Archive

Category Archives for "Security"

BGP Security and SPAM

Spam might seem like an annoyance in the US and other areas where bandwidth is paid for by the access rate—and what does spam have to do with BGP security? In many areas of the world, however, spam makes email practically unusable. When you’re paying for Internet access by the byte transmitted or received, spam costs real money. The normal process for combating spam involves a multi-step process, one step of which is to assess the IP address of the mail server’s previous activity for a history of originating spam. In order to avoid classifiers that rely on the source IP address, spammers have turned to hijacking IP address space for short periods of time. Since this address space is normally used for something other than email (or it’s not used at all), there is no history on which a spam detection system can rely.

The evidence for spam related hijacking, however, is largely anecdotal, primarily based in word of mouth and the rare widely reported incidents. How common are these hijacks, really? What sort of address space is really used? To answer this question, a group of researchers from Symantec and the Qatar Computing Research Center undertook a project Continue reading

Technology betrays everyone

Kelly Jackson Higgins has a story about how I hacked her 10 years ago, by sniffing her email password via WiFi and displaying it on screen. It wasn't her fault -- it was technology's fault. Sooner or later, it will betray you.

The same thing happened to me at CanSecWest around the year 2001, for pretty much exactly the same reasons. I think it was HD Moore who sniffed my email password. The thing is, I'm an expert, who writes tools that sniff these passwords, so it wasn't like I was an innocent party here. Instead, simply opening my laptop with Outlook running the background was enough for it to automatically connect to WiFi, then connect to a POP3 server across the Internet. I thought I was in control of the evil technology -- but this incident proved I wasn't.

By 2006, though, major email services were now supporting email wholly across SSL, so that this would no longer happen -- in theory. In practice, they still left the old non-encrypted ports open. Users could secure themselves, if they tried hard, but they usually weren't secured.

Today, in 2016, the situation is much better. If you use Yahoo! Mail Continue reading

Still Using Perimeter Defenses To Protect Your Data Center? Stop, Drop, and Defend—With Micro-Segmentation

There are a lot of reasons that IT organizations are virtualizing their networks more and more—and chief among them is micro-segmentation.

Micro-segmentation, which comes hand-in-hand with network virtualization, divides the data center into distinct segments. Each segment can be secured separately. When security controls and network services are separately defined and communications is isolated, an attacker’s movements are restricted even if a breach in your data center perimeter occurs.

Micro-segmentation doesn’t just improve on traditional perimeter defenses. It is a whole new way of securing the data center.

Sign up to get our FREE “Micro-segmentation for Dummies” eBook, and check out our infographic below to find out more about how it works.

Security

The post Still Using Perimeter Defenses To Protect Your Data Center? Stop, Drop, and Defend—With Micro-Segmentation appeared first on The Network Virtualization Blog.

Thinking about side channel attacks

When Cyrus wanted to capture Babylon, he attacked the river that flows through the city, drying it out and then sending his army under the walls through the river entrance and exit points. In a similar way, the ventilator is a movie favorite, used in both Lord of the Rings and Star Wars, probably along with a thousand other movies and stories throughout time. What do rivers and ventilators have to do with network security?

Side channel attacks. Now I don’t know if the attacks described in these papers, or Cyrus’ attack through the Euphrates, are considered side channel, or just lateral, but either way: the most vulnerable point in your network is just where you assume you can’t be attacked, or that point where you haven’t thought through security. Two things I read this week reminded me of the importance of system level thinking when it comes to security.

security-netThe first explores the Network Time Protocol (NTP), beginning with the general security of the protocol. Security in a time protocol is particularly difficult, as the entire point of encryption is to use algorithms that take a lot of time for an attacker to calculate—and there’s probably some relationship between Continue reading

RadiUID: Palo Alto User-ID and RADIUS

The Palo Alto User-ID feature is awesome as long as you can feed it IP-to-User mappings. PAN provides agents to do this which work in many environments, but not usually without Active Directory. I wrote RadiUID to perform this function is situations where all you have is RADIUS. Approx Reading Time: 5-15 Minutes You see, […]

The post RadiUID: Palo Alto User-ID and RADIUS appeared first on Packet Pushers.

RadiUID: Palo Alto User-ID and RADIUS

The Palo Alto User-ID feature is awesome as long as you can feed it IP-to-User mappings. PAN provides agents to do this which work in many environments, but not usually without Active Directory. I wrote RadiUID to perform this function in situations where all you have is RADIUS. Approx Reading Time: 5-15 Minutes You see, […]

The post RadiUID: Palo Alto User-ID and RADIUS appeared first on Packet Pushers.

Securing BGP: A Case Study

What would it take to secure BGP? Let’s begin where any engineering problem should begin: what problem are we trying to solve? This series of posts walks through a wide range of technical and business problems to create a solid set of requirements against which to measure proposed solutions for securing BGP in the global Internet, and then works through several proposed solutions to see how they stack up.

Post 1: An introduction to the problem space
Post 2: What can I prove in a routing system?
Post 3: What I can prove in a routing system?
Post 4: Centralized or decentralized?
Post 5: Centralized or decentralized?
Post 6: Business issues with centralization
Post 7: Technical issues with centralization
Post 8: A full requirements list
Post 9: BGPSEC (S-BGP) compared to the requirements
Post 10: RPKI compared to the requirements

I will continue updating this post as I work through the remaining segments of this series.

LinkedInTwitterGoogle+FacebookPinterest

The post Securing BGP: A Case Study appeared first on 'net work.

Technology Short Take #66

Welcome to Technology Short Take #66! In this post you’ll find a collection of links to articles about the major data center technologies. Hopefully something I’ve included here will be useful to you. Enjoy!

Networking

  • I recently spoke at Interop 2016 in Las Vegas, and while I was there I scribbled down some notes pertaining to how decomposing applications into microservices-based architectures was similar in some respects to decomposing networks into an overlay network and an underlay (physical) network. It’s still something I’m exploring, but I hope to get something written up soon. In the meantime, I’d love to hear your thoughts about it. Feel free to hit me up on Twitter or drop me an e-mail.
  • While I’m talking about the overlay/underlay model, I found this article by Tom Nolle discussing how using the overlay/underlay model could enable agile infrastructure. It’s a good post, well worth reading (in my opinion).

Servers/Hardware

Nothing this time around. Maybe next time?

Security

  • In the event you’re interested in an idea of how much latency the use of in-kernel hypervisor firewalling (such as that offered by VMware NSX) adds, have a look at this article by Sean Howard.

Cloud Computing/Cloud Management