The Future State of Security Starts with Virtualization: VMware at the 2016 RSA Conference
It’s no secret that by transforming networking into a software industry, network virtualization has accelerated innovation. But what does virtualization mean for security more broadly? Can virtualization be a key weapon in the arsenal for improving IT security? If so, how?
Tom Corn, & Guido Appenzeller, VMware Inc.
Lawfare thinks it can redefine π, and backdoors
There is gulf between how people believe law to work (from watching TV shows like Law and Order) and how law actually works. You lawyer people know what I'm talking about. It's laughable.The same is true of cyber: there's a gulf between how people think it works and how it actually works.
This Lawfare blogpost thinks it's come up with a clever method to get their way in the crypto-backdoor debate, by making carriers like AT&T responsible only for the what ("deliver interpretable signal in response to lawful wiretap order") without defining the how (crypto backdoors, etc.). This pressure would come in the form of removing current liability protections they now enjoy for not being responsible for what customers transmit across their network. Or as the post paraphrases the proposal:
Don’t expect us to protect you from liability for third-party conduct if you actively design your systems to frustrate government efforts to monitor that third-party conduct.The post is proud of its own smarts, as if they've figured out how to outwit mathematicians and redefine pi (π). But their solution is nonsense, based on a hopelessly naive understanding of how the Internet works. It appears all Continue reading
Advanced VMware NSX Security Services with Check Point vSEC
VMware NSX provides an integrated Distributed Firewall (DFW), which offers L2-L4 security at the vNIC level and protects East-West traffic, and an Edge Firewall provided by the Edge Services Gateway (ESG), which offers L2-L4 security at the edge and protects North-South traffic in and out of the Software Defined Data Center (SDDC).
Figure 1: VMware NSX DFW and Edge Firewall Logical Design Example
The DFW is a kernel-level module and allows for enhanced segmentation and security across a virtualized environment. DFW enables a distributed security architecture allowing for micro-segmentation.
In addition to the DFW and ESG Firewall, there are many third party integrations with well-known security partners such as Check Point and Palo Alto Networks. In this blog, we’ll focus on the Check Point vSEC solution for NSX. For a complete list of security partner solutions and more information, see the supported NSX third party security products on the VMware NSX Technical Partners Webpage.
For this blog, the following VMware and Check Point components and corresponding versions are used:
- VMware vSphere 5.5
- VMware vCenter 5.5
- VMware NSX 6.1.4
- Check Point Management Server R77.30
- Check Point SmartConsole R77.30
- Check Point vSEC Controller R77.30
- Check Point Continue reading
Security ‘net 0x1339ECB: Who let the malware out?
According to ScadaFence, as quoted by Computer Weekly, industrial control systems are up next on hacker’s lists as a prime malware target. Apparently, they’ve grown tired of just defacing web sites and the like, and are moving to hard targets in meat space. What kind of damage could they do? Well, consider this attack, by way of Bruce Schneier:
Bruce Schneier moves the needle a little farther, discussing the current security model of confidentiality, integrity, and availability, and how it won’t work in the world that we’re building. Instead, he argues that it’s time to rethink our Continue reading
Midokura Monitors the Virtual Side of the OpenStack Cloud
Someone has to watch those network overlays.
They are deadly serious about crypto backdoors
Julian Sanchez (@normative) has an article questioning whether the FBI is serious about pushing crypto backdoors, or whether this is all a ploy pressuring companies like Apple to give them access. I think they are serious -- deadly serious.The reason they are only half-heartedly pushing backdoors at the moment is that they believe we, the opposition, aren't serious about the issue. After all, the 4rth Amendment says that a "warrant of probable cause" gives law enforcement unlimited power to invade our privacy. Since the constitution is on their side, only irrelevant hippies could ever disagree. There is no serious opposition to the proposition. It'll all work itself out in the FBI's favor eventually. Among the fascist class of politicians, like the Dianne Feinsteins and Lindsay Grahams of the world, belief in this principle is rock solid. They have absolutely no doubt.
But the opposition is deadly serious. By "deadly" I mean this is an issue we are willing to take up arms over. If congress were to pass a law outlawing strong crypto, I'd move to a non-extradition country, declare the revolution, and start working to bring down the government. You think the "Anonymous" hackers were bad, Continue reading
Is packet-sniffing illegal? (OmniCISA update)
In the news recently, Janet Napolitano (formerly head of DHS, now head of California's university system) had packet-sniffing software installed at the UC Berkeley campus to monitor all its traffic. This brings up the age old question: is such packet-sniffing legal, or a violation of wiretap laws.Setting aside the legality question for the moment, I should first point out that's its perfectly normal. Almost all organizations use "packet-sniffers" to help manage their network. Almost all organizations have "intrusion detection systems" (IDS) that monitor network traffic looking for hacker attacks. Learning how to use packet-sniffers like "Wireshark" is part of every network engineer's training.
Indeed, while the news articles describes this as some special and nefarious plot by Napolitano, the reality is that it's probably just an upgrade of packet-sniffer systems that already exist.
Ironical, much packet-sniffing practice comes from UC Berkele. It's famous for having created "BPF", the eponymously named "Berkeley Packet Filter", a standard for packet-sniffing included in most computers. Whatever packet-sniffing system Berkeley purchased to eavesdrop on its networks is almost certainly including Berkeley's own BPF software.
Now for the legal question. Even if everyone is doing it, it doesn't necessarily mean it's legal. But the wiretap Continue reading
Skyport Systems: Fortress Infrastructure
The attitude of breach presumption is one that has fostered a family of seek-and-destroy security products. Find the infected system and fix it. Fair enough. Breach presumption is perhaps a wise posture to take, but it doesn’t mean we have to give up the perimeter. While some security consultants I’ve talked to tell me they […]
The post Skyport Systems: Fortress Infrastructure appeared first on Packet Pushers.
Skyport Systems: Fortress Infrastructure
The attitude of breach presumption is one that has fostered a family of seek-and-destroy security products. Find the infected system and fix it. Fair enough. Breach presumption is perhaps a wise posture to take, but it doesn’t mean we have to give up the perimeter. While some security consultants I’ve talked to tell me they […]
The post Skyport Systems: Fortress Infrastructure appeared first on Packet Pushers.
Debug Generator – Fortigate Flow Trace
I’ve found that when working with Fortigate firewalls and needing to be able to use the debug flow command set, it takes a bit too long to manually type out the commands. If you’re in a pressurised environment saving a few seconds here and there can be valuable. First we need to grab the script […]
The post Debug Generator – Fortigate Flow Trace appeared first on Packet Pushers.
Debug Generator – Fortigate Flow Trace
I’ve found that when working with Fortigate firewalls and needing to be able to use the debug flow command set, it takes a bit too long to manually type out the commands. If you’re in a pressurised environment saving a few seconds here and there can be valuable. First we need to grab the script […]
The post Debug Generator – Fortigate Flow Trace appeared first on Packet Pushers.
Should Firewalls Track TCP Sequence Numbers?
It all started with a tweet by Stephane Clavel:
@ioshints @BradHedlund I'm puzzled NSX dFW does not track connections seq #. Still true? To me this is std fw feature.
— stephaneclavel (@stephaneclavel) January 31, 2016Trying to fit my response into the huge Twitter reply field I wrote “Tracking Seq# on FW should be mostly irrelevant with modern TCP stacks” and when Gal Sagie asked for more elaboration, I decided it’s time to write a blog post.
Read more ...Some notes on the Norse collapse
Recently, cybersec company "Norse Security" imploded. Their leaders and most the employees were fired, and their website is no longer available. I thought I'd write up some notes on this.All VC-funded startups are a scam
Here's how VCs think. They see that there is a lot of industry buzz around "threat intel". They'll therefore fund a company in that space. This company will spend a 5% of that money to create a cool prototype, and 95% in marketing and sales. They'll have fancy booths at trade shows. They'll have a PR blitz to all the reporters who cover the industry. They'll bribe Gartner to be named a Cool Vendor or Magic Quadrant Leader. They'll win industry kudos. They have some early sales 'wins' with some major customers. These customers will give glowing reviews of the product they bought -- even before turning it on.
In other words, it's a perfect "Emperor Has No Clothes" story, where neither customers, nor Gartner, nor the press is competent to realize the Emperor is not wearing clothes.
VCs know it's a scam, but they are hoping it'll become real. As a well-known leader in this space, employees with the needed expertise will flock Continue reading
Inspecting East-West Traffic in vSphere Environments
Harry Taluja asked an interesting question in his comment to one of my virtualization blog posts:
If vShield API is no longer supported, how does a small install (6-8 ESXi hosts) take care of east/west IPS without investing in NSX?
Short answer: It depends, but it probably won’t be cheap ;) Now for the details…
Read more ...Feds May Have Caused Juniper’s Security Breach & Suffered From It Too
If only the right hand knew what the left hand was doing.
Yubikey 4 for SSH with physical presence proof
This is another post in the series of how to protect SSH keys with hardware, making them impossible to steal.
This means that you know that your piece of hardware (e.g. Yubikey or TPM inside your laptop) was actively involved in the transaction, and not, say, turned off and disconnected from the Internet at the time (like in a safe or on an airplane).
What’s new this time is that we can now have a physical presence test on every use of the key. That means that even if someone hacks your workstation completely and installs a keylogger to get your PIN, unless they also break into your home they can’t use the key even while the machine is on and connected. Evil hackers in another country are out of luck.
Intro
Most of this is a repeat of official docs (see references).
If it looks like a command is hanging, check to see if the Yubikey is flashing. If it is, then touch it.
The touch feature is optional. If you don’t want a key to require it, you can chose to generate a key that doesn’t.
Install yubico-c, ykpersonalization, and yubico-piv-tool
sudo apt-get install help2man gengetopt libtool Continue readingHyTrust CTO Interview: Operations Challenges for the SDDC
Operations teams are at the front lines of incident response. HyTrust CTO describes the challenges these teams face in the SDDC.
Net ring-buffers are essential to an OS
Even by OpenBSD standards, this rejection of 'netmap' is silly and clueless.BSD is a Linux-like operating system that powers a lot of the Internet, from Netflix servers to your iPhone. One variant of BSD focuses on security, called "OpenBSD". A lot of security-related projects get their start on OpenBSD. In theory, it's for those who care a lot about security. In practice, virtually nobody uses it, because it makes too many sacrifices in the name of security.
"Netmap" is a user-space network ring-buffer. What that means is the hardware delivers network packets directly to an application, bypassing the operating system's network stack. Netmap currently works on FreeBSD and Linux. There are projects similar to this known as "PF_RING" and "Intel DPDK".
The problem with things like netmap is that it means the network hardware no longer is a shareable resource, but instead must be reserved for a single application. This violates many principles of a "general purpose operating system".
In addition, it ultimately means that the application is going to have to implement it's own TCP/IP stack. That means it's going to repeat all the same mistakes of the past, such as "ping of death" when a Continue reading
How not to be a better programmer
Over at r/programming is this post on "How to be a better programmer". It's mostly garbage.Don't repeat yourself (reuse code)
Trying to reuse code is near the top of reasons why big projects fail. The problem is that while the needs of multiple users of a module may sound similar, they are often different in profound ways that cannot be reconciled. Trying to make the same bit of code serve divergent needs is often more complex and buggy than multiple modules written from the ground up for each specific need.
Yes, we adhere to code cleanliness principles (modularity, cohesion) that makes reuse easier. Yes, we should reuse code when the needs match close enough. But that doesn't mean we should bend over backwards trying to shove a square peg through a round hole, and the principle that all pegs/holes are the same.
Give variables/methods clear names
Programmers hate to read other code because the variable names are unclear. Hence the advice to use "clear names" that aren't confusing.
But of course, programmers already think they are being clear. No programmer thinks to themselves "I'm going to be deliberately obtuse here so that other programmers won't understand". Therefore, Continue reading
Security ‘net: Digital Copyright Edition
The world of digital copyright is somewhat tangential to “real” security, but it’s a culture issue that impacts every network engineer in myriad ways. For instance, suppose you buy a small home router, and then decide you really want to run your own software on it. For instance, let’s say you really want to build your own router because you know what you can build will outperform what’s commercially available (which, by the way, it will). But rather than using an off box wireless adapter, like the folks at ARS, you really want to have the wireless on board.
Believe it or not, this would be considered, by some folks, as a pretty large act of copyright infringement. For instance, the hardware manufacturer may object to you replacing their software. Or the FCC or some other regulatory agency might even object because they think you’re trying to hog wireless spectrum, or because you don’t like what the wireless providers are doing. The EFF has a good piece up arguing that just such tinkering as replacing the operating system on a commercially purchased device is at the heart of digital freedom.
One of the most crucial issues in the fight for Continue reading