Security Requirements Are Driving Identity Management

Anyone familiar with identity management knows that it can be extremely messy – lots of tactical tools, access policies, multiple data repositories, manual processes, etc. Furthermore, user authentication continues to be anchored by user names and passwords making nearly every organization vulnerable to credentials harvesting, identity theft, and cyber attacks.These persistent IAM problems remain, even though identity management is becoming a bigger component of enterprise security. This is true because, as organizations embrace cloud and mobile computing, they lose some control over their IT infrastructure. As one CISO mentioned to me, “when we lose control in some areas we need to get better control over others as compensating controls.” To read this article in full or to leave a comment, please click here

OED Tolls: Linux “at”

Another post on Linux commands, short and simple but very useful: at. The problem As IT pros we are all comfortable with the change window concept. This window usually opens at night or during the week-end and sometimes the change actually just requires a few commands on a Linux machine. The automation The at command […]

April 2016 CCDE Bootcamp

CCDE Bootcamp – This is an Online Cisco CCDE exam preparation training. Probably you all know the success of Orhan Ergun’s CCDE Bootcamps and how it has been helping so many engineer become a better network engineer/designer. If you don’t know, please just take a tour on the website. Check the Success Stories, Why Orhan and […]

The post April 2016 CCDE Bootcamp appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

April 2016 CCDE Bootcamp

CCDE Bootcamp – This is an Online Cisco CCDE exam preparation training. Probably you all know the success of Orhan Ergun’s CCDE Bootcamps and how it has been helping so many engineer become a better network engineer/designer. If you don’t know, please just take a tour on the website. Check the Success Stories, Why Orhan and […]

The post April 2016 CCDE Bootcamp appeared first on Orhanergun.

CCIE Skill Transformation to SDN Survey

I’m conducting “CCIE Skill Transformation to SDN” survey, to capture the perceived impact of SDN & NFV to CCIEs, as well as to understand how CCIEs think about their readiness to these new technologies. The result will be presented during my session at Cisco Live Berlin (BRKSDN-4005) on 16 February 2016. Only those who have passed CCIE lab can participate in the survey (regardless of your current CCIE status e.g. inactive or Emeritus). The information you provide is confidential and will not be disclosed as individual answer. No personal data will be exposed and shared to any parties. Thank you in advance for your support
https://www.surveymonkey.com/r/ccie-to-sdn

Oracle is planning to kill an attacker’s favorite: the Java browser plug-in

Oracle will retire the Java browser plug-in, frequently the target of Web-based exploits, about a year from now. Remnants, however, will likely linger long after that."Oracle plans to deprecate the Java browser plugin in JDK 9," the Java Platform Group said in a blog post Wednesday. "This technology will be removed from the Oracle JDK and JRE in a future Java SE release."The Java Development Kit (JDK) 9, the reference implementation for the next version of Java SE, is expected to reach general availability in March 2017. By then, however, most modern browsers will no longer accept the Java browser plug-in anyway.To read this article in full or to leave a comment, please click here

Help! My Boss is Scared of Automation!!!

A reader asked “What can I do if my boss won’t let me automate my tasks?” Sadly some people still have a fear of automating even common, well-understood tasks. They’re worried about automation run amok. They think it’s safer to have a human typing in commands. But you know better. Humans have a place. But that place is not executing the same sequence of steps, over and over.

You need to prepare for change. Continuing to do repetitive tasks manually does not have a future. Either your boss will have a change of heart, or you’re going to change jobs. You have to prepare yourself for either eventuality. Here’s some thoughts on what to do.

Just Do It

First option: Just do it. Don’t bother asking, just get on with automating things you do often. You should be doing this anyway.

Last year we heard the story of a Russian hacker that had taken automation a little further than usual, with gems such as:

  • kumar-asshole.sh – scans the inbox for emails from “Kumar” (a DBA at our clients). Looks for keywords like “help”, “trouble”, “sorry” etc. If keywords are found – the script SSHes into the clients server and rolls back Continue reading

Google’s VirusTotal now picks out suspicious firmware

Google's VirusTotal service has added a new tool that analyzes firmware, the low-level code that bridges a computer's hardware and operating system at startup.Advanced attackers, including the U.S. National Security Agency, have targeted firmware as a place to embed malware since it's a great place to hide. Since antivirus programs "are not scanning this layer, the compromise can fly under the radar," wrote Francisco Santos, an IT security engineer with VirusTotal, in a blog post on Wednesday.Also, malware hidden in firmware often can't be easily erased and can survive reboots and fresh installs of an OS, Santos wrote.To read this article in full or to leave a comment, please click here

Big Switch Meets Ansible

Big Switch offers on demand labs to get instant access to Big Cloud Fabric (BCF) and Big Monitoring Fabric (BMF). Using these labs, it’s quite easy to experience the products first hand and see what they are all about. The labs also come with lab guides that walk you through step-by-step on how to get started using BMF and BCF.

For me, one of the more appealing aspects of these labs is that Big Switch also exposes the APIs such that you can access them directly from your personal machine. This makes it possible to not only test the product, but also test the API on each controller platform (BMF and BCF).

The best part is, you don’t even need to use any docs because they offer a command that shows the API calls being made by certain show commands.

controller> debug rest
***** Enabled display rest mode *****
REST-SIMPLE: GET http://127.0.0.1:8080/api/v1/data/controller/core/controller/role
controller>

Like the output from a show version? Ensure debug rest is enabled, and then just issue the command to grab the APIs being called to generate the text output on the CLI.

controller> show version
REST-SIMPLE: GET http://127.0.0.1:8080/api/v1/data/controller/core/version/appliance
REST-SIMPLE: http://127.0. Continue reading

Yubikey 4 for SSH with physical presence proof

This is another post in the series of how to protect SSH keys with hardware, making them impossible to steal.

This means that you know that your piece of hardware (e.g. Yubikey or TPM inside your laptop) was actively involved in the transaction, and not, say, turned off and disconnected from the Internet at the time (like in a safe or on an airplane).

What’s new this time is that we can now have a physical presence test on every use of the key. That means that even if someone hacks your workstation completely and installs a keylogger to get your PIN, unless they also break into your home they can’t use the key even while the machine is on and connected. Evil hackers in another country are out of luck.

Intro

Most of this is a repeat of official docs (see references).

If it looks like a command is hanging, check to see if the Yubikey is flashing. If it is, then touch it.

The touch feature is optional. If you don’t want a key to require it, you can chose to generate a key that doesn’t.

Install yubico-c, ykpersonalization, and yubico-piv-tool

sudo apt-get install help2man gengetopt libtool  Continue reading

Using Docker with macvlan Interfaces

In this post, I’m going to show you how to use macvlan interfaces with Docker for networking. The use of macvlan interfaces presents an interesting networking configuration for Docker containers that may (depending on your use case) address issues with the standard Linux bridge configuration.

Macvlan interfaces, if you’re unfamiliar with them, are a (somewhat) recent addition to the Linux kernel that enables users to add multiple MAC address-based logical interfaces to a single physical interface. These logical interfaces must reside in the same broadcast domain as the associated physical interface, which means that Docker containers attached to macvlan interfaces also will be in the same broadcast domain as the associated physical interface. In other words, the Docker containers will be on the same network as the host—no IPTables rules, no Linux bridge, just attached directly to the host’s network. This introduces some interesting possibilities (and potential challenges), but I’ll save that discussion for a future post.

Right now, macvlan supported is implemented via an unsupported Docker Network plugin hosted on GitHub. However, I suspect that the macvlan functionality found in this plugin will find its way into the core of Docker Network, and probably sooner rather than later.

You’ll Continue reading

1 3,085 3,086 3,087 3,088 3,089 3,763