Archive

Category Archives for "Security"

E-Rate Dollars Can Now Be Used To Take Advantage of SDN with VMware NSX

The need for substantive network security in schools has never been greater. According to ID vmw-phto-nsx-erate-420x276-tnAnalytics, more than 140,000 minors are victims of identity fraud per year—and when their data is exposed, it is misused more frequently. One reason for this is that minors’ clean credit reports can make them extra attractive to identity thieves.

“The educational space is extremely concerned about ensuring [that] Personally Identifiable Information (PII) about students, and their respective data, is kept safe, secure, and only used for the learning environment,” says Jason Radford, head of operations for IlliniCloud. Continue reading

Firewall – Some Insight into the Cisco ASA Failover Process

I’m currently working on a design and needed to verify some failover behavior of the Cisco ASA firewall.

The ASA can run in active/active or active/standby mode where most deployments I see run in active/standby mode. When in a failover pair the firewalls will share an IP address and MAC address, very similar to HSRP or VRRP but it also synchronizes the state of TCP sessions, IPSec SA’s, routes and so on. The secondary firewall gets its config from the primary firewall so everything is configured exactly the same on both firewalls.

To verify if the other firewalls is reachable and to synchronize state, a failover link is used between the firewalls. The firewalls use a keepalive to verify if the other firewall is still there. This works just like any routing protocol running over a link where you expect to see a hello from your neighbor and if you miss 3 hello’s, the other firewall is gone. This timer can be configured and in my tests I used a hello of 333 ms and a holdtime of 999 ms which means that convergence should happen within one second.

The first scenario I was testing was to manually trigger a Continue reading

Twitter has to change

Today, Twitter announced that instead of the normal timeline of newest messages on top, they will prioritize messages they think you'll be interested in. This angers a lot of people, but my guess it's it's something Twitter has to do.

Let me give you an example. Edward @Snowden has 1.4 million followers on Twitter. Yesterday, he retweeted a link to one of my blogposts. You'd think this would've caused a flood of traffic to my blog, but it hasn't. That post still has fewer than 5000 pageviews, and is only the third most popular post on my blog this week. More people come from Reddit and news.ycombinator.com than from Twitter.

I suspect the reason is that the older twitter gets, the more people people follow. (...the more persons each individual Twitter customer will follow). I'm in that boat. If you tweeted something more than 10 minutes since the last time I checked Twitter, I will not have seen it. I read fewer than 5% of what's possible in my timeline. That's something Twitter can actually measure, so they already know it's a problem.

Note that the Internet is littered with websites that were once dominant in Continue reading

The Future State of Security Starts with Virtualization: VMware at the 2016 RSA Conference

It’s no secret that by transforming networking into a software industry, network virtualization has accelerated innovation. But what does virtualization mean for security more broadly? Can virtualization be a key weapon in the arsenal for improving IT security? If so, how?

Tom Corn, & Guido Appenzeller, VMware Inc.

Tom Corn, & Guido Appenzeller, VMware Inc.

Continue reading

Lawfare thinks it can redefine π, and backdoors

There is gulf between how people believe law to work (from watching TV shows like Law and Order) and how law actually works. You lawyer people know what I'm talking about. It's laughable.

The same is true of cyber: there's a gulf between how people think it works and how it actually works.

This Lawfare blogpost thinks it's come up with a clever method to get their way in the crypto-backdoor debate, by making carriers like AT&T responsible only for the what ("deliver interpretable signal in response to lawful wiretap order") without defining the how (crypto backdoors, etc.). This pressure would come in the form of removing current liability protections they now enjoy for not being responsible for what customers transmit across their network. Or as the post paraphrases the proposal:
Don’t expect us to protect you from liability for third-party conduct if you actively design your systems to frustrate government efforts to monitor that third-party conduct.
The post is proud of its own smarts, as if they've figured out how to outwit mathematicians and redefine pi (π). But their solution is nonsense, based on a hopelessly naive understanding of how the Internet works. It appears all Continue reading

Advanced VMware NSX Security Services with Check Point vSEC

VMware NSX provides an integrated Distributed Firewall (DFW), which offers L2-L4 security at the vNIC level and protects East-West traffic, and an Edge Firewall provided by the Edge Services Gateway (ESG), which offers L2-L4 security at the edge and protects North-South traffic in and out of the Software Defined Data Center (SDDC).

Figure 1: VMware NSX DFW and Edge Firewall Logical Design Example

Figure 1: VMware NSX DFW and Edge Firewall Logical Design Example

The DFW is a kernel-level module and allows for enhanced segmentation and security across a virtualized environment. DFW enables a distributed security architecture allowing for micro-segmentation.

In addition to the DFW and ESG Firewall, there are many third party integrations with well-known security partners such as Check Point and Palo Alto Networks. In this blog, we’ll focus on the Check Point vSEC solution for NSX. For a complete list of security partner solutions and more information, see the supported NSX third party security products on the VMware NSX Technical Partners Webpage.

For this blog, the following VMware and Check Point components and corresponding versions are used:

  • VMware vSphere 5.5
  • VMware vCenter 5.5
  • VMware NSX 6.1.4
  • Check Point Management Server R77.30
  • Check Point SmartConsole R77.30
  • Check Point vSEC Controller R77.30
  • Check Point Continue reading

Security ‘net 0x1339ECB: Who let the malware out?

According to ScadaFence, as quoted by Computer Weekly, industrial control systems are up next on hacker’s lists as a prime malware target. Apparently, they’ve grown tired of just defacing web sites and the like, and are moving to hard targets in meat space. What kind of damage could they do? Well, consider this attack, by way of Bruce Schneier:

We’re heading toward a world where driverless cars will automatically communicate with each other and the roads, automatically taking us where we need to go safely and efficiently. The confidentiality threats are real: Someone who can eavesdrop on those communications can learn where the cars are going and maybe who is inside them. But the integrity threats are much worse. Someone who can feed the cars false information can potentially cause them to crash into each other or nearby walls. Someone could also disable your car so it can’t start. Or worse, disable the entire system so that no one’s car can start.

Bruce Schneier moves the needle a little farther, discussing the current security model of confidentiality, integrity, and availability, and how it won’t work in the world that we’re building. Instead, he argues that it’s time to rethink our Continue reading

They are deadly serious about crypto backdoors

Julian Sanchez (@normative) has an article questioning whether the FBI is serious about pushing crypto backdoors, or whether this is all a ploy pressuring companies like Apple to give them access. I think they are serious -- deadly serious.

The reason they are only half-heartedly pushing backdoors at the moment is that they believe we, the opposition, aren't serious about the issue. After all, the 4rth Amendment says that a "warrant of probable cause" gives law enforcement unlimited power to invade our privacy. Since the constitution is on their side, only irrelevant hippies could ever disagree. There is no serious opposition to the proposition. It'll all work itself out in the FBI's favor eventually. Among the fascist class of politicians, like the Dianne Feinsteins and Lindsay Grahams of the world, belief in this principle is rock solid. They have absolutely no doubt.

But the opposition is deadly serious. By "deadly" I mean this is an issue we are willing to take up arms over. If congress were to pass a law outlawing strong crypto, I'd move to a non-extradition country, declare the revolution, and start working to bring down the government. You think the "Anonymous" hackers were bad, Continue reading

Is packet-sniffing illegal? (OmniCISA update)

In the news recently, Janet Napolitano (formerly head of DHS, now head of California's university system) had packet-sniffing software installed at the UC Berkeley campus to monitor all its traffic. This brings up the age old question: is such packet-sniffing legal, or a violation of wiretap laws.

Setting aside the legality question for the moment, I should first point out that's its perfectly normal. Almost all organizations use "packet-sniffers" to help manage their network. Almost all organizations have "intrusion detection systems" (IDS) that monitor network traffic looking for hacker attacks. Learning how to use packet-sniffers like "Wireshark" is part of every network engineer's training.

Indeed, while the news articles describes this as some special and nefarious plot by Napolitano, the reality is that it's probably just an upgrade of packet-sniffer systems that already exist.

Ironical, much packet-sniffing practice comes from UC Berkele. It's famous for having created "BPF", the eponymously named "Berkeley Packet Filter", a standard for packet-sniffing included in most computers. Whatever packet-sniffing system Berkeley purchased to eavesdrop on its networks is almost certainly including Berkeley's own BPF software.


Now for the legal question. Even if everyone is doing it, it doesn't necessarily mean it's legal. But the wiretap Continue reading

Skyport Systems: Fortress Infrastructure

The attitude of breach presumption is one that has fostered a family of seek-and-destroy security products. Find the infected system and fix it. Fair enough. Breach presumption is perhaps a wise posture to take, but it doesn’t mean we have to give up the perimeter. While some security consultants I’ve talked to tell me they […]

The post Skyport Systems: Fortress Infrastructure appeared first on Packet Pushers.

Skyport Systems: Fortress Infrastructure

The attitude of breach presumption is one that has fostered a family of seek-and-destroy security products. Find the infected system and fix it. Fair enough. Breach presumption is perhaps a wise posture to take, but it doesn’t mean we have to give up the perimeter. While some security consultants I’ve talked to tell me they […]

The post Skyport Systems: Fortress Infrastructure appeared first on Packet Pushers.

Debug Generator – Fortigate Flow Trace

I’ve found that when working with Fortigate firewalls and needing to be able to use the debug flow command set, it takes a bit too long to manually type out the commands. If you’re in a pressurised environment saving a few seconds here and there can be valuable. First we need to grab the script […]

The post Debug Generator – Fortigate Flow Trace appeared first on Packet Pushers.

Debug Generator – Fortigate Flow Trace

I’ve found that when working with Fortigate firewalls and needing to be able to use the debug flow command set, it takes a bit too long to manually type out the commands. If you’re in a pressurised environment saving a few seconds here and there can be valuable. First we need to grab the script […]

The post Debug Generator – Fortigate Flow Trace appeared first on Packet Pushers.

1 151 152 153 154 155 178