
Category Archives for "Security"

Ethernet-over-VPN: What Could Possibly Go Wrong?

One of my readers sent me a link to SoftEther, a VPN solution that

[…] penetrates your network admin's troublesome firewall for overprotection. […] Any deep-packet inspection firewalls cannot detect SoftEther VPN's transport packets as a VPN tunnel, because SoftEther VPN uses Ethernet over HTTPS for camouflage.

What could possibly go wrong with such a great solution?


OpenFlow and Firewalls Don’t Mix Well

In one of my ExpertExpress engagements the customer expressed the desire to manage their firewall with OpenFlow (using OpenDaylight) and I said, “That doesn’t make much sense”. Here’s why:

Obviously if you can't imagine your life without OpenDaylight, or if your yearly objectives include "deploying OpenDaylight-based SDN solution", you can use it as a REST-to-NETCONF translator assuming your firewall supports NETCONF.


Docker Datacenter @ DockerCon 2016: Image security, Engine 1.12 and Burning Man…

Interested in learning more about our plans for Docker in the Enterprise and getting involved in an upcoming Docker Datacenter beta? Let’s take a deeper look. On the second day of DockerCon, the keynote used different situations to discuss enterprise use of Docker. Our CEO Ben Golub broke down several fallacies in IT, CTO Keith Fulton of ADP painted a delicious picture of microservices as chicken nuggets, and Lily and I… well, we averted a massive security disaster and got our costumes ready for Burning Man.

Aside from shiny sequined jackets (not my normal wardrobe, I promise) and Ben’s enthusiastic “business guy” cameo, we presented a prototype of the next version of Docker Datacenter, our commercial solution for running containers-as-a-service (CaaS) in an on-premises or public cloud enterprise environment. Docker Datacenter is an integrated CaaS platform to securely ship, orchestrate and manage Dockerized apps and system resources. The sneak peek during the keynote shows a prototype UI and features. Some of the things you saw may change as we get to launch but what’s important are the capabilities we are bringing to the enterprise platform.

In the keynote presentation we demonstrated these enterprise use cases:

Absorbing DDoS with Communities

Distributed Denial of Service attacks can damage your business—and they can be difficult to manage or counter. While there are a number of tools available to counter DDoS attacks, particularly in the commercial space, and there are a number of widely available DDoS protection services, sometimes it’s useful to know how to counter a DDoS on your own. One option is to absorb attacks across a broader set of inbound nodes. Let’s use the network below to illustrate (though often the scale needs to be quite a bit larger for this solution to be useful in the real world).

[Figure: ddos-spreading]

Assume, for the moment, that the attacker is injecting a DDoS stream from the black hat, sitting just behind AS65004. There are customers located in AS65001, 2, 3, 4, and 5. For whatever reason, the majority of the attacker’s traffic is coming into site C, through AS65003. Normally this is a result of an anycast-based service (such as active-active data centers, or a web-based service, or a DNS service), combined with roughly geographical traffic patterns. Even a DDoS attack from a mid-sized or largish botnet, or reflection off a set of DNS servers, can end up being