This post will be the first in a series that examines what I think are some of the powerful security capabilities of the VMware NSX platform and their implications for data center network architecture. In this post we’ll look at the concepts of Zero Trust (as opposed to Trust Zones), and virtualization-centric grouping (as opposed to network-centric grouping).
Note: Zero Trust as a guiding principle to enterprise wide security is inspired by Forrester’s “Zero Trust Network Architecture”.
We want to be able to secure all traffic in the data center without compromising performance (user experience) or introducing unmanageable complexity. Most notably, given the proliferation of East-West traffic, we want to secure traffic between any two VMs, or between any VM and physical host, with the best possible security controls and visibility – per flow, per packet, stateful inspection with policy actions, and detailed logging – in a way that’s both economical to obtain and practical to deploy.
Until now, it hasn’t been possible (much less economically feasible or even practical) to directly connect every virtual machine to its own port on a firewall. Because of this, the […]
As part of a request at work to figure out the IPv4 addresses of devices on a network where broadcast pings don’t work, and with no administrative access to the switches/routers, I took a look at solving this with IPv6. We know that you can ping6 the all-nodes multicast address and get DUP! replies from IPv6-enabled hosts on that LAN segment. These will typically be link-local addresses, from which you can determine a MAC address. As for how to resolve that MAC address on a client host and not the router/switch, I was thinking reverse ARP or something, but support for that wasn’t present in my Ubuntu 13.10 kernel on the main machine I was working with. I started looking around for other options using IPv6 and found RFC4620, Section 6.4.
The gist of it is that you send an ICMPv6 Type 139 packet to an IPv6 address, asking if it has any IPv4 addresses configured either on the interface the target address is on, or on any interfaces on the machine itself. And this is why this is disabled by default on hosts, and *IF* you insist on filtering ICMP6 Types, definitely make certain this is one of them. It works […]
It’s the latest dudilicious episode of Healthy Paranoia! This time we’ll be covering the topic of information sharing and analysis centers (ISAC), specifically in the research and educational networking sector, aka REN-ISAC. Joining Mrs. Y on this adventure into the land of dudeness is Wes Young, REN-ISAC Principal Security Engineer and Architect (El Duderino), Keith […]
The post Healthy Paranoia Show 15: The Dudes of REN-ISAC appeared first on Packet Pushers Podcast and was written by Mrs. Y.
This morning I read an article in which the writer thought that wireless security was too inconvenient and difficult, so he simply disabled it, leaving his network wide open. He was tired of his complex password being too hard for guests to use and made the comparison that they didn’t have to use these kinds […]
The post Network Security and the N00b Meter appeared first on Packet Pushers Podcast and was written by Mrs. Y.
Recently the New York Times posted an article stating that while Edward Snowden was at the NSA, he learned to be a hacker by taking a CEH course and getting the certification. But the certification, listed on a résumé that Mr. Snowden later prepared, would also have given him some of the skills he needed […]
The post Snowden Media Douchebaggery appeared first on Packet Pushers Podcast and was written by Mrs. Y.
The Cisco ASA firewall has supported multiple security contexts since version 7 was released in 2005. This feature allows you to configure multiple independent logical firewalls in the same ASA hardware. When version 8.5(1) released in July 2011, support was added for mixed mode firewalls in which both routed and transparent contexts can reside on […]
The post Cisco ASA Virtualization with Mixed-Mode Security Contexts appeared first on Packet Pushers Podcast and was written by Eyvonne Sharp.
Get ready for another nerdilicious episode of Healthy Paranoia featuring Andrew Case, digital forensics researcher and a core developer for the Volatility Framework. Liam Randall joins Mrs. Y. as they discuss topics such as: The difference between forensics and incident response. Malware analysis vs. reverse engineering. Why you should treat a compromised system like a […]
The post Healthy Paranoia Show 14: Digital Forensics and Incident Response with Andrew Case appeared first on Packet Pushers Podcast and was written by Mrs. Y.
For the past few years, many people have been suggesting that the days of IDS (intrusion detection system) are numbered. When IDS was first launched, it was seen as an answer to a lot of network security problems: deep packet inspection with constant monitoring and alerts. However, one of the biggest problems with IDS is […]
This is my third and probably last installment of an ongoing story about our quest for OpenFlow 1.0 capable switches with a specific requirement - the capability to modify L3 destination addresses. The background of why Sakura Internet needs such switches for the purpose of DDoS attack mitigation is explained in my first article, along with […]
The post Centec V330: My Kind of OpenFlow Switch appeared first on Packet Pushers Podcast and was written by Tamihiro Yuzawa.
Barbie films (yes, I really am talking about Barbie in a network blog post) are a big hit with my kids, and surprisingly with me too. I’ll possibly regret telling the world that, but anyway, there’s an exchange in one film* that always makes me laugh. It goes like this. Human (Australian accent): “You’re bonkers!” […]
The post Thinking About SDN Packet Processing: You’re the One Talking to a Fish appeared first on Packet Pushers Podcast and was written […]
I’ve just passed a year of my job working at a smallish non-profit, and one part that I really am enjoying is passing on knowledge to the front-line staff. This week, there was an interesting case, and I had to explain to my colleagues what was happening and why. So, I did a little demo, and […]
The post Fun With Unmanaged Switches + Port Security appeared first on Packet Pushers Podcast and was written by Matthew Mengel.
Welcome to another lofty episode of Healthy Paranoia where we take on the profound problem of security certifications, specifically the Certified Information Systems Security Professional (CISSP). Joining Mrs. Y and Greg Ferro is an illustrious cast of infosec luminaries, including: well-known security analyst Wendy Nather, Novainfosec.com founder Grecs, IPv6 fanatic Joe Klein, and the enigmatic […]
The post Healthy Paranoia Show 13: To CISSP, Or Not To CISSP appeared first on Packet Pushers Podcast and was written by Mrs. Y.
Recently Greg Ferro published an e-book for bloggers, “Arse First Method of Technical Blogging.” It has some great suggestions (although I’m not sure what an arse is), but after reading it, I realized it really doesn’t apply to security blogging. Without further ado, here are some of my tips for good infosec blog posts. 1. […]
The post Mrs. Y’s Rules for Security Bloggers appeared first on Packet Pushers Podcast and was written by Mrs. Y.
Now that I’ve returned from the whirlwind that was Interop Las Vegas, I thought I’d share some thoughts about my experience as a speaker and attendee. First the good: The UBM staff was awesome and I appreciated the chance to pontificate on one of my favorite subjects, firewalls. Thanks to some quick thinking by the […]
The post Interop: Firewalls, Booth Babes and Unicorn Poop appeared first on Packet Pushers Podcast and was written by Mrs. Y.
Announcing the latest episode of Healthy Paranoia from Mrs. Y featuring the case of Terry Childs, the infamous former Network Administrator arrested for refusing to provide passwords for San Francisco’s FiberWAN system to management. She’s joined by Jeana Pieralde, Chief Security Officer for the City and County of San Francisco, along with two members of the […]
The post Healthy Paranoia Show 12: The Saga of Terry Childs appeared first on Packet Pushers Podcast and was written by Mrs. Y.
Yesterday, a “breaking news” tweet at 1:07 PM EDT from the Associated Press reported that two explosions had occurred at the White House and President Obama had been injured. The news immediately sent the Dow Jones Industrial Average down 143 points, as this graph at the London Telegraph shows. There’s also a lovely animated display […]
The post Machine Fragile appeared first on Packet Pushers Podcast and was written by Russ White.
You say, “It works – don’t fix it.” I hear, “It works – don’t touch it.” I’m also thinking that if you don’t touch it, then it’s never upgraded or changed. Is a static, unchanged network the best you can do to support your business? Are you happy with just doing more of the same […]
The post It Works and It Should Be Better appeared first on Packet Pushers Podcast and was written by Greg Ferro.
Join Mrs. Y, Taylor Banks and esteemed Nerd Captain Ivan Pepelnjak for another exciting episode of Healthy Paranoia! In this installment, we discover the day the security industry stood still for Bro IDS with expert and project contributor Liam Randall. Just a few of the fun facts you’ll learn include: The real meaning of “bromance.” […]
The post Healthy Paranoia Show 11: Bro – the Outer Limits of IDS appeared first on Packet Pushers Podcast and was written by Mrs. Y.
As I do most days, I took a walk in the woods at the back of my garden after a hearty dinner. I was quite surprised to come across a small wooden yellow door I’d never seen before, set into the trunk of a tree I’d never noticed until today. I opened the door and squeezed […]
The post A Small Yellow Wooden Door: Thinking Practically About SDN appeared first on Packet Pushers Podcast and was written by Steven Iveson.
In a previous post on IPS, I made a fairly negative comment on the value that you get from enterprise firewalls in the modern environment. At the time, I said that I was just going to leave that comment hanging and see what happened. Well, precisely no one challenged me on it, which means either everybody […]
The post Firewalls: Expensive, Broken Routers appeared first on Packet Pushers Podcast and was written by Neil Anderson.