What Is A Zero Trust Network Architecture
Every few years the industry takes a significant step towards a more holistic and capable security model. At the beginning, everything and everyone was trusted, and for good reason. You knew every operator and every machine that was connected to the network. But as networks have become ubiquitous, that level of trust is simply unreasonable. So we’ve built firewalls, and differing levels of inspection, but all of these tools still allow for some implicit level of trust between a machine and those machines closest to them. That is changing and that is what we’re here to talk about today. The newest trend in security is the concept of zero trust, and while it’s suffering the common plight of any new trend with multiple vendors trying to shape the definition, removing implicit trust in our networks is the next logical step towards a truly secure infrastructure.
- Additional Resources
- NIST special publication 800-207
- Takes a pragmatic approach
- Probably the best doc on zero trust arch today
- https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207-draft2.pdf
- Gilman, E., Barth, D. (2017). Zero Trust Networks : building secure systems in untrusted networks. Sebastopol, CA: O’Reilly Media.
- This is a great book on implementing zero trust in Continue reading
- NIST special publication 800-207
Announcing NFA v 20.10 with support for Custom IP Groups
We’re excited to announce the release of NFA v 20.10 today. This version comes with support for the IPFIX variable length information
The post Announcing NFA v 20.10 with support for Custom IP Groups appeared first on Noction.
Introducing NFA Custom Groups
The post Introducing NFA Custom Groups appeared first on Noction.
Building Secure Layer-2 Data Center Fabric with Cisco Nexus Switches
One of my readers is designing a layer-2-only data center fabric (no SVI interfaces on switches) with stringent security requirements using Cisco Nexus switches, and he wondered whether a host connected to such a fabric could attack a switch, and whether it would be possible to reach the management network in that way.
Do you think it’s possible to reach the MANAGEMENT PLANE from the DATA PLANE? Is it valid to think that there is a potential attack vector that someone can compromise to source traffic from the front of the device (ASIC) through the PCI bus across the CPU to the across the PCI bus to the Platform Controller Hub through the I/O card to spew out the Management Port onto that out-of-band network?
My initial answer was “of course there’s always a conduit from the switching ASIC to the CPU, how would you handle STP/CDP/LLDP otherwise”. I also asked Lukas Krattiger for more details; here’s what he sent me:
Building Secure Layer-2 Data Center Fabric with Cisco Nexus Switches
One of my readers is designing a layer-2-only data center fabric (no SVI interfaces on switches) with stringent security requirements using Cisco Nexus switches, and he wondered whether a host connected to such a fabric could attack a switch, and whether it would be possible to reach the management network in that way.
Do you think it’s possible to reach the MANAGEMENT PLANE from the DATA PLANE? Is it valid to think that there is a potential attack vector that someone can compromise to source traffic from the front of the device (ASIC) through the PCI bus across the CPU to the across the PCI bus to the Platform Controller Hub through the I/O card to spew out the Management Port onto that out-of-band network?
My initial answer was “of course there’s always a conduit from the switching ASIC to the CPU, how would you handle STP/CDP/LLDP otherwise”. I also asked Lukas Krattiger for more details; here’s what he sent me:
DNS Trends
We're now using the Internet's address infrastructure in very different ways than the way we had envisaged in the 1980's. The Internet’s name infrastructure is subject to the same evolutionary pressures, and its these pressures I’d like to look at here. How is the DNS is responding?OnVue – Get certified from your home
One of the positive aspects of this difficult period, if I may say so, is the possibility of taking a Pearson Vue test online, called OnVue. Last Friday, October 23rd, I took a Cisco exam from home and I think it’s interesting to share with you the details of this experience. With OnVue – Get certified from your home! The registration for the exam The registration for the test is almost the same as for a Cisco test done in a Vue test center. Go to the website of Pearson…
The post OnVue – Get certified from your home appeared first on AboutNetworks.net.
Coping with COVID-19: Lessons from the Best CIOs
Those enterprises that were proactive about IT before the pandemic were well positioned to handle the tough challenges that COVID-19 forced upon them.The History of Networking: John Chapman and Cable Networks
Before the large cable providers came on the scene, most people accessed the Internet through dial-up MODEMS, connecting to services like America Online, across plain old telephone lines. The entrance of cable providers, and cable MODEMs, allowed the edge of the Internet to explode, causing massive growth. Join Donald Sharp and I on this episode of the History of Networking as John Chapman discusses the origins of the cable MODEM, and the origins of the DOCSIS standards.
Heavy Networking 546: Making Zero Trust Remote Access Work (Sponsored)
Zero trust network access is ideal for today's distributed workforce, but it can be tricky to put into place. On today's sponsored Heavy Networking podcast, we talk with NetMotion about its remote access product that enable zero trust plus performance monitoring to help troubleshoot problems for remote workers. Our guest is Jay Klauser, VP of Worldwide Sales Engineering & Alliances at NetMotion.Heavy Networking 546: Making Zero Trust Remote Access Work (Sponsored)
Zero trust network access is ideal for today's distributed workforce, but it can be tricky to put into place. On today's sponsored Heavy Networking podcast, we talk with NetMotion about its remote access product that enable zero trust plus performance monitoring to help troubleshoot problems for remote workers. Our guest is Jay Klauser, VP of Worldwide Sales Engineering & Alliances at NetMotion.
The post Heavy Networking 546: Making Zero Trust Remote Access Work (Sponsored) appeared first on Packet Pushers.
Pandemic Accelerates Loss of Internet Freedoms
The COVID-19 pandemic has not only caused more than one million deaths worldwide, but it is also accelerating a decline in Internet freedoms across the globe, according to a new report from Freedom House.
The past year has been “especially dismal” for Internet Freedom, according to the Freedom on the Net 2020 report, sponsored by the Internet Society. Political leaders have used the pandemic as an excuse to limit access to information and to roll out new surveillance measures, the report says.
At the same time, a slow-motion splintering of the Internet has turned into an “all-out race toward ‘cyber sovereignty,’ with each government imposing its own internet regulations in a manner that restricts the flow of information across national borders,” the report says. Authorities in several countries, including the U.S., China, Russia, Brazil, and Turkey have erected new digital borders.
As a result, Internet freedoms have declined for the 10th consecutive year, says the report, which tracks Internet freedom in 65 countries, covering 87 percent of the world’s Internet users. From May 2019 to June 2020, the report found Internet freedom scores dropping in 26 countries, with 22 registering net gains.
The largest declines occurred in Continue reading
Diving into /proc/[pid]/mem
![Diving into /proc/[pid]/mem](http://blog.cloudflare.com/content/images/2020/10/image3-25.png)
![Diving into /proc/[pid]/mem](http://blog.cloudflare.com/content/images/2020/10/image2-27.png)
A few months ago, after reading about Cloudflare doubling its intern class size, I quickly dusted off my CV and applied for an internship. Long story short: now, a couple of months later, I found myself staring into Linux kernel code and adding a pretty cool feature to gVisor, a Linux container runtime.
My internship was under the Emerging Technologies and Incubation group on a project involving gVisor. A co-worker contacted my team about not being able to read the debug symbols of stack traces inside the sandbox. For example, when the isolated process crashed, this is what we saw in the logs:
*** Check failure stack trace: ***
@ 0x7ff5f69e50bd (unknown)
@ 0x7ff5f69e9c9c (unknown)
@ 0x7ff5f69e4dbd (unknown)
@ 0x7ff5f69e55a9 (unknown)
@ 0x5564b27912da (unknown)
@ 0x7ff5f650ecca (unknown)
@ 0x5564b27910fa (unknown)
Obviously, this wasn't very useful. I eagerly volunteered to fix this stack unwinding code - how hard could it be?
After some debugging, we found that the logging library used in the project opened /proc/self/mem to look for ELF headers at the start of each memory-mapped region. This was necessary to calculate an offset to find the correct addresses for debug symbols.
It turns out this mechanism is rather Continue reading
Grasp the Fundamentals before Spreading Opinions
I should have known better, but I got pulled into another stretched VLANs for disaster recovery tweetfest. Surprisingly, most of the tweets were along the lines of you really shouldn’t be doing that and that would never work well, but then I guess I was only exposed to a small curated bubble of common sense… until this gem appeared in my timeline:
Interestingly, that’s exactly how IP works: