When Firepower Management Center Goes Offline

A typical Firepower deployment consists of a management component and a managed device. The management component is known as Firepower Management Center (FMC). The managed device is the NGIPS or NGFW itself and would be leveraging the Firepower or the Firepower Threat Defense (FTD) operating system. Both layers of the topology include provisions for redundant deployments. Firepower Management Center is available in a two-node HA configuration. Firepower Threat Defense, the NGFW managed device, can be either HA or clustered.

One question that often comes up is, “What happens when FMC goes offline?” The general response is traffic continues to flow but the managed device cannot be managed. While this is not a good position to be in, it does provide an opportunity to assess the impact of waiting for a maintenance window (or a replacement).

TL;DR

  • Firepower continues to pass traffic when FMC is offline
  • Events captured on the Firepower device will be passed to the FMC when it is available
  • Event Storage on the managed device is finite, events may be lost during an extended outage
  • Malware Cloud Lookups/Block functionality depends on FMC, plan HA and File Policy accordingly
  • Firepower managed device cannot be managed until FMC is available

Continue reading

Tracking DNSSEC: See the Deployment Maps

Did you know the Internet Society Deploy360 Programme provides a weekly view into global DNSSEC deployment? Each Monday, we generate new maps and send them to a public DNSSEC-Maps mailing list. We also update the DNSSEC Deployment Maps page periodically, usually in advance of ICANN meetings.

DNS Security Extensions — commonly known as DNSSEC — allow us to have more confidence in our online activities at work, home, and school. DNSSEC acts like tamper-proof packaging for domain name data, helping to ensure that you are communicating with the correct website or service. However, DNSSEC must be deployed at each step in the lookup from the root zone to the final domain name. Signing the root zone, generic Top Level Domains (gTLDs) and country code Top Level Domains (ccTLDs) is vital to this overall process. These maps help show what progress the Internet technical community is making toward the overall goal of full DNSSEC deployment.

These maps are a bit different from other DNSSEC statistics sites in that they contain both factual, observed information and also information based on news reports, presentations, and other collected data. For more information about how we track the deployment status of TLDs, please read our page Continue reading

EnclaveDB: a secure database using SGX

EnclaveDB: A secure database using SGX Priebe et al., IEEE Security & Privacy 2018

This is a really interesting paper (if you’re into this kind of thing I guess!) bringing together the security properties of Intel’s SGX enclaves with the Hekaton SQL Server database engine. The result is a secure database environment with impressive runtime performance. (In the read-mostly TATP benchmarks, overheads are down around 15%, which is amazing for this level of encryption and security). The paper does a great job showing us all of the things that needed to be considered to make EnclaveDB work so well in this environment.

One of my favourite takeaways is that we don’t always have to think of performance and security as trade-offs:

In this paper, we show that the principles behind the design of a high performance database engine are aligned with security. Specifically, in-memory tables and indexes are ideal data structures for securely hosting and querying sensitive data in enclaves.

Motivation and threat model

We host databases in all sorts of untrusted environments, potentially with unknown database administrators, server administrators, OS and hypervisors. How can we guarantee data security and integrity in such a world? Or even how Continue reading

Cisco Live 2018 – Yes, I Went Too

It’s been a very busy month or so. June is always like that, it seems. There’s ARRL Field Day, which is always the last rainy weekend in June. This year, Cisco Live was in June, and that typically includes Tech Field Day activities. Right before that, we had the whole family in town for a family reunion. There was all sorts of stuff going on. Now that most of that has blown over, I’ve collected my thoughts and wanted to talk about Cisco Live this year.

Those who are of any importance in the networking world (LOL!) converged on Orlando this to attend the conference. Orlando brings back all sorts of memories — from Taverna Opa to Sizzler to LISP explained with plates — and we’re all familiar with the Orange County Convention Center. It’s a great facility with enough room to handle the largest of gatherings. I don’t think I saw the attendance numbers, but I would guess there were 30,000 attendees at Cisco Live this year. A typical crowd for the event, and the venue was more than adequate.

This year, I went on the Imagine Pass instead of the full conference pass. This pass included Continue reading

Too Old To Rocket Load, Too Young To Die

Too Old To Rocket Load, Too Young To Die

Rocket Loader is in the news again. One of Cloudflare's earliest web performance products has been re-engineered for contemporary browsers and Web standards.

No longer a beta product, Rocket Loader controls the load and execution of your page JavaScript, ensuring useful and meaningful page content is unblocked and displayed sooner.

For a high-level discussion of Rocket Loader aims, please refer to our sister post, We have lift off - Rocket Loader GA is mobile!

Below, we offer a lower-level outline of how Rocket Loader actually achieves its goals.

Prehistory

Early humans looked upon Netscape 2.0, with its new ability to script HTML using LiveScript, and <BLINK>ed to ensure themselves they weren’t dreaming. They decided to use this technology, soon to be re-christened JavaScript (a story told often and elsewhere), for everything they didn’t know they needed: form input validation, image substitution, frameset manipulation, popup windows, and more. The sole requirement was a few interpreted commands enclosed in a <script> tag. The possibilities were endless.

Too Old To Rocket Load, Too Young To Die

Soon, the introduction of the src attribute allowed them to import a file full of JS into their pages. Little need to fiddle with the markup, when all the requisite JS for the page Continue reading

History Of Networking – Christian O’Flaherty – The Latin American Internet

In this episode of the History of Networking, we are joined by Christian O’Flaherty of the Internet Society to discuss the growth of the Internet in Latin America, including the unique role internet exchanges have played in the region, and the resulting connectivity patterns.

 

Christian O'Flaherty
Guest
Donald Sharp
Host
Russ White
Host

Outro Music:
Danger Storm Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0 License
http://creativecommons.org/licenses/by/3.0/

The post History Of Networking – Christian O’Flaherty – The Latin American Internet appeared first on Network Collective.

Montenegro: Learning Coding in Primary School

Although coding has yet to be upgraded from an extracurricular activity, a growing number of countries are introducing programming as part of the school syllabus. Coding is considered a new literacy that is becoming more-and-more important as technology innovation is impacting every field of human knowledge. Educators have a key role in teaching primary school children to be passionate about computer science and stimulating their imagination and spirit of competition to solve problems. Learning how to code starting in elementary school helps pupils acquire skills that will be relevant in tomorrow’s labour market and get the highest-paying entry level jobs as they become college graduates.

Motivated by a successful programming course held in 2017, the Internet Society Montenegro Chapter decided to organize a CodeWeek Java Programming and applied for the Beyond the Net Funding Programme Chapter Small Projects, an initiative intended to assist Internet Society Chapters with financial support to fund small projects such as events, learning opportunities, skill development, and networking with local entities.

“This was more than great. I had fun in every sense of that word. I would recommend this course to every friend. Can’t wait till next year!”

“I like this way of studying. Continue reading

Grand Pwning Unit: Accelerating microarchitectural attacks with the GPU

Grand Pwning Unit: Accelerating microarchitectural attacks with the GPU Frigo et al., IEEE Security & Privacy

The general awareness of microarchitectural attacks is greatly increased since meltdown and spectre earlier this year. A lot of time and energy has been spent in defending against such attacks, with a threat model that assumes attacks originate from the CPU. Frigo et al. open up an entirely new can of worms – modern SoCs contain a variety of special purpose accelerator units, chief among which is the GPU. GPUs are everywhere these days.

Unfortunately, the inclusion of these special-purpose units in the processor today appears to be guided by a basic security model that mainly governs access control, while entirely ignoring the threat of more advanced microarchitectural attacks.

I’m sure you know where this is heading…

It turns out the accelerators can also be used to “accelerate” microarchitectural attacks. Once more we find ourselves in a situation with widespread vulnerabilities. The demonstration target in the paper is a mobile phone running on the ARM platform, with all known defences, including any applicable advanced research defences, employed. Using WebGL from JavaScript, Frigo et al. show how to go from e.g. an advert Continue reading

How can web-scale networking improve your campus networks?

When you think of your ideal campus network, the term “web-scale” may not immediately come to mind. After all, the term web-scale is something you’re more likely to associate with the cloud than with your network. But you might be surprised to learn that your ideal campus network fits the definition of a web-scale network to a T.

Fundamentally, a web-scale network functions as a single unit that can grow and change on demand, without requiring hands-on reconfiguration of multiple switches or mass hardware replacement. And because it functions as a single unit, a web-scale network can also give you full visibility into the health of your network, end-to-end.

The primary way web-scale networks achieve this flexibility and visibility is by decoupling or disaggregating the hardware and the network operating system (NOS) that runs on the hardware. Since the advent of specialized hardware networking devices, the operating system and hardware have been tightly coupled together. Proprietary NOSes often have platform-independent code that runs only on specialized hardware. Because of that, upgrading to a new software version often means buying new hardware. In some cases, that may be as simple as buying additional RAM to support the new version. In more Continue reading

1 1,563 1,564 1,565 1,566 1,567 3,859