CCDE – Firewall And IPS Design Considerations
Introduction
This post will discuss different design options for deploying firewalls and Intrusion Prevention Systems (IPS) and how firewalls can be used in the data center.
Firewall Designs
Firewalls have traditionally been used to protect inside resources from being accessed from the outside. The firewall is then deployed at the edge of the network. The security zones are then referred to as “outside” and “inside” or “untrusted” and “trusted”.
Anything coming from the outside is by default blocked unless the connection initiated from the inside. Anything from the inside going out is allowed by default. The default behavior can of course be modified with access-lists.
It is also common to use a Demilitarized Zone (DMZ) when publishing external services such as e-mail, web and DNS. The goal of the DMZ is to separate the servers hosting these external services from the inside LAN to lower the risk of having a breach on the inside. From the outside only the ports that the service is using will be allowed in to the DMZ such as port 80, 443, 53 and so on. From the DMZ only a very limited set of traffic will be allowed Continue reading
FireEye Falls 14% on a Tepid Q4 Forecast
A hot streak gets cut short by China, of all things.
We should all follow Linus’s example
Yet another Linus rant has hit the news, where he complains about how "your shit code is fucking brain damaged". Many have complained about his rudeness, how it's unprofessional, and part of the culture of harassment in tech. They are wrong. Linus Torvalds is the nicest guy in tech. We should all try to be more like him.The problem in tech isn't bad language ("your shit code"), but personal attacks ("you are shit").
A good example is Brendan Eich, who was fired from his position as Mozilla CEO because people disagreed with his political opinions. Another example is Nobel prize winner Tim Hunt who was fired because people took his pro-feminist comments out of context and painted him as a misogynist. Another example is Pax Dickinson, who was fired as CTO of Business Insider because of jokes he made before founding the company. A programmer named Curtis Yavin* was booted from a tech conference because he's some sort of monarchist. Yet more examples are the doxing and bomb threats that censor both sides of the GamerGate fiasco. The entire gamer community is a toxic cesspool of personal attacks. We have another class of people, the "SJW"s, Continue reading
The Godwin fallacy
As Wikipedia says:Godwin's law and its corollaries would not apply to discussions covering known mainstays of Nazi Germany such as genocide, eugenics, or racial superiority, nor to a discussion of other totalitarian regimes or ideologies, if that was the explicit topic of conversation, because a Nazi comparison in those circumstances may be appropriate, in effect committing the fallacist's fallacy, or inferring that an argument containing a fallacy must necessarily come to incorrect conclusions.An example is a discussion whether waving the Confederate flags was "hate speech" or "fighting words", and hence undeserving of First Amendment protections.
Well, consider the famous march by the American Nazi party through Skokie, Illinois, displaying the Swastika flag, where 1 in 6 residents was a survivor of the Holocaust. The Supreme Court ruled that this was free-speech, that the Nazi's had a right to march.
Citing the Skokie incident isn't Godwin's Law. It's exactly the precedent every court will cite when deciding whether waving a Confederate flag is free-speech.
I frequently discuss totalitarianism, as it's something that cyberspace can both enable and defeat. Comparisons with other totalitarian regimes, notably Soviet Russia and Nazi Germany, are inevitable. They aren't Godwin hyperbole, they are on point. Continue reading
Ixia Secures the Connected Car
Car connectivity is on the rise, but with that connectivity comes vulnerability. Ixia looks at how to secure access points into connected cars.
CloudFlare is now PCI 3.1 certified
The Payment Card Industry Data Security Standard (PCI DSS) is a global financial information security standard that keeps credit card holders safe. It ensures that any company processing credit card transactions adheres to the highest technical standards.
PCI certification has several levels. Level one (the highest level) is reserved for those companies that handle the greatest numbers of credit cards. Companies at level one PCI compliance are subject to the most stringent checks.
CloudFlare’s mission leads it to provide security for some of the most important companies in the world. This is why CloudFlare chose to be audited as a level one service provider. By adhering to PCI’s rigorous financial security controls, CloudFlare ensures that security is held to the highest standard and that those controls are validated independently by a recognised body.
If you are interested in learning more, see these details about the Payment Card Industry Data Security Standard.
This year’s update from PCI 2.0 to 3.1 was long overdue. PCI DSS 2.0 was issued in October 2010, and the information security threat landscape does not stand still—especially when it comes to industries that deal with financial payments or credit cards. New attacks are almost Continue reading
Prez: Rick Perry selling his mailing list
I created separate email accounts to receive email from each of the 25 presidential candidates (and donated money to all them). This allows me to track their behavior -- or misbehavior.Rick Perry exited the race 50 days ago. Today, I got two emails to my special Perry address. One email was from Ted Cruz, another presidential candidate. The other was from Paul Ryan, the new Speaker of the House.
Here's Ted Cruz's email, sent to my Perry account. It's actually identical to one I received on my Cruz account. (I've hidden the To: address, except for the 'rick' part).
The email headers look like:
Received: from mail3.postup.targetedvictory.com (mail3.postup.targetedvictory.com [69.56.54.35])
by projectp (Postfix) with ESMTP id 1266C26041B
for; Fri, 30 Oct 2015 16:28:59 +0000 (UTC)
Rick Perry uses the company "TargetedVictory" for his mass emailings, where Ted Cruz uses another company. This shows that Perry didn't give his address list to Cruz, but instead let Cruz use the address list.
I saved a copy of Perry's privacy policy when I made the donation. It implies that he won't give out my private information to somebody else, but nothing in the Continue reading
Prez: donation numbers
I've given $10 to every candidate to monitor what they do. As I blogged before, just before the quarterly filing deadline, I got emails from all the candidates begging for money, to impress people how much money they've gathered. Well, here are amount each candidate received last quarter:| Hillary | 29,921,653.91 |
| Bernie | 26,216,430.38 |
| Carson | 20,767,266.51 |
| Jeb! | 13,384,832.06 |
| Cruz | 12,218,137.71 |
| Walker | 7,379,170.56 |
| Carly | 6,791,308.76 |
| Rubio | 5,724,784.46 |
| Kasisch | 4,376,787.95 |
| Christie | 4,208,984.49 |
| Trump | 3,926,511.65 |
| Rand | 2,509,251.63 |
| O'Malley | 1,282,820.92 |
| Huckabee | 1,241,737.51 |
| Graham | 1,052,657.62 |
| Lessig | 1,016,189.22 |
| Webb | 696,972.18 |
| Jindal | 579,438.39 |
| Santorum | 387,985.42 |
| Perry | 287,199.29 |
| Pataki | 153,513.89 |
Of course Hillary and Bernie are at the top, since they are the only two major contenders on the Democrat side, so split the pool between them.
What's interesting is that how Scott Walker exited the race, and Jeb! scaled back his spending, because their donations dropped precipitously. Even though they got huge donations last quarter, they spent the money as fast as they could. Presidential campaigns are like venture capital that way: you spend money aggressively in order to make more money. If you are right, this Continue reading
Yes, the CNBC moderation was biased
In anger over CNBC's left-wing bias, the Republican party has suspended them from moderating future debates. Is there something to this?Yes and no. CNBC, like most of the media, has a strong left-wing bias. On the other hand, the Republicans are quick to label legitimate criticism as examples of bias.
There is an easy way to detect improper bias. The principle of journalism is that there are two reasonable sides to any debate. One side may be wrong, of course, but both sides are reasonable. Partisan bias, however, involves arguing that one side in the debate is unreasonable. When the press calls somebody a "comic book clown", then it's bias. Merely saying they are "wrong" is not bias.
That's what happened many times during the CNBC moderated debate of Republican candidates, most egregiously when they called Trump a "comic book" version of a candidate. We all know that Trump is a demagogue, that he appeals to the ignorant masses more than intelligent people. But when you drill down on Trumps ideas, what you'll find is that he's usually merely wrong rather than irrational. For example, a couple months ago, Trump was attacked in the press for saying "the constitution Continue reading
The Threat of Telecom Sabotage
Earlier this week, an article in New York Times captured the world’s imagination with the prospect of secret Russian submarines possessing the ability to sabotage undersea communication cables (with perhaps Marko Ramius at the helm, pictured above). While it is a bit of a Hollywood scenario, it is still an interesting one to consider, although, as we’ll see, perhaps an unrealistic one, despite the temptation to exaggerate the risk.
Submarine cable cuts occur with regularity and the cable repair industry has considerable experience dealing with these incidents. However, the vast majority of these failures are the result of accidents occurring in relatively shallow water, and not due to a deliberate actor intending to maximize downtime. There is enormous capacity and resiliency among the cables crossing the Atlantic (the subject of the New York Times article), so to even make a dent, a saboteur would need to take out numerous cables in short order.
A mass telecom sabotage event involving the severing of many submarine cables (perhaps at multiple hard-to-reach deep-water locations to complicate repairs) would be profoundly disruptive to international communications — Internet or otherwise. For countries like the U.S. with extensive local hosting, the impact Continue reading
F5 Networks’ Shares Drop After Q4 Results
Shares slide 9% on a light Q1 forecast.
OMG, the machines are breeding! Mankind is doomed! DOOMED!!!
My Tesla has the same MAC address vendor code as an AR Drone. These are two otherwise unrelated companies, yet they share the same DNA. Flying drones are mating with land-based autonomous vehicles. We are merely months away from Skynet gaining self-awareness and wiping out mankind.You can see this in the screenshot below, were we see the output of a hacking program that monitors the raw WiFi traffic. The AR Drone acts as an access-point so that your iPhone can connect to it in order to fly the drone's controls. The Tesla, on the other hand, is looking for an access-point named "Tesla Service", so that when you drive it in for service, it'll automatically connect to their office and exchange data. As you can see, both devices have the same vendor code of "90:03:B7" for Parrot SA.
Here is a picture of the AR Drone cavorting with the car. The top arrow points to the drone, the bottom arrow points to the car.
So why the relationship? Why does the Tesla look like a drone on WiFi?
The company Parrot SA started out creating kits for cars that contain WiFi, Bluetooth, and voice control. Since they were already Continue reading
Cato Networks Secures $20M in Funding
The security as-a-service startup aims to launch in February.
Another Security Deal: Cisco Buys Lancope for $452M
Cisco knows what it's getting after previously working with Lancope.
Getting Started with VMware NSX Distributed Firewall – Part 2
In Part 1, I covered traditional segmentation options. Here, I introduce VMware NSX Distributed Firewall for micro-segmentation, showing step-by-step how it can be deployed in an existing vSphere environment.
Now, I have always wanted a distributed firewall. Never understood why I had to allow any more access to my servers than was absolutely necessary. Why have we accepted just network segmentation for so long? I want to narrow down allowed ports and protocols as close to the source/destination as I can.
Which brings me to my new favorite tool – VMware NSX Distributed Firewall. Continue reading
Former NSA Chief’s IronNet Security Startup Raises $32.5M
The year-old startup is stocked with former government security experts.
Dumb, dumber, and cybersecurity
The reason you got hacked is because you listen to dumbasses about cybersecurity, like Microsoft.An illustrative example is this article on "10 steps to protect" yourself. The vast majority of cyber threats to a small business are phishing, password reuse, and OWASP threats like SQL injection. That article addressed none of these threats.
But it gets better.
At the bottom of that article is a link to this "Cyber Security IQ" quiz at Microsoft's small-business website. The first question asks about password sharing. I show their "right" answer here:
Their correct answer is "None of the above", meaning that it's not okay to share your passwords with anybody. But this is nonsense. For your work account, of course it's okay to share your password with your boss. In fact, it's often necessary.
There have been several court cases where IT administrators have been fired, where the companies later found that the fired employee is the only one with passwords to certain critical systems. The (former) administrators were prosecuted for refusing to give their former bosses the passwords.
If your boss demands your password to your corporate accounts, of course you must give them your password.
But it Continue reading
Ethics of killing Hitler
But it's the ethical question that comes up the most often, and it has real-world use. It's pretty much the question Edward Snowden faced: should he break his oath and disclose the NSA's mass surveillance of Americans?
I point this out because my ethical response is "yes, and go to jail". The added "and go to jail" makes it a rare response -- lots of people are willing to kill Hitler if they don't suffer any repercussions.
For me, the hypothetical question is "If you went back in time and killed Hitler, would you go to jail for murder?". My answer is "yes". I'd still do my best to lessen the punishment. I'd hire the best lawyer to defend me. It's just that I would put judgement of my crime or heroism in the hands of others. I would pay Continue reading
Getting Started with VMware NSX Distributed Firewall – Part 1
Who saw it coming that segmentation would be a popular term in 2015?!? Gartner analyst Greg Young was almost apologetic when he kicked off the Network Segmentation Best Practices session at the last Gartner Security Summit.
As a professional with a long history in the enterprise firewall space, I know I found it odd at first. Segmentation is such a basic concept, dovetailing with how we secure networks – historically on network boundaries. Network segmentation is the basis for how we write traditional firewall rules – somehow get the traffic TO the firewall, and policy can be executed. How much more can we say about network segmentation?
But there is a problem with the reach of segmentation based on network. If traffic does not cross the firewall, you are blind. All hosts in the same network, commonly the same VLAN, can abuse each other at will. Perhaps netflow or IPS sensors are throughout your network – just to catch some of this internal network free-for-all. And the DMZ? I like to think of all these networks as blast-areas, where any one compromise could potentially take everything else on the same network down.
It’s not really network segmentation that’s all the Continue reading
Car hacking is as fake as the moonlanding
 |
| How can the flag stay up? There's no wind on the moon!! #fake |
Of course, "hacking a car" probably doesn't happen as the public imagines. Delving into the details, you'll find things you didn't expect. It's like the stars in pictures at the moon landing. Because of contrast issues with the bright foreground, the dim stars disappear. This has led to crazies saying the lack of stars are proof that the moon landings were faked, because they don't understand this technical issue. Similarly, Pogue claims car hacking is fake because the technical details don't match his ignorant prejudices.
Pogue's craziest claim is that the Jeep hack is fake because Jeep fixed the issue. Nobody can hack a Jeep as the researchers claim. But that's because the researchers proved to Jeep that it was possible, and gave time for Jeep to fix the problem. It's like claiming the 9/11 terrorist attacks are purely hypothetical, because the Twin Towers of the World Trade Center no longer exist.
The Continue reading