Archive

Category Archives for "Security"

OpenFlow and Firewalls Don’t Mix Well

In one of my ExpertExpress engagements the customer expressed the desire to manage their firewall with OpenFlow (using OpenDaylight) and I said, “That doesn’t make much sense”. Here’s why:

Obviously, if you can't imagine your life without OpenDaylight, or if your yearly objectives include "deploying OpenDaylight-based SDN solution", you can use it as a REST-to-NETCONF translator, assuming your firewall supports NETCONF.


Docker Datacenter @ DockerCon 2016: Image security, Engine 1.12 and Burning Man…

Interested in learning more about our plans for Docker in the Enterprise and getting involved in an upcoming Docker Datacenter beta? Let’s take a deeper look. On the second day of DockerCon, the keynote used different situations to discuss enterprise use of Docker. Our CEO Ben Golub broke down several fallacies in IT, CTO Keith Fulton of ADP painted a delicious picture of microservices as chicken nuggets, and Lily and I… well, we averted a massive security disaster and got our costumes ready for Burning Man.

Aside from shiny sequined jackets (not my normal wardrobe, I promise) and Ben’s enthusiastic “business guy” cameo, we presented a prototype of the next version of Docker Datacenter, our commercial solution for running containers-as-a-service (CaaS) in an on-premises or public cloud enterprise environment. Docker Datacenter is an integrated CaaS platform to securely ship, orchestrate and manage Dockerized apps and system resources. The sneak peek during the keynote shows a prototype UI and features. Some of the things you saw may change as we get to launch but what’s important are the capabilities we are bringing to the enterprise platform.

In the keynote presentation we demonstrated these enterprise use cases:

Absorbing DDoS with Communities

Distributed Denial of Service attacks can damage your business—and they can be difficult to manage or counter. While there are a number of tools available to counter DDoS attacks, particularly in the commercial space, and there are a number of widely available DDoS protection services, sometimes it’s useful to know how to counter a DDoS on your own. One option is to absorb attacks across a broader set of inbound nodes. Let’s use the network below to illustrate (though often the scale needs to be quite a bit larger for this solution to be useful in the real world).

[Figure: ddos-spreading]

Assume, for the moment, that the attacker is injecting a DDoS stream from the black hat, sitting just behind AS65004. There are customers located in AS65001, 2, 3, 4, and 5. For whatever reason, the majority of the attacker’s traffic is coming in to site C, through AS65003. Normally this is a result of an anycast-based service (such as active-active data centers, a web-based service, or a DNS service), combined with roughly geographical traffic patterns. Even a DDoS attack from a mid-sized or largish botnet, or reflection off a set of DNS servers, can end up being

Poland’s Poznań Science and Technology Park Upgrades Its Infrastructure-as-a-Service Model with VMware NSX

Poznań Science and Technology Park—known in Polish as Poznańskiego Parku Naukowo-Technologicznego, or PPNT—supports the incubation of start-ups and technology companies in Poland through co-operation with science, business, and technology enterprises. Its facilities and services include laboratories, office space, and specialized research equipment, as well as IT infrastructure services like server colocation and hosting, system monitoring servers, storage space, and data transmission infrastructure leasing.

To build a virtual, multi-tenant, private infrastructure-as-a-service cloud, on a flexible billing schedule, for its demanding customers, PPNT opted for an integrated solution that included VMware vSphere, VMware vCloud Director, and VMware NSX. The business benefits became clear immediately. PPNT’s new, high-performance environment enabled robust management capabilities, and guaranteed security and fault-tolerant access. Plus, resource provisioning time was reduced from days to seconds.

Says manager of the PPNT DataCenter Tomasz Łukaszewicz: “VMware NSX, the network virtualization platform for the Software-Defined Data Center, enables our customers to create, save, delete, and restore virtual networks on demand, without reconfiguring the physical network. It also provides a better security model.”

Read the complete case study

The post Poland’s Poznań Science and Technology Park Upgrades Its Infrastructure-as-a-Service Model with VMware NSX appeared first on The Network Virtualization Blog.

Technology Short Take #68

Welcome to Technology Short Take #68, my erratically-published collection of links, articles, and posts from around the web—all focused on today’s major data center technologies. I’ve been trying to stick to a schedule that has these posts published on a Friday, but given the pending holiday weekend I wanted to get this out a bit early. As always, I hope that something I’ve included here proves useful to you.

Networking

Split Tunnel Insecurities

I really dislike corporate VPNs that don’t allow split tunneling—disconnecting from the VPN to print on a local printer, or access a local network attached drive, puts a real crimp in productivity. In the case of services reachable over both IPv6 and IPv4, particularly if the IPv6 path is preferred, split tunneling can be quite dangerous, as explained in RFC7359. Let’s use the network below to illustrate.

[Figure: rfc7359-illustrated]

In this network, host A is communicating with server B through a VPN, terminated by the VPN concentrator marked as “VPN.” Assume the host is reachable on both 192.0.2.1 and 2001:fb8:0:1::1. The host, the upstream router, the network in the cloud, and the server are all IPv6 reachable. When the host first connects, it will attempt both the IPv6 and IPv4 connections, and choose to use the IPv6 connection (this is what most current operating systems will do).

The problem is: the VPN connection doesn’t support IPv6 at all—it only supports IPv4. Because IPv6 is preferred, the traffic between the host and the server will take the local IPv6 path, which is not encrypted—the blue dash/dot line—rather than the encrypted IPv4 tunnel—the red dashed line. The user, host, and