Archive

Category Archives for "Security"

A kindly lesson for you non-techies about encryption

The following tweets need to be debunked:



The answer to John Schindler's question is:
every expert in cryptography doesn't know this
Oh, sure, you can find fringe wacko who also knows crypto that agrees with you but all the sane members of the security community will not.


Telegram is not trustworthy because it's closed-source. We can't see how it works. We don't know if they've made accidental mistakes that can be hacked. We don't know if they've been bribed by the NSA or Russia to put backdoors in their program. In contrast, PGP and Signal are open-source. We can read exactly what the software does. Indeed, thousands of people have been reviewing their software looking for mistakes and backdoors.

Encryption works. Neither the NSA nor the Russians can break properly encrypted content. There's no such thing as "military grade" encryption that is better than consumer grade. There's only encryption that nobody can hack vs. encryption that your neighbor's teenage kid can easily hack. There's essentially nothing in between. Those scenes in TV/movies about breaking encryption is as realistic as sound in space: good for dramatic presentation, but not how things work in the real world.

In particular, end-to-end encryption works. Continue reading

Security Here I Come!

The announcement has been made!  It is completely official!  I can finally share the awesome great news I am so excited about.  Security will be my absolute #1 focus now. 

Security has always fascinated me.  My entire career.  ….. It’s just that the fundamentals of routing and design intrigued me even more.  🙂

But now?  Yeah baby!  Now I get to flip a switch… dive into and completely surround myself with all things Security.  And I just could not be any more tickled pink and excited.  I feel like all my years of networking have been a build up towards this.

Am I leaving my CPOC lab and job I adore so much?  Nah… I’d go through withdrawal.  LOL.  Nah… wouldn’t be pretty.  It is just my role that will be changing.

Woot woot!  Security here I come!  ROCK!

 

 

 

 

Technology Short Take #84

Welcome to Technology Short Take #84! This episode is a bit late (sorry about that!), but I figured better late than never, right? OK, bring on the links!

Networking

  • When I joined the NSX team in early 2013, a big topic at that time was overlay protocols (VXLAN, STT, etc.). Since then, that topic has mostly faded, though it still does come up from time to time. In particular, the move toward Geneve has prompted that discussion again, and Russell Bryant tackles the discussion in this post.
  • Sjors Robroek describes his nested NSX-T lab that also includes some virtualized network equipment (virtualized Arista switches). Nice!
  • Colin Lynch shares some details on his journey with VMware NSX (so far).
  • I wouldn’t take this information as gospel, but here’s a breakdown of some of the IPv6 support available in VMware NSX.

Servers/Hardware

  • Here’s an interesting article on the role that virtualization is playing in the network functions virtualization (NFV) space now that ARM hardware is growing increasingly powerful. This is a space that’s going to see some pretty major changes over the next few years, in my humble opinion.

Security

Technology Short Take #84

Welcome to Technology Short Take #84! This episode is a bit late (sorry about that!), but I figured better late than never, right? OK, bring on the links!

Networking

  • When I joined the NSX team in early 2013, a big topic at that time was overlay protocols (VXLAN, STT, etc.). Since then, that topic has mostly faded, though it still does come up from time to time. In particular, the move toward Geneve has prompted that discussion again, and Russell Bryant tackles the discussion in this post.
  • Sjors Robroek describes his nested NSX-T lab that also includes some virtualized network equipment (virtualized Arista switches). Nice!
  • Colin Lynch shares some details on his journey with VMware NSX (so far).
  • I wouldn’t take this information as gospel, but here’s a breakdown of some of the IPv6 support available in VMware NSX.

Servers/Hardware

  • Here’s an interesting article on the role that virtualization is playing in the network functions virtualization (NFV) space now that ARM hardware is growing increasingly powerful. This is a space that’s going to see some pretty major changes over the next few years, in my humble opinion.

Security

Notes on open-sourcing abandoned code

Some people want a law that compels companies to release their source code for "abandoned software", in the name of cybersecurity, so that customers who bought it can continue to patch bugs long after the seller has stopped supporting the product. This is a bad policy, for a number of reasons.


Code is Speech

First of all, code is speech. That was the argument why Phil Zimmerman could print the source code to PGP in a book, ship it overseas, and then have somebody scan the code back into a computer. Compelled speech is a violation of free speech. That was one of the arguments in the Apple vs. FBI case, where the FBI demanded that Apple write code for them, compelling speech.

Compelling the opening of previously closed source is compelled speech. Sure, demanding new products come with source would be one thing, but going backwards demanding source for products sold before 2017 is quite another thing.

For most people, "rights" are something that only their own side deserves. Whether something deserves the protection of "free speech" depends upon whether the speaker is "us" or the speaker is "them". If it's "them", then you'll find all sorts of reasons Continue reading

CCIE/CCDE Re-certification: An Opportunity to Learn and Grow

I did not pass my CCDE re-certification last week.  Why write a blog about a “failure”?  Honestly?  Because I think we as an IT industry overly focus and give too many kudos to the passing only.  Not to the hours and hours of studying and learning… not to the lessons learned… not to the growth gained from the studying journey.  Just to the “pass/fail”.  Well damn… no wonder people cheat.  Their focus isn’t on the learning or the journey.  Just the passing.

I thoroughly believe the expression –

Sometimes you win….. Sometimes you learn.

Did I want to pass last week?  ROFL!  Are you kidding?  Of course I did!  Did I “deserve” to pass?  Well…. um…. err… not exactly.

See that 10% at the bottom of the “Written Exam Topics v2.1?”   Truth be told I didn’t quite exactly study that part very much.

So what is my plan now?

LEARN

Honestly in my job I am not doing much Cloud, SDN, or IoT.  AND I have to admit I am quite happy I am now essentially forced to learn these to a Continue reading

More notes on US-CERTs IOCs

Yet another Russian attack against the power grid, and yet more bad IOCs from the DHS US-CERT.

IOCs are "indicators of compromise", things you can look for in order to order to see if you, too, have been hacked by the same perpetrators. There are several types of IOCs, ranging from the highly specific to the uselessly generic.

A uselessly generic IOC would be like trying to identify bank robbers by the fact that their getaway car was "white" in color. It's worth documenting, so that if the police ever show up in a suspected cabin in the woods, they can note that there's a "white" car parked in front.

But if you work bank security, that doesn't mean you should be on the lookout for "white" cars. That would be silly.

This is what happens with US-CERT's IOCs. They list some potentially useful things, but they also list a lot of junk that waste's people's times, with little ability to distinguish between the useful and the useless.

An example: a few months ago was the GRIZZLEYBEAR report published by US-CERT. Among other things, it listed IP addresses used by hackers. There was no description which would be useful IP Continue reading

Security as an Enabler?

I have often wondered why the “security as an enabler” model is as unique as unicorns in the wild. I think the logic works in a vacuum and it would be great if it held true. However when humans and politics (layer 8 stuff) come into the mix, it seems that the cybersecurity team tend to be viewed as the  naysayers that block progress. Quite honestly, the “security as an enabler” mantra only seems to work for those organizations that are directly profiting from the sale of cybersecurity. Those that understand the role cybersecurity plays in a typical organization realize that this is unfortunate.

With this thought in mind, I was reading through an article about the traits of CEO’s and found identified points that I think contribute to these challenges for information security:

  • Bias toward action
  • Forward Thinking

By no means am I criticizing CEO’s for these traits—they are primary contributors to keeping a given business relevant in its industry. I’m just using these to help explain the fallacy of a “security as an enabler” mindset within a given organization.

CEO’s are the highest single point of authority within an organization. They often appoint CSO’s (Chief Security Officers) or CISO’s Continue reading

VMware NSX and Check Point vSEC

One of the current challenges of data center security is the East-West traffic that has become so pervasive as modern applications communicate a great deal between their different components.  Conventional perimeter security is poorly placed to secure these lateral flows, to promote a zero-trust model in order to prevent threats moving within each application layer.  VMware NSX addresses this, providing virtual firewall at the virtual NIC of each VM with a management framework where micro-segmentation is achievable with a sensible level of overhead.  Check Point vSEC can be deployed in conjunction to provide threat and malware protection.

The VMware NSX Distributed Firewall (DFW) protects East-West L2-L4 traffic within the virtual data center. The DFW operates in the vSphere kernel and provides a firewall at the NIC of every VM.  This enables micro-segmented, zero-trust networking with dynamic security policy leveraging the vCenter knowledge of VMs and applications to build policy rather than using IP or MAC addresses that may change.  Tools for automation and orchestration as well as a rich set of APIs for partner and customer extensibility complete the toolset for security without impossible management overhead.  While this is a dramatic improvement in the security Continue reading