The Docker platform and the container have become the standard for packaging, deploying, and managing applications. In order to coordinate running containers across multiple nodes in a cluster, a key capability is required: a container orchestrator.
Orchestrators are responsible for critical clustering and scheduling tasks, such as:
Unfortunately, the distributed nature of orchestrators and the ephemeral nature of resources in this environment make securing orchestrators a challenging task. In this post, we will describe in detail the less-considered, yet vital, aspect of the security model of container orchestrators, and how Docker Enterprise Edition with its built-in orchestration capability, Swarm mode, overcomes these difficulties.
One of the primary objectives of Docker EE with swarm mode is to provide an orchestrator with security built-in. To achieve this goal, we developed the first container orchestrator designed with the principle of least privilege in mind.
In computer science, the principle of least privilege in a distributed system requires that each participant of the system must only have access to the information and resources that are necessary for its legitimate purpose. No
The startup emerged from stealth mode and closed a $9.3 million Series A funding round.
The companies also plan to build a joint security product.
News of cyberattacks is slowly becoming a new normal. We are still at a stage where high-profile cases, like the recent attack against the American credit reporting company Equifax, in which 145.5 million users had their personal information compromised, raise eyebrows. But we need those eyebrows to stay up because we should never accept cyber threats as the new normal.
This week in Paris, hundreds of leaders met at the Women’s Forum to discuss some of the key issues that will shape the future of a world in transition, including cybersecurity. But this topic is not just a concern for the experts; it’s a concern for all men and women leading any business today.
New risks on the horizon
A recent report by the Internet Society, “Paths to Our Digital Future”, points out that now is a big moment for the Internet. The revolution we already see could accelerate in the coming years, not only due to the increasing digitalization of services and businesses, but also through the expansion of objects being connected to the Internet – the Internet of Things (IoT). By 2020 more than 20 billion “things” could be connected.
Suddenly it’s not only
The security platform is designed to be compatible with SD-WAN.
The Deploy360 team is back from ION Malta, which took place on 18 September alongside an ICANN DNSSEC Training Workshop. We again thank our sponsor Afilias for making this possible, and are now working toward our final ION Conference of the year, ION Belgrade in November. All the presentations from ION Malta are available online.
I opened the event with an introduction to Deploy360 and an invitation for everyone to get involved with the Internet Society’s 25th anniversary the next day. We also heard from Jasper Schellekens, the president of the ISOC Malta Chapter, about their activities and how to get more involved. They have a small but mighty presence in Malta and are looking forward to getting more members and increasing their activity.
Next, Nathalie Trenaman from RIPE NCC gave a fascinating presentation on the status of IPv6 in Malta. Unfortunately, IPv6 penetration in Malta is extremely low, but ISPs are transferring IPv4 address space around and, interestingly, have purchased over 30,000 IPv4 addresses from Romania. She encouraged ISPs to begin moving to IPv6 now, as RIPE NCC estimates that full transition takes about 2.5 years to complete.
Next up, Klaus Nieminen from the Finnish Communications
For those of you unable to attend future:net 2017 in Las Vegas, NV last month, fear not—what happens in Vegas doesn’t always stay in Vegas!
That’s right, thanks to the wonder that is YouTube, there are video recordings available of the amazing keynote speakers and presentations that took place at this year’s future:net conference, which brought together the technical and networking leaders shaping new network strategies, solutions and innovations for the future of digital transformation.
To cure you of any FOMO you may have, check out a recap of future:net presentations below, including links to their videos and a brief description of the speakers and topics discussed during each.
I wrote this post prior on my personal blog at HumairAhmed.com. You can also see many of my prior blogs on multisite and Cross-vCenter NSX here on the VMware Network Virtualization blog site. This post expands on my prior post, Multi-site Active-Active Solutions with NSX-V and F5 BIG-IP DNS. Specifically, in this post, deploying applications in an Active-Active model across data centers is demonstrated where ingress/egress is always at the data center local to the client, or in other words localized ingress/egress.
The Internet is borderless, decentralised and indiscriminate, and it can empower people across class, colour and social status. But one question has always intrigued me: How can the universality of the Internet be ensured and sustained? I received the theoretical response to this question at the Pakistan School on Internet Governance in 2016 where I learned about the multistakeholder model and community-driven approaches to addressing the broad range of complex issues of the Internet ecosystem. Being part of a telecom regulator in South Asia that generally follows the chain of command, the idea of inclusive policies and programmes was truly a revelation. I decided to explore further and applied for a fellowship to the 2017 Asia-Pacific Regional Internet Governance Forum (APrIGF) and the Asia-Pacific School on Internet Governance (APSIG).
APSIG kicked off on 22 July, followed by APrIGF that ended on 29 July in the beautiful city of Bangkok, Thailand. APSIG had a fantastic line up of speakers that touched upon advanced topics like the Internet governance ecosystem, data governance, cybersecurity, Internet of Things governance, gender equality and the digital economy. The learnings I gained from APSIG laid an ideal foundation for me to contribute to
The cloud-based security system uses machine learning to detect threats and prevent attacks.
It puts a firewall at the edge of the network or it gets the hose again. Think that’s still how security works? I don’t think so, my friend.
On the Solarwinds Thwack Geek Speak blog I look at how security architectures have changed from when our Mama used to create them, and I even take a moment to mention Greg Ferro (because, well, why not). Please do take a trip to Thwack and check out my post, “Not Your Mama’s Security Architecture“.
Please see my Disclosures page for more information about my role as a Solarwinds Ambassador.
If you liked this post, please do click through to the source at Not Your Mama’s Security Architecture (Thwack) and give me a share/like. Thank you!
Thanks to all who joined us for the Nuage Networks 2017 SDx Infrastructure Security Report Webinar, Automated Analytics and Remediation for Cloud-based Security Services. During the webinar Nuage Networks discussed how their VSP delivers an SDN solution with built-in security capabilities that combines scale, performance and flexibility in a single, boundary-less platform without compromising security or...
Still using local accounts for device access? Don’t know what a Term Process is? You need to CYA!
On the Solarwinds Thwack Geek Speak blog I looked at a variety of security (and related) features which should be configured on all devices. Please do take a trip to Thwack and check out my post, “CYA! Cover Your Assets (By Securing Them)“.
Please see my Disclosures page for more information about my role as a Solarwinds Ambassador.
If you liked this post, please do click through to the source at CYA! Cover Your Assets (By Securing Them) (Thwack) and give me a share/like. Thank you!
More security technology details to come this week at Oracle OpenWorld.
Buy-in from management and employee training is key.
authors – Geoff Wilmington, Mike Lonze
Healthcare organizations are focusing more and more on securing patient data. With Healthcare breaches on the rise, penalties and fines for lost or stolen PHI and PII data are devastating not only to the patients, but to the Healthcare organization as well. The Ponemon Institute Annual Benchmark Study on Privacy & Security of Healthcare Data has shown that nearly 50 percent of Healthcare organizations, up 5 percent from a previous study, report that criminal attacks are the leading cause of Healthcare breaches. [1] With breaches on the rise and Healthcare organizations feeling the pain, how can we help Healthcare start layering security approaches on their most critical business applications that contain this highly critical data?
The principle of least privilege is to provide only the minimal privileges necessary for a process, user, or program to perform a task. With NSX, we can provide network least privilege for the applications that run on the vSphere hypervisor using a concept called Micro-segmentation. NSX places a stateful firewall at the virtual network card of every virtual machine, allowing organizations to control very granularly how virtual machines communicate or don’t communicate with each
In the real world, tunnels are often carved out from the mass of something bigger - a hill, the ground, but also man-made structures.
CC BY-SA 2.0 image by Matt Brown
In an abstract sense Cloudflare Warp is similar; its connection strategy punches a hole through firewalls and NAT, and provides easy and secure passage for HTTP traffic to your origin. But the technical reality is a bit more interesting than this strained metaphor invoked by the name of similar predecessor technologies like GRE tunnels.
Generic Routing Encapsulation or GRE is a well-supported standard, commonly used to join two networks together over the public Internet, and by some CDNs to shield an origin from DDoS attacks. It forms the basis of the legacy VPN protocol PPTP.
Establishing a GRE tunnel requires configuring both ends of the tunnel to accept the other end’s packets and deciding which IP ranges should be routed through the tunnel. With this in place, an IP packet destined for any address in the configured range will be encapsulated within a GRE packet. The GRE packet is delivered directly to the other end of the tunnel, which removes the encapsulation and forwards the original
In August 2017, a new botnet called WireX appeared and began causing damage by launching significant DDoS attacks. The botnet counted tens of thousands of nodes, most of which appeared to be hacked Android mobile devices.
First, tracking the botnet down and mitigating its activities was part of a wide collaborative effort by several tech companies. Researchers from Akamai, Cloudflare, Flashpoint, Google, Oracle Dyn, RiskIQ, Team Cymru, and other organizations cooperated to combat this botnet. This is a great example of Collaborative Security in practice.
Second, while researchers shared the data, analysed the signatures, and were able to track a set of malware apps, Google played an important role in cleaning them up from the Play Store and infected devices.
Its Verify Apps is a cloud-based service that proactively checks every application prior to install to determine if the application is potentially harmful, and subsequently rechecks devices regularly to help ensure they’re safe. Verify Apps checks more than 6 billion instances of installed applications and scans around 400 million devices per day.
In the case of WireX, the apps had previously passed the checks. But thanks to the researchers’ findings, Google