Archive

Category Archives for "Security"

Securing Native Cloud Workloads with VMware NSX Cloud Blog Series – Part 1: Getting Started

Introduction

As businesses evaluate their applications in the constantly evolving world of IT, new delivery strategies are emerging, including keeping applications on-premises or moving them to one or more public cloud providers.

Each public cloud comes with its own networking and security constructs and policy management. The result is a new set of technology silos that increases expense, complexity and risk.

This blog series will discuss the challenges of providing consistent networking and security policies for native cloud workloads, the value of VMware NSX Cloud, and walk through the process of securing and connecting applications running natively in the public cloud.

VMware NSX Cloud

VMware’s strategy is to enable businesses to create and deliver applications. To support new delivery strategies, VMware NSX Cloud provides consistent networking and security for native applications running in multiple public and private clouds. Utilizing a single management console and a common application programming interface, VMware NSX Cloud offers numerous benefits:

  • Unified Micro-Segmentation Security Policies – VMware NSX Cloud provides control over East-West traffic between native workloads running in public clouds. Security policies are defined once and applied to native workloads. These policies are supported in multiple AWS accounts, regions, and VPCs. Policies are Continue reading

Your Holiday Cybersecurity Guide

Many of us are visiting parents/relatives this Thanksgiving/Christmas, and will have an opportunity to help them with cybersecurity issues. I thought I'd write up a quick guide of the most important things.

1. Stop them from reusing passwords

By far the biggest threat to average people is that they re-use the same password across many websites, so that when one website gets hacked, all their accounts get hacked.

To demonstrate the problem, go to haveibeenpwned.com and enter the email address of your relatives. This will show them a number of sites where their password has already been stolen, like LinkedIn, Adobe, etc. That should convince them of the severity of the problem.
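As an added example (not code from the original post), the following Python shows the same breach check done for a password rather than an email address, the way the Pwned Passwords range API on haveibeenpwned.com works: the client sends only the first five hex characters of the password's SHA-1 and matches the remaining 35 characters locally, so the password itself never leaves the machine. The HTTP request is replaced by a constructed fixture so the code runs offline; the suffixes and counts in that fixture are illustrative, not real breach data.

```python
"""Pwned Passwords style k-anonymity check, run offline.

Added example; it is not code from the original post. It models the
range query the haveibeenpwned.com Pwned Passwords API offers: the client
sends only the first 5 hex characters of the password's SHA-1 and gets
back every suffix in that bucket with a breach count, so the password
never leaves the machine. The HTTP call is replaced by a constructed
fixture (the counts are illustrative, not real breach data).
"""
import hashlib


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 into the 5-char prefix that is sent
    and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> count mapping."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Number of times the password appears in the corpus (0 if never).
    fetch_range(prefix) must return the response body for that prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def constructed_range_fetch(prefix: str) -> str:
    """Stand-in for the HTTP request. Returns a constructed bucket for the
    prefix of 'password' and an empty bucket for every other prefix."""
    known_prefix, known_suffix = sha1_prefix_suffix("password")
    bucket = "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",   # constructed suffix
        f"{known_suffix}:3730471",                  # illustrative count
        "011053FD0102E94D6AE2F8B83D76FAF94F6:2",   # constructed suffix
    ])
    return bucket if prefix == known_prefix else ""


def advice(password: str, fetch_range=constructed_range_fetch) -> str:
    """Turn the count into the message you would give a relative."""
    n = breach_count(password, fetch_range)
    if n == 0:
        return "not seen in any known breach (still don't reuse it)"
    return f"seen {n} times in breaches: change it everywhere it is used"


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3-example-2017"):
        print(pw, "->", advice(pw))
```

To use it against the live service, replace `constructed_range_fetch` with a function that performs an HTTPS GET for the prefix and returns the response body; the rest of the logic is unchanged, and the full hash is never transmitted.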

They don't need a separate password for every site. For the majority of websites, you don't care whether you get hacked. Use a common password for all the meaningless sites. You only need unique passwords for important accounts, like email, Facebook, and Twitter.

Write down passwords and store them in a safe place. Sure, it's a common joke that people in offices write passwords on Post-It notes stuck on their monitors or under their keyboards. This is a common security mistake, but that's only because the Continue reading

Certifications: Why I Like Them, How I Use Them and My Plan for Security Learning

The other day Daniel Dib (http://lostintransit.se) asked me an interview question.  The question was about certifications.  What do I think about them…. and are they losing their “value”.

Poor certifications.  People question their value.  Of course “value” typically means for many what can the cert “do” for you once you have it.  People also get so judgemental of others for “collecting” them.  And yes… when I was younger I was, admittedly, one of those people who looked down on people I viewed as “cert collectors”.  Poor poor certifications.  In every area certifications exist they can get a bad rep.  IT industry, Scuba Diving, .. heck even in girl scouts when there was always that one girl who wanted to try to get every possible girl scout badge.

Why I Like Them and How I Use Them

In 2012 my view on certs changed.  I realized I could use them to my advantage to help me organize my learning by making goals and signing up for certs.   You see, back in 2010 I had bought a few books about Wireshark by Laura Chappel and told myself I would make Continue reading

Why Linus is right (as usual)

People are debating this email from Linus Torvalds (maintainer of the Linux kernel). It has strong language, like:

    Some security people have scoffed at me when I say that security
    problems are primarily "just bugs".

    Those security people are f*cking morons.

    Because honestly, the kind of security person who doesn't accept that
    security problems are primarily just bugs, I don't want to work with.

I thought I'd explain why Linus is right.

Linus has an unwritten manifesto of how the Linux kernel should be maintained. It's not written down in one place, instead we are supposed to reverse engineer it from his scathing emails, where he calls people morons for not understanding it. This is one such scathing email. The rules he's expressing here are:
  • Large changes to the kernel should happen in small iterative steps, each one thoroughly debugged.
  • Minor security concerns aren't major emergencies; they don't allow bypassing the rules more than any other bug/feature.
Last year, some security "hardening" code was added to the kernel to prevent a class of buffer-overflow/out-of-bounds issues. This code didn't address any particular 0-day vulnerability; it was designed to stop a whole class of potential future bugs from being exploitable. This is reasonable.

How to read newspapers

News articles don't contain the information you think. Instead, they are written according to a formula, and that formula is as much about distorting/hiding information as it is about revealing it.

A good example is the following. I claimed hate-crimes aren't increasing. The tweet below tries to disprove me, by citing a news article that claims the opposite:

But the data behind this article tells a very different story than the words.

Every November, the FBI releases its hate-crime statistics for the previous year. They've been doing this every year for a long time. When they do so, various news organizations grab the data and write a quick story around it.

By "story" I mean a story. Raw numbers don't interest people, so the writer instead has to wrap it in a narrative that does interest people. That's what the writer has done in the above story, leading with the fact that hate crimes have increased.

But is this increase meaningful? What do the numbers actually Continue reading

Remote User Authentication and RBAC with NSX-T

Remote user authentication and role-based access control (RBAC) are an important requirement when deploying new systems in an organization, particularly in the networking world. To that end, systems typically integrate with RADIUS or Active Directory (AD) servers, among others.

NSX-T integrates with VMware Identity Manager (vIDM) to get the following benefits related to user authentication:

  • Support for extensive AAA Systems, including
    • AD-based LDAP, OpenLDAP
    • RADIUS
    • SmartCards / Common Access Cards
    • RSA SecurID
  • Enterprise Single Sign-On
    • Common authentication platform across multiple VMware solutions
    • Seamless single sign-on experience

This blog post covers the main steps required to integrate NSX-T with vIDM and to configure roles that grant different privileges to different users. It does not cover deployment and hardening of VMware Identity Manager (vIDM). At the end of the post, there is a link to a demo showing how to do the configuration and several role-based access tests.

Assuming that both NSX-T Manager and vIDM appliances are deployed, powered on and configured with the basic management details (IP address, admin users, etc.), the integration requires the following steps:

  1. Creating an OAuth client ID for the NSX-T Manager in vIDM
  2. Getting the vIDM appliance thumbprint
  3. Registering NSX-T Manager with Continue reading

One Week to IPv6, Routing Security, and More at ION Belgrade

One week from today, we’ll be at ION Belgrade! Our last event of the year takes place on Thursday, 23 November 2017, alongside the 3rd Republic of Serbia Network Operators’ Group (RSNOG).

As always, ION Conferences bring network engineers and leading industry experts together to discuss emerging technologies and hot technology topics. Early adopters provide valuable insight into their own deployment experiences and bring participants up to speed on new standards emerging from the IETF.

Agenda

The half-day agenda and the speakers lined up for ION Belgrade will make this a great event. Here’s a quick look at the day:

  • Opening Remarks
  • Welcome from the ISOC Serbia Chapter
  • MANRS, Routing Security, and Collaboration
  • NAT64check
  • What’s Happening at the IETF? Internet Standards and How to Get Involved
  • Panel Discussion: IPv6 Success Stories
  • Closing Remarks

Registration

ION Belgrade registration is open! Learn more about our co-host on the RSNOG main page.

Webcast

RSNOG will be live streaming the ION in the morning and RSNOG in the afternoon. The stream will be embedded on the conference main page, right above the agenda, here (Serbian) and here (English).

IPv6 Tutorial

Jordi Palet Martinez will conduct an IPv6 training session the day before the ION. Continue reading

Security with Fish: My First Couple Months

In late June I wrote Security Here I Come!  The transition wasn’t quite as fast as I thought it would be.  🙂   But for the past couple months I’ve been able to really start digging in.

My initial response after watching just 2 CiscoLive VoDs?  FEAR!

I really enjoyed these sessions a great deal!!  They were the absolute perfect eye-opener to me!

Neil Lovering had the “Verizon Data Breach Report” in his slides (below).

It’s funny because I have seen it before.  To be completely honest I have seen it quite a number of times.  But it was just something about how he presented it.  He got past my not wanting to really “hear” about the risk and the danger and the reality of the security landscape in the world around us.  I paused the VoD on this slide…. paused it and just really took the time to take it all in.

My reaction to this slide?  Lol. This is when the fear began.  Two simple facts on the Continue reading

Integrating Docker EE Into Société Générale’s Existing Enterprise IT Systems

Société Générale is a 153-year-old French multinational bank that believes technology and innovation are key to enriching the customer experience and advancing economic development. A few years ago, the bank started a project to define their next generation application platform that would help them get 80% of their applications running in the cloud by 2020. Société Générale chose Docker Enterprise Edition (Docker EE) to be the foundation of their application platform and began working with it 15 months ago. This year at DockerCon Europe, Stephan Dechoux, DevOps architect, and Thomas Boussardon, Middleware Specialist, shared their journey over this time integrating Docker EE into Société Générale IT systems.

You can watch their breakout session here:

A New Platform For Today and Tomorrow

Société Générale has a diverse application portfolio that includes many different types of applications, including legacy monolithic apps, SOA, distributed apps and REST APIs. The bank is also a global organization with teams and data centers around the world. A primary goal was to deliver a new application platform to improve time-to-market and lower costs, while accelerating innovation. Initially Société Générale considered off-the-shelf PaaS solutions, but realized that these were better suited for greenfield applications Continue reading

THE ENTERPRISE IT CHECKLIST FOR DOCKER OPERATIONS

At Docker, we believe the best insights come from the developers and IT pros using the Docker platform every day. Since the launch of Docker Enterprise Edition, we have learned three things from our customers.

  1. First, a top goal in enterprise IT is to deliver value to customers (internal business units or external clients)…and to do so fast.
  2. Second, most enterprises believe that Docker is at the center of their IT platform.
  3. Finally, most enterprises’ biggest challenge is moving their containerized applications to production in time to prove value. My DockerCon talk focused on addressing the third item, which seems to be a critical one for many of our customers.

In our recent customer engagements, we’ve seen a pattern of common challenges when designing and deploying Docker in an enterprise environment. Particularly, customers are struggling to find best practices to speed up their move to production. To address some of these common challenges, we put together a production readiness checklist (https://github.com/nicolaka/checklist) for Docker Enterprise Edition. This list was discussed thoroughly during my DockerCon EU 2017 session. Here’s a video of that talk:

I go through 10 key topics (shown below) that a typical enterprise should go through when deploying Continue reading

Deploy360 at IETF 100, Day 2: More IPv6 & IoT

This week is IETF 100 in Singapore, and we’re bringing you daily blog posts highlighting some of the topics that Deploy360 is interested in. ‘Things’ are less hectic today, although there’s still plenty to follow in the areas of IPv6, the Internet of Things and encryption.

There’s a couple of choices for starting the day at 09.30 SGT/UTC+8. ACE is defining a framework for authentication and authorization in IoT environments based on OAuth 2.0 and CoAP, and there are 8 drafts up for discussion. Alternatively, DMM will be meeting to discuss issues related to Mobile IPv6.


NOTE: If you are unable to attend IETF 100 in person, there are multiple ways to participate remotely.


After lunch is 6MAN at 13.30 SGT/UTC+8, one of the key IPv6-related Working Groups. There’s one working-group-sponsored draft on IPv6 Node Requirements that specifies the minimum requirements for effective IPv6 functionality and interoperability on nodes. There are also three recommendations, on the security and privacy implications of IPv6, on temporary IPv6 interface identifiers, and on the filtering of IPv6 packets containing extension headers, and a further draft requesting the creation of an IANA registry for the Prefix Information Option in the IPv6 Neighbour Continue reading
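What "filtering IPv6 packets containing extension headers" means in practice is following the Next Header chain from the fixed header to the upper-layer protocol and deciding per header type. The following Python is an added example, not code from the Deploy360 post or from any IETF draft: it walks the chain, rejects truncated packets, and applies an illustrative policy (drop the deprecated Routing Header type 0 of RFC 5095, drop any extension header not on an allow list). Header numbers are the IANA/RFC 8200 values; the sample packets are constructed in the block itself.

```python
"""Walk an IPv6 extension-header chain and apply a filtering policy.

Added example, not code from the Deploy360 post or from any IETF draft.
Filtering "packets containing extension headers" means following the
Next Header chain from the fixed header to the upper-layer protocol and
deciding per header type. Header numbers are the IANA/RFC 8200 values;
the sample packets are constructed below, the policy is illustrative.
"""
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
TCP, UDP, ICMPV6, NO_NEXT_HEADER = 6, 17, 58, 59
EXTENSION_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}


def walk_ipv6_chain(packet: bytes) -> tuple[list[tuple[int, bytes]], int]:
    """Return ([(ext header type, raw header bytes), ...], upper-layer protocol).
    Raises ValueError on anything truncated or not IPv6."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, nxt = struct.unpack_from("!HB", packet, 4)
    if len(packet) < 40 + payload_len:
        raise ValueError("packet shorter than Payload Length")
    offset, chain = 40, []
    while nxt in EXTENSION_HEADERS:
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        # Fragment header is fixed at 8 bytes; the others carry a
        # Hdr Ext Len field in 8-octet units, not counting the first 8.
        hdr_len = 8 if nxt == FRAGMENT else (packet[offset + 1] + 1) * 8
        if offset + hdr_len > len(packet):
            raise ValueError("truncated extension header")
        hdr = packet[offset:offset + hdr_len]
        chain.append((nxt, hdr))
        nxt, offset = hdr[0], offset + hdr_len
    return chain, nxt


def filter_decision(packet: bytes, allowed=frozenset({FRAGMENT, DEST_OPTS})) -> str:
    """Illustrative policy: drop deprecated RH0 (RFC 5095) and any
    extension header type not on the allow list; otherwise accept."""
    chain, upper = walk_ipv6_chain(packet)
    for htype, hdr in chain:
        if htype == ROUTING and hdr[2] == 0:
            return "drop: routing header type 0 (deprecated by RFC 5095)"
        if htype not in allowed:
            return f"drop: extension header {htype} not permitted"
    return f"accept: upper-layer protocol {upper}"


# --- constructed test packets (byte 0 of each header is patched later) ---
def hop_by_hop_header() -> bytes:
    # Next Header placeholder, Hdr Ext Len 0, one PadN option of 4 bytes
    return bytes([0, 0, 1, 4, 0, 0, 0, 0])


def fragment_header(ident: int = 0x12345678) -> bytes:
    # Next Header placeholder, reserved, offset/M flag, identification
    return bytes([0, 0]) + struct.pack("!HI", 0, ident)


def routing_header(routing_type: int) -> bytes:
    # Next Header placeholder, Hdr Ext Len 0, type, segments left 0, pad
    return bytes([0, 0, routing_type, 0, 0, 0, 0, 0])


def build_ipv6(ext: list[tuple[int, bytes]], upper: int, payload: bytes) -> bytes:
    """Assemble a packet; byte 0 of each header is patched to point at the
    next header in the chain (or at the upper-layer protocol)."""
    body = b""
    for i, (_, hdr) in enumerate(ext):
        nxt = ext[i + 1][0] if i + 1 < len(ext) else upper
        body += bytes([nxt]) + hdr[1:]
    body += payload
    first = ext[0][0] if ext else upper
    src = bytes.fromhex("20010db8" + "0" * 23 + "1")  # 2001:db8::1
    dst = bytes.fromhex("20010db8" + "0" * 23 + "2")  # 2001:db8::2
    return struct.pack("!IHBB", 0x60000000, len(body), first, 64) + src + dst + body


if __name__ == "__main__":
    for name, pkt in [
        ("plain tcp", build_ipv6([], TCP, b"\0" * 20)),
        ("hbh+frag", build_ipv6([(HOP_BY_HOP, hop_by_hop_header()),
                                 (FRAGMENT, fragment_header())], TCP, b"\0" * 20)),
        ("rh0", build_ipv6([(ROUTING, routing_header(0))], UDP, b"\0" * 8)),
    ]:
        print(name, "->", filter_decision(pkt))
```

The point of returning the raw header bytes with each type is that a real policy usually needs more than the type: RH0 versus RH2, how many options a Hop-by-Hop header carries, or whether a Fragment header is a non-first fragment that hides the transport header from the filter. The allow list here is only an illustration; what a given network should permit is exactly what the 6MAN recommendation above is about.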