Yubikey 4 for SSH with physical presence proof

This is another post in the series on protecting SSH keys with hardware, so that the private key can never be copied off the device.

Because the key never leaves the hardware, every signature is proof that the device (a Yubikey, or the TPM inside your laptop) was present and actively involved in that transaction; it cannot have been sitting powered off and disconnected from the Internet at the time, say in a safe or on an airplane.

What’s new this time is that we can now have a physical presence test on every use of the key. That means that even if someone hacks your workstation completely and installs a keylogger to get your PIN, unless they also break into your home they can’t use the key even while the machine is on and connected. Evil hackers in another country are out of luck.

Intro

Most of this is a repeat of official docs (see references).

If it looks like a command is hanging, check to see if the Yubikey is flashing. If it is, then touch it.

The touch feature is optional. If you don’t want a key to require it, you can choose to generate one that doesn’t.

Install yubico-c, ykpersonalization, and yubico-piv-tool

sudo apt-get install help2man gengetopt libtool
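The provisioning step the post is heading towards, as an added example (this is not code from the original post or from Yubico): generate a PIV key in slot 9a whose touch policy is "always", put a self-signed certificate in the slot so the PKCS#11 modules can see the key, and convert the PEM public key that yubico-piv-tool writes out into an authorized_keys line. Everything beyond the page is an assumption: that yubico-piv-tool is installed and accepts the action names and the --touch-policy / --pin-policy options used here (they are its documented ones), that the management key and PIN are typed at the tool's own prompts, and that the key is RSA, the tool's default. The sample PEM used to exercise the converter is constructed in the block itself.

```python
"""Added example, not code from the original post or from Yubico.

Provisions a PIV key on a YubiKey 4 that demands a touch for every
signature, then turns the PEM public key that yubico-piv-tool writes out
into an authorized_keys line.

Assumptions, not stated on the page: yubico-piv-tool is on PATH and takes
the action names and --touch-policy / --pin-policy options used below;
the management key and PIN are typed at the tool's own prompts; the
generated key is RSA, the tool's default algorithm.
"""
import base64
import subprocess
import sys

TOUCH_POLICIES = ("never", "always", "cached")   # cached: one touch covers 15 s
PIN_POLICIES = ("never", "once", "always")
RSA_OID = bytes.fromhex("2a864886f70d010101")     # 1.2.840.113549.1.1.1


def provisioning_commands(slot="9a", touch="always", pin="once",
                          pub="public.pem", cert="cert.pem",
                          subject="/CN=SSH key with touch/"):
    """yubico-piv-tool invocations, in order, for one slot.

    touch="always" is the point of the post: every signature blocks until the
    key is touched, so a PIN captured by a keylogger is useless on its own.
    """
    if touch not in TOUCH_POLICIES or pin not in PIN_POLICIES:
        raise ValueError("unknown policy")
    return [
        ["yubico-piv-tool", "-a", "generate", "-s", slot,
         "--touch-policy=" + touch, "--pin-policy=" + pin, "-o", pub],
        # The PKCS#11 modules find a key through the certificate in its slot,
        # so self-sign one. That is itself a signature: with touch=always the
        # key blinks here and waits for a touch.
        ["yubico-piv-tool", "-a", "verify-pin", "-a", "selfsign-certificate",
         "-s", slot, "-S", subject, "-i", pub, "-o", cert],
        ["yubico-piv-tool", "-a", "import-certificate", "-s", slot, "-i", cert],
    ]


def _der_tlv(data, pos):
    """Decode one DER TLV at data[pos:]; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _der_children(value):
    """Split a constructed DER value into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _der_tlv(value, pos)
        out.append((tag, val))
    return out


def _der_enc(tag, value):
    """Encode one DER TLV (used only to build the constructed sample key)."""
    n = len(value)
    if n >= 0x80:                           # long-form, minimal length bytes
        k = (n.bit_length() + 7) // 8
        return bytes([tag, 0x80 | k]) + n.to_bytes(k, "big") + value
    return bytes([tag, n]) + value


def _int_bytes(x):
    """Big-endian bytes of x, with a leading 0x00 if the top bit is set."""
    return x.to_bytes((x.bit_length() + 8) // 8, "big")


def sample_rsa_spki_pem(n, e):
    """Constructed sample input: a PEM SubjectPublicKeyInfo for (n, e)."""
    key = _der_enc(0x30, _der_enc(0x02, _int_bytes(n)) + _der_enc(0x02, _int_bytes(e)))
    alg = _der_enc(0x30, _der_enc(0x06, RSA_OID) + _der_enc(0x05, b""))
    spki = _der_enc(0x30, alg + _der_enc(0x03, b"\x00" + key))
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PUBLIC KEY-----\n" + body + "\n-----END PUBLIC KEY-----\n"


def _ssh_string(b):                          # OpenSSH wire string: len32 + bytes
    return len(b).to_bytes(4, "big") + b


def _ssh_mpint(x):                           # OpenSSH mpint: string of int bytes
    return _ssh_string(_int_bytes(x))


def rsa_spki_to_ssh(pem, comment="yubikey-9a-touch"):
    """Convert the PEM that `-a generate -o` wrote into an ssh-rsa line."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    tag, top, _ = _der_tlv(base64.b64decode(body), 0)
    if tag != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo")
    (_, _alg), (bit_tag, bits) = _der_children(top)   # AlgorithmIdentifier, BIT STRING
    if bit_tag != 0x03 or bits[0] != 0:
        raise ValueError("unexpected public key encoding")
    _, key, _ = _der_tlv(bits, 1)                     # RSAPublicKey SEQUENCE
    (_, n_bytes), (_, e_bytes) = _der_children(key)
    n, e = int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def main(argv):
    """`python3 provision.py run` talks to the key; anything else only prints."""
    run = argv[1:] == ["run"]
    for cmd in provisioning_commands():
        print(" ".join(cmd))
        if run:
            subprocess.run(cmd, check=True)
    if run:
        with open("public.pem") as f:
            print(rsa_spki_to_ssh(f.read()))


if __name__ == "__main__":
    main(sys.argv)
```

Once the certificate is in the slot, `ssh-keygen -D <pkcs11 module>` prints the same public key and `ssh-add -s <pkcs11 module>` loads it into the agent; which module (ykcs11 or OpenSC) and where it lives depends on your distribution and is not given on this page. With touch=always, every `ssh` connection that uses the key will appear to hang until the Yubikey is touched, exactly as the intro warns.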

Using Docker with macvlan Interfaces

In this post, I’m going to show you how to use macvlan interfaces with Docker for networking. The use of macvlan interfaces presents an interesting networking configuration for Docker containers that may (depending on your use case) address issues with the standard Linux bridge configuration.

Macvlan interfaces, if you’re unfamiliar with them, are a (somewhat) recent addition to the Linux kernel that enables users to add multiple MAC address-based logical interfaces to a single physical interface. These logical interfaces must reside in the same broadcast domain as the associated physical interface, which means that Docker containers attached to macvlan interfaces also will be in the same broadcast domain as the associated physical interface. In other words, the Docker containers will be on the same network as the host—no iptables rules, no Linux bridge, just attached directly to the host’s network. This introduces some interesting possibilities (and potential challenges), but I’ll save that discussion for a future post.

Right now, macvlan support is implemented via an unsupported Docker Network plugin hosted on GitHub. However, I suspect that the macvlan functionality found in this plugin will find its way into the core of Docker Network, and probably sooner rather than later.

You’ll

Big Switch Meets Ansible

Big Switch offers on demand labs to get instant access to Big Cloud Fabric (BCF) and Big Monitoring Fabric (BMF). Using these labs, it’s quite easy to experience the products first hand and see what they are all about. The labs also come with lab guides that walk you through step-by-step on how to get started using BMF and BCF.

For me, one of the more appealing aspects of these labs is that Big Switch also exposes the APIs such that you can access them directly from your personal machine. This makes it possible to not only test the product, but also test the API on each controller platform (BMF and BCF).

The best part is, you don’t even need to use any docs because they offer a command that shows the API calls being made by certain show commands.

controller> debug rest
***** Enabled display rest mode *****
REST-SIMPLE: GET http://127.0.0.1:8080/api/v1/data/controller/core/controller/role
controller> 

Like the output from a show version? Ensure debug rest is enabled, and then just issue the command to grab the APIs being called to generate the text output on the CLI.

controller> show version
REST-SIMPLE: GET http://127.0.0.1:8080/api/v1/data/controller/core/version/appliance
REST-SIMPLE: http://127.0.
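Since the value of `debug rest` is that it hands you the exact API calls, the natural next step is to scrape them and issue them yourself from your own machine. The following is an added example, not code from the post or from Big Switch: it parses the `REST-SIMPLE:` lines quoted above (pasted in as a constructed sample) into (method, path) pairs and replays them against a controller. Assumptions not on the page: the controller answers plain HTTP on port 8080 as the echoed URLs show, responses are JSON, and whatever authentication the lab requires (a session cookie, for instance) is passed in by the caller as extra headers; the controller hostname is a placeholder.

```python
"""Added example, not code from the post or from Big Switch.

Harvest the REST calls that `debug rest` echoes on the controller CLI and
replay them from your own machine.

Assumptions: the controller answers plain HTTP on port 8080 as the echoed
URLs show; any authentication the lab requires (a session cookie, say) is
supplied by the caller as extra headers and not handled here; bodies are JSON.
"""
import json
import re
import urllib.request

# Constructed sample: the CLI lines quoted in the post, pasted into a string.
DEBUG_OUTPUT = """\
controller> show version
REST-SIMPLE: GET http://127.0.0.1:8080/api/v1/data/controller/core/version/appliance
REST-SIMPLE: GET http://127.0.0.1:8080/api/v1/data/controller/core/controller/role
controller>
"""

REST_LINE = re.compile(r"^REST-SIMPLE:\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")
HOST_PREFIX = re.compile(r"^https?://[^/]+")   # the CLI talks to loopback; we won't


def harvest(debug_text):
    """Return [(method, path)] in CLI order, without repeats, host stripped."""
    calls = []
    for line in debug_text.splitlines():
        m = REST_LINE.match(line.strip())
        if m:
            call = (m.group("method"), HOST_PREFIX.sub("", m.group("url")))
            if call not in calls:
                calls.append(call)
    return calls


def replay(calls, base="http://controller.example:8080", headers=None, timeout=10):
    """Issue each harvested call against `base`; return {path: decoded JSON}.

    `base` is a placeholder; point it at the lab controller's address and pass
    the lab's auth header(s) in `headers`.
    """
    results = {}
    for method, path in calls:
        req = urllib.request.Request(base + path, method=method, headers=headers or {})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            results[path] = json.load(resp)
    return results


if __name__ == "__main__":
    for method, path in harvest(DEBUG_OUTPUT):
        print(method, path)
```

Run it with the whole `debug rest` session on stdin or in a file and you have an ordered list of everything a show command touches, which is a convenient way to build a read-only inventory of the controller API before writing any automation against it.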

Make Like A Tree And Branch Out

Alright, so you’ve decided to branch out and you may be wondering what else you can do to help things along. You can always try your friendly neighborhood blog or message board, but there’s always the problem of whether or not you’re getting good information. You should also check to see if your company has […]

The post Make Like A Tree And Branch Out appeared first on Packet Pushers.

Forget Super Bowl 50: Let’s crown the cabling Installer of the Year!

There will be bonding. There will be splicing. And there will be firestopping. Yes, it’s time to roll up your sleeves, de-fog your goggles, climb your ladder and get ready for the 9th annual BICSI Cabling Skills Challenge next week in Orlando, where the Installer of the Year will be crowned and awarded a $5K prize (not to mention a towering trophy). This will definitely beat the NFL’s Pro Bowl as a competition fix during the seemingly endless lead-up to Super Bowl 50 on Feb. 7. The Installer of the Year needs to be versatile, good with his or her hands, and smart to boot.

User behavior analytics is key to identifying nefarious use of insider credentials

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach. Almost all data breaches involve use of legitimate logon credentials. Guarding against these “insider threats” requires the ability to detect when cybercriminals are using stolen credentials. Sadly, traditional network security tools are not effective in identifying or mitigating these threats. However, a new breed of user behavior analytics solutions has been designed for this specific purpose and is proving effective. The expression “insider threat” usually conjures up images of rogue employees or criminally minded contractors or business partners that are authorized to access company data. But the term is also used in a much broader sense to mean any threat or attack that abuses the logon credentials or privileges of legitimate employees or other insiders.

Juniper Networks Reports Preliminary Fourth Quarter and Fiscal Year 2015 Financial Results

SUNNYVALE, CA–(Marketwired – January 27, 2016) – Juniper Networks, the industry leader in network innovation, today reported preliminary financial results for the three months and twelve months ended Dec. 31, 2015 and provided its outlook for the three months ending March 31, 2016. Net revenues for the fourth quarter of 2015 were $1,319.6 million, an...

VMware, Cisco SDNs Bring Home the Bacon

In the scramble for SDN supremacy, Cisco and VMware usually bark about users who opt for one of their solutions over the other. In all the noise, it’s rare to hear from one that plans to implement both. But that’s what SugarCreek, a $650 million, privately-held food processing and packing company based in Washington Court House, OH, is doing in its software-defined data centers (SDDC). VMware’s NSX network virtualization software will be used to secure and automate the VMware-virtualized server environment, while Cisco’s Application Centric Infrastructure (ACI) will be deployed to manage the physical network infrastructure.

New Android ransomware uses clickjacking to gain admin privileges

File-encrypting ransomware applications that target Android devices are becoming increasingly sophisticated. One new such program is using clickjacking techniques to trick users into granting it administrator privileges.

Clickjacking is a method that involves manipulating the user interface in a way that allows attackers to hijack users' clicks and trigger unauthorized actions. It is mostly used in Web-based attacks, where various technologies allow creating invisible buttons and positioning them on top of seemingly harmless page elements.

Due to the restrictive application permissions system in Android, ransomware apps targeting the OS have historically been less effective than on Windows. For example, many of the early Android ransomware threats only displayed a persistent window on the screen with an alert intended to scare users into paying fictitious fines. Most of them impersonated law enforcement agencies and claimed that the devices were locked because illegal content was found on them.

Net ring-buffers are essential to an OS

Even by OpenBSD standards, this rejection of 'netmap' is silly and clueless.

BSD is a Unix-like operating system that powers a lot of the Internet, from Netflix servers to your iPhone. One variant of BSD focuses on security, called "OpenBSD". A lot of security-related projects get their start on OpenBSD. In theory, it's for those who care a lot about security. In practice, virtually nobody uses it, because it makes too many sacrifices in the name of security.

"Netmap" is a user-space network ring-buffer. What that means is the hardware delivers network packets directly to an application, bypassing the operating system's network stack. Netmap currently works on FreeBSD and Linux. There are projects similar to this known as "PF_RING" and "Intel DPDK".

The problem with things like netmap is that it means the network hardware no longer is a shareable resource, but instead must be reserved for a single application. This violates many principles of a "general purpose operating system".

In addition, it ultimately means that the application is going to have to implement its own TCP/IP stack. That means it's going to repeat all the same mistakes of the past, such as "ping of death" when a

Cisco Merging IOS-XE Code Trains

Reliable sources tell me that Cisco is undergoing a huge internal transformation now that Chuck Robbins is in charge. I haven’t been able to see any evidence of this transformation and have been wondering when customers would see the results. Cisco Enterprise was presenting at Network Field Day 11 and this particular presentation from Cisco Enterprise […]

The post Cisco Merging IOS-XE Code Trains appeared first on EtherealMind.