Archive

Category Archives for "Security"

RPKI ARIN Agreement Update

In December of 2014 I wrote an article about a legal agreement that was discouraging network operators from implementing an important Internet security function. I am happy to report that the situation has improved: ARIN no longer requires operators to explicitly accept a click-through agreement in order to access the Trust Anchor Locator (TAL). Resource Public Key […]

The post RPKI ARIN Agreement Update appeared first on Packet Pushers.

Docker Security – part 4 (Container image)

This is the fourth part of my Docker security series. In this blog, we will cover ways to secure Container images. Following are the other parts (1, 2, 3). Docker image signing: Docker Container images can be stored either in a public or a private registry. Container images need to be signed so that the client knows that the image …

Docker Security – part 3 (Engine access)

This is the third part of my Docker security series. In this blog, we will cover ways to securely access the Docker engine. Following are the other parts (1, 2, 4). Docker engine access: the Docker engine runs as a daemon and by default listens on the Unix socket "unix:///var/run/docker.sock". Docker start options are specified in "/etc/default/docker". To allow …

Docker Security – part 2 (Docker Engine)

This is the second part of my Docker security series. In this blog, we will cover security features around the Docker engine. Following are the other parts (1, 3, 4). Namespaces: Docker makes use of the following Linux kernel namespaces to achieve Container isolation: pid namespace, mount namespace, network namespace, ipc namespace, UTS namespace. To illustrate the …

Docker Security – part 1 (Overview)

There is a general perception that Containers, especially Docker Containers, are insecure. It is true that Containers are not as secure as VMs, since all Containers on a single machine share the same kernel, and compromising one Container can lead to a host-level compromise or the compromise of other Containers. There are many ways to harden Containers and …

An open letter to Sec. Ashton Carter

Hi.

For security research, I regularly "mass scan" the entire Internet. For example, my latest scan shows between 250,000 and 300,000 devices still vulnerable to Heartbleed. This is legal. This is necessary security research. Yet, I still happily remove those who complain and want me to stop scanning them.

The Department of Defense didn't merely complain, but made threats, forcing me to stop scanning them. You guys were quite nasty about it, forcing me to figure out for myself which address ranges belong to the DoD.

These threats are likely standard procedure at the DoD, investigating every major source of scans and shutting down those you might have power over. But the effect of this is typical government corruption, preventing me from reporting the embarrassing detail of how many DoD systems are still vulnerable to Heartbleed (but without stopping the Chinese or Russians from knowing this detail).

Please remove your threats, so that I can scan the DoD in the same way I scan the rest of the Internet. This weekend I'll be scanning the Internet for systems susceptible to the DROWN attack. I would like to include DoD in those scans.

I write to you now because you are

Cisco Enterprise NFV, DNA, IWAN and a bunch of other acronyms

So Cisco had some big announcements today: Cisco Digital Network Architecture (DNA). Ohhh, sounds fancy. Let me put on something a little more formal before I get too involved in the post. So what are all these awesome acronyms, you may be wondering? Well, basically we start with DNA, which is the overall ecosystem that […]

The post Cisco Enterprise NFV, DNA, IWAN and a bunch of other acronyms appeared first on Packet Pushers.

Juniper Introduces Software-Defined Secure Networks, Integrating Threat Detection & Adaptive Policy Control for Network Wide Enforcement

Traditional perimeter-based approaches to security are not enough to protect against increasingly sophisticated attacks that engineer their way into internal networks. Juniper introduces software-defined secure networks, a new model that integrates adaptive policy detection and enforcement into the entire network.

A tale of a DNS exploit: CVE-2015-7547

This post was written by Marek Vavruša and Jaime Cochran, who found out they were both independently working on the same glibc vulnerability attack vectors at 3am last Tuesday.

A buffer overflow error in GNU libc DNS stub resolver code was announced last week as CVE-2015-7547. While it doesn't have any nickname yet (last year's Ghost was more catchy), it is potentially disastrous as it affects any platform with recent GNU libc—CPEs, load balancers, servers and personal computers alike. The big question is: how exploitable is it in the real world?

It turns out that the only mitigation that works is patching. Please patch your systems now, then come back and read this blog post to understand why attempting to mitigate this attack by limiting DNS response sizes does not work.

But first, patch!

Man in the middle attack (MitM)

Let's start with the PoC from Google; it uses the first attack vector described in the vulnerability announcement. First, a 2048-byte UDP response forces buffer allocation, then a failure response forces a retry, and finally the last two answers smash the stack.

$ echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf
$ sudo python poc.