Microburst: PSIRT Notifications – Are They Good Or Bad?
If your hardware or software vendor issues a lot of PSIRT (Product Security Incident Response Team) notifications, is that a good thing or a bad thing? After all, a PSIRT bulletin means that there’s a security issue with the product, so lots of PSIRTs means that the product is insecure, right?
What about the alternative, then? If a vendor issues very few PSIRT notifications does it mean that their product is somehow more secure? This is an issue I’ve been thinking about a lot over the last year, and the conclusion I came to is that if a vendor is not issuing regular bulletins, it’s a bad thing. Either the vendor doesn’t think its customers should be aware of vulnerabilities in the product, or perhaps the bugs aren’t being fixed. A PSIRT bulletin involves the vendor admitting that it got something wrong and potentially exposed its customers to a security vulnerability, and I’m ok with that. Sure, I don’t like sloppy coding, but I do appreciate the transparency.
I believe that when a vendor is shy about publishing security notifications it’s probably a decision made by management based on the naive belief that limiting the number of times they admit Continue reading
Should We Build A Better BGP?
One story that seems to have flown under the radar this week with the Net Neutrality discussion being so dominant was the little hiccup with BGP on Wednesday. According to sources, sources inside AS39523 were able to redirect traffic from some major sites like Facebook, Google, and Microsoft through their network. Since the ISP in question is located inside Russia, there’s been quite a lot of conversation about the purpose of this misconfiguration. Is it simply an accident? Or is it a nefarious plot? Regardless of the intent, the fact that we live in 2017 and can cause massive portions of Internet traffic to be rerouted has many people worried.
Routing by Suggestion
BGP is the foundation of the modern Internet. It’s how routes are exchanged between every autonomous system (AS) and how traffic destined for your favorite cloud service or cat picture hosting provider gets to where it’s supposed to be going. BGP is the glue that makes the Internet work.
But BGP, for all of the greatness that it provides, is still very fallible. It’s prone to misconfiguration. Look no further than the Level 3 outage last month. Or the outage that Google caused in Japan in August. Continue reading
Another BGP Routing Incident Highlights an Internet Without Checkpoints
Yesterday, there were two BGP routing incidents in which several high-profile sites (Google, Apple, Facebook, Microsoft, Twitch, NTT Communications and Riot Games) were rerouted to a previously unused Russian AS. The incidents only lasted about three minutes each, but demonstrated once again the lack of routing controls like those called for in MANRS that could have prevented this from happening.
As reported in BGPmon’s blog post on 12 December 12,
“…our systems detected a suspicious event where many prefixes for high profile destinations were being announced by an unused Russian Autonomous System.
Starting at 04:43 (UTC) 80 prefixes normally announced by organizations such Google, Apple, Facebook, Microsoft, Twitch, NTT Communications and Riot Games were now detected in the global BGP routing tables with an Origin AS of 39523 (DV-LINK-AS), out of Russia.”
Either a configuration mistake or a malicious attack, it propagated quickly through the Internet without visible obstacles. This was one of almost 5000 route leaks and hijacks in 11 months of 2017. For comparison, network outages during the same period caused almost 8000 incidents (source: https://bgpstream.com/):
In practice, the efficacy of corrective actions strongly depends on the reliability and completeness of information related to Continue reading
Reflections from the Global Commission on the Stability of Cyberspace
Two weeks ago, a small delegation from the Internet Society was in Delhi for a series of meetings. (See yesterday’s post about GCCS and GFCE.) In this post, I’ll pick up with the Global Commission on the Stability of Cyberspace (GCSC).
The international community has been trying to develop cybernorms for international behaviour for over a decade. This has been happening through UN processes, through the GCCS, through international law discourse, and other fora. And, some progress has been made. For instance, the Tallin manuals provide some insights on how international law applies to cyber war and cyber operations, while the UN GGE, among others, recognized the applicability of international law on the digital space and has provided some protection to cybersecurity incident response teams (CIRTs) and critical infrastructure.
However, these processes are slow, and certainly not without roadblocks. The 5th UN Group of Governmental Experts on Information Security (GGE), for example, failed to reach consensus on whether certain aspects of international law, in particular the right to self-defence, apply to cyberspace as well as issues related to attribution. During a panel at GCCS, five participants in the 5th UN GGE shared their perspectives. To me Continue reading
Juniper Security Platform Adds Automation, One-Touch Mitigation
The updates include technology acquired from security startup Cyphort.
Approaches to Data Protection Start to Rapidly Evolve
Thanks to rise of APIs IT organizations are crafting more modern approaches to data protection.
Reflections on a Global and Cyber heavy week at GCCS and GFCE
Two weeks ago, a small Internet Society delegation was in Delhi to participate in a number of events that contained the word ‘Global’ and ‘Cyber’. In this post, I’ll share some of our perspectives on the first two events – the GCCS and the GFCE.
GCCS – The Global Conference on Cyberspace
The first meeting of the week was the Global Conference on Cyberspace. This was originally a government-initiated conference series and is also commonly known as the London Process.
Part of the strength of these meetings is that they create a trusted environment for governments to discuss global issues that are usually state-centric, such as international aspects of security and stability. Over time, these meetings have opened up to other stakeholders, with the 2015 meeting in The Hague being the most inclusive so far. However, inclusive participation is not a given. Inclusion is important because these types of meetings ultimately are where norms for inter-state behaviour emerge, not necessarily in writing but through the development of a common narrative. But such narratives are only strong and impactful if those who implement and are impacted by those norms have a seat at the table. Although inclusive, multi-stakeholder participation has historically Continue reading
Menlo Security Closes $40M Series C for its Isolation Platform
Ericsson is one of the startup's investors.
Take a Deep Dive Into the SD-WAN Market
Find out why Citrix NetScaler SD-WAN was named a leading player to watch and how its solution is reshaping the modern enterprise network with improved performance reduced costs and enhanced security, with the flexibility of a hardware or virtual appliance, on-premises or in the cloud.
The end of the road for Server: cloudflare-nginx
Six years ago when I joined Cloudflare the company had a capital F, about 20 employees, and a software stack that was mostly NGINX, PHP and PowerDNS (there was even a little Apache). Today, things are quite different.
CC BY-SA 2.0 image by Randy Merrill
The F got lowercased, there are now more than 500 people and the software stack has changed radically. PowerDNS is gone and has been replaced with our own DNS server, RRDNS, written in Go. The PHP code that used to handle the business logic of dealing with our customers’ HTTP requests is now Lua code, Apache is long gone and new technologies like Railgun, Warp, Argo and Tiered Cache have been added to our ‘edge’ stack.
And yet our servers still identify themselves in HTTP responses with
Server: cloudflare-nginx
Of course, NGINX is still a part of our stack, but the code that handles HTTP requests goes well beyond the capabilities of NGINX alone. It’s also not hard to imagine a time where the role of NGINX diminishes further. We currently run four instances of NGINX on each edge machine (one for SSL, one for non-SSL, one for caching and one Continue reading
MANRS, Routing Security, and the Brazilian ISP Community
Last week, I presented MANRS to the IX.BR community. My presentation was part of a bigger theme – the launch of an ambitious program in Brazil to make the Internet safer.
While there are many threats to the Internet that must be mitigated, one common point and a challenge for many of them is that the efficacy of the approaches relies on collaboration between independent and sometimes competing parties. And, therefore, finding ways to incentivize and reward such collaboration is at the core of the solutions.
MANRS tries to do that by increasing the transparency of a network operator’s security posture and its commitment to a more secure and resilient Internet. Subsequently, the operator can leverage its increased security posture, signaling it to potential customers and thus differentiating from their competitors.
MANRS also helps build a community of security-minded operators with a common purpose – an important factor that improves accountability, facilitates better peering relationships, and improves coordination in preventing and mitigating incidents.
So, what does the Brazilian ISP community think about routing security and MANRS?
I ran an interactive poll with four questions to provide a more quantitative answer. More than 100 people participated, which makes the results Continue reading
CAA of the Wild: Supporting a New Standard
One thing we take pride in at Cloudflare is embracing new protocols and standards that help make the Internet faster and safer. Sometimes this means that we’ll launch support for experimental features or standards still under active development, as we did with TLS 1.3. Due to the not-quite-final nature of some of these features, we limit the availability at the onset to only the most ardent users so we can observe how these cutting-edge features behave in the wild. Some of our observations have helped the community propose revisions to the corresponding RFCs.
We began supporting the DNS Certification Authority Authorization (CAA) Resource Record in June behind a beta flag. Our goal in doing so was to see how the presence of these records would affect SSL certificate issuance by publicly-trusted certification authorities. We also wanted to do so in advance of the 8 September 2017 enforcement date for mandatory CAA checking at certificate issuance time, without introducing a new and externally unproven behavior to millions of Cloudflare customers at once. This beta period has provided invaluable insight as to how CAA records have changed and will continue to change the commercial public-key infrastructure (PKI) ecosystem.
As of today, Continue reading
VMware and Carbon Black Join Forces, Tackle Data Center Security
The product also moves the partners into new markets.
Libertarians are against net neutrality
This post claims to be by a libertarian in support of net neutrality. As a libertarian, I need to debunk this. "Net neutrality" is a case of one-hand clapping, you rarely hear the competing side, and thus, that side may sound attractive. This post is about the other side, from a libertarian point of view.That post just repeats the common, and wrong, left-wing talking points. I mean, there might be a libertarian case for some broadband regulation, but this isn't it.
This thing they call "net neutrality" is just left-wing politics masquerading as some sort of principle. It's no different than how people claim to be "pro-choice", yet demand forced vaccinations. Or, it's no different than how people claim to believe in "traditional marriage" even while they are on their third "traditional marriage".
Properly defined, "net neutrality" means no discrimination of network traffic. But nobody wants that. A classic example is how most internet connections have faster download speeds than uploads. This discriminates against upload traffic, harming innovation in upload-centric applications like DropBox's cloud backup or BitTorrent's peer-to-peer file transfer. Yet activists never mention this, or other types of network traffic discrimination, because they no more care about "net Continue reading
Make SSL boring again
It may (or may not!) come as surprise, but a few months ago we migrated Cloudflare’s edge SSL connection termination stack to use BoringSSL: Google's crypto and SSL implementation that started as a fork of OpenSSL.
We dedicated several months of work to make this happen without negative impact on customer traffic. We had a few bumps along the way, and had to overcome some challenges, but we ended up in a better place than we were in a few months ago.
TLS 1.3
We have already blogged extensively about TLS 1.3. Our original TLS 1.3 stack required our main SSL termination software (which was based on OpenSSL) to hand off TCP connections to a separate system based on our fork of Go's crypto/tls standard library, which was specifically developed to only handle TLS 1.3 connections. This proved handy as an experiment that we could roll out to our client base in relative safety.
However, over time, this separate system started to make our lives more complicated: most of our SSL-related business logic needed to be duplicated in the new system, which caused a few subtle bugs to pop up, and made it Continue reading
Verizon Enterprise Launches Bundled VNS Pricing Scheme
Verizon also plans to integrate unified communications into the VNS platform.
CloudPassage Bolsters Container Security as Market Adjusts to Growth
Updates focused on attacks against security and compliance processes.
Come Visit Us at AWS re:Invent!
We’ll be at AWS re:INVENT in Las Vegas all week (Nov 27 – Dec 1, 2017)!
Come say hi to the NSX Team at the VMware booth (#900 right as you walk in the main entrance) in the Expo Hall at the Venetian Hotel. Stop by our booth to…
- Check out a quick demo on VMware NSX Cloud
- Attend a 30-minute in-booth session about VMware NSX Cloud (Thursday, Nov 30 at 11:30am)
- Grab some swag
- Play one of our booth games and win a prize – Apple iPhone 8, AWS Credits, Amazon Echo, T-Shirts, and more!
As always, continue the conversation with us on Twitter @vmwarensx or use the hashtag #RunNSX or #NSXMindset. We hope to see you at the show!
The post Come Visit Us at AWS re:Invent! appeared first on Network Virtualization.
Terminology Tuesday Presents: Blockchain
Think of Blockchain as primarily two things. 1) A peer-to-peer technology 2) A way of keeping a public record.
The technological backing of Blockchain is the ability to have many (many) computers host the same information. Snippets of code (known as blocks) are duplicated and maintained in so many different places rendering fraud impossible. The fact that each of these blocks is timestamped and unique makes it increasingly challenging to outsmart. If you’re interested in learning more about the technological specifics there are a number of great resources online including this presentation by Binh Nguyen, IBM’s Blockchain Fabric Chief Architect.
Today, Blockchain is most commonly thought of in connection to Bitcoin as it describes the technology and process that we’ve all come to know as being so secure. Bitcoin’s past affiliations with illegalities of all sorts have given a bad name to Blockchain but there are many benefits to secure transactions all with a public record as our purchases and currency become increasingly digital.
Want to learn more? Check out these sources:
- https://www.economist.com/news/leaders/21677198-technology-behind-bitcoin-could-transform-how-economy-works-trust-machine
- https://www.reddit.com/r/Bitcoin/comments/4yp5q1/could_you_please_eli5_the_blockchain_technology/
- https://en.wikipedia.org/wiki/Blockchain
Terminology Tuesday is a new blog series. What would you like Continue reading
Cavirin Favors Docker, AWS with Latest Security Updates
Company sees its "agentless approach" as well suited to function-as-a-service platforms.