Archive

Category Archives for "Security"

Is web-scale networking secure? This infographic breaks it down.

At Cumulus Networks, we take a lot of pride in the fact that web-scale networking using Cumulus Linux can have an immense impact on an organization’s ability to scale, automate and even reduce costs. However, we know that efficiency and growth are not the only things our customers care about.

In fact, many of our customers are interested first and foremost in the security of web-scale networking with Cumulus Linux. Many conclude that a web-scale, open environment can be even more secure than a closed proprietary one. Keep reading to learn more or scroll to the bottom to check out our infographic “The network security debate: Web-scale vs. traditional networking”

Here are some of the ways web-scale networking with Cumulus Linux keeps your data center switches secure:

  • Cumulus Linux uses the same standard secure protocols and procedures as a proprietary vendor: For example, Openssh is used by both traditional closed vendors and Cumulus Linux. The standardized MD5 is used for router authentication, and Cumulus supports management VRF.
  • Web-scale networking has more “eyes” on the code with community support: Linux has a large community of developers from different backgrounds and interests supporting the integrity of the code. Since an entire community of Continue reading

No, it’s Matt Novak who is a fucking idiot

I keep seeing this Gizmodo piece entitled “Snowden is a fucking idiot”. I understand the appeal of the piece. The hero worship of Edward Snowden is getting old. But the piece itself is garbage.

The author, Matt Novak, is of the new wave of hard-core leftists intolerant of those who disagree with them. His position is that everyone is an idiot who doesn’t agree with his views: Libertarians, Republicans, moderate voters who chose Trump, and even fellow left-wingers that aren’t as hard-core.

If you carefully read his piece, you’ll see that Novak doesn’t actually prove Snowden is wrong. Novak doesn’t show how Snowden disagrees with facts, but only how Snowden disagrees with the left-wing view of the world. It’s only through deduction that we come to the conclusion: those who aren’t left-wing are idiots, Snowden is not left-wing, therefore Snowden is an idiot.

The question under debate in the piece is:
technology is more important than policy as a way to protect our liberties
In other words, if you don’t want the government spying on you, then focus on using encryption (use Signal) rather than trying to change the laws so they can’t spy on you.

On a Continue reading

The false-false-balance problem

Until recently, journalism in America prided itself on objectivity -- to report the truth, without taking sides. That's because big debates are always complexed and nuanced, and that both sides are equally reasonable. Therefore, when writing an article, reporters attempt to achieve balance by quoting people/experts/proponents on both sides of an issue.

But what about those times when one side is clearly unreasonable? You'd never try to achieve balance by citing those who believe in aliens and big-foot, for example.Thus, journalists have come up with the theory of false-balance to justify being partisan and one-sided on certain issues.

Typical examples where journalists cite false-balance is reporting on anti-vaxxers, climate-change denialists, and Creationists. More recently, false-balance has become an issue in the 2016 Trump election.

But this concept of false-balance is wrong. It's not that anti-vaxxers, denialists, Creationists, and white supremacists are reasonable. Instead, the issue is that the left-wing has reframed the debate. They've simplified it into something black-and-white, removing nuance, in a way that shows their opponents as being unreasonable. The media then adopts the reframed debate.


Let's talk anti-vaxxers. One of the policy debates is whether the government has the power to force vaccinations on people (or on Continue reading

Reverese Shell on Linux

Reverse shell is technique when a client connects to a server and the client provides its shell to the server. Clients is typically a host hidden behind the NAT or a firewall having an access to the server but not vice versa. Thanks to a reverse shell the server controls a client's shell having an access to the client's network even the client is hidden behind the NAT. They are several methods how to create a reverse shell used depending on software available on the client. I will show how to create a reverse shell using SSH, Ncat and Bash.

picture1-network_topology

Picture 1 - Network Topology

Picture 1 shows our testing topology. The client (Ubuntu Server 16.04) is located behind the NAT with the IP address 192.168.1.4/24. The server (Kubuntu 16.04) has assigned the IP address 172.17.100.7/16.

1. Reverse Shell Using SSH Reverse Tunnel

This method is based on the fact that the client has knowledge of the server SSH login credentials and vice versa. SSH server must be running on both the server and client. Client must be allowed to access server through firewall.

Client:
$ ssh -R 10000:127.0.0.1:22 [email protected]. Continue reading

Technology Short Take #73

Welcome to Technology Short Take #73. Sorry for the long delay since the last Technology Short Take; personal matters have been taking quite the toll (if you follow me on Twitter, you’ll know to what personal matters I’m referring). In any case, enough of that—here’s some data center-related content that I hope you find useful!

Networking

  • Ansible has made some good progress in supporting network automation in the latest release (2.2), according to this blog post. This is an area where I hope to spend more time in the coming weeks before years’ end.
  • Tomas Fojta shows how to use a PowerShell script to monitor the health of NSX Edge gateways.
  • Jeremy Stretch mulls over the (perceived) problem of getting traffic into and out of overlay networks. I recommend reading this article, as well as reading the comments. Many commenters suggest just using L3 and having the hosts participate in a routing protocol like BGP, but as Jeremy points out many switches don’t have the capacity to handle that many routes. (Or, if they do, they’re quite expensive.) Seems like there’s this company in Palo Alto making a product that handles this issue pretty decently…(hint).
  • Cumulus Continue reading

Reactive Malicious Domain Detection (ENTRADA)

One interesting trend of the last year or two is the rising use of data analytics and ANI (Artificial Narrow Intelligence) in solving network engineering problems. Several ideas (and/or solutions) were presented this year at the IETF meeting in Seoul; this post takes a look at one of these. To lay the groundwork, botnets are often controlled through a set of domain names registered just for this purpose. In the same way, domain names are often registered just to provide a base for sending bulk mail (SPAM), phishing attacks, etc. It might be nice for registrars to make some attempt to remove such domains abused for malicious activities, but it’s difficult to know what “normal” activity might look like, or for the registrar to even track the usage of a particular domain to detect malicious activity. One of the papers presented in the Software Defined Network Research Group (SDNRG) addresses this problem directly.

The first problem is actually collecting enough information to analyze in a useful way. DNS servers, even top level domain (TLD) servers collect a huge amount of data—much more than most engineers might suspect. In fact, the DNS system is one of those vast sources of information Continue reading

1 136 137 138 139 140 182