AWS ABCs — Can I Firewall My Compute Instances?

In a previous post, I reviewed what a public subnet and Internet Gateway (IGW) are and that they allowed outbound and _in_bound connectivity to instances (ie, virtual machines) running in the AWS cloud.

If you're the least bit security conscious, your reaction might be, “No way! I can't have my instances sitting right on the Internet without any protection”.

Fear not, reader. This post will explain the mechanisms that the Amazon Virtual Private Cloud (VPC) affords you to protect your instances.

VMworld EMEA 2018 and Spousetivities

Registration is now open for Spousetivities at VMworld EMEA 2108 in Barcelona! Crystal just opened registration in the last day or so, and I wanted to help get the message out about these activities.

Here’s a quick peek at what Crystal has lined up for Spousetivities participants:

  • A visit to the coastal village of Calella de Palafrugell, the village of Llafranc, and Pals (one of the most well-preserved medieval villages in all of Catalunya), along with wine in the Empordá region
  • Tour of the Dali Museum
  • Lunch and tour of Girona
  • A lunch-time food tour
  • A visit to the Collsera Natural Park and Mount Tibidabo, along with lunch at a 16th century stone farmhouse

For even more details, visit the Spousetivities site.

These activities look amazing. Even if you’ve been to Barcelona before, these unique activities and tours are not available to the public—they’re specially crafted specifically for Spousetivities participants.

Prices for all these activities are reduced thanks to Veeam’s sponsorship, and to help make things even more affordable there is a Full Week Pass that gives you access to all the activities at an additional discount.

These activities will almost certainly sell out, so register today!

Side note: Continue reading

LinkedIn the latest to introduce its own server designs

Whoever thought the chief competitors to HP Enterprise and Dell EMC would wind up being some of their biggest customers? But giant data center operators are in a sense becoming just that — a competitor to the hardware companies that they once and, to some degree still, sell hardware to.The needs of hyperscale data centers have driven this phenomenon. HPE and Dell design servers with maximum, broad appeal, so they don’t have to have many SKUs. But hyperscale data center operators want different configurations and find it cheaper to buy the parts and build the server themselves.Most of them— Google chief among them — don’t sell their designs; it’s just for their own internal use. But in the case of LinkedIn, the company is offering to “open source” the hardware designs it created to lower costs and speed up its data center deployment.To read this article in full, please click here

LinkedIn the latest to introduce its own server designs

Whoever thought the chief competitors to HP Enterprise and Dell EMC would wind up being some of their biggest customers? But giant data center operators are in a sense becoming just that — a competitor to the hardware companies that they once and, to some degree still, sell hardware to.The needs of hyperscale data centers have driven this phenomenon. HPE and Dell design servers with maximum, broad appeal, so they don’t have to have many SKUs. But hyperscale data center operators want different configurations and find it cheaper to buy the parts and build the server themselves.Most of them— Google chief among them — don’t sell their designs; it’s just for their own internal use. But in the case of LinkedIn, the company is offering to “open source” the hardware designs it created to lower costs and speed up its data center deployment.To read this article in full, please click here

Systemd traffic marking

Monitoring Linux services describes how the open source Host sFlow agent exports metrics from services launched using systemd, the default service manager on most recent Linux distributions. In addition, the Host sFlow agent efficiently samples network traffic using Linux kernel capabilities: PCAP/BPF, nflog, and ulog.

This article describes a recent extension to the Host sFlow systemd module, mapping sampled traffic to the individual services the generate or consume them. The ability to color traffic by application greatly simplifies service discovery and service dependency mapping; making it easy to see how services communicate in a multi-tier application architecture.

The following /etc/hsflowd.conf file configures the Host sFlow agent, hsflowd, to sampling packets on interface eth0, monitor systemd services and mark the packet samples, and track tcp performance:
sflow {
  collector { ip = 10.0.0.70 }
  pcap { dev = eth0 }
  systemd { markTraffic = on }
  tcp { }
}
The diagram above illustrates how the Host sFlow agent is able to efficiently monitor and classify traffic. In this case both the Host sFlow agent and an Apache web server are are running as services managed by systemd. A network connection , shown in Continue reading

The Facebook Breach: Some Lessons for the Internet

Last week Facebook found itself at the heart of a security breach that put at risk the personal information of millions of users of the social network.

On September 28, news broke that an attacker exploited a technical vulnerability in Facebook’s code that would allow them to log into about 50 million people’s accounts.

While Facebook was quick to address the exploit and fix it, they say they don’t know if anyone’s accounts actually were breached.

This breach follows the Cambridge Analytica scandal earlier this year that resulted in the serious mishandling of the data of millions of people who use Facebook.

Both of these events illustrate that we cannot be complacent about data security. Companies that hold personal and sensitive data need to be extra vigilant about protecting their users’ data.

Yet even the most vigilant are also vulnerable. Even a single security bug can affect millions of users, as we can see.

There are a few things we can learn from this that applies to the other security conversations: Doing security well is notoriously hard, and persistent attackers will find bugs to exploit, in this case a combination of three apparently unrelated ones on the Facebook platform.

This Continue reading

IPv6 Security Considerations

When rolling out a new protocol such as IPv6, it is useful to consider the changes to security posture, particularly the network’s attack surface. While protocol security discussions are widely available, there is often not “one place” where you can go to get information about potential attacks, references to research about those attacks, potential counters, and operational challenges. In the case of IPv6, however, there is “one place” you can find all this information: draft-ietf-opsec-v6. This document is designed to provide information to operators about IPv6 security based on solid operational experience—and it is a must read if you have either deployed IPv6 or are thinking about deploying IPv6.

The draft is broken up into four broad sections; the first is the longest, addressing generic security considerations. The first consideration is whether operators should use Provider Independent (PI) or Provider Assigned (PA) address space. One of the dangers with a large address space is the sheer size of the potential routing table in the Default Free Zone (DFZ). If every network operator opted for an IPv6 /32, the potential size of the DFZ routing table is 2.4 billion routing entries. If you thought converging on about 800,000 routes is Continue reading

Cisco sets $2.3B deal for unified access, multi-factor authentication security firm Duo

Cisco said today it had closed the $2.35 billion deal it made for network identity, authentication security company Duo.According to Cisco, Duo’s zero-trust security model authorizes secure connections to all applications based on the trustworthiness of users and devices. Duo’s cloud-delivered technology lets IT professionals set and enforce risk-based, adaptive access policies and get enhanced visibility into users’ devices and activities. As more devices come onto the network remotely this issue takes on more importance.“Outdated devices are particularly vulnerable to being compromised, which can easily spiral into a full-blown, major breach,” wrote Richard Archdeacon, Duo Advisory CISO about a recent Duo study on remote access security. “Organizations don’t necessarily need to block individuals from using their personal devices, but they do need to re-shape their security models to fit these evolving working practices. … If you don’t know what’s connecting to the network, how can you protect data from being compromised?"To read this article in full, please click here

Cisco sets $2.3B deal for unified access, multi-factor authentication security firm Duo

Cisco said today it had closed the $2.35 billion deal it made for network identity, authentication security company Duo.According to Cisco, Duo’s zero trust security model authorizes secure connections to all applications based on the trustworthiness of users and devices. Duo’s cloud-delivered technology lets IT professionals set and enforce risk-based, adaptive access policies and get enhanced visibility into users’ devices and activities.  As more devices come onto the network remotely this issue takes on more importance.“Outdated devices are particularly vulnerable to being compromised, which can easily spiral into a full-blown, major breach,” wrote Richard Archdeacon, Duo Advisory CISO about a recent Duo study on remote access security.   “Organizations don’t necessarily need to block individuals from using their personal devices, but they do need to re-shape their security models to fit these evolving working practices…If you don’t know what’s connecting to the network, how can you protect data from being compromised? “To read this article in full, please click here

Cisco sets $2.3B deal for unified access, multi-factor authentication security firm Duo

Cisco said today it had closed the $2.35 billion deal it made for network identity, authentication security company Duo.According to Cisco, Duo’s zero trust security model authorizes secure connections to all applications based on the trustworthiness of users and devices. Duo’s cloud-delivered technology lets IT professionals set and enforce risk-based, adaptive access policies and get enhanced visibility into users’ devices and activities.  As more devices come onto the network remotely this issue takes on more importance.“Outdated devices are particularly vulnerable to being compromised, which can easily spiral into a full-blown, major breach,” wrote Richard Archdeacon, Duo Advisory CISO about a recent Duo study on remote access security.   “Organizations don’t necessarily need to block individuals from using their personal devices, but they do need to re-shape their security models to fit these evolving working practices…If you don’t know what’s connecting to the network, how can you protect data from being compromised? “To read this article in full, please click here

Free to code

This week at the Cloudflare Internet Summit I have the honour of sitting down and talking with Sophie Wilson. She designed the very first ARM processor instruction set in the mid-1980s and was part of the small team that built the foundations for the mobile world we live in: if you are reading this on a mobile device, like a phone or tablet, it almost certainly has an ARM processor in it.

But, despite the amazing success of ARM, it’s not the processor that I think of when I think of Sophie Wilson. It’s the BBC Micro, the first computer I ever owned. And it’s the computer on which Wilson and others created ARM despite it having just an 8-bit 6502 processor and 32k of RAM.

Luckily, I still own that machine and recently plugged it into a TV set and turned it on to make sure it was still working 36 years on (you can read about that one time blue smoke came out of it and my repair). I wanted to experience once more the machine Sophie Wilson helped to design. One vital component of that machine was BBC BASIC, stored in a ROM chip on Continue reading

Worth Reading: The Ecology of Web Browsing Engines

Early in my career when I worked at agencies and later at Microsoft on Edge, I heard the same lament over and over: “Argh, why doesn’t Edge just run on Blink? Then I would have access to ALL THE APIs I want to use and would only have to test in one browser!” Let me be clear: an Internet that runs only on Chrome’s engine, Blink, and its offspring, is not the paradise we like to imagine it to be. —Rachel Nabors @css-tricks

1 1,448 1,449 1,450 1,451 1,452 3,841