Archive

Category Archives for "Security"

Industry First Micro-segmentation Cybersecurity Benchmark Released

microsegmentationThe VMware NSX Micro-segmentation Cybersecurity Benchmark report has been released! As previewed in part six of the Micro-segmentation Defined – NSX Securing Anywhere blog series , independent cyber risk management advisor and assessor Coalfire was sponsored by VMware to create an industry first Micro-segmentation Cybersecurity Benchmark report. Coalfire conducted an audit of the VMware NSX micro-segmentation capabilities to develop this benchmark report detailing the efficacy of NSX as a security platform through a detailed “micro-audit” process, testing NSX against simulated zero-day threats.

Testing included five different network design patterns, and demonstrated how NSX micro-segmentation can provide stateful, distributed,  policy-based protection in environments regardless of network topology. Topologies included –

  • Flat L2 network segments
  • L2 and L3 networks with centralized virtual or physical routers, representative of typical data center rack implementations built on hybrid physical and network virtualization platform / distributed virtual switch (dVS)
  • Networks with connection to other physical servers
  • Overlay-based networks using the Distributed Firewalls (DFW) and Distributed Logical Routers (DLR)
  • Physical VLAN and overlay-based networks using service insertion technologies running on dedicated VMs (in our case, Palo Alto Networks NextGen FW with Panorama)

five-micro-seg-design-patterns

Coalfire’s examination and testing of VMware NSX technology utilized simulated exploits that depict likely malware and Continue reading

BackConnect’s Suspicious BGP Hijacks

Earlier this month, security blogger Brian Krebs broke a story about an Israeli DDoS-for-hire service, vDOS, which had been hacked, revealing “tens of thousands of paying customers and their (DDoS) targets.”  Afterwards, Krebs noticed that vDOS itself was also a victim of a recent BGP hijack from a company called BackConnect, which claims to be the “world’s first and leading open source based DDoS and network security provider.”

Bryant Townsend, CEO of BackConnect, confirmed to Krebs that they had indeed conducted a BGP hijack on vDOS, but claimed that it was for “defensive purposes.”  In an email to the NANOG list, Townsend explained that in doing so they “were able to collect intelligence on the actors behind the botnet as well as identify the attack servers used by the booter service,” implying this was a one-time event.  Krebs then contacted Dyn for some assistance in researching what appeared to be a series of BGP hijacks conducted by BackConnect over the past year.  What emerges from this analysis is that the hijack against vDOS probably wasn’t the first time BackConnect used BGP hijacks in the course of its business.  And via the use of Continue reading

Multi-site with Cross-VC NSX and Palo Alto Networks Security

In a prior post, Multi-site with Cross-VC NSX: Consistent Security and Micro-segmentation Across Sites, we discussed how Cross-VC NSX provides micro-segmentation and consistent security across multiple sites. We looked at five reasons to seriously consider Cross-VC NSX for a multi-site solution in terms of security alone: centralized management, consistent security across vCenter domains/sites, security policies follow the workload(s), ease of security automation across vCenter domains/sites, and enhanced disaster recovery use case. In this post, we’ll discuss how advanced third party security services can also be leveraged in a Cross-VC NSX environment. 

Prior Cross-VC NSX Blogs:
Multi-site with Cross-VC NSX: Consistent Security and Micro-segmentation Across Sites
Cross-VC NSX: Multi-site Deployments with Ease and Flexibility
NSX-V: Multi-site Options and Cross-VC NSX Design Guide
Enhanced Disaster Recovery with Cross-VC NSX and SRM
Cross-VC NSX for Multi-site Solutions

NSX provides a solid platform for security in general: inherent isolation via logical networks, micro-segmentation via distributed firewall, edge firewall capabilities, third party guest introspection services, third party network introspection services, and a robust security policy orchestration and automation framework.

With Cross-VC NSX, micro-segmentation and consistent security policies for workloads expands beyond a single vCenter boundary. Typically, customers who have multiple sites also have multiple vCenters – at least one vCenter Continue reading

Why Snowden won’t be pardoned

Edward Snowden (NSA leakerblower) won’t be pardoned. I’m not arguing that he shouldn’t be pardoned, but that he won’t be pardoned. The chances are near zero, and the pro-pardon crowd doesn't seem to be doing anything to cange this. This post lists a bunch of reasons why. If your goal is to get him pardoned, these are the sorts of things you’ll have to overcome.

The tl;dr list is this:
  • Obama hates whistleblowers
  • Obama loves the NSA
  • A pardon would be betrayal
  • Snowden leaked because he was disgruntled, not because he was a man of conscience (***)
  • Snowden hasn’t yet been convicted
  • Snowden leaked too much
  • Snowden helped Russian intelligence
  • Nothing was found to be illegal or unconstitutional


Obama hates whistleblowers

Obama campaigned promising to be the most transparent president in history. Among his campaign promises are:

Protect Whistleblowers: Often the best source of information about waste, fraud, and abuse in government is an existing government employee committed to public integrity and willing to speak out. Such acts of courage and patriotism, which can sometimes save lives and often save taxpayer dollars, should be encouraged rather than stifled as they have been during the Bush administration. We need to empower Continue reading

Docker Weekly Roundup | September 11, 2016

 

weekly-roundup.png

As we arrive at the conclusion of another week, the team at Docker wanted to take a moment to reflect on a few of the top posts you might have missed, while also highlighting a few other Docker stories from around the web. Here’s the weekly roundup for the week of September 11, 2016:

  • Docker Partner Program introducing the new tiered Docker Partner Program designed to address the growing demand by enterprise companies to adopt Containers as a Service environments with Docker Datacenter. 
  • Dockercast Episode 3 in this podcast Docker catches up with Nirmal Mehta at Booz Allen Hamilton. We discuss how large government organizations are modernizing their IT infrastructures and why these types of institutions seem to be early adopters of Docker.
  • IoT Swarm with Docker Machine the new Swarm Mode in Docker 1.12 makes it easy to build a Docker Swarm and connect different ARM devices to an IoT cluster. Instructions on how to build your own by Docker Captain Dieter Reuter.

Review: “Snowden” (2016)

tldr:

  • If you are partisan toward Snowden, you'll like the movie.
  • If you know little about Snowden, it's probably too long/slow -- you'll be missing the subtext.
  • If you are anti-Snowden, you'll hate it of course.


The movie wasn't bad. I was expecting some sort of over-dramatization, a sort of Bourne-style movie doing parkour through Hong Kong ghettos. Or, I expected a The Fifth Estate sort of movie that was based on the quirky character of Assange. But instead, the movie was just a slight dramatization of the events you (as a Snowden partisan) already know. Indeed, Snowden is a boring protagonist in the movie -- which makes the movie good. All the other characters in the movie are more interesting than the main character. Even the plot isn't all that interesting -- it's just a simple dramatization of what happens -- it's that slow build-up of tension toward the final reveal that keeps your attention.

In other words, it's clear that if you like Snowden, understand the subtext, you'll enjoy riding along on this slow buildup of tension.

Those opposed to Snowden, however, will of course gag on the one-side nature of the story. There's always two sides to Continue reading

Security through Community: Introducing the Vendor Security Alliance

Today Docker is proud to announce that we are founding member of the Vendor Security Alliance (VSA), a coalition formed to help organizations streamline their vendor evaluation processes by establishing a standardized questionnaire for appraising a vendor’s security and compliance practices.The VSA was established to solve a fundamental problem: how can IT teams conform to its existing security practices when procuring and deploying third-party components and platforms?

The VSA solves this problem by developing a required set of security questions that will allow vendors to demonstrate to their prospective customers that they are doing a good job with security and data handling. Good security is built on great technology paired with processes and policies. Until today, there was no consistent way to discern if all these things were in place. Doing a proper security evaluation today tends to be a hard, manual process. A large number of key questions come to mind when gauging how well a third-party company manages security.

As an example, these are the types of things that IT teams must be aware of when assessing a vendor’s security posture:

  • Do they securely handle sensitive customer data?
  • Do they have the ability to detect when attacks occur on their Continue reading

SDN Matures – via the Federal Government…

Based on industry research and market assessments such as the most recent from Allied Market Research, we know software-defined networking is growing crazy fast and has a huge upside. The question is…is it maturing to the point the Federal Government will make it a priority?

I think the answer is YES, based on what Lt. Gen. Alan Lynn, director of the Defense Information Systems Agency has said publicly. And, it appears cyber-security is one of the biggest areas he sees SDN helping out. He explains how SDN can provide the ability to create networks on-demand and make them harder to attack.

In order to help Lt. General Lynn, we needed to get past an issue I like to call, “Barrier of Implementation”. The barrier is an approved DISA STIG for SDN. In order for federal agencies to implement a SDN solution it has to go through some sort of security accreditation. Most of all security accreditation rely on DISA STIGs for the checks and balances.

With our announcement yesterday, “VMware Receives STIG-Approval for VMware NSX to Operate on U.S. Department of Defense Networks from Defense Information Systems Agency,” VMware NSX network virtualization became the Continue reading

A Follow Up on SSH Bastion Hosts

This post is a follow-up on my earlier post on using an SSH bastion host. Since that article was published, I’ve gotten some additional information that I wanted to be sure to share with my readers. It’s possible that this additional information may not affect you, but I’ll allow you to make that determination based on your use case and your specific environment.

Agent Forwarding

You may recall that my original article said that you needed to enable agent forwarding, either via the -A command-line switch or via a ForwardAgent line in your SSH configuration file. This is unnecessary. (Thank you to several readers who contacted me about this issue.) I tested this several times using AWS instances, and was able to transparently connect to private instances (instances without a public IP address) via a bastion host without enabling agent forwarding. This is odd because almost every other tutorial I’ve seen or read instructs readers to enable agent forwarding. I’ve not yet determined why this is the case, but I’m going to do some additional testing and I’ll keep readers posted as I learn more.

Note that I’ve updated the original article accordingly.

The “-W” Parameter vs. Netcat

The Continue reading

How Jefferson County’s IT Department Improved Their Security Posture with VMware NSX

Jefferson County, Colorado (“Jeffco”) is a local jurisdiction located against the beautiful Rocky Mountains and adjacent to the state capital in Denver.  Jeffco’s IT jefferson-county-colorado-squarelogo-2organization is charged with meeting the needs not only of the various internal departments of the county, but also of serving its half million residents.

As with most IT departments, Jeffco’s IT team has some key priorities to address, including modernizing application infrastructures and bringing more efficiency to business processes — all while fundamentally enhancing security.  It was these needs that led Jeffco to VMware NSX. “We’re doing as much as we can to simplify our infrastructure, yet provide more security, higher up time, and better performance,” says Matt Alexander, Senior Systems Administrator.

Like many other organizations, Jeffco first considered VMware NSX for micro-segmentation.  Their network had followed the traditional model of data center security: perimeter firewalls, DMZ, internal security zone.  But this legacy security model wasn’t enough.  Jeffco recognized the need to treat all network traffic — regardless of whether it originated inside or outside the data center — as potentially insecure.  “From a micro-segmentation and east-west firewalling perspective, we may have had the ability [in the past] but it was exceptionally expensive with physical Continue reading

What’s the testimonial of passwords?

In this case described by Orin Kerr, the judge asks if entering a password has any testimonial other than "I know the password". Well, rather a lot. A password is content. While it's a foregone conclusion that this encrypted drive here in this case belongs to the suspect, the password may unlock other things that currently cannot be tied to the suspect. Maybe the courts have an answer to this problem, but in case they haven't, I thought I'd address this from a computer-science point of view.


Firstly, we have to address the phrasing of entering a password, rather than disclosing the password. Clearly, the court is interested in only the content of the disk drive the password decrypts, and uninterested in the password itself. Yet, entering a password is the same as disclosing it. Technically, there's no way to enter a password in such a way that it can't be recorded. I don't know the law here, and whether courts would protect this disclosure, but for the purposes of this blog post, "entering" is treated the same as "disclosing".

Passwords have content. This paper focuses on one real, concrete example, but let's consider some hypothetical cases first.

Continue reading

Technology Short Take #71

Welcome to Technology Short Take #71! As always, I have a list of links related to various data center technologies found below; hopefully something here proves useful.

Networking

Servers/Hardware

Security

So Your Username and Password Where in a Data Dump. Now What?

Whether it’s Dropbox, LinkedIn, MySpace, PlayStation, or whatever the latest breach happens to be, it’s almost inevitable that you will be caught up in one of these breaches and have your username, password and possibly other information exposed in a data dump. Here’s how to respond when that happens.

How Does This Happen?

A data dump is what often happens after a website has been breached and information about that site’s users/customers is stolen. All that stolen data is often “dumped” on the Internet for all to see. Once the data is dumped, it’s at that point that all this information becomes public and along with it, your information.

Sometimes, as in the case of the Ashely Madison dump, that information can be personally damaging. Other times the information is limited to usernames and passwords.

This article is going to focus on how to respond if your username and password are part of a data dump.

Step 1 – Reset Your Password

This is obvious, but go and change your password. Do it right now, before something comes along and distracts you. Even if you’re a security concious person and you’re using Two-Factor Authentication Continue reading

1 137 138 139 140 141 178