Member News: Chapters Focus on Encryption
Lock it down: Several Internet Society chapters across the globe have written about the importance of encryption in recent weeks. The Namibia Chapter wrote about the way encryption can improve privacy and fight against the big business of criminal hacking. “Cybercrime is a global business, often run by multinational outfits,” the Chapter wrote. The Hong Kong Chapter, meanwhile, wrote that “encryption matters to all of us.” Internet users need to work together to protect encryption, the Chapter added. “No party can stand alone to persuade governments to stop creating laws or policies that harm encryption and digital security.”
Freedom for all: The Hong Kong Chapter also called for Internet freedoms to continue in the region as the Chinese government pushes for new security laws there. “We are convinced that the freedoms of speech, press and publication guaranteed by the Basic Law are also applicable to the media industry on the Internet,” the chapter wrote. “Internet users have the freedom and right to obtain, share information and express their expressions, and are protected from being censored, blocked or criminalized.”
Expanding the community: The Nepal Chapter recently wrote about community networks in the country, by highlighting the Rural Continue reading
Sandboxing in Linux with zero lines of code
Modern Linux operating systems provide many tools to run code more securely. There are namespaces (the basic building blocks for containers), Linux Security Modules, Integrity Measurement Architecture etc.
In this post we will review Linux seccomp and learn how to sandbox any (even a proprietary) application without writing a single line of code.
Tux by Iwan Gabovitch, GPL
Sandbox, Simplified Pixabay License
Linux system calls
System calls (syscalls) is a well-defined interface between userspace applications and the operating system (OS) kernel. On modern operating systems most applications provide only application-specific logic as code. Applications do not, and most of the time cannot, directly access low-level hardware or networking, when they need to store data or send something over the wire. Instead they use system calls to ask the OS kernel to do specific hardware and networking tasks on their behalf:
Apart from providing a generic high level way for applications to interact with the low level hardware, the system call architecture allows the OS kernel to manage available resources between applications as well as enforce policies, like application permissions, networking access control lists etc.
Linux seccomp
Linux seccomp is yet another syscall on Linux, but it is a bit Continue reading
Worth Reading: Lies, Damned Lies, and Keynotes
Got sick and tired of conference keynotes? You might love the Lies, Damned Lies, and Keynotes rant by Corey Quinn. Here are just two snippets:
They’re selling a fantasy, and you’ve been buying it all along.
We’re lying to ourselves. But it feels better than the unvarnished truth.
Enjoy!
CVE-2020-5902: Helping to protect against the F5 TMUI RCE vulnerability
Cloudflare has deployed a new managed rule protecting customers against a remote code execution vulnerability that has been found in F5 BIG-IP’s web-based Traffic Management User Interface (TMUI). Any customer who has access to the Cloudflare Web Application Firewall (WAF) is automatically protected by the new rule (100315) that has a default action of BLOCK.
Initial testing on our network has shown that attackers started probing and trying to exploit this vulnerability starting on July 3.
F5 has published detailed instructions on how to patch affected devices, how to detect if attempts have been made to exploit the vulnerability on a device and instructions on how to add a custom mitigation. If you have an F5 device, read their detailed mitigations before reading the rest of this blog post.
The most popular probe URL appears to be /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp followed by /tmui/login.jsp/..;/tmui/util/getTabSet.jsp, /tmui/login.jsp/..;/tmui/system/user/authproperties.jsp and /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp. All contain the critical pattern ..; which is at the heart of the vulnerability.
On July 3 we saw O(1k) probes ramping to O(1m) yesterday. This is because simple test patterns have been added to scanning tools and small test programs made available by Continue reading
History of USENET with Steve Bellovin
Steve Bellovin began working on networks as a system administrator, helping to build USENIX, which supports operating system research. His work as a system administrator drew his interest into security and cryptographic protection of data, leading him into working on some of the foundational protocols on the Internet.
Dictionary: Finger Defined Networking
Because 'command line' is deprectated
The post Dictionary: Finger Defined Networking appeared first on EtherealMind.
BGP EVPN Underlay Network with OSPF
Introduction
The foundation of a modern Datacenter fabric is an Underlay Network and it is crucial to understand the operation of the Control-Plane protocol solution used in it. The focus of this chapter is OSPF. The first section starts by introducing the network topology and AS numbering scheme used throughout this book. The second section explains how OSPF speakers connected to the same segment become fully adjacent. The third section discusses the process of how OSPF speakers exchange Link State information and build a Link-State Database (LSDB) which is used as an information source for calculating Shortest Path Tree (SPT) towards each destination using Dijkstra algorithm. The focus of the fourth section is an OSPF LSA flooding process. It strat by explaining how local OSPF speaker sends Link State Advertisements wrapped inside a Link-State Update message to its adjacent router and how receiving OSPF speakers a) installs information into LSDB, b) Acknowledge the packet, and c) floods it out of OSPF interfaces. The fifth section discusses of LSA and SPF timers. At the end of this chapter, there are OSPF related configurations from every device.
Infrastructure AS Numbering and IP Addressing Scheme
Figure 1-1 illustrates an AS numbering and an IP address scheme used throughout this book. All Leaf switches have dedicated BGP Private AS number while spine switches in the same cluster share the same AS number. Inter-Switch links use Unnumbered IP addressing using (interface Loopback 0) which is also used as OSPF Router-Id. Loopback 0 is not advertised by any device. OSPF type for Inter-Switch link is point-to-point so there is no DR/BDR election process. Leaf switches also have interface Loopback 30 that is used as a VTEP (VXLAN Tunnel End Point) address. Loopback 30 IP addresses are advertised by Leaf switches. All Loopback interfaces are in OSPF passive interface mode. At this stage, all switches belong to OSPF Area 0.0.0.0.
Figure 1-1: AS Numbering and IP Addressing Scheme.
Continue reading
Latest U.S. ‘Anti-Encryption’ Bill Threatens Security of Millions
The Lawful Access to Encrypted Data Act recently introduced to U.S. Congress may be the worse in a recent string of attacks on encryption, our strongest digital security tool online.
While the recently-amended EARN IT Act would leave strong encryption on unstable ground if passed into law, the Lawful Access to Encrypted Data Act (LAEDA) is a direct assault on the tool millions of people rely on for personal and national security each day.
LAEDA would facilitate the death of end-to-end encryption by forcing companies to provide “technical assistance” to access encrypted data upon request by law enforcement investigations.
The problem is the only way for companies to comply would be to build backdoors into their products and services, or not use encryption at all, making everyone more vulnerable to the same crime we are all trying to prevent. To be clear – we’re talking about the same encryption used to keep activities like online banking, working from home, telehealth, and talking with friends secure online.
The Internet Society raised its concerns in an open letter to the co-sponsors of LAEDA in the Senate, which was signed by over 75 global cybersecurity experts, civil society organizations, companies, and Continue reading
Building Cloudflare TV from scratch
Cloudflare TV is inspired by television shows of the 90s that shared the newest, most exciting developments in computing and music videos. We had three basic requirements for Cloudflare TV:
- Guest participation should be as simple as joining a Zoom call
- There should be 24x7 programming. Something interesting should be playing all the time
- Everything should happen in the cloud and we should never have to ask anyone “to leave their computer on” to have the stream running 24 hours a day
We didn’t set out to build Cloudflare TV from scratch
Building a lot of the technology behind Cloudflare TV from scratch was not part of the plan, especially given our aggressive timeline. So why did we decide to pursue it? After evaluating multiple live streaming solutions, we reached the following conclusion:
- 24x7 linear streaming is not something that is a priority for most video streaming platforms. This makes sense: the rise of video-on-demand and event-based live streaming has come at the expense of linear streaming.
- Most broadcasting platforms have their own guest apps which must be downloaded and set up in advance. This introduces unnecessary friction compared to clicking a link in the calendar invite to join a Continue reading
Juniper SRX DNS Proxy Configuration (Split-DNS)
This post is intended to show you how to configure a Juniper SRX to be a DNS proxy for your …NSX Secures Physical Servers with Bare Metal Agents
Our last blog on how NSX secures physical servers provided background on why physical server security is crucial. We cover the percentage share of physical servers to all workloads in the data center and the specific roles physical servers still play. Today, physical servers by percentage are playing a decreasing role in the data center. However, it’s still a vital one, as we pointed out in our last blog on Securing Physical Servers with NSX Service-defined Firewall. In this blog, we will cover a primary way VMware NSX provides secure connectivity for physical servers using a bare metal agent. VMware NSX-T can now offer secure connectivity for Linux and Windows Server physical servers.
How NSX Distributed Firewall Protects Physical Servers
There are several ways in which NSX can provide security for physical servers. Our original article, Extending the Power of NSX to Bare Metal, outlines each of these methods.
- NSX Distributed Firewall (DFW) ingress rules for traffic from physical servers to virtual workloads
- NSX DFW egress rules for traffic from virtual workloads to physical servers
- The NSX Edge using centralized firewall rules to secure traffic between virtual and physical workloads
- Use NSX agents in Physical Servers
VMware NSX Continue reading
Network Break 291: F5 Patches Severe Vulnerability; Senate Bill Aims To Weaken Encryption
Today's Network Break podcast discusses critical security patches from F5 and Palo Alto Networks, examines the implications of a Senate bill that targets encryption, and dives into VMware's latest acquisition. We also explore a new space-oriented business unit at AWS and more tech news analysis.
The post Network Break 291: F5 Patches Severe Vulnerability; Senate Bill Aims To Weaken Encryption appeared first on Packet Pushers.
Network Break 291: F5 Patches Severe Vulnerability; Senate Bill Aims To Weaken Encryption
Today's Network Break podcast discusses critical security patches from F5 and Palo Alto Networks, examines the implications of a Senate bill that targets encryption, and dives into VMware's latest acquisition. We also explore a new space-oriented business unit at AWS and more tech news analysis.The Future of SD-WAN
SD-WAN has been one of the most hyped technologies in a long time but as the hype settles out and real world deployments start to take shape, the picture is becoming clearer on what SD-WAN is and is not. In this episode we take a look at the original promises, where we are today in relation to those promises, and what SD-WAN might look like in the years to come.
 |
A considerable thank you to Unimus for sponsoring today’s episode. Unimus is a fast to deploy and easy to use Network Automation and Configuration Management solution. You can learn more about how you can start automating your network in under 15 minutes at unimus.net/nc. |
Mike Pfeiffer
Guest
Tony Efantis
Host
Jordan Martin
Host
Outro Music:
Danger Storm Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0 License
http://creativecommons.org/licenses/by/3.0/
The post The Future of SD-WAN appeared first on Network Collective.
The Week in Internet News: Facebook Faces Advertising Boycott
Voting with their dollars: Hundreds of companies have pulled their advertising from Facebook because of the social media giant’s lax policing of misinformation and hate speech, CNN reports. Still, most of the company’s biggest advertisers haven’t joined the boycott, and Facebook CEO Mark Zuckerberg has reportedly predicted “these advertisers will be back on the platform soon enough.”
Driving as a service: German car maker BMW is exploring ways to offer common features, like heated seats and cruise control, in a subscription-based, as-a-service model, The Independent reports. The Next Web called the subscription model “anti-consumer rubbish.” Video game maker Brianna Wu also tweeted her disappointment: “Sorry, but if this catches on, I will never buy another new car. Never.”
Networked threats: The U.S. Federal Communications Commission has designated Chinese networking companies Huawei and ZTE as national security threats, Al Jazeera says. This follows long-term concerns about the companies’ relationship with the Chinese Communist Party and the possibility of surveillance through their equipment. The FCC has proposed that rural telecom carriers be required to replace equipment from the two vendors.
Paying for speed: The Japanese government plans to subsidize local 5G companies as a way to catch up Continue reading
Podcasts I’m Playing in 2020
Since I seem to have a lot more time on my hands without travel thanks to current…things, I’ve been consuming podcasts more and more during my morning workouts. I’ve got a decent list going now and I wanted to share it with you. Here are my favorite podcasts (not including the one that I do for Gestalt IT, the On-Premise IT Roundtable:
- Packet Pushers – The oldest and best is still my go-to for listening. I started back at Episode 3 or 4. i can remember the intro music. And I’ve been a guest and a participant more times than I can count. Greg, Ethan, and Drew do an amazing job of collecting all the info about the networking world and pushing it to my ears daily. When you through in their news feed (Network Break), cloud (Day Two Cloud), DevOps (Full Stack Journey), IPv6 (IPv6 Buzz), and one-off stuff (Briefings in Brief) there’s a lot to consume aside from their Heavy Networking “main” feed. You can sub to any or all of these if you want. And stay tuned because you might hear me from time to time.
- Network Collective – Jordan is one of my old and Continue reading
YAML anchors and aliases and how to disable them
Introduction
In this short post I explain what are YAML aliases and anchors. I then show you how to stop PyYAML from using these when serializing data structures.
While references are absolutely fine to use in YAML files meant for programmatic consumption I find that it sometimes confuses humans, especially if they’ve never seen these before. For this reason I tend to disable anchors and aliases when saving data to YAML files meant for human consumption.
Contents
- YAML aliases and anchors
- When does YAML use anchors and aliases
- YAML dump - don’t use anchors and aliases
- Conclusion
- References
- GitHub repository with resources for this post
YAML aliases and anchors
YAML specification has provision for preserving information about nodes pointing to the same data. This basically means that if you have some data that is referenced in multiple places in your data structure then YAML dumper will:
- add an anchor to the first occurrence
- replace any subsequent occurrences of that data with aliases
Now, how do these anchors and aliases look like?
&id001 - example of an anchor, placed with the first occurrence of data
*id001 - example of an alias, replaces subsequent occurrence Continue reading