Nuage Networks Security Report Webinar Q&A: SDN & Security Policy Automation
Check out the post-event Q&A from Nuage on SDN, Security & Policy!
Accessing ASA CLI in Firepower Threat Defence
I’ve recently loaded Firepower Threat Defense on an ASA5525 for my home Internet firewall. For those unfamiliar with FTD, it is basically a combination of critical ASA features and all of the Cisco Firepower features in a single image and execution space. So unlike Firepower Services, which runs separately inside the same ASA sheet metal, FTD takes over the hardware. Once the image installed onto the hardware, the firewall is attached to and managed by a Firepower Management Console.
For those that still want to (or need to) get under the covers to understand the underpinnings or do some troubleshooting of the ASA features, it is still possible to access the familiar CLI. The process first requires an ssh connection to the management IP of the FTD instance, then access expert mode and enter the lina_cli command.
MacBook:~ paulste$ ssh [email protected] Password: Last login: Thu Jun 23 18:16:43 2016 from 192.168.1.48 Copyright 2004-2016, Cisco and/or its affiliates. All rights reserved. Cisco is a registered trademark of Cisco Systems, Inc. All other trademarks are property of their respective owners. Cisco Fire Linux OS v6.0.1 (build 37) Cisco ASA5525-X Threat Defense v6.0.1 Continue reading
Use the freakin’ debugger
This post is by a guy who does "not use a debugger". That's stupid. Using a friendly source-level debugger (Visual Studio, XCode, Eclipse) to step line-by-line through working code is what separates the 10x programmers from the wannabes. Yes, it's a bit of a learning hurdle, and creating "project" files for small projects is a bit of a burden, but do it. It'll vastly improve your coding skill.That post quotes people like Rob Pike saying that stepping line-by-line is a crutch, that instead you should be able to reason about code. And that's true, if you understand what you are doing completely.
But in the real world, you never do. Programmers are constantly forced to stretch and use unfamiliar languages. Worse yet, they are forced to use unfamiliar libraries. Documentation sucks, there's no possible way to understand APIs than to step through code -- either watching the returned values, or compiling their source and stepping into it.
As an experienced programmer, it's true I often don't step through every line. The lines I understand completely, the ones I can fully reason about, I don't bother. But the programmer spends only a small percentage of their time on things Continue reading
On differential privacy
Over the past several weeks, there’s been a lot of talk about something called “differential privacy.” What does this mean, how does it work, and… Is it really going to be effective? The basic concept is this: the reason people can identify you, personally, from data collected off your phone, searches, web browser configuration, computer configuration, etc., is you do things just different enough from other people to create a pattern through cyber space (or rather data exhaust). Someone looking hard enough can figure out who “you” are by figuring out patterns you don’t even think about—you always install the same sorts of software/plugins, you always take the same path to work, you always make the same typing mistake, etc.
The idea behind differential security, considered here by Bruce Schneier, here, and here, is that you can inject noise into the data collection process that doesn’t impact the quality of the data for the intended use, while it does prevent any particular individual from being identified. If this nut can be cracked, it would be a major boon for online privacy—and this is a nut that deserves some serious cracking.
But I doubt it can actually be cracked Continue reading
Reverse Turing testing tech support
So I have to get a new Windows license for a new PC. Should I get Windows 10 Home or Windows 10 Professional? What's the difference?So I google the question, which gives me this website:
Ooh, a button that says "Download Table". That's exactly what I want -- a technical list without all the fluff. I scroll down to the parts that concern me, like encryption.
Wait, what? What's the difference between "Device Encryption" and "BitLocker"? I though BitLocker was Device Encryption?? Well, the purchase screen for Windows 10 has this friendly little pop out offering to help. Of course, as a techy, I know that such things are worse than useless, but I haven't tried one in a while, so I thought if I'd see if anything changed.
So up pops a chat window and we start chatting:
So at first he says they are the same. When I press him on the difference, he then admits they are different. He can't read the document I'm reading, because it's on a non-Microsoft "third party" site. While it's true it's on "windows.net", that's still a Microsoft site, but apparently he's not allowed to access it. Continue reading
128 Technology Raises $36M to Simplify Virtual Routers
Session-aware and deterministic routers are the key.
DockerCon 2016 Vendor Meetings
While at DockerCon 2016 in Seattle today, I took some time on the expo floor to talk to a number of different vendors, mostly focused on networking solutions. Here are some notes from these discussions. I may follow up with additional posts on some of these technologies; it will largely depend on time and the ease by which the technologies/products may be consumed.
Plumgrid
My first stop was the Plumgrid booth. I’d heard of Plumgrid, but wanted to take this time to better understand their architecture. As it turns out, their architecture is quite interesting. Plumgrid is one of the primary commercial sponsors behind the IO Visor project, a Linux Foundation project, which leverages the extended Berkeley Packet Filter (eBPF) subsystem in the Linux kernel. Using eBPF, Plumgrid has created in-kernel virtual network functions (VNFs) that do things like bridging, routing, network address translation (NAT), and firewalling. Combined with a scale-out central control plane and leveraging the Linux kernel’s built-in support for VXLAN, this enables Plumgrid to create overlay networks and apply very granular security policies to attached workloads (which could be VMs or containers).
Project Calico
Next, I stopped by the Calico booth. Unlike many of the networking Continue reading
A Look at Key SDN Deployments
While the SDN market isn’t taking off as much as everybody would like, it’s being implemented in many customer deployments for key data center use cases.
Tesla review: What you need to know about charging
Before you buy an electric car, you need to understand charging. It’s a huge deal. You think it works almost like filling the gas tank. It doesn’t. Before going on long trips, you first need to do math and a bit of planning.The Math
Like BMW model numbers indicate engine size, Tesla model numbers indicate the size of the battery, so my "Tesla S P90D" has a 90kwh (killowatt-hour) battery, with a 286mile range. Their lowest end model is the “Tesla S 60”, which has a 60kwh hour battery, or a 208mile advertised range.In the United States, a typical plug is a 120volt circuit with a maximum of 15amps. Doing the math, this is how long it’ll take for me to recharge the battery:
That’s right, 1.4 days (or 2.1 days for a 90kwh car). This is the absolute worse case scenario, mind you, but it demonstrates that you have to pay attention to charging. You can't simply drive up to a station, fill up the tank in a couple minutes, and drive away.
Let’s say you live in Austin, Texas, and you have a meeting in Dallas. You think that you can drive up to Continue reading
Ethereum/TheDAO hack simplified
The news in the Bitcoin world is the Ethereum/DAO hack. I thought I'd write up a simplified explanation.What is Bitcoin?
I'm sure you know, or have an idea what Bitcoin is, but I'll explain it again in terms that are important here.
Bitcoin is just a public ledger (the "blockchain"), of all transaction there ever was. This ledger is huge (80-gigabytes) and growing, but Moore's Law says computers grow even faster, so that shouldn't be a problem.
Each entry in the ledger says to move the coins received in these previous entries, and give them to this recipient. In other words:
move these coins I received there, to this guy here
In the future when that guy spends the coin in a new transaction, he'll refer back to this transaction here. That's why it's called a "chain" -- every transaction refers to a previous one, back to the original creation of the coins.
Actually, these transactions aren't fixed as simply moving money around. Instead, a script is used, written in a bitcoin-specific programming language that can do things like add, multiply, and compare numbers. However, it's not a full programming language. It can't call functions or execute loops. It's Continue reading
Big Chain Deep Dive on Software Gone Wild
A while ago Big Switch Networks engineers realized there’s a cool use case for their tap aggregation application (Big Tap Monitoring Fabric) – an intelligent patch panel traffic steering solution used as security tool chaining infrastructure in DMZ… and thus the Big Chain was born.
Curious how their solution works? Listen to Episode 58 of Software Gone Wild with Andy Shaw and Sandip Shah.
DNS Cookies and DDoS Attacks
DDoS attacks, particularly for ransom—essentially, “give me some bitcoin, or we’ll attack your server(s) and bring you down,” seem to be on the rise. While ransom attacks rarely actually materialize, the threat of DDoS overall is very large, and very large scale. Financial institutions, content providers, and others regularly consume tens of gigabits of attack traffic in the normal course of operation. What can be done about stopping, or at least slowing down, these attacks?
To answer, this question, we need to start with some better idea of some of the common mechanisms used to build a DDoS attack. It’s often not effective to simply take over a bunch of computers and send traffic from them at full speed; the users, and the user’s providers, will often notice machine sending large amounts of traffic in this way. Instead, what the attacker needs is some sort of public server that can (and will) act as an amplifier. Sending this intermediate server should cause the server to send an order of a magnitude more traffic towards the attack target. Ideally, the server, or set of servers, will have almost unlimited bandwidth, and bandwidth utilization characteristics that will make the attack appear Continue reading
Virtualized Networks Invite Cyber Espionage
The cybersecurity and security solutions landscape is in constant flux.
The Cost Of “Sales” Isn’t Free
Why should you care how much a company spends on sales? Because the actual cost of selling products is paid for by the customer in the price of the product.
The post The Cost Of “Sales” Isn’t Free appeared first on Packet Pushers.
Scanning for ClamAV 0day
Last week an 0day was released for ClamAV. Well, not really an 0day so much as somebody noticed idiotic features in ClamAV. So I scanned the Internet for the problem.The feature is that the daemon listens for commands that tell it to do things like scan files. Normally, it listens only locally for such commands, but can be reconfigured to listen remotely on TCP port 3310. Some packages that include ClamAV sometimes default to this.
It's a simple protocol that consists of sending a command in clear text, like "PING", "VERSION", "SHUTDOWN", or "SCAN
So I ran masscan with the following command:
masscan 0.0.0.0/0 -p3310 --banners --hello-string[3310] VkVSU0lPTg==Normally when you scan and address range (/0) and port (3310), you'd just see which ports are open/closed. That's not useful in this case, because it finds 2.7 million machines. Instead, you want to establish a full TCP connection. That's what the --banners option does, giving us only 38 thousand machines that successfully establish a connection. The remaining machines are large ranges on the Internet where firewalls are configured to respond with SYN-ACK, with the express purpose of frustrating port scanners.
But of those 38k machines, most are actually Continue reading
VMware Acquires Arkin to Boost NSX
Arkin's customers already use NSX.
Who Needs an IPO? Blue Coat Gets a $4.65B Bid from Symantec
So much for going public.
Establishing a confidential Service Boundary with Avaya’s SDN Fx
Security is a global requirement. It is also global in the fashion in which it needs to be addressed. But the truth is, regardless of the vertical, the basic components of a security infrastructure do not change. There are firewalls, intrusion detection systems, encryption, networking policies and session border controllers for real time communications. These components also plug together in rather standard fashions or service chains that look largely the same regardless of the vertical or vendor in question. Yes, there are some differences but by and large these modifications are minor.
So the questions begs, why is security so difficult? As it turns out, it is not really the complexities of the technology components themselves, although they certainly have that. It turns out that the real challenge is deciding exactly what to protect and here each vertical will be drastically different. Fortunately, the methods for identifying confidential data or critical control systems are also rather consistent even though the data and applications being protected may vary greatly.
In order for micro-segmentation as a security strategy to succeed, you have to know where the data you need to protect resides. You also need to know how it flows through Continue reading
Security Startup Infocyte Widens Its Threat Hunting Scope
Former Air Force officers now hunt for malware.
Big Switch & Blue Coat Partner to Fortify Security
The combo targets attacks hidden in SSL traffic.