Network Virtualization Makes it Easier to Enforce Security Policy
Defining a set of security and compliance policies is a key first step. But enforcing security policy is not as easy.
Lack of Experience May Plague IoT Security Startups
Eighty-five percent of businesses plan to implement IoT by 2019.
Using CGNAT to Navigate the Path from IPv4 to IPv6
A new A10 Networks white paper provides an overview of the various components required for a complete CGNAT and IPv6 migration solution that encompasses the entire lifecycle of the transition to IPv6.
Some non-lessons from WannaCry
This piece by Bruce Schneier needs debunking. I thought I'd list the things wrong with it.The NSA 0day debate
Schneier's description of the problem is deceptive:When the US government discovers a vulnerability in a piece of software, however, it decides between two competing equities. It can keep it secret and use it offensively, to gather foreign intelligence, help execute search warrants, or deliver malware. Or it can alert the software vendor and see that the vulnerability is patched, protecting the country -- and, for that matter, the world -- from similar attacks by foreign governments and cybercriminals. It's an either-or choice.The government doesn't "discover" vulnerabilities accidentally. Instead, when the NSA has a need for something specific, it acquires the 0day, either through internal research or (more often) buying from independent researchers.
The value of something is what you are willing to pay for it. If the NSA comes across a vulnerability accidentally, then the value to them is nearly zero. Obviously such vulns should be disclosed and fixed. Conversely, if the NSA is willing to pay $1 million to acquire a specific vuln for imminent use against a target, the offensive value is much greater than the Continue reading
Better Security Conversations – Thoughts for a Series
As many PacketU readers know, I have held the role as a vendor SE for a couple of years. In this role, a primary function is to correctly position our products into customer environments. What I’ve come to realize is that many of our conversations actually start incorrectly. I think we need to change that. I will be sharing, as well as structuring, my own thoughts with an upcoming series of posts on security.
I firmly believe that products are only tools and we need to back up to better understand the problems we are trying to solve. One analogy I use on a regular basis when talking about autonomous vehicles is that “no one needs a car [they only need the transportation].” So if technology can provide autonomous cars, transportation can become a service instead of a depreciating asset in our garage.
Although it isn’t a parallel thought or analogy, no organization needs an NGFW for the sake of owning an NGFW. There is a need to provide proper tools required to enable the organization’s security program. Thinking in these terms guides the conversations to a more appropriate solution. My goal with this upcoming series is to help anyone that touches cybersecurity Continue reading
How to track that annoying pop-up
In a recent update to their Office suite on Windows, Microsoft made a mistake where every hour, for a fraction of a second, a black window pops up on the screen. This leads many to fear their system has been infected by a virus. I thought I'd document how to track this down.The short answer is to use Mark Russinovich's "sysinternals.com" tools. He's Windows internals guru at Microsoft and has been maintaining a suite of tools that are critical for Windows system maintenance and security. Copy all the tools from "https://live.sysinternals.com". Also, you can copy with Microsoft Windows Networking (SMB).
Of these tools, what we want is something that looks at "processes". There are several tools that do this, but focus on processes that are currently running. What we want is something that monitors process creation.
The tool for that is "sysmon.exe". It can monitor not only process creation, but a large number of other system events that a techy can use to see what the system has been doing, and if you are infected with a virus.
Sysmon has a fairly complicated configuration file, and if you enabled everything, you'd soon be Continue reading
Don’t Miss out on These 5 Spotlights on Security at vForum Online Summer 2017
You’ve likely heard it before: “All businesses are now digital businesses.” But since the business has expanded into digital space, shouldn’t something as critical as business security digitally expand too? That’s where the VMware ubiquitous software layer comes into play — sitting across the application infrastructure and endpoints, no matter where they are.
Now more than ever, it’s clear that security expertise is a must-have for IT. To further enhance your own security knowledge, make sure to join us at vForum Online on June 28th — right from your own desk. As our largest virtual conference, vForum Online is a must-attend event for IT professionals, and especially for those looking to improve their approach to security.
For returning attendees, you may notice we’ve made some alterations to the structure of vForum Online: Now, the conference is divided into several goal-oriented tracks, to ensure we’re aligned to your IT aims.
With this free, half-day event just a few weeks away, we’re counting down the days — and counting up all the reasons you should attend. Get a preview of these five security spotlights you can expect at the conference:
- A Modern Approach to IT Security
In our “Transform Security — Reduce Continue reading
Docker for AWS and Azure: Secure By Default Container Platform
Docker for AWS and Docker for Azure are much more than a simple way to setup Docker in the cloud. In fact they provision by default an infrastructure with security in mind to give you a secure platform to build, ship and run Docker apps in the cloud. Available for free in Community Edition and as a subscription with support and integrated management in Enterprise Edition, Docker for AWS and Docker for Azure allow you to leverage pre-configured security features for your apps today – without having to be a cloud infrastructure expert.
You don’t have to take our word for it – in February 2017, we engaged NCC Group, an independent security firm, to conduct a security assessment of Docker for AWS and Docker for Azure. Included in this assessment is Docker for AWS and Docker for Azure Community Edition and Enterprise Edition Basic. This assessment took place from February 6-17. NCC Group was tasked with assessing whether these Docker Editions not only provisioned secure infrastructure with sensible defaults, but also leveraged and integrated the best security features of each cloud. We’d like to openly share their findings with you today.
NCC Group evaluated our security model and defaults, including:
- Cloud-specific Continue reading
Portnox Updates Security Platform to Include Subscription Plan Management
MSPs can now rebrand the security platform.
Businesses Rethinking Security Software Strategy, Gartner Says
AI, machine learning driving new security strategies.
Online meetup recap: Introduction to LinuxKit
At DockerCon 2017 we introduced LinuxKit: A toolkit for building secure, lean and portable Linux subsystems. Here are the key principles and motivations behind the project:
- Secure defaults without compromising usability
- Everything is replaceable and customizable
- Immutable infrastructure applied to building Linux distributions
- Completely stateless, but persistent storage can be attached
- Easy tooling, with easy iteration
- Built with containers, for running containers
- Designed for building and running clustered applications, including but not limited to container orchestration such as Docker or Kubernetes
- Designed from the experience of building Docker Editions, but redesigned as a general-purpose toolkit
- Designed to be managed by external tooling, such as Infrakit or similar tools
- Includes a set of longer-term collaborative projects in various stages of development to innovate on kernel and userspace changes, particularly around security
For this Online Meetup, Docker Technical Staff member Rolf Neugebauer gave an introduction to LinuxKit, explained the rationale behind its development and gave a demo on how to get started using it.
Watch the recording and slides
You’ll find below a list of additional questions asked by attendees at the end of the online meetups:
You said the ONBOOT containers are run sequentially, does it wait for one to finish before it Continue reading
Research: Network Security Using ntopng
Presentation on using NTOP-NG as a security tool
The post Research: Network Security Using ntopng appeared first on EtherealMind.
Mitigating Security Attacks in Container Environments
SDN is well suited to address the security requirements in container environments.
I want to talk for a moment about tolerance
This post is in response to this Twitter thread. I was going to do a series of tweets in response, but as the number grew, I thought it'd better be done in a blog.
She thinks we are fighting for the rights of Nazis. We aren't -- indeed, the fact that she thinks we are is exactly the problem. They aren't Nazis.
The issue is not about a slippery slope that first Nazi's lose free speech, then other groups start losing their speech as well. The issue is that it's a slippery slope that more and more people get labeled a Nazi. And we are already far down that slope.
The "alt-right" is a diverse group. Like any group. Vilifying the entire alt-right by calling them Nazi's is like lumping all Muslims in with ISIS or Al Qaeda. We really don't have Nazi's in America. Even White Nationalists don't fit the bill. Nazism was about totalitarianism, real desire to exterminate Jews, lebensraum, and Aryan superiority. Sure, some of these people exist, but they are a fringe, even among Continue reading
I want to talk for a moment about free speech advocacy. This'll be a thread, 1/many.— Jillian (@jilliancyork) May 30, 2017
She thinks we are fighting for the rights of Nazis. We aren't -- indeed, the fact that she thinks we are is exactly the problem. They aren't Nazis.
The issue is not about a slippery slope that first Nazi's lose free speech, then other groups start losing their speech as well. The issue is that it's a slippery slope that more and more people get labeled a Nazi. And we are already far down that slope.
The "alt-right" is a diverse group. Like any group. Vilifying the entire alt-right by calling them Nazi's is like lumping all Muslims in with ISIS or Al Qaeda. We really don't have Nazi's in America. Even White Nationalists don't fit the bill. Nazism was about totalitarianism, real desire to exterminate Jews, lebensraum, and Aryan superiority. Sure, some of these people exist, but they are a fringe, even among Continue reading
Tanium Raises $100M: ‘Vote of Confidence’ or ‘Liquidity Event’ After Bad Press?
CEO Orion Hindawi says bullying reports are untrue.
Progressive Dutch Municipality Protects Citizen Data and Meets Compliance with VMware NSX
Summary: Municipality of Zoetermeer implements Zero-Trust model with VMware NSX-enabled micro-segmentation for advanced security inside data centers. Zoetermeer follows the Dutch BIG (Baseline Information Security Dutch Municipalities) regulations
Zoetermeer is a modern, fast-growing municipality in the province of South Holland. It provides local services such as water supply, sewage and garbage disposal to around 125,000 residents. As a forward-thinking organization, the municipality of Zoetermeer recognizes that the increasing volume of cyber attacks against organizations today has shown that traditional, perimeter-centric security models are no longer effective.
The municipality responded by working with VMware partner ON2IT IT Services on a solution that wouldn’t treat everything inside the network as trusted. Zoetermeer deployed VMware NSX® network virtualization to facilitate a Zero Trust security model. This Zero Trust model is enabled by the unique micro-segmentation capabilities of VMware NSX. Zoetermeer is now compartmentalizing different segments of its network and applying automated, fine-grained security policies to individual applications.
“The municipality of Zoetermeer is committed to delivering digital services to our citizens, and also digital tools to enable the best experience for our employees,” said Mr. Van Gaalen, IT Manager, Municipality of Zoetermeer. “But security must remain paramount. Thanks to VMware, we can Continue reading
Technology Short Take #83
Welcome to Technology Short Take #83! This is a slightly shorter TST than usual, which might be a nice break from the typical information overload. In any case, enjoy!
Networking
- I enjoyed Dave McCrory’s series on the future of the network (see part 1, part 2, part 3, and part 4—part 5 hadn’t gone live yet when I published this). In my humble opinion, he’s spot on in his viewpoint that network equipment is increasingly becoming more like servers, so why not embed services and functions in the network equipment? However, this isn’t enough; you also need a strong control plane to help manage and coordinate these services. Perhaps Istio will help provide that control plane, though I suspect something more will be needed.
- Michael Kashin has a handy little tool that functions like
ssh-copy-idon servers, but for network devices (leveraging Netmiko). Check out the GitHub repository. - Anthony Shaw has a good comparison of Ansible, StackStorm, and Salt (with a particular view at applicability in a networking context). This one is definitely worth a read, in my opinion.
- Miguel Gómez of Telefónica Engineering discusses maximizing performance in VXLAN overlay networks.
- Nicolas Michel has a good Continue reading
Bastion Hosts and Custom SSH Configurations
The idea of an SSH bastion host is something I discussed here about 18 months ago. For the most part, it’s a pretty simple concept (yes, things can get quite complex in some situations, but I think these are largely corner cases). For the last few months, though, I’ve been trying to use an SSH bastion host and failing, and I could not figure out why it wouldn’t work. The answer, it turns out, lies in custom SSH configurations.
In my introduction on using SSH bastion hosts (linked above)—or in just about any tutorial out there on using SSH bastion hosts—brief mention is made of adding configuration information to SSH to use the bastion host. Borrowing from my original post, if you had an instance named “private1” that you wanted to access via a bastion named “bastion”, the SSH configuration information might look like this:
Host private1
IdentityFile ~/.ssh/rsa_private_key
ProxyCommand ssh user@bastion -W %h:%p
Host bastion
IdentityFile ~/.ssh/rsa_private_key
Normally, that information would go into ~/.ssh/config, which is the default SSH configuration file.
In my case, I only allow public key authentication to “trusted” systems (I vaguely recall an article I read a while ago about a Continue reading
Technology Short Take #83
Welcome to Technology Short Take #83! This is a slightly shorter TST than usual, which might be a nice break from the typical information overload. In any case, enjoy!
Networking
- I enjoyed Dave McCrory’s series on the future of the network (see part 1, part 2, part 3, and part 4—part 5 hadn’t gone live yet when I published this). In my humble opinion, he’s spot on in his viewpoint that network equipment is increasingly becoming more like servers, so why not embed services and functions in the network equipment? However, this isn’t enough; you also need a strong control plane to help manage and coordinate these services. Perhaps Istio will help provide that control plane, though I suspect something more will be needed.
- Michael Kashin has a handy little tool that functions like
ssh-copy-idon servers, but for network devices (leveraging Netmiko). Check out the GitHub repository. - Anthony Shaw has a good comparison of Ansible, StackStorm, and Salt (with a particular view at applicability in a networking context). This one is definitely worth a read, in my opinion.
- Miguel Gómez of Telefónica Engineering discusses maximizing performance in VXLAN overlay networks.
- Nicolas Michel has a good Continue reading
Bastion Hosts and Custom SSH Configurations
The idea of an SSH bastion host is something I discussed here about 18 months ago. For the most part, it’s a pretty simple concept (yes, things can get quite complex in some situations, but I think these are largely corner cases). For the last few months, though, I’ve been trying to use an SSH bastion host and failing, and I could not figure out why it wouldn’t work. The answer, it turns out, lies in custom SSH configurations.
In my introduction on using SSH bastion hosts (linked above)—or in just about any tutorial out there on using SSH bastion hosts—brief mention is made of adding configuration information to SSH to use the bastion host. Borrowing from my original post, if you had an instance named “private1” that you wanted to access via a bastion named “bastion”, the SSH configuration information might look like this:
Host private1
IdentityFile ~/.ssh/rsa_private_key
ProxyCommand ssh user@bastion -W %h:%p
Host bastion
IdentityFile ~/.ssh/rsa_private_key
Normally, that information would go into ~/.ssh/config, which is the default SSH configuration file.
In my case, I only allow public key authentication to “trusted” systems (I vaguely recall an article I read a while ago about a Continue reading