Category Archives for "Security"

Now You Can Setup Centrify, OneLogin, Ping and Other Identity Providers with Cloudflare Access

We use Cloudflare Access to secure our own internal tools instead of a VPN. As someone who does a lot of work on the train, I can attest that this is awesome (though I might be biased). You can see it in action below. Instead of having to connect to a VPN to reach our internal Jira, we just log in with our Google account and we are good to go:

Before today, you could set up Access if you used G Suite, Okta or Azure AD to manage your employee accounts. Today we would like to announce support for two more Identity Providers with Cloudflare Access: Centrify and OneLogin.

We launched Cloudflare Access earlier this year and have been overwhelmed by the response from our customers and community. Customers tell us they love the simplicity of setting up Access to secure applications and integrate with their existing identity provider solution. Access helps customers implement a holistic solution for both corporate and remote employees without having to use a VPN.

If you are using Centrify or OneLogin as your identity provider, you can now easily integrate them with Cloudflare Access and have your team members log in with their accounts to securely reach your internal

Introducing a New MANRS IXP Programme for Routing Security

Today, we are pleased to announce that the Mutually Agreed Norms for Routing Security (MANRS) is getting a new category of members – IXPs. The MANRS IXP Programme introduces a separate membership category for IXPs with a set of security actions to address the unique needs and concerns of IXPs.
The ten founding participants are Asteroid (International), CABASE (Argentina), CRIX (Costa Rica), DE-CIX (Germany), INEX (Ireland), MSK-IX (Russia), Netnod (Sweden), RINEX (Rwanda), TorIX (Canada), and YYCIX (Canada).
Programme participation provides an opportunity for an IXP to demonstrate its attention to the security and sustainability of the Internet ecosystem and, therefore, its dedication to providing high-quality services.
The IXP Action set was developed by a group of IXPs from all around the world and was presented at multiple IXP fora for discussion and feedback. We hope that with IXPs as partners, their ISP members will also join the Network Operator category of MANRS.
Participation in the MANRS IXP Programme requires an IXP to implement and document a majority of the IXP Programme Actions (at least three out of five). Actions 1 and 2 are mandatory, and the IXP must implement at least one additional Action. Here are the five Actions:
  1. Facilitate

OMG The Stupid It Burns

This article, pointed out by @TheGrugq, is stupid enough that it's worth rebutting.
The article starts with the question "Why did the lessons of Stuxnet, Wannacry, Heartbleed and Shamoon go unheeded?". It then proceeds to ignore the lessons of those things.

Some of the actual lessons should be things like how Stuxnet crossed air gaps, how Wannacry spread through flat Windows networking, how Heartbleed comes from technical debt, and how Shamoon furthers state aims by causing damage.

But this article doesn't cover the technical lessons. Instead, it thinks the lesson should be the moral lesson: that we should take these things more seriously. But that's stupid. It's the sort of lesson taught by people who know nothing about the topic. When you have nothing of value to contribute to a topic, you can always take the moral high road and criticize everyone for being morally weak for not taking it

Micro-segmentation Starter Kit

Traditional security solutions are designed to protect the perimeter. As applications and data become increasingly distributed, they often span not only multiple sites but also multiple clouds. This makes it harder to identify where the perimeter actually is in order to secure it. But even if the perimeter can be reliably identified, securing it alone is not enough: the east-west traffic inside the environment must be secured as well. VMware NSX makes security an intrinsic part of the infrastructure that applications and data live on, rather than a bolted-on afterthought; security is built in from Day 0.

VMware created a Micro-segmentation Starter Kit to help you get started with securing your network, from Planning to Enforcement to Troubleshooting. Each kit includes 6 CPUs of both NSX ADV and vRealize Network Insight ADV at 25% off the global list price.

  • Plan: Take the manual and subjective process out of determining what security policies to put in place and where. vRealize Network Insight provides a comprehensive net flow assessment and analysis to model and recommend security groups and firewall rules across your physical, virtual, and cloud environments.
  • Enforce: Micro-segmentation, the implementation of security policy

It’s Time For Security Apprenticeships

Breaking into an industry isn’t easy. When you look at the amount of material that is necessary to learn IT skills it can be daunting and overwhelming. Don’t let the for-profit trade school ads fool you. You can’t go from ditch digger to computer engineer in just a few months. It takes time and knowledge to get there.

However, there is one concept in non-technical job roles that feels very appropriate to how we do IT training, specifically for security. And that’s the apprenticeship.

Building For The Future

Apprenticeship is a standard for electricians and carpenters. It’s the way that we train new people to do the work of the existing workforce. It requires time and effort and a lot of training. But, it also fixes several problems with the current trend of IT certification:

  1. You Can’t Get a Job Without Experience – Far too often we see people getting rejected for entry-level jobs because they have no experience. But how are they supposed to get the experience without doing the job? IT roles paradoxically require you to be cheap enough to hire for next to nothing, yet expect you to do the job on day one. Apprenticeships fix

Keeping Drupal sites safe with Cloudflare’s WAF

Cloudflare’s team of security analysts monitors for emerging threats and vulnerabilities and, where possible, puts protection in place before they can be used to compromise our customers. This post examines how we protected people against a new major vulnerability in the Drupal CMS, nicknamed Drupalgeddon 2.

Two weeks after adding protection with WAF rule ID D0003, which mitigates the critical remote code execution vulnerability in Drupal (SA-CORE-2018-002/CVE-2018-7600), we have seen significant spikes in attack attempts. Since the 13th of April the Drupal security team has been aware of automated attack attempts, and it significantly increased the security risk score of the vulnerability. It makes sense to go back and analyse what happened in the last seven days in Cloudflare’s WAF environment.

What is Drupalgeddon 2?

The vulnerability potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could lead to the site being completely compromised.

Drupal introduced renderable arrays: a key-value structure, with keys starting with a ‘#’ symbol, that allows data to be altered during form rendering. These arrays, however, did not have enough input validation. This means that an attacker could inject a custom renderable array through one of these keys in the form structure.

mmproxy – Creative Linux routing to preserve client IP addresses in L7 proxies

In a previous blog post we discussed how we use the TPROXY iptables module to power Cloudflare Spectrum. With TPROXY we solved a major technical issue on the server side, and we thought we might find another use for it on the client side of our product.

When building an application-level proxy, the first consideration is always how to retain the real client source IP address. Some protocols make it easy, e.g. HTTP has a defined X-Forwarded-For header[1], but there isn't a similar mechanism for generic TCP tunnels.

Others have faced this problem before us, and have devised three general solutions:

(1) Ignore the client IP

For certain applications it may be okay to ignore the real client IP address. For example, sometimes the client needs to identify itself with a username and password anyway, so the source IP doesn't really matter. In general, it's not a good practice because...

(2) Nonstandard TCP header

A second method was developed by Akamai: the client IP is saved inside a custom option in the TCP header of the SYN packet. Early implementations of this method didn't conform to any standard, e.g. using option field 28
