Archive

Category Archives for "Security"

BGPSEC: Protections Offered

In my last post on the subject of BGPSEC, I explained the basic operation of the modifications to BGP itself. In this post, I’ll begin looking at some of the properties — both good and bad — of these extensions to BGP. To being, we’ll look at the simple network illustrated here, and see what […]

Author information

Russ White

Principal Engineer at Ericsson

Russ White is a Network Architect who's scribbled a basket of books, penned a plethora of patents, written a raft of RFCs, taught a trencher of classes, and done a lot of other stuff you either already know about — or don't really care about. You can find Russ at 'net Work, the Internet Protocol Journal, and his author page on Amazon.

The post BGPSEC: Protections Offered appeared first on Packet Pushers Podcast and was written by Russ White.

FYI: Snowden made things worse

Snowden appeared at a #CatoSpyCon, and cited evidence of how things have improved since his disclosures (dislaimer: as Libertarian, I'm a fan of both CATO and Snowden). He cited some pretty compelling graphs, such as a sharp increase of SSL encryption. However, at the moment, I'm pretty sure he's made things worse.

The thing is, governments didn't know such surveillance was possible. Now that Snowden showed what the NSA was doing, governments around the world are following that blueprint, dramatically increasing their Internet surveillance. Not only do they now know how to do it, they are given good justifications. If the United States (the moral leader in "freedoms") says it's okay, then it must be okay for more repressive governments (like France). There is also the sense of competition, that if the NSA knows what's going on across the Internet, then they need to know, too.

This is a problem within the United Sates, too. The NSA collected everyone's phone records over the last 7 years. Before Snowden, that database was accessed rarely, and really for only terrorism purposes. However, now that everyone else in government knows the database exists, they are showing up at the NSA with warrants to Continue reading

EFF: We’ve always been at war with EastAsia

As a populist organization, the EFF is frequently Orwellian. That's demonstrated in their recent post about the "Declaration of Independence of Cyberspace", where they say:

"The Declaration resounds eerily today. We live in an era where net neutrality is threatened by corporations that want to remove competition and force customers to pay more to have equal access to some sites."

This is self-contradictory. The Declaration says, unequivocally, that governments should not regulate cyberspace ("You have no sovereignty where we gather"), and should not make it into a public utility. The current EFF position is exactly the opposite, that government needs to regulate cyberspace as a public utility.

It is like that bit in 1984 where Orwell's government changes allegiances, going from being an ally with Eastasia to becoming their enemy, and then claim that they had always been at war with Eastasia. They made the change in mid-rally. Orwell describes how the mob quickly switched their beliefs, agreeing that they'd always been at war with Eastasia.

When I read 1984, I thought this was a bit over the top, that the mob would not behave so illogically. But we see the EFF mob today acts exactly that way Continue reading

RPKI: BGP Security Hammpered by a Legal Agreement

Resource Public Key Infrastructure (RPKI) is a relatively new standard for establishing BGP route origination. I wrote a brief introductory article here. Apologies  for the self-promotion, but rather than rehash the basics here, I raise another issue that needs community attention: ARIN’s Relying Party Agreement (RPA: PDF link). Having said that, some basics are needed. […]

Author information

Andrew Gallo

Senior Information Systems Engineer

Andrew Gallo is a Washington, DC based Senior Information Systems Engineer
and Network Architect, responsible for design and implementation of the
enterprise network for a large university.

Areas of specialization include the University's wide area connections,
including a 150 kilometer DWDM ring, designing a multicampus routing
policy, and business continuity planning for two online datacenters.

Andrew started during the internet upswing of the mid to late 90s
installing and terminating fiber. As his career progressed, he has had
experience with technologies from FDDI to ATM, and all speeds of Ethernet,
including a recent deployment of several metro area 100Gbps circuits.

Focusing not only on data networks, Andrew has experience in traditional
TDM voice, VoIP, and real-time, unified collaboration technologies.

Areas of interest include optical transport, network virtualization and
software defined networking, and network science and graph Continue reading

War Stories: Unix Security

A different kind of war story this time: Unix security blunders. Old-school Unix-types will mutter about how much more secure Unix systems are than Windows, but that glosses over a lot. In a former life I worked as an HP-UX sysadmin, and I saw some shocking default configurations. I liked HP-UX – so much better laid out than Solaris – but it was very insecure by default. Here’s a few things I’ve come across:

Gaining Root

We’d lost the root password for a test HP-UX server. We had user access, but not root. The server was located in a different DC, and we didn’t really feel like going and plugging in a console cable to reset the root password. So we started looking around at how we might get access. After a while I found these two things:

  1. Root’s home directory was ‘/‘ – this was the default on HP-UX
  2. The Remote Login service was running

And now for the kicker:

hpux lhill$ ls -ld /
drwxrwxrwx 30 root wheel 1020 1 Nov 13:57 /

Put those together, and you can see it’s easy to gain root. All we needed to do was create /.rhosts, and add whatever Continue reading

The Pando Tor conspiracy troll

Tor, also known as The Onion Router, bounces your traffic through several random Internet servers, thus hiding the source. It means you can surf a website without them knowing who you are. Your IP address may appear to be coming from Germany when in fact you live in San Francisco. When used correctly, it prevents eavesdropping by law enforcement, the NSA, and so on. It's used by people wanting to hide their actions from prying eyes, from political dissidents, to CIA operatives, to child pornographers.

Recently, Pando (and Internet infotainment site) released a story accusing Tor of being some sort of government conspiracy.

This is nonsense, of course. Pando's tell-all exposé of the conspiracy contains nothing that isn't already widely known. We in the community have long joked about this. We often pretend there is a conspiracy in order to annoy uptight Tor activists like Jacob Appelbaum, but we know there isn't any truth to it. This really annoys me -- how can I troll about Tor's government connections when Pando claims there's actually truth to the conspiracy?

The military and government throws research money around with reckless abandon. That no more means they created Tor than it means they created the Continue reading

That wraps it up for end-to-end

The defining feature of the Internet back in 1980 was "end-to-end", the idea that all the intelligence was on the "ends" of the network, and not in middle. This feature is becoming increasingly obsolete.

This was a radical design at the time. Big corporations and big government still believed in the opposite model, with all the intelligence in big "mainframe" computers at the core of the network. Users would just interact with "dumb terminals" on the ends.

The reason the Internet was radical was the way it gave power to the users. Take video phones, for example. AT&T had been promising this since the 1960s, as the short segment in "2001 A Space Odyssey" showed. However, getting that feature to work meant replacing all the equipment inside the telephone network. Telephone switches would need to know the difference between a normal phone call and a video call. Moreover, there could be only one standard, world wide, so that calling Japan or Europe would work with their video telephone systems. Users were powerless to develop video calling on their own -- they would have to wait for the big telcom monopolies to develop it, however long it took.

That changed with Continue reading

Juniper SRX-110H EoL

Somehow I missed this when it was announced, but the Juniper SRX-110H-VA is End of Life, and is no longer supported for new software releases.

End of Life announcement is here, with extra detail in this PDF. Announcement was Dec 10 2013, with “Last software engineering support” date Dec 20 2013.

This is now starting to take effect, with 12.1X47 not supported on this platform:

Note: Upgrading to Junos OS Release 12.1X47-D10 or later is not supported on the J Series devices or on the low-memory versions of the SRX100 and SRX200 lines. If you attempt to upgrade one of these devices to Junos OS 12.1X47-D10, installation will be aborted with the following error message:

ERROR: Unsupported platform <platform-name >for 12.1X47 and higher

The replacement hardware is the SRX-110H2-VA, which has 2GB of RAM instead of 1GB. Otherwise it’s exactly the same, which seems a missed opportunity to at least update to local 1Gb switching.

Michael Dale has a little more info here, along with tips for tricking a 240H into installing 12.1X47.

So I decided to see if I could work around this and trick JunOS into installing on my 240H, I Continue reading

Complexity vs Security

Many of the ‘security’ measures in our networks add complexity. That may be an acceptable tradeoff, if we make a meaningful difference to security. But often it feels like we just add complexity for no real benefit.

Here’s some examples of what I’m talking about:

  • Multiple Firewall Layers: Many networks use multiple layers of firewalls. If you have a strong policy that says all traffic must go via a server within a DMZ, this makes sense. But often we end up with the same connections going through multiple firewalls. We end up configuring the same rules in multiple places. No security benefit, but increased chance of making mistakes, and added troubleshooting complexity.
  • Chained proxies: It’s pretty common to use a proxy server, to enforce HR and security controls on what users browse. But some organisations have chained proxies, where an internal proxy server connects to an upstream proxy server to get Internet access. The upstream proxy doesn’t add anything from a policy or control perspective. It’s just another point to configure and troubleshoot.
  • NAT/Routing: First let me be clear: NAT is not complete security in itself, but it can form a valid part of your overall network security policy. That Continue reading

Getting started with Cisco ASA

First StepsEven with people who work in networking, as soon as you say the word “firewall” a lot of people tend to stare at that far away place that only exists in their minds. I think some of this comes from the fact that “it’s not a router”. Another reason is that people just haven’t taken the time to get familiar with firewalls. The ASA is Ciscos firewall or VPN device. Though the ASA can do a lot of things, in this post I will cover the basics such as how you set it up and connect the device to the Internet.
Continue reading

Scaling the Cloud Security Groups

Most overlay virtual networking and cloud orchestration products support security groups more-or-less-statefulish ACLs inserted between VM NIC and virtual switch.

The lure of security groups is obvious: if you’re willing to change your network security paradigm, you can stop thinking in subnets and focus on specifying who can exchange what traffic (usually specified as TCP/UDP port#) with whom.

Read more ...

Don’t mistake masturbation for insight [NOT SAFE FOR WORK]

Stroking prejudices isn't insight. I mention this because people keep sending me this Oatmeal cartoon that does nothing but furiously stroke its supporters until they ejaculate all over the screen.


The comic claims NetNeutrality is a bipartisan issue. By bipartisan it means that Democrats and the Green Party overwhelming support it. The comic is certainly not referring to Republicans, who overwhelming oppose NetNeutrality, as any googling of "republican net neutrality" would demonstrate. I suspect the problem here is that Oatmeal readers are in a filter-bubble (a technical term for "sitting in a circle jerking each other off") and therefore don't seriously believe Republicans exist.


The comic seriously says this: support for NetNeutrality is bipartisan, but opposition is partisan. I suspect they like words like "shit smear" because they are so accustomed to having their heads up their own asses.


The Oatmeal claims NetNeutrality won't mean the feds can dictate how much your ISP charges. I suspect that's because the comic's fingering of his own ass distracts him from reading. Obama's proposal today is to reclassify the Internet as a common-carrier under section II of the Telecommunication's Act. Luckily, we have something called the "Internet" were we can  Continue reading

This Vox NetNeutrality article is wrong

There is no reasoned debate over NetNeutrality because the press is so biased. An example is this article by Timothy B. Lee at Vox "explaining" NetNeutrality. It doesn't explain, it advocates.

1. Fast Lanes

Fast-lanes have been an integral part of the Internet since the beginning. Whenever somebody was unhappy with their speeds, they paid money to fix the problem. Most importantly, Facebook pays for fast-lanes, contrary to the example provided.

One prominent example of fast-lanes is "channels" in the local ISP network to avoid congestion. This allows them to provide VoIP and streaming video over their own private TCP/IP network that won't be impacted by the congestion that everything else experiences. That's why during prime-time (7pm to 10pm), your NetFlix streams are low-def (to reduce bandwidth), while your cable TV video-on-demand are hi-def.

Historically, these channels were all "MPEG-TS", transport streams based on the MPEG video standard. Even your Internet packets would be contained inside the MPEG streams on channels.

Today, the situation is usually reversed. New fiber-optic services have TCP/IP network everywhere, putting MPEG streams on top of TCP/IP. They just separate the channels into their private TCP/IP network that doesn't suffer congestion (for voice and video-on-demand), and Continue reading

Andrisoft Wanguard: Cost-Effective Network Visibility

Andrisoft Wansight and Wanguard are tools for network traffic monitoring, visibility, anomaly detection and response. I’ve used them, and think that they do a good job, for a reasonable price.

Wanguard Overview

There are two flavours to what Andrisoft does: Wansight for network traffic monitoring, and Wanguard for monitoring and response. They both use the same underlying components, the main difference is that Wanguard can actively respond to anomalies (DDoS, etc).

Andrisoft monitors traffic in several ways – it can do flow monitoring using NetFlow/sFlow/IPFIX, or it can work in inline mode, and do full packet inspection. Once everything is setup, all configuration and reporting is done from a console. This can be on the same server as you’re using for flow collection, or you can use a distributed setup.

The software is released as packages that can run on pretty much any mainstream Linux distro. It can run on a VM or on physical hardware. If you’re processing a lot of data, you will need plenty of RAM and good disk. VMs are fine for this, provided you have the right underlying resources. Don’t listen to those who still cling to their physical boxes. They lost.

Anomaly Detection

You Continue reading

Technology Short Take #46

Welcome to Technology Short Take #46. That’s right, it’s time for yet another collection of links and articles from around the Internet on various data center-related technologies, products, projects, and efforts. As always, there is no rhyme or reason to my collection; this is just a glimpse into what I’ve seen over the past few weeks. I hope you are able to glean something useful.

Networking

  • This post by Matt Oswalt—the first in a series, apparently—provides a great introduction to 5 development tools for network engineers. I’ve already increased my usage of Git in an effort to become more fluent with this very popular version control tool, and I was already planning on exploring Jinja2 as well (these are both mentioned in Matt’s article). This is a really useful post and I’m looking forward to future posts in this series.
  • Matt also recently posted part 4 (of 5) in his series on SDN protocols; this post covers OpFlex and declarative networking.
  • It was good to read this post on Cumulus Linux first impressions by Jeremy Stretch. I’m a fan of Cumulus, but I’m admittedly a Linux guy (see here) so you might say I’m a bit biased. Jeremy is Continue reading

Chinese Routing Errors Redirect Russian Traffic

traceroute-v4

In recent weeks, Russian President Vladimir Putin announced a plan to enact measures to protect the Internet of Russia. In a speech to the Russian National Security Council he said, “we need to greatly improve the security of domestic communications networks and information resources.” Perhaps he should add Internet routing security to his list because, on a number of occasions in the past year, Russian Internet traffic (including domestic traffic) was re-routed out of the country due to routing errors by China Telecom. When international partners carry a country’s domestic traffic out of the country, only to ultimately return it, there are inevitable  security and performance implications.

Last year, Russian mobile provider Vimpelcom and China Telecom signed a network sharing agreement and established a BGP peering relationship. However, as can often happen with these relationships, one party can leak the routes received from the other and effectively insert itself into the path of the other party’s Internet communications. This happened over a dozen times in the past year between these two providers. This is a general phenomenon that occurs with some regularity but isn’t often discussed in BGP security literature. In this blog post, we’ll explore the issue Continue reading

Using ssldump to Decode/Decrypt SSL/TLS Packets

Who needs the Wireshark GUI right; let’s do this at the command line and be grown up about things. This is a straight copy of my popular Using Wireshark to Decode/Decrypt SSL/TLS Packets post, only using ssldump to decode/decrypt SSL/TLS packets at the CLI instead of Wireshark. Aside from the obvious advantages, immediacy and efficiency of a CLI tool, ssldump also […]

Author information

Steven Iveson

Steven Iveson

Steven Iveson, the last of four children of the seventies, was born in London and has never been too far from a shooting, bombing or riot. He's now grateful to live in a small town in East Yorkshire in the north east of England with his wife Sam and their four children.

He's worked in the IT industry for over 15 years in a variety of roles, predominantly in data centre environments. Working with switches and routers pretty much from the start he now also has a thirst for application delivery, SDN, virtualisation and related products and technologies. He's published a number of F5 Networks related books and is a regular contributor at DevCentral.

The post Using ssldump to Decode/Decrypt SSL/TLS Packets appeared first on Packet Pushers Podcast and was written by Steven Iveson.

Response: Black Energy 2 Malware Router Abuse – Kaspersky

Kaspersky published a research note on Black Energy malware that uses backdoors and exploits on Cisco routers to install a TCL file, perform surveillance or destruction of the device configuration.   And, they revealed that their Cisco routers with different IOS versions were hacked. They weren’t able to connect to the routers any more by […]


The post Response: Black Energy 2 Malware Router Abuse – Kaspersky appeared first on EtherealMind.

Using Firewalls for Policy Has Been a Disaster

Almost every SDN vendor today talks about policy, how they make it easy to express and enforce network policies. Cisco ACI, VMware NSX, Nuage Networks, OpenStack Congress, etc. This sounds fantastic. Who wouldn’t want a better, simpler way to get the network to apply the policies we want? But maybe it’s worth taking a look at how we manage policy today with firewalls, and why it doesn’t work.

In traditional networks, we’ve used firewalls as network policy enforcement points. These were the only practical point where we could do so. But…it’s been a disaster. The typical modern enterprise firewall has hundreds (or thousands) of rules, has overlapping, inconsistent rules, refers to decommissioned systems, and probably allows far more access than it should. New rules are almost always just added to the bottom, rather than working within the existing framework – it’s just too hard to figure out otherwise.

Why have they been a disaster? Here’s a few thoughts:

  • Traditional firewalls use IP addresses. But there’s no automated connection between server configuration/IP allocation and firewall policies. So as servers move around or get decommissioned, firewall policies don’t get automatically updated. You end up with many irrelevant objects and Continue reading