Using VMware NSX, Log Insight, and vRealize Orchestator to Improve Security
This post was written by Hadar Freehling, Security & Compliance Systems Engineer Specialist at VMware. The post originally appeared here on the dfudsecurity blog
***
There is a lot of power in having security controls in software. This is what I tell my customer, not just because I work for VMware. Why is that? The reason I find it so powerful is that I can now automate a lot of the security actions that use to be very manual. No more opening tickets to get a SPAN setup on the switch. No more waiting for a firewall change window to lock down a port. Not only that, I have visibility into the VM, like what apps are running and who started them, and what’s on the wire. I can protect different assets with different policies, and these polices can be dynamic.
With the help of my good friend John Dias (vRealize Orchestrator master), we created the follow video to show some of the potential of having everything in software.
Here is the scenario of the workflow. You are a security person and want to stop all server admins and users from launching a putty session once they have RDPed into a server Continue reading
Replacing Central Router with a Next-Generation Firewall?
One of my readers sent me this question:
After reading this blog post and a lot of blog posts about zero trust mode versus security zones, what do you think about replacing L3 Data Center core switches by High Speed Next Generation Firewalls?
Long story short: just because someone writes about an idea doesn’t mean it makes sense. Some things are better left in PowerPoint.
Read more ...How to fix the CFAA
Someone on Twitter asked for a blogpost on how I'd fix the CFAA, the anti-hacking law. So here is my proposal.The major problem with the law is that the term "authorized" isn't clearly defined. You non-technical people think the meaning is obvious, because you can pick up a dictionary and simply point to a definition. However, in the computer world, things are a bit more complicated.
It's like a sign on a store window saying "No shirt, no shoes, no service" -- but you walk in anyway with neither. You know your presence is unwanted, but are you actually trespassing? Is your presence not "authorized"? Or, should we demand a higher standard, such as when the store owner asks you to leave (and you refuse) that you now are trespassing/unauthorized?
What happens on the Internet is that websites routinely make public data they actually don't want people to access. Is accessing such data unauthorized? We saw that a couple days ago, where Twitter accidentally published their quarterly results an hour early on their website. An automated script discovered this and republished Twitters results to a wider audience, ironically using Twitter to do so. This caused $5-billion to drop off Continue reading
Cloud-Managed Security Services Market Hits $7.2B
Cloud security is primed to overtake CPE.
Ultron didn’t save the world
Tony Stark builds "Ultron" to save the world, to bring peace in our time. As a cybernetic creation, Ultron takes this literally, and decides the best way to bring peace is to kill all humans.
The problem, as demonstrated by the movie, isn't that there was a bug in Stark's code. The problem was the hubris thinking that Stark could protect everyone. Inevitably, protecting everyone meant ruling everyone, bringing peace by force. It's the same hubris behind the USA's effort to bring peace to Iraq and Afghanistan.
I mention this because in the cybersecurity industry, there are many who propose to bring security through authority. They want government mandated rules on how to write code, imposed liability requirements, and so on.
This sounds reasonable. After all, nobody wants medical equipment like pacemakers to be hacked. But here's the thing. Computer-controlled devices have the potential to vastly improve health, whether it's Watches monitoring your heart, pacemakers, insulin pumps, and so on. While these devices can be hacked, the practical reality is that if you want Continue reading
Review: Avengers, Age of Ultron
Remember that this movie is part of the Marvel Avengers arc, consisting of Ironman (3 movies), Captain America (2), Thor (2), Hulk, and Avengers (2). This arc also includes two TV series, and also a (so far) unrelated Guardians of the Galaxy movie. Everything is leading to the Infinity Wars movies.
I point this out because while this movie seems like a fine standalone movie for those who have seen none or only a few of the others, the greatest enjoyment will be in seeing it within context. In particular, while Ironman 3 isn't a terribly good movie, it's worth seeing before this movie, as it Continue reading
What Port Is The Most Targeted in Your Network?
Original Post in Solarwinds Thwack Author donthomas Security is an aspect that every organization should give the utmost priority.Some notes on why crypto backdoors are unreasonable
Today, a congressional committee held hearings about 'crypto backdoors' that would allow the FBI to decrypt text messages, phone calls, and data on phones. The thing to note about this topic is that it's not anywhere close to reasonable public policy. The technical and international problems are unsolvable with anything close to the proposed policy. Even if the policy were reasonable, it's unreasonable that law enforcement should be lobbying for it.Crypto is end-to-end
The debate hinges on a huge fallacy, that it's about regulating industry, forcing companies like Apple to include backdoors. This makes it seem like it's a small law. The truth is that crypto is end-to-end. Apple sells a generic computer we hold in our hand. As a user, I can install any software I want on it -- including software that completely defeats any backdoor that Apple would install. Examples of such software would be Signal and Silent Circle.
It seems reasonable that you could extend the law so that it covers any software provider. But that doesn't work, because software is often open-source, meaning that anybody can build their own app from it. Starting from scratch, it would take me about six-months to write my Continue reading
Cisco ACI Integrates Security from Sourcefire
ACI strengthens its security story with a next-generation firewall and IPS.
Hacking Lessons From Security Compass’ Battle School
What I learned in hacking school.
The Walls Are On Fire
There’s no denying the fact that firewalls are a necessary part of modern perimeter security. NAT isn’t a security construct. Attackers have the equivalent of megaton nuclear arsenals with access to so many DDoS networks. Security admins have to do everything they can to prevent these problems from happening. But one look at firewall market tells you something is terribly wrong.
Who’s Protecting First?
Take a look at this recent magic polygon from everyone’s favorite analyst firm:
FW Magic Polygon. Thanks to @EtherealMind.
I won’t deny that Checkpoint is on top. That’s mostly due to the fact that they have the biggest install base in enterprises. But I disagree with the rest of this mystical tesseract. How is Palo Alto a leader in the firewall market? I thought their devices were mostly designed around mitigating internal threats? And how is everyone not named Cisco, Palo Alto, or Fortinet regulated to the Niche Players corral?
The issue comes down to purpose. Most firewalls today aren’t packet filters. They aren’t designed to keep the bad guys out of your networks. They are unified threat management systems. That’s a fancy way of saying they have a whole bunch of software built on top Continue reading
FireHost Picks VMware NSX Over Cisco ACI
In the cloud and security realm, VMware's NSX has landed a notable customer.
The hollow rhetoric of nation-state threats
The government is using the threat of nation-state hackers to declare a state-of-emergency and pass draconian laws in congress. However, as the GitHub DDoS shows, the government has little interest in actually defending us.
It took 25 days to blame North Korea for the Sony hack, between the moment "Hacked by the #GOP" appeared on Sony computers and when President Obama promised retaliation in a news conference -- based on flimsy evidence of North Korea's involvement. In contrast, it's been more than 25 days since we've had conclusive proof the Chinese government was DDoSing GitHub, and our government has remained silent. China stopped the attacks after two weeks on their own volition, because GitHub defended itself, not because of anything the United States government did.
The reason for the inattention is that GitHub has no lobbyists. Sony spends several million dollars every year in lobbying, as well as hundreds of thousands in campaign contributions. When Sony gets hacked, politicians listen. In contrast, GitHub spends zero on either lobbying or contributions.
It's not that GitHub isn't important -- it's actually key infrastructure to the Internet. All computer nerds know the site. It's the largest repository of source-code on the Continue reading
HP Gets Mobile with New Campus Networking Products
HP is taking mobility to the campus with new products it announced today at Interop.
Pop Quiz: Which of These Security Startups Missed RSA?
Winner gets a pair of SDxCentral socks. We're not kidding.
Featured Video: Next-Generation Data Centers Need Next-Generation Security
Automated security policies can help you roll out apps faster, get more granular with your security, and reduce over provisioning.
OMG, VXLAN Encapsulation Has No Security!
Every now and then someone actually looks at the VXLAN packet format and eventually figures out that VXLAN encapsulation doesn’t provide any intrinsic security.
TL&DR Summary: That’s old news, the sky is not falling, and deploying VXLAN won’t make your network less secure than traditional VLAN- or MPLS-based networks.
Read more ...DevOps Breaks Security, and Access Management Could Be the Fix
The speed and scope of DevOps just broadens the network security problem.
Juniper CTO Chris Hoff Makes ‘Epic Fail’ in RSA Keynote
At least there weren't any wild animals.
Feds’ Encryption Key Escrow Plan Meets Resistance
Encryption is a threat to public safety, the Secretary of Homeland Security says.