Flexible, secure SSH with DNSSEC

Flexible, secure SSH with DNSSEC

If you read this blog on a regular basis, you probably use the little tool called SSH, especially its ubiquitous and most popular implementation OpenSSH.

Maybe you’re savvy enough to only use it with public/private keys, and therefore protect yourself from dictionary attacks. If you do then you know that in order to configure access to a new host, you need to make a copy of a public key available to that host (usually by writing it to its disk). Managing keys can be painful if you have many hosts, especially when you need to renew one of the keys. What if DNSSEC could help?

Flexible, secure SSH with DNSSEC CC BY 2.0 image by William Neuheisel

With version 6.2 of OpenSSH came a feature that allows the remote host to retrieve a public key in a customised way, instead of the typical authorized_keys file in the ~/.ssh/ directory. For example, you can gather the keys of a group of users that require access to a number of machines on a single server (for example, an LDAP server), and have all the hosts query that server when they need the public key of the user attempting to log in. This saves Continue reading

CCDE – MPLS-TE Auto Tunnels

This post will briefly discuss the challenges of manually setting up MPLS-TE tunnels and how Auto Tunnels can lessen the burden of MPLS-TE tunnels.

One of the main challenges with traffic engineering and MPLS-TE is the number of tunnels that will be needed. To setup tunnels between all PE’s may not be a scalable solution. For a provider with 200 PE’s, 199 tunnels would have to be configured on each PE and that is if only one traffic class is used. This would mean that 39800 tunnels would be present in the network. If you then want to add a tunnel for voice at each PE you end up with 398 tunnels per PE and a total of 79600 tunnels.

Another option is to enable tunnels only on the P routers. If the number of P routers are 20, then each P router would need 19 tunnels and we would have 380 tunnels in total or 760 if adding an extra tunnel for voice. This is a much more reasonable number. It would require to enable LDP over the tunnels if MPLS L3VPNs are in use to have an end to end LSP. With the P to P tunnels we Continue reading

Doing right in the VAR role!

This post is my follow-up on a recent discussion on twitter.

Working for a VAR (Value Added Reseller) is not always the glamours life some make it out to be.

Working as a consultant, what you are really doing, is being the CEO of your own service company.
What you are selling, is basically your own services. The fact that your paycheck is being signed by someone else doesnt/shouldnt really matter.

The customer is building a relationship with you, as much as the company you are working for.
On top of that, you are continually building rapor in the networking world, so in my opinion, I would rather leave the customer with a good solution, rather than having to stick with the insane budgets that sales people end up shaving a project down to, just to get the contract.

So what can you do to create the outcome that is beneficial for all parties concerned (The customer, Your employer and yourself)?

Well, what I have tried in the past, is try and emphasize the importance of leaving the customer with the right solution based on his/her requirements and constraints. This discussion should involve both the technical side of things, as Continue reading

Upcoming Events: Troopers 2016

Last autumn’s SDN roadtrip left me totally exhausted – at the moment it’s so bad that I can’t push myself to work on non-urgent things – but there are some conferences are that so awesome that I wouldn’t skip them no matter what.

Troopers 16 (March 14th – 18th in Heidelberg, Germany) is a must-go-to security conference. Past events were fantastic, and when Enno Rey asked me what I’d like to talk about this year it wasn’t hard to come up with three interesting topics:

Read more ...

EFF says Cisco shouldn’t get off the hook for torture in China

Cisco Systems built a security system for the Chinese government knowing it would be used to track and persecute members of the Falun Gong religious minority, according to the Electronic Frontier Foundation technology rights group.Falun Gong practitioners alleged the same thing in a lawsuit that a federal judge in Northern California dismissed in 2014. That case is being appealed, and on Monday the EFF, Privacy International and free-speech group Article 19 filed a brief that supports the appeal.The case highlights the risks technology companies take by selling software and hardware to customers around the world. Some of those customers may use the technology in ways that raise objections in other countries, creating legal problems or just tarnishing a vendor's reputation.To read this article in full or to leave a comment, please click here

EFF says Cisco shouldn’t get off the hook for torture in China

Cisco Systems built a security system for the Chinese government knowing it would be used to track and persecute members of the Falun Gong religious minority, according to the Electronic Frontier Foundation technology rights group.Falun Gong practitioners alleged the same thing in a lawsuit that a federal judge in Northern California dismissed in 2014. That case is being appealed, and on Monday the EFF, Privacy International and free-speech group Article 19 filed a brief that supports the appeal.The case highlights the risks technology companies take by selling software and hardware to customers around the world. Some of those customers may use the technology in ways that raise objections in other countries, creating legal problems or just tarnishing a vendor's reputation.To read this article in full or to leave a comment, please click here

Android malware steals one-time passcodes

One-time passcodes, a crucial defense for online banking applications, are being intercepted by a malware program for Android, according to new research from Symantec.The malware, called Android.Bankosy, has been updated to intercept the codes, which are part of so-called two-factor authentication systems.Many online banking applications require a login and password plus a time-sensitive code in order to gain access. The one-time passcode is sent over SMS but also can be delivered via an automated phone call.Some banks have moved to call-based delivery of passcodes. In theory, that provides better security since SMS messages can be intercepted by some malware, wrote Dinesh Venkatesan of Symantec in a blog post on Tuesday.To read this article in full or to leave a comment, please click here

Robotic falconry to foil unwanted drones

Described as “Robotic Falconry”, a new way to deal with drones that need to be removed from the air has been demonstrated by Michigan Tech. What’s so neat about this solution to controlling unwanted drones in your airspace is that the system, which uses a net that is fired at the target drone from another drone, snags the intruder and then hauls it away to a secure area so that any payload (for example, drugs or explosives)  can be dealt with. Here's the system in testing:To read this article in full or to leave a comment, please click here

Seven weeks later, here’s your Cisco UCS password!

This might be up there with the cable connector boot that hit the reset button on Cisco switches…For seven weeks, Cisco’s been shipping UCS servers with a default password unknown to its systems administration customers, the company said in a field notice posted yesterday. The Register was first to report on the situation.The default password when initially configuring these servers is supposed to be “password.” But Cisco changed that to “Cisco1234” back in November, apparently without telling customers.To read this article in full or to leave a comment, please click here

Patch Tuesday: Microsoft released 9 security updates, 6 rated critical, 7 for RCE

To start off 2016 Patch Tuesdays, Microsoft released nine security bulletins, six of which are rated as critical and seven resolve remote code execution vulnerabilities.While that many RCEs don’t set any records, Bobby Kuzma, CISSP, systems engineer at Core Security, said, “It still distresses me. Web browsers are not safe, and everyone should be using some kind of content filtering on their networks. It's like wearing a seat belt. Just do it.”Rated criticalFirst up is MS16-001, the cumulative fix for flaws in Internet Explorer which an attacker could exploit to gain remote code execution and have the same rights as the user. The patch is meant to modify how VBScript handles objects in memory and to help ensure that cross-domain policies are properly enforced in Internet Explorer.To read this article in full or to leave a comment, please click here

Wall Street Technology Association introduces its board

The Wall Street Technology Association, which provides a forum for financial industry technology professionals, vendors, service providers, and consultants learn from one another, has introduced its board of directors for the new year.Having been around since 1967, the group is one of the oldest organizations catering to IT professionals, so we figure it's a good thing to give those volunteering as leaders to get a bit of attention. Here's the board:*President : James Kostulias, Chief Information Officer, TD Ameritrade To read this article in full or to leave a comment, please click here

Will your car become a mini-data center? IBM thinks that’s just the beginning

In the not too distant future many consumers expect autonomous, self-driving cars that repair problems without human intervention, implement cognitive computing to adapt the car to a particular driver’s behaviors and react to the vehicle’s environment.Those are at least some of the conclusions gleaned from IBM’s “Auto 2025: A New Relationship – People and Cars” research involving 16,000 global consumers who were asked how they expect to use vehicles in the next ten years.+More on Network World: 20 years ago: Hot sci/tech images from 1995+To read this article in full or to leave a comment, please click here

Will your car become a mini-data center? IBM thinks that’s just the beginning

In the not too distant future many consumers expect autonomous, self-driving cars that repair problems without human intervention, implement cognitive computing to adapt the car to a particular driver’s behaviors and react to the vehicle’s environment.Those are at least some of the conclusions gleaned from IBM’s “Auto 2025: A New Relationship – People and Cars” research involving 16,000 global consumers who were asked how they expect to use vehicles in the next ten years.+More on Network World: 20 years ago: Hot sci/tech images from 1995+To read this article in full or to leave a comment, please click here

1 3,153 3,154 3,155 3,156 3,157 3,809