Archive

Category Archives for "Security"

Remote User Authentication and RBAC with NSX-T

Remote user authentication and role based access control (RBAC) is an important requirement when deploying new systems in an organization, particularly in the networking world. For that matter, systems typically leverage RADIUS or Active Directory (AD) servers, to name a few.

NSX-T integrates with VMware Identity Manager (vIDM) to get the following benefits related to user authentication:

  • Support for extensive AAA Systems, including
    • AD-based LDAP, OpenLDAP
    • RADIUS
    • SmartCards / Common Access Cards
    • RSA Secure ID
  • Enterprise Single Sign-On
    • Common authentication platform across multiple VMware solutions
    • Seamless single sign-on experience


This blog post covers the main steps required to integrate NSX-T with vIDM and to configure roles that grant different privileges to different users. It does not cover deployment and hardening of VMware Identity Manager (vIDM). At the end of the post, there is a link to a demo showing how to do the configuration and several role-based access tests.

Assuming that both NSX-T Manager and vIDM appliances are deployed, powered on and configured with the basic management details (IP address, admin users, etc.), the integration requires the following steps:

  1. Creating a OAuth client ID for the NSX-T Manager in vIDM
  2. Getting the vIDM appliance thumbprint
  3. Registering NSX-T Manager with Continue reading

One Week to IPv6, Routing Security, and More at ION Belgrade

One week from today, we’ll be at ION Belgrade! Our last event of the year take place on Thursday, 23 November 2017, alongside the 3rd Republic of Serbia Network Operators’ Group (RSNOG).

As always, ION Conferences bring network engineers and leading industry experts together to discuss emerging technologies and hot technology topics. Early adopters provide valuable insight into their own deployment experiences and bring participants up to speed on new standards emerging from the IETF.

Agenda

The half-day agenda and all our great speakers for ION Belgrade will make this a great event. Here’s a quick look at the day:

  • Opening Remarks
  • Welcome from the ISOC Serbia Chapter
  • MANRS, Routing Security, and Collaboration
  • NAT64check
  • What’s Happening at the IETF? Internet Standards and How to Get Involved
  • Panel Discussion: IPv6 Success Stories
  • Closing Remarks

Registration

ION Belgrade registration is open! Learn more about our co-host on the RSNOG main page.

Webcast

RSNOG will be live streaming the ION in the morning and RSNOG in the afternoon. The stream will be embedded on the conference main page, right above the agenda, here (Serbian) and here (English).

IPv6 Tutorial

Jordi Palet Martinez will conduct an IPv6 training session the day before the ION. Continue reading

Security with Fish: My First Couple Months

In late June I wrote Security Here I Come!  The transition wasn’t quite as fast as I thought it would be.  🙂   But for the past couple months I’ve been able to really start digging in.

My initial response after watching just 2 CiscoLive VoDs?  FEAR!

I really enjoyed these sessions a great deal!!  They were the absolute perfect eye-opener to me!

Neil Lovering had the “Verizon Data Breach Report” in his slides (below).

Its funny because I have seen it before.  To be completely honest I have seen it quite a number of times.  But it was just something about how he presented it.  He got past my not wanting to really “hear” about the risk and the danger and the reality of the security landscape in the world around us.  I paused the VoD on this slide…. paused it and just really took the time to take it all in.

My reaction to this slide?  Lol. This is when the fear began.  Two simple facts on the Continue reading

Security with Fish: My First Couple Months

In late June I wrote Security Here I Come!  The transition wasn’t quite as fast as I thought it would be.  ?   But for the past couple months I’ve been able to really start digging in.

My initial response after watching just 2 CiscoLive VoDs?  FEAR!

I really enjoyed these sessions a great deal!!  They were the absolute perfect eye-opener to me!

Neil Lovering had the “Verizon Data Breach Report” in his slides (below).

Its funny because I have seen it before.  To be completely honest I have seen it quite a number of times.  But it was just something about how he presented it.  He got past my not wanting to really “hear” about the risk and the danger and the reality of the security landscape in the world around us.  I paused the VoD on this slide…. paused it and just really took the time to take it all in.

My reaction to this slide?  Lol. This is when the fear began.  Two simple facts on the Continue reading

Integrating Docker EE Into Société Générale’s Existing Enterprise IT Systems

Société Générale is a 153-year old French multinational bank that believes technology and innovation are key to enriching the customer experience and advancing economic development. A few years ago, the bank started a project to define their next generation application platform that would help them get 80% of their applications running in the cloud by 2020. Société Générale chose Docker Enterprise Edition (Docker EE) to be the foundation of their application platform and began working with it 15 months ago. This year at DockerCon Europe, Stephan Dechoux, DevOps architect, and Thomas Boussardon, Middleware Specialist, shared their journey over this time integrating Docker Enterprise Edition [Docker EE] into Société Générale IT systems.

You can watch their breakout session here:

A New Platform For Today and Tomorrow

Société Générale has a diverse application portfolio that includes many different types of applications, including legacy monolithic apps, SOA, distributed apps and REST APIs. The bank is also a global organization with teams and data centers around the world. A primary goal  was to deliver a new application platform to improve time-to-market and lower costs, while accelerating innovation. Initially Société Générale considered off-the-shelf PaaS solutions, but realized that these were better suited for greenfield applications Continue reading

THE ENTERPRISE IT CHECKLIST FOR DOCKER OPERATIONS

At Docker, we believe the best insights come from the developers and IT pros using the Docker platform every day. Since the launch of Docker Enterprise Edition, we learned three things from our customers.

  1. First, a top goal in enterprise IT is to deliver value to customers (internal business units or external clients)…and to do so fast.
  2. Second, most enterprises believe that Docker is at the center of their IT platform.
  3. Finally, most enterprises’ biggest challenge is moving their containerized applications to production in time to prove value. My DockerCon talk focused on addressing the third item, which seems to be a critical one for many of our customers.

In our recent customer engagements, we’ve seen a pattern of common challenges when designing and deploying Docker in an enterprise environment. Particularly, customers are struggling to find best practices to speed up their move to production. To address some of these common challenges, we put together a production readiness checklist (https://github.com/nicolaka/checklist) for Docker Enterprise Edition. This list was discussed thoroughly during my DockerCon EU 2017 session. Here’s a video of that talk:

I go through 10 key topics (shown below) that a typical enterprise should  go through when deploying Continue reading

Deploy360 at IETF 100, Day 2: More IPv6 & IoT

This week is IETF 100 in Singapore, and we’re bringing you daily blog posts highlighting some of the topics that Deploy360 is interested in. ‘Things’ are less hectic today, although there’s still plenty to follow in the areas of IPv6, the Internet of Things and encryption.

There’s a couple of choices for starting the day at 09.30 SGT/UTC+8. ACE is defining a framework for authentication and authorization in IoT environments based on OAuth 2.0 and CoAP, and there are 8 drafts up for discussion. Alternatively, DMM will be meeting to discuss issues related to Mobile IPv6.

NOTE: If you are unable to attend IETF 100 in person, there are multiple ways to participate remotely.

After lunch is 6MAN at 13.30 SGT/UTC+8 which is one of the key IPv6-related Working Groups. There’s one working group sponsored draft on IPv6 Node Requirements that specifies the minimum requirements for enabling effective IPv6 functionality and interoperability on nodes. There are also three recommendations on the security and privacy implications of IPv6, temporary IPv6 interface identifiers, and on the filtering of IPv6 packets containing extension headers, a further draft requesting the creation of an IANA registry for the Prefix Information Option in the IPv6 Neighbour Continue reading

Rough Guide to IETF 100: Identity, Privacy, and Encryption

Identity, privacy, and encryption continue to be active topics for the Internet Society and the IETF community impacting a broad range of applications. In this Rough Guide to IETF 100 post, I highlight a few of the many relevant activities happening next week in Singapore, but there is much more going on so be sure to check out the full agenda online.

Encryption

Encryption continues to be a priority of the IETF as well as the security community at large. Related to encryption, there is the TLS working group developing the core specifications, several working groups addressing how to apply the work of the TLS working group to various applications, and the Crypto-Forum Research Group focusing on the details of the underlying cryptographic algorithms.

The Transport Layer Security (TLS) working group is a key IETF effort developing core security protocols for the Internet. This week’s agenda includes both TLS 1.3 and Datagram Transport Layer Security. Additionally, the TLS working group will be discussing connection ID, exported authenticators, protecting against denial of service attacks, and application layer TLS. The TLS working group is very active and, as with all things that are really important, there are many Continue reading

Rough Guide to IETF 100: Internet of Things

The Internet of Things (IoT) is a major buzzword around the Internet industry and the broader technology and innovation business arenas. We are often asked what the IETF is doing in relation to IoT and in this Rough Guide to IETF 100 post I’d like to highlight some of the relevant sessions scheduled during the upcoming IETF 100 meeting in Singapore. Check out the IETF Journal IoT Category, the Internet Society’s IoT page, or the Online Trust Alliance IoT page for more details about many of these topics.

The Thing-to-Thing Research Group (T2TRG) investigates open research issues in turning the IoT into reality. The research group will be holding a half-day joint meeting with the Open Connectivity Foundation (OCF) on the Friday before IETF, and they will also be meeting on Tuesday afternoon in Singapore to report out on their recent activities. Included on the agenda is the upcoming Workshop on Decentralized IoT Security and Standards (DISS). This workshop will be held in conjunction with the Network and Distributed System Security (NDSS) Symposium on 18 February 2018 in San Diego, CA, USA. The DISS workshop will gather researchers and the open standards community together to help address Continue reading

ARM Takes Wing: Qualcomm vs. Intel CPU comparison

One of the nicer perks I have here at Cloudflare is access to the latest hardware, long before it even reaches the market.

Until recently I mostly played with Intel hardware. For example Intel supplied us with an engineering sample of their Skylake based Purley platform back in August 2016, to give us time to evaluate it and optimize our software. As a former Intel Architect, who did a lot of work on Skylake (as well as Sandy Bridge, Ivy Bridge and Icelake), I really enjoy that.

Our previous generation of servers was based on the Intel Broadwell micro-architecture. Our configuration includes dual-socket Xeons E5-2630 v4, with 10 cores each, running at 2.2GHz, with a 3.1GHz turbo boost and hyper-threading enabled, for a total of 40 threads per server.

Since Intel was, and still is, the undisputed leader of the server CPU market with greater than 98% market share, our upgrade process until now was pretty straightforward: every year Intel releases a new generation of CPUs, and every year we buy them. In the process we usually get two extra cores per socket, and all the extra architectural features such upgrade brings: hardware AES and CLMUL in Westmere, Continue reading

Announcing Four NDSS 2018 Workshops on Binary Analysis, IoT, DNS Privacy, and Security

The Internet Society is excited to announce that four workshops will be held in conjunction with the upcoming Network and Distributed System Security (NDSS) Symposium on 18 February 2018 in San Diego, CA. The workshop topics this year are:

A quick overview of each of the workshops is provided below. Submissions are currently being accepted for emerging research in each of these areas. Watch for the final program details in early January!

The first workshop is a new one this year on Binary Analysis Research (BAR). It is exploring the reinvigorated field of binary code analysis in light of the proliferation of interconnected embedded devices. In recent years there has been a rush to develop binary analysis frameworks. This has occurred in a mostly uncoordinated manner with researchers meeting on an ad-hoc basis or working in obscurity and isolation. As a result, there is little sharing or results and solution reuse among tools. The importance of formalized and properly vetted methods and tools for binary code analysis in order to deal with the scale of growth in these interconnected embedded devices cannot be overstated. Continue reading

Rough Guide to IETF 100: Internet Infrastructure Resilience

As we approach IETF 100 in Singapore next week, this post in the Rough Guide to IETF 100 has much progress to report in the world of Internet Infrastructure Resilience. After several years of hard work, the last major deliverable of the Secure Inter-Domain Routing (SIDR) WG is done – RFC 8205, the BGPSec Protocol Specification, was published in September 2017 as standard. BGPsec is an extension to the Border Gateway Protocol (BGP) that provides security for the path of autonomous systems (ASes) through which a BGP update message propagates.

There are seven RFCs in the suite of BGPsec specifications:

  • RFC 8205 (was draft-ietf-sidr-bgpsec-protocol) – BGPsec Protocol Specification
  • RFC 8206 (was draft-ietf-sidr-as-migration) – BGPsec Considerations for Autonomous System (AS) Migration
  • RFC 8207 (was draft-ietf-sidr-bgpsec-ops) – BGPsec Operational Considerations
  • RFC 8208 (was draft-ietf-sidr-bgpsec-algs) – BGPsec Algorithms, Key Formats, and Signature Formats
  • RFC 8209 (was draft-ietf-sidr-bgpsec-pki-profiles) – A Profile for BGPsec Router Certificates, Certificate Revocation Lists, and Certification Requests
  • RFC 8210 (was draft-ietf-sidr-rpki-rtr-rfc6810-bis) – The Resource Public Key Infrastructure (RPKI) to Router Protocol, Version 1
  • RFC 8211 (was draft-ietf-sidr-adverse-actions) – Adverse Actions by a Certification Authority (CA) or Repository Manager in the Resource Public Key Infrastructure (RPKI)

You can read more Continue reading

1 109 110 111 112 113 178