providing a correct username and password making undetected credential stuffing lead to account takeover by malicious actors.
Many features of the Cloudflare platform can help with implementing account takeover protections. In this post we will go over several examples as well as announce a number of new features. These include:
- Open Proxy managed list (NEW): ensure authentication attempts to your app are not coming from proxy services;
- Super Bot Fight Mode (NEW): keep automated traffic away from your authentication endpoints;
- Exposed Credential Checks (NEW): get a warning whenever a user is logging in with compromised credentials. This can be used to initiate a two factor authentication flow or password reset;
- Cloudflare Access: add an additional authentication layer by easily integrating with third party OATH services, soon with optional enforcement of managed devices (NEW);
- Rate Limiting Continue reading
Nokia Service Routing Certification and my experience
Introduction Many times I heard that certification is just wasting time. And only real experience does matter. Of course, real experience is important. But often It’s so hard to get experience. E.g. your current job can’t give you opportunities to work with some technologies and you can’t get a new promotion or change a job, because you don’t have some experience. A typical loop. And in my opinion, certification is one of the suitable tools to break this loop and expand your opportunities.
Benefits of every certification:
- We always need motivation for learning something. Every certification consists of several levels. Step by step approach. Levels are goals for us. And it helps to keep motivation on a high level. And every achieved level helps to feel more confident.
- Every certification program has proper learning tools. Self-study guides, books, online/offline courses, etc. It helps to save time so we can just start to study.
- Certification is not the main goal. Preparing is the main goal. And preparing results. For example, notes. Notes were useful before exams as well as they will be useful in the future.
Benefits of every certification:
- We always need motivation for learning something. Every certification consists of several levels. Step by step approach. Levels are goals for us. And it helps to keep motivation on a high level. And every achieved level helps to feel more confident.
- Every certification program has proper learning tools. Self-study guides, books, online/offline courses, etc. It helps to save time so we can just start to study.
- Certification is not the main goal. Preparing is the main goal. And preparing results. For example, notes. Notes were useful before exams as well as they will be useful in the future.
- Engineers Continue reading
Dealing with Cloud Challenges
Here’s a message I got from one of my subscribers (probably based on one of my recent public cloud rants):
I often think the cloud stuff has been sent to try us in IT – the struggle could be tough enough when we were dealing with waterfall development and monolithic projects. When products took years to develop, and years to understand.
And now we’re being asked to be agile and learn new stuff all the time about moving targets that barely have documentation at all, never mind accurate doco! We had obviously got into our comfort zone and needed shaking out of it!
Always interested to hear your experiences with the cloud networking though – it’s what I subscribed to ipspace.net for TBH as I think it’s the most complete reference source for that purpose and a vital part of enterprise networking these days!
Dealing with Cloud Challenges
Here’s a message I got from one of my subscribers (probably based on one of my recent public cloud rants):
I often think the cloud stuff has been sent to try us in IT – the struggle could be tough enough when we were dealing with waterfall development and monolithic projects. When products took years to develop, and years to understand.
And now we’re being asked to be agile and learn new stuff all the time about moving targets that barely have documentation at all, never mind accurate doco! We had obviously got into our comfort zone and needed shaking out of it!
Always interested to hear your experiences with the cloud networking though – it’s what I subscribed to ipspace.net for TBH as I think it’s the most complete reference source for that purpose and a vital part of enterprise networking these days!
Tech Bytes: Inside The Latest SASE Features Of Palo Alto Networks Prisma Access 2.0 (Sponsored)
oday on the Tech Bytes podcast, sponsored by Palo Alto Networks, we dive into Prisma Access 2.0 and how it differs from the first-generation version. We talk about cloud-delivered security, Zero Trust Network Access, the return of proxies, and the importance of user experience management for distributed work.
The post Tech Bytes: Inside The Latest SASE Features Of Palo Alto Networks Prisma Access 2.0 (Sponsored) appeared first on Packet Pushers.
Tech Bytes: Inside The Latest SASE Features Of Palo Alto Networks Prisma Access 2.0 (Sponsored)
oday on the Tech Bytes podcast, sponsored by Palo Alto Networks, we dive into Prisma Access 2.0 and how it differs from the first-generation version. We talk about cloud-delivered security, Zero Trust Network Access, the return of proxies, and the importance of user experience management for distributed work.Dridex Reloaded: Analysis of a New Dridex Campaign
Dridex is a banking Trojan. After almost a decade since it was first discovered, the threat is still active. According to a report published by Check Point [1], Dridex was one of the most prevalent malware in 2020. The recent Dridex campaign detected by VMware demonstrates that this ongoing threat constantly evolves with new tactics, techniques, and procedures (TTPs), which exhibit great differences with respect to the variants we’ve collected from campaigns since April 2020 (as discussed in the section Comparison with old Dridex samples).
In this blog post, we first examine the recent Dridex attack by looking into some of VMware’s NSX Advanced Threat Prevention telemetry, which showcases the magnitude of the campaign. We then present the analysis for the most distinctive aspects of the attack, from the techniques leveraged by the XLSM downloader to the main functionality of the DLL payloads. Finally, we provide a comparison to some other Dridex variants seen in the past, which leads to the conclusion that the Dridex variant from the January 2021 campaign is very different from previous variants.
The Dridex Campaign
The chart below shows Continue reading
The Insecurity of Ambiguous Standards
Why are networks so insecure?
One reason is we don’t take network security seriously. We just don’t think of the network as a serious target of attack. Or we think of security as a problem “over there,” something that exists in the application realm, that needs to be solved by application developers. Or we think the consequences of a network security breach as “well, they can DDoS us, and then we can figure out how to move load around, so if we build with resilience (enough redundancy) we’re already taking care of our security issues.” Or we put our trust in the firewall, which sits there like some magic box solving all our problems.
The problem is–none of this is true. In any system where overall security is important, defense-in-depth is the key to building a secure system. No single part of the system bears the “primary responsibility” for “security.” The network is certainly a part of any defense-in-depth scheme that is going to work.
Which means network protocols need to be secure, at least in some sense, as well. I don’t mean “secure” in the sense of privacy—routes are not (generally) personally identifiable information (there are always Continue reading
Root Cause Analysis of the Most Common Network and User Experience Problems
To find the root cause and speed up issue resolution, IT teams need a clear view of the correlation between user experience, measurable network behavior, and underlying network issues.Network Break 326: Cloudflare Announces New WAN Services; Intel’s Turnaround Roadmap
Can Pat Gelsinger refloat the Intel container ship? Is Cloudflare's new magic WAN service all that new? What's behind the Fortinet/Linksys partnership? Is a tweet really worth $2.9 million? This week's Network Break podcast ponders these and other tech questions, plus listener FUs.Network Break 326: Cloudflare Announces New WAN Services; Intel’s Turnaround Roadmap
Can Pat Gelsinger refloat the Intel container ship? Is Cloudflare's new magic WAN service all that new? What's behind the Fortinet/Linksys partnership? Is a tweet really worth $2.9 million? This week's Network Break podcast ponders these and other tech questions, plus listener FUs.
The post Network Break 326: Cloudflare Announces New WAN Services; Intel’s Turnaround Roadmap appeared first on Packet Pushers.
The Week in Internet News: Facebook Calls for Changes in Legal Protections for User Content
Rewriting the rules: Facebook, during a hearing in the U.S. Congress, called on lawmakers to revamp Section 230 of the Communications Decency Act of 1996, which protects websites from lawsuits for content posted by users, NBC News reports. Websites should be protected if they adopt user moderation practices largely in line with Facebook’s own rules, ZDNet noted. The change could give Facebook an advantage while upending much of the rest of the Internet, The Verge suggested.
Competition in space: The competition among satellite-based broadband providers is heating up, with OneWeb launching 36 new satellites from eastern Russia, The BBC reports. The company, now primarily owned by Indian conglomerate Bharti Global and the U.K. government, now has 146 broadband satellites deployed. The company plans to offer broadband service later this year to northern latitudes, including the U.K., Northern Europe, Alaska, Canada, and other areas. Meanwhile, three rural counties in North Carolina are testing broadband service from SpaceX, another satellite provider, as a way to provide Internet service to students, GCN says.
Bad virus information: Facebook and Twitter have removed millions of posts containing misinformation about COVID-19 in recent months, The Straits Times reports. Since last year, Continue reading
A new Cloudflare Web Application Firewall
The Cloudflare Web Application Firewall (WAF) blocks more than 57 billion cyber threats per day. That is 650k blocked HTTP requests per second. The original code that filters this traffic was written by Cloudflare’s now CTO and the WAF has since received many accolades including the highest score for ability to execute in the 2020 Gartner Magic Quadrant for WAF.
Because we value replacing code when it is no longer as maintainable, performant, or scalable as it once was, we regularly rewrite key parts of the Cloudflare stack. That’s necessary as our enormous growth makes yesterday’s solutions unworkable. For some time, we have been working on replacing that original LuaJIT code John wrote with new code, written in Rust, along with an improved UI.
We are now excited to announce a new Cloudflare Web Application Firewall.
Starting today, 10% of newly created accounts on Cloudflare will be given access to the new WAF whenever a Pro plan zone or above is added. This percentage will increase to 100% of new accounts over the month of April, after which migration efforts will commence for existing customers. Enterprise customers may migrate early by contacting their account team.
What’s changing
The Web Application Continue reading
Playing games with Tensorflow
As a fun project, I recently built a web app to play checkers online against the computer. This post tries to outline the methodology I used. If you want to checkout the results, I would encourage you to try the web link above, change the difficulty level to ‘hard’ and play a round against the computer. You will be playing against a very simple neural network model that is, as far as I can tell, reasonably effective.
The standard approach to developing a game AI for something like board games is the “MiniMax” algorithm. Implementing “MiniMax” for a game like checkers is a relatively simple task; one needs to components:
- A method of generating valid moves for a play given a board position;
- A scorer function that evaluates the “goodness” of a given board position for a play;
There are multiple sets of possible rules for the game of checkers. I used the “Spanish draughts” rule set popular in Portugal: men move forward only; flying kings and mandatory moves on a 8×8 board. The minimax algorithm is independent of the particular rule-set used.
The scorer function must be able to look at a given player position and determine a score. Continue reading