“Split and smear” your security policies: Static Unidimensional vs. Dynamic Multi-Dimensional Policies

In my previous post I explained why current security architectures aiming at inspecting all inline traffic via hardware appliances are failing to provide proper segmentation and scale in modern day data centers.  As I described, this has nothing to do with the type of security technology being deployed but rather with engineering security services that can answer the requirements of scale, high bandwidth, micro-segmentation and distributed applications.

We have to remind ourselves why we are having these architectural discussions: the application and service landscape has been virtualized, generally in excess of 70%, while entertaining any cloud solution will force you down the path of moving to 100% virtualization.  Yes, there are still physical servers and legacy applications to which we will extend security services to.  But instead of being the norm, we now have to consider their place in the overall architecture as exceptions and design security and networking services around what makes up the bulk of the workloads, i.e. virtualized applications in the form of VMs and containers.

With this understanding, let’s discuss how years of deploying hardware security architectures have boxed us in a complex unidimensional, sequential approach to security policies and how we can now move beyond this implementation scheme with virtualization and the proper software tools. Continue reading

Pim Sparse Mode

Pim sparse mode – Multicast is used to send the data to the multiple receivers at the same time. Multicast reduces the load on the servers (Senders/Source in multicast term), provides efficient capacity usage on the network links. Figure – 1 Unicast vs Multicast Flows Multicast runs on top of UDP. Multicast uses Class D […]

The post Pim Sparse Mode appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

Pim Sparse Mode

Pim sparse mode – Multicast is used to send the data to the multiple receivers at the same time. Multicast reduces the load on the servers (Senders/Source in multicast term), provides efficient capacity usage on the network links. Figure – 1 Unicast vs Multicast Flows Multicast runs on top of UDP. Multicast uses Class D […]

The post Pim Sparse Mode appeared first on Orhanergun.

Apple wants government to form commission over FBI demand

Apple CEO Tim Cook has asked the U.S. government to withdraw its court action demanding tools that will allow the FBI to hack the passcode of an iPhone, and instead set up a commission of tech, intelligence and civil liberties experts to discuss "the implications for law enforcement, national security, privacy and personal freedoms.""We have done everything that’s both within our power and within the law to help in this case. As we’ve said, we have no sympathy for terrorists," Cook said in an email Monday to Apple employees. Apple said it would gladly participate in the commission.The FBI has sought help from Apple for a workaround to the auto-erase function in an iPhone 5c, running iOS 9, which was used by Syed Rizwan Farook, one of the terrorists involved in the San Bernardino, California, attack on Dec. 2. The FBI is concerned that without this workaround from Apple it could accidentally erase data, while trying to break the passcode by "brute force" techniques.To read this article in full or to leave a comment, please click here

New products of the week 2.22.2016

New products of the weekOur roundup of intriguing new products. Read how to submit an entry to Network World's products of the week slideshow.Skytap Provider for VagrantKey features: The Skytap Vagrant plugin provides a common interface for all Vagrant resources, and offers software engineering teams the ability to instantly synchronize a local development stack with on-demand cloud-based environments. More info.To read this article in full or to leave a comment, please click here

New products of the week 2.22.2016

New products of the weekOur roundup of intriguing new products. Read how to submit an entry to Network World's products of the week slideshow.Skytap Provider for VagrantKey features: The Skytap Vagrant plugin provides a common interface for all Vagrant resources, and offers software engineering teams the ability to instantly synchronize a local development stack with on-demand cloud-based environments. More info.To read this article in full or to leave a comment, please click here

The disingenuous question (FBIvApple)

I need more than 140 characters to respond to this tweet:

It's an invalid question to ask. Firstly, it's asking for the emotional answer, not the logical answer. Secondly, it's only about half the debate, when the FBI is on your side, and not against you.


The emotional question is like ISIS kidnappings. Logically, we know that the ransom money will fund ISIS's murderous campaign, killing others. Logically, we know that paying this ransom just encourages more kidnappings of other people -- that if we stuck to a policy of never paying ransoms, then ISIS would stop kidnapping people.

If it were my loved ones at stake, of course I'd do anything to get them back alive and healthy, including pay a ransom. But at the same time, logically, I'd vote for laws to stop people paying ransoms. In other words, I'd vote for laws that I would then happily break should the situation ever apply to me.

Thus, the following question has no meaning in a policy debate over paying Continue reading

Comey says the FBI doesn’t want to break anyone’s encryption

FBI Director James Comey claims the agency doesn't want to break anyone’s encryption or set loose a master key to devices like the iPhone.The comment Sunday by Comey on Lawfare Blog comes as both Apple and the government last week appeared to have pulled out all the stops to defend their stands on an FBI demand in a court that Apple provide the technology to help the agency crack the passcode of a locked iPhone 5c used by Syed Rizwan Farook, one of the terrorists involved in the attack in San Bernardino, California, on Dec. 2.The FBI is concerned that without the workaround from Apple, it could accidentally erase data, while trying to break the passcode, because of the possible activation on the phone after 10 failed tries of an auto-erase feature. “We simply want the chance, with a search warrant, to try to guess the terrorist's passcode without the phone essentially self-destructing and without it taking a decade to guess correctly,” Comey wrote.To read this article in full or to leave a comment, please click here

Source code for powerful Android banking malware is leaked

The source code for a powerful Android malware program that steals online banking credentials has been leaked, according to researchers with IBM.The malware family is known by several names, including GM Bot, Slempo, Bankosy, Acecard, Slempo and MazarBot. GM Bot has been sold on underground hacking forums for around US$500. But it appears someone who bought the code then leaked it on a forum in December, perhaps to increase his standing, wrote Limor Kessem, a cybersecurity analyst with IBM Trusteer.The person included an encrypted archive file containing the source code of GM Bot, according to Kessem.To read this article in full or to leave a comment, please click here

CloudFlare DDoS Mitigation Pipeline

The Usenix Enigma 2016 talk from Marek Majkowski describes CloudFlare's automated DDoS mitigation solution. CloudFlare provides reverse proxy services for millions of web sites and their customers are frequently targets of DDoS attacks. The talk is well worth watching in its entirety to learn about their experiences.
Network switches stream standard sFlow data to CloudFlare's "Gatebot" Reactive Automation component, which analyzes the data to identify attack vectors. Berkeley Packet Filter (BPF) rules are constructed to target specific attacks and apply customer specific mitigation policies. The rules are automatically installed in iptables firewalls on the CloudFlare servers.
The chart shows that over a three month period CloudFlare's mitigation system handled between 30 and 300 attacks per day.
Attack volumes mitigated regularly hit 100 million packers per second and reach peaks of over 150 million packets per second. These large attacks can cause significant damage and automated mitigation is critical to reducing their impact.

Elements of the CloudFlare solution are readily accessible to anyone interested in building DDoS mitigation solutions. Industry standard sFlow instrumentation is widely supported by switch vendors. Download sFlow-RT analytics software and combine real-time DDoS detection with business policies to automate mitigation actions. A number of DDoS mitigation examples are Continue reading

Attackers hack Linux Mint website to add ISO with backdoor

“I’m sorry I have to come with bad news,” wrote Clement Lefebvre, head of the Linux Mint project, before announcing Linux Mint suffered an intrusion; on February 20, “hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it.”It’s not all Linux Mint, ranked by DistroWatch as the most popular Linux distribution for the last year, that were affected, but only the ISO for Linux Mint 17.3 Cinnamon edition downloaded from the site on Saturday. Lefebvre noted that other ISO releases downloaded from the site on Feb. 20 as well as the Cinnamon edition ISOs downloaded via torrents or a direct HTTP link should not be affected.To read this article in full or to leave a comment, please click here

Cisco Live 2016 Europe

Hi CLEUR! This year, for the fourth year in a row, I’ve attended Cisco Live Europe. I’ve earned the “Netvet” status, that means my name was on the wall before the keynote, ain’t that great? ;-) Aesthetics apart, this year’s event was the biggest I’ve attended so far, twelve thousands people in a huge venue […]
1 3,141 3,142 3,143 3,144 3,145 3,853