Category Archives for "Security"

Reaction; Do we really need a new Internet?

The other day several of us were gathered in a conference room on the 17th floor of the LinkedIn building in San Francisco, looking out of the windows as we discussed various technical matters. All around us, there were new buildings under construction, with that tall towering crane anchored to the building in several places. We wondered how that crane was built, and considered how precise the building process seemed compared to the complete mess that building a network seems to be.

And then, this week, I ran across a couple of articles arguing that we need a new Internet. For instance—

What we really have today is a Prototype Internet. It has shown us what is possible when we have a cheap and ubiquitous digital infrastructure. Everyone who uses it has had joyous moments when they have spoken to family far away, found a hot new lover, discovered their perfect house, or booked a wonderful holiday somewhere exotic. For this, we should be grateful and have no regrets. Yet we have not only learned about the possibilities, but also about the problems. The Prototype Internet is not fit for purpose for the safety-critical and socially sensitive types of Continue reading

You don’t need printer security

So there's this tweet:

[embedded tweet not included in the excerpt]

What it's probably referring to is this:

[embedded image not included in the excerpt]

This is an obviously bad idea.

Well, not so "obvious", so some people have asked me to clarify the situation. After all, without "security", couldn't a printer just be added to a botnet of IoT devices?

The answer is this: fixing insecurity is almost always better than adding a layer of security.

Adding security is notoriously problematic, for three reasons:

  1. Hackers are active attackers. When presented with a barrier in front of an insecurity, they'll often find ways around that barrier. It's a common problem with "web application firewalls", for example.
  2. The security software itself can become a source of vulnerabilities hackers can attack, which has happened frequently in anti-virus and intrusion prevention systems.
  3. Security features are usually snake-oil, sounding great on paper, with no details and no independent evaluation provided to the public.

It's the last one that's most important. HP markets features, but there's no guarantee they work. In particular, similar features in Continue reading

Technology Short Take #78

Welcome to Technology Short Take #78! Here’s another collection of links and articles from around the Internet discussing various data center-focused technologies.

Networking

Servers/Hardware

Nothing this time around, sorry!

Security

Ixia Vision ONE – Tap the Planet

Whenever I start talking about network visibility and aggregation taps I can’t help but think of The Matrix. Millions of packets flowing through your network every minute of every day; tapping into that can be a daunting exercise. Luckily we have some new blood in this space, at least in my view: Ixia Vision ONE. For those of you that recognize the name, yes, I’m talking about that Ixia. Previously one of the leaders in the load testing market, they’ve moved into the network packet broker space.

Vision ONE is Ixia’s all-in-one product that attempts to provide assurance that the network traffic you want to reach your monitoring and security tools is actually reaching those tools. Vision ONE is able to take the input from your device and send it out in several directions, applying filters to the traffic as needed. This means that you can filter out specific traffic and send it to a monitoring / security tool without traffic it doesn’t need to process. All of this is managed through a clean, easy-to-use interface that displays the connections between the TAP’s physical ports, filters, and tool ports.

Take a look at the Vision One demo here.

My Continue reading

Blocking a DDoS Upstream

In the first post on DDoS, I considered some mechanisms to disperse an attack across multiple edges (I actually plan to return to this topic with further thoughts in a future post). The second post considered some of the ways you can scrub DDoS traffic. This post completes the basic lineup of reacting to DDoS attacks by considering how to block an attack before it hits your network—upstream.

The key technology in play here is flowspec, a mechanism that can be used to carry packet-level filter rules in BGP. The general idea is this—you send a set of specially formatted communities to your provider, who then automagically uses those communities to create filters at the inbound side of your link to the ‘net. There are two parts to the flowspec encoding, as outlined in RFC5575bis: the match rule and the action rule. The match rule is encoded as shown below—

There are a wide range of conditions you can match on. The source and destination addresses are pretty straightforward. For the IP protocol and port numbers, the operator sub-TLVs allow you to specify a set of conditions to match on, and whether to AND the Continue reading

VMware NSX Micro-segmentation Day 1 Book Available!

VMware NSX Micro-segmentation Day 1 is available for free download! VMware NSX Micro-segmentation Day 1 is a concise book that provides the necessary information to guide organizations interested in bolstering their security posture through the implementation of micro-segmentation. VMware NSX Micro-segmentation Day 1 highlights the importance of micro-segmentation in enabling better data center cyber hygiene. It also provides the knowledge and guidance needed to effectively design and implement a data center security strategy around micro-segmentation.

VMware NSX Micro-segmentation covers the following topics.

  • Micro-segmentation Definition
  • Micro-segmentation and Cybersecurity standards
  • NSX components enabling micro-segmentation
  • Design considerations for micro-segmentation
  • Creating a grouping framework for micro-segmentation
  • Policy creation tools for micro-segmentation

So be sure to download a copy today and learn more about micro-segmentation and how to make it a foundational part of your security strategy. If you are attending RSA 2017, promotional copies will be handed out at the VMware booth, so be sure to stop by!
The post VMware NSX Micro-segmentation Day 1 Book Available! appeared first on The Network Virtualization Blog.

NSX-V 6.3: Cross-VC NSX Security Enhancements

NSX-V 6.2 introduced the Cross-VC NSX feature to allow for NSX logical networking and security across multiple vCenter domains. The ability to apply consistent networking and security across vCenter domains provides for multiple use cases for Cross-VC NSX: workload mobility, resource pooling, multi-site security, ease of automation across sites, and disaster avoidance/recovery. With the recent release of NSX-V 6.3, several enhancements have been added to the Cross-VC NSX feature to provide additional capabilities and improve the overall robustness of the solution. In this blog post I’ll discuss the new Cross-VC NSX security enhancements in NSX-V 6.3. For additional information on Cross-VC NSX, check out my prior Cross-VC NSX blog posts.

The security enhancements for Cross-VC NSX can be grouped into two categories:

  1. General Enhancements (Apply Across both Active/Active and Active/Standby deployment models)
  2. Enhancements for Active/Standby Use Case

Active/Active and Active/Standby above refer to whether the application is active at both sites or active at one site and standby at another site (e.g., disaster recovery). Enhancements in each of these categories are discussed in more detail below.

1.) General Enhancements (Apply Across both Active/Active and Active/Standby deployment models)

Figure 1: Cross-VC NSX Active/Standby and Active/Active Deployment Model

Locking Down Docker To Open Up Enterprise Adoption

It happens time and time again with any new technology. Coders create this new thing, it gets deployed as an experiment and, if it is an open source project, shared with the world. As its utility is realized, adoption suddenly spikes with the do-it-yourself crowd that is eager to solve a particular problem. And then, as more mainstream enterprises take an interest, the talk turns to security.

It’s like being told to grow up by a grownup, to eat your vegetables. In fact, it isn’t like that at all. It is precisely that, and it is healthy for any technology

Locking Down Docker To Open Up Enterprise Adoption was written by Timothy Prickett Morgan at The Next Platform.