How do you explain the unreasonable effectiveness of cloud security?

With the enormous attack surface of cloud providers like AWS, Azure, and GCP, why aren't there more security problems? Data breaches and cyber attacks occur daily. How do you explain the unreasonable effectiveness of cloud security?

Google has an ebook on their security approach; Microsoft has some web pages. Both are the equivalent of that person who is disgustingly healthy and you ask them how they do it and they say "I don't know. I just eat right, exercise, and get plenty of sleep." Not all that useful. Most of us want a hack, a trick to good health. Who wants to eat right? 

I'm sure Amazon also eats right, exercises, and gets plenty of sleep (probably not the people who work there), but AWS also has a secret that when that disgustingly healthy person starts talking about at a party, you just can't help leaning in and listening. 

What's the trick to 6-pack security? Proving systems correct. Does your datacenter do that? I didn't think so. AWS does. 

Dr. Byron Cook gave an enthusiastic talk on Formal Reasoning about the Security of Amazon Web Service. He's clearly excited about finally applying his research in a Continue reading

BrandPost: Security and the Cloud Go Hand-in-Hand: Are You Prepared?

Just because you’ve tapped into the vast resources of a cloud service provider to replace previously on-premises IT assets doesn’t lessen your management or cybersecurity burden. In fact, cloud migration creates new issues for network admins to focus on: migrations are inherently risky from a cyber perspective – data on the move is data that can be exploited in transit.Cloud providers are prone to proclaiming that their security is better than any single business can achieve, simply because they have more resources to apply to the issue. By now, we all know that simply throwing money at the challenge is no guarantee of success, so maybe take that with a dose of skepticism.To read this article in full, please click here

Windows Server 2008 Cutoff: How Docker Enterprise Cures Migration Headaches

The coming end-of-support for Windows Server 2008 is the perfect opportunity for IT organizations to tap Docker Enterprise to modernize and secure legacy applications while saving millions in the process.

THE END IS NIGH (FOR WINDOWS SERVER 2008)

The coming end-of-support for Windows Server 2008 in January 2020 leaves IT organizations with a few viable options: migrate to a supported operating system (OS), rehost in Azure, or pay for an extended support contract (up to 75% of the license fee per year) to receive security updates beyond the cut-off date. The option of doing nothing (running applications on unsupported OS versions) is a non-starter for the vast majority of businesses, as this poses a significant security and compliance risk. We saw the impact of this last year when a massive ransomware attack that affected nearly 100 countries spread by targeting end-of-life and unpatched systems.

THE APPLICATION MIGRATION MIGRAINE

Upgrading will be no small feat as roughly 80% of all enterprise applications run on Windows Server. Of those applications, 70% still run on Windows Server 2008 or earlier versions*. Migrating all of these critical applications to a supported version of Windows Server is painful and costly, due to rigid legacy Continue reading

Episode 35 – Do You Really Need Good Engineers?

IT staffing budgets are shrinking and consequently many organizations are forgoing having strong engineering talent on staff. In this episode we explore the dynamics of staffing good engineers and whether or not it’s possible to remove that cost in modern networks.

 

Denise Donohue
Guest
Alia Atlas
Guest
Pete Welcher
Guest

Jordan Martin
Host
Eyvonne Sharp
Host
Russ White
Host


Outro Music:
Danger Storm Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0 License
http://creativecommons.org/licenses/by/3.0/

The post Episode 35 – Do You Really Need Good Engineers? appeared first on Network Collective.

We’ve Added a New Cisco CCNA Certification Course To Our Library!

Tune into Gabe Rivas’s most recent course release, Network Foundation Protection: Management Plane, the second in a series of eight CCNA security courses.

Network Foundation Protection is a security framework that provides with strategies to protect three functional areas of a device: Management Plane, Control Plane, and Data plane. In this Course we will focus on the management plane functionality and we will look at ways to protect and secure management access to network devices. We will compare the Pros and Cons of using an in-band vs an out-of-band management network and we will learn how to use network management protocols such as SNMP, NTP, SCP, RADIUS, TACACS+, Telnet, SSH, HTTP, and HTTPS to name a few. We will also learn the difference between the Cisco ACS and ISE servers and configure TACACS+ on ISE and an IOS device to provide with AAA for device administration. As a bonus, we will look at commonly used tools that can help you determine Cisco product vulnerabilities, best recommended software, and how to search bugs.

Prerequisites

If this was a single course covering the entire CCNA Security blueprint, the pre-requisite would have been the CCENT Certification or equivalent knowledge. Since this is Continue reading

Learning by Doing: Have You Heard of the Suusamyr Community Network in Kyrgyzstan?

Last week, the Internet Society together with our Kyrgyz chapter and the wider local community held discussions about Internet connectivity in remote areas in Bishkek, Kyrgyzstan. Approximately 35% of the Kyrgyz population use the Internet (ITU data, 2017) and most users are located in cities and urban areas.

In cooperation with its Kyrgyz chapter, the Internet Society is piloting the community networks approach in the village of Suusamyr, located some 150 kilometers south of the capital city Bishkek. We had an opportunity to visit this village of about 4000 people, tucked away in a wide valley surrounded by high mountains. The economic activity revolves around farming, horse and cattle keeping, and tourism.

While the final phase of the Suusamyr community network is still under implementation, we can already draw some lessons learnt from the preparatory and testing phases.

Partnerships

As a starting point, the Internet Society Kyrgyz chapter consolidated a partnership with the government, Internet Service Providers (ISP), and the local community in Suusamyr. The Kyrgyz government saw the opportunity for local economic development. Two ISPs agreed to lease their existing backbone infrastructure to connect the last mile. And most importantly, the local community embraced this initiative with a Continue reading

38 – DCNM 11 and VXLAN EVPN Multi-site

Hot networks served chilled, DCNM style

When I started this blog for Data Center Interconnection purposes some time ago, I was not planning to talk about network management tools. Nevertheless, I recently tested DCNM 11 to deploy an end-to-end VXLAN EVPN Multi-site architecture, hence, I thought about sharing with you my recent experience with this software engine. What pushed me to publish this post is that I’ve been surprisingly impressed with how efficient and time-saving DCNM 11 is in deploying a complex VXLAN EVPN fabric-based infrastructure, including the multi-site interconnection, while greatly reducing the risk of human errors caused by several hundred required CLI commands. Hence, I sought to demonstrate the power of this fabric management tool using a little series of tiny videos, even though I’m usually not a fan of GUI tools.

To cut a long story short, if you are not familiar with DCNM (Data Center Network Manager), DCNM is a software management platform that can run from a vCenter VM, a KVM machine, or a Bare metal server. It focuses on Cisco Data Center infrastructure, supporting a large set of devices, services, and architecture solutions. It covers multiple types of Data Center Fabrics; from the Storage Continue reading

RPKI and BGP: our path to securing Internet Routing

RPKI and BGP: our path to securing Internet Routing
RPKI and BGP: our path to securing Internet Routing

This article will talk about our approach to network security using technologies like RPKI to sign Internet routes and protect our users and customers from route hijacks and misconfigurations. We are proud to announce we have started deploying active filtering by using RPKI for routing decisions and signing our routes.

Back in April, articles including our blog post on BGP and route-leaks were reported in the news, highlighting how IP addresses can be redirected maliciously or by mistake. While enormous, the underlying routing infrastructure, the bedrock of the Internet, has remained mostly unsecured.

At Cloudflare, we decided to secure our part of the Internet by protecting our customers and everyone using our services including our recursive resolver 1.1.1.1.

From BGP to RPKI, how do we Internet ?

A prefix is a range of IP addresses, for instance, 10.0.0.0/24, whose first address is 10.0.0.0 and the last one is 10.0.0.255. A computer or a server usually have one. A router creates a list of reachable prefixes called a routing table and uses this routing table to transport packets from a source to a destination.  

On the Internet, network Continue reading

RPKI – The required cryptographic upgrade to BGP routing

RPKI - The required cryptographic upgrade to BGP routing

We have talked about the BGP Internet routing protocol before. We have talked about how we build a more resilient network and how we can see outages at a country-level via BGP. We have even talked about the network community that is vital to the operation of the global Internet.

Today we need to talk about why existing operational practices for BGP routing and filtering have to significantly improve in order to finally stop route leaks and hijacks; which are sadly pervasive in today’s Internet routing world. In fact, the subtle art of running a BGP network and the various tools (both online and within your a networks subsystems) that are vital to making the Internet routing world a safe and reliable place to operate need to improve.

Internet routing and BGP and security along with its operational expertise must improve globally.

RPKI - The required cryptographic upgrade to BGP routing
photo by Marco Verch by/2.0

Nothing specific triggered today’s writing except the fact that Cloudflare has decided that it's high-time we took a leadership role to finally secure BGP routing. We believe that each and every network needs to change its mindset towards BGP security both on a day-by-day and a long-term basis.

It's time to stop Continue reading

Windows XP OpenVPN TAP installation, “devcon.exe failed”

Although this article mainly targets OpenVPN TAP driver installation issue, The problem is likely not limited to that specific driver.

You may want to continue reading and give the very easy solution at the end of the article a try.

Recently I had to install OpenVPN on a system running Windows XP (Don’t ask). The installation went smoothly up until TAP driver installation and then suddenly things went haywire:

An error occurred installing the TAP device driver

The yellow marked status with the code of 28 in the device manager was not promising either:

The drivers for this device are not installed. (Code 28)

In Windows XP, to install its inf file, TAP driver installation uses the built-in Windows Device Console (Devcon.exe). Pretty simple stuff, you just use devcon.exe with the install argument, supply the inf file and then provide the device’s Hardware ID.

This is the command being used to install each TAP NIC:
"C:\Program Files\TAP-Windows\bin\devcon.exe" install "C:\Program Files\TAP-Windows\driver\OemWin2k.inf" tap0901

Which gave a mundane error:

devcon.exe failed.

Devcon however, leaves a log file of its operation behind in %windir%\setupapi.log which included these lines:

#E122 Device install failed. Error 2: The system cannot find Continue reading

Infrastructure-as-Code, NETCONF and REST API

This is the third blog post in “thinking out loud while preparing Network Infrastructure as Code presentation for the network automation course” series. You might want to start with Network-Infrastructure-as-Code Is Nothing New and Adjusting System State blog posts.

As I described in the previous blog post, the hardest problem any infrastructure-as-code (IaC) tool must solve is “how to adjust current system state to desired state described in state definition file(s)”… preferably without restarting or rebuilding the system.

There are two approaches to adjusting system state:

Read more ...

Relational inductive biases, deep learning, and graph networks

Relational inductive biases, deep learning, and graph networks Battaglia et al., arXiv’18

Earlier this week we saw the argument that causal reasoning (where most of the interesting questions lie!) requires more than just associational machine learning. Structural causal models have at their core a graph of entities and relationships between them. Today we’ll be looking at a position paper with a wide team of authors from DeepMind, Google Brain, MIT, and the University of Edinburgh, which also makes the case for graph networks as a foundational building block of the next generation of AI. In other words, bringing back and re-integrating some of the techniques from the AI toolbox that were prevalent when resources were more limited.

We argue that combinatorial generalization must be a top priority for AI to achieve human-like abilities, and that structured representation and computations are key to realizing this objective… We explore how using relational inductive biases within deep learning architectures can facilitate learning about entities, relations, and the rules for composing them.

Relational reasoning and structured approaches

Human’s represent complex systems as compositions of entities and their interactions. We use hierarchies to abstract away fine-grained differences, manage part-whole associations and other more Continue reading

VMware NSX-T Data Center in Evaluation for Common Criteria EAL4+ Certification

VMware NSX-T Data Center 2.x is now under evaluation for Common Criteria certification at Evaluation Assurance Level 4+ with BSI, Germany’s Federal Office for Information Security. Common Criteria is an internationally recognized standard (ISO-15408) that defines, validates, and assures security features and capabilities of IT security products. To see the evaluation status for VMware NSX-T 2.x, visit the German BSI certification website and reference certificate # BSI-DSZ-CC-1099.

VMware NSX-T was introduced to help organizations meet the stringent security demands of containerized workloads, multi-hypervisor, and multi-cloud. And this latest milestone for NSX-T 2.x reinforces VMware’s continuing commitment to deliver secure software to our customers. During the Common Criteria certification process, VMware NSX-T will undergo a thorough and rigorous evaluation methodology, with testing performed by a commercial Common Criteria Evaluation Facility under the oversight of the Certification Body. The Common Criteria certification acts as a seal of assurance for the federal government, its agencies, contractors and other organizations and assures that the product complies with strict security requirements specified within the designated level.

Within the VMware NSX portfolio, we have a long history of investing in certification efforts. For example, VMware NSX Data Center for vSphere 6.x also Continue reading

Kernel of Truth episode 7: data center networking in APAC and EMEA

Subscribe to Kernel of Truth on iTunes, Google Play, SpotifyCast Box and Sticher!

Click here for our previous episode.

We wanted to give this podcast a bit of international flair, so we invited some overseas guests into the recording booth. I’m joined by Attilla de Groot (Sales Engineer for EMEA) and Sutharsan Sivapalan (Sales Engineer for APAC), who filled me in on the networking customers, trends and challenges that are cropping up in their respective regions. There are definitely differences between these two ends of the world, but you’d be surprised how much these regions have in common despite the distance.

Tweet any questions, feedback or topics you want us to discuss at @cumulusnetworks and use the hashtag #KernelOfTruth — let us know if you like what you’re hearing!

Guest bios

Sutharsan Sivapalan: CCIE #40322 (Data Center), is a Senior Systems Engineer covering the US West and Asia-Pacific regions for Cumulus Networks. Prior to joining Cumulus, Sutharsan spent 6 years at Cisco designing and troubleshooting some of the most complex networks in the world, as a member of their Technical Services organisation. In that role, he supported the entire Data Centre portfolio, including UCS, the Nexus Continue reading