Juniper NetScreen firewall should be patched now

The Internet Storm Center has upgraded its warning about the corruption of Juniper ScreenOS firewalls to yellow, which means it’s imperative to patch them today, literally, given that details on how to exploit the flaws has been published and that it’s a holiday week when applying firewall patches can be easily overlooked. According to the ISC warning, the upgraded yellow warning was made because Juniper’s NetScreen firewalls are popular and that the “'backdoor’ password is now known, and exploitation is trivial at this point,” and for most businesses, this “being a short week for many of us, addressing this issue today is critical.”To read this article in full or to leave a comment, please click here

Gartner Data Center, Infrastructure and Operations Management Conference

I had the opportunity to attend this year’s Gartner Data Center Infrastructure and Operations Management Conference in Las Vegas December 7th – 10th.  The sessions were very informative, providing insight into both high-level trends and tactical topics, including bimodal IT, cloud (both public and private) and converged/ hyperconverged infrastructure. I leveraged Twitter at the conference as a means of taking, and sharing, copious notes (@RobertNoel3). Here’s a look at the conference’s main themes:

Bimodal IT:

Bimodal IT is a topic that Gartner has been discussing at length in recent years. The concept of bimodal IT is that organizations need to behave in two modes simultaneously (mode1 and mode 2). According to Ray Paquet, Managing VP at Gartner, mode 1 is predictable where orders are taken from customers of IT and delivered upon.  This is the process of “keeping the lights on” and supporting legacy tools and processes. Mode 2 is exploratory where new tools and processes are considered hand-in-hand with customers of IT.  Mode 2 is all about moving fast and taking risks as a means to support the agility required for the next generation of IT. As a metaphor, Paquet described mode 1 Continue reading

Google joins Mozilla, Microsoft in pushing for early SHA-1 crypto cutoff

Google is considering banning certificates signed with the SHA-1 cryptographic function in Google Chrome starting Jul. 1. This follows similar announcements from Mozilla and Microsoft over the past two months.The browser vendors had previously decided to stop trusting SHA-1-signed certificates presented by HTTPS websites on Jan. 1, 2017, a year after certificate authorities are supposed to stop issuing new ones.However, due to recent research showing that SHA-1 is weaker than previously believed, Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months.To read this article in full or to leave a comment, please click here

5 information security trends that will dominate 2016

Every year, it seems, the threats posed by cybercriminals evolve into new and more dangerous forms while security organizations struggle to keep up.As 2015 draws to a close, we can expect the size, severity and complexity of cyber threats to continue increasing in 2016, says Steve Durbin, managing director the Information Security Forum (ISF), a nonprofit association that assesses security and risk management issues on behalf of its members."For me, 2016 is probably the year of cyber risk," Durbin says. "I say that because increasingly I think we are seeing a raised level awareness about the fact that operating in cyber brings about its own peculiarities."To read this article in full or to leave a comment, please click here

Juniper updates list of backdoored enterprise firewall OS versions

Juniper revised the list of ScreenOS versions that contain a backdoor allowing attackers to bypass authentication and gain administrative access to NetScreen enterprise firewall devices.The networking equipment manufacturer announced last week that it found, during an internal audit, two instances where rogue code was added to its ScreenOS operating system without authorization. The code could be used by attackers to gain privileged access to NetScreen firewall devices and to decrypt VPN connections.The company said at the time that ScreenOS versions 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 were vulnerable, but an analysis by researchers from security firm Rapid7 revealed that not all listed versions are vulnerable to both issues.To read this article in full or to leave a comment, please click here

Juniper updates list of backdoored enterprise firewall OS versions

Juniper revised the list of ScreenOS versions that contain a backdoor allowing attackers to bypass authentication and gain administrative access to NetScreen enterprise firewall devices.The networking equipment manufacturer announced last week that it found, during an internal audit, two instances where rogue code was added to its ScreenOS operating system without authorization. The code could be used by attackers to gain privileged access to NetScreen firewall devices and to decrypt VPN connections.The company said at the time that ScreenOS versions 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 were vulnerable, but an analysis by researchers from security firm Rapid7 revealed that not all listed versions are vulnerable to both issues.To read this article in full or to leave a comment, please click here

Docs Spotlight: Keeping the FM in RTFM

blog-header-docspotlight

Crafting and maintaining high quality documentation is something we all know is very important. Reputable documentation is much more than the result of fantastic product or project management - especially when we're talking about community-driven documentation. Open source communities in particular like to reference "RTFM" (Read the Fine Manual, for the cleaner acronym explanation), but that's only helpful when the "Fine Manual" contains quality documentation. For projects like Ansible, it is our active users that make all the difference, and with their contributions and efforts we are able to help provide the great documentation that supports Ansible.  But, that also comes with some caveats.

Many people contribute to open source projects so that they may "scratch their own itch." Whether this works well or creates clunky and cluttered code is not up for debate in this blog post, but how well it works in relation to open source documentation is debatable. Often contributions boil down to very bare bones coverage of a feature or implementation, other times the only contribution made is a typo fix. And while even the small fixes are helpful, these are not the contributions that make the docs great (better, yes, but not yet reaching Continue reading

Docs Spotlight: Keeping the FM in RTFM

blog-header-docspotlight

Crafting and maintaining high quality documentation is something we all know is very important. Reputable documentation is much more than the result of fantastic product or project management - especially when we're talking about community-driven documentation. Open source communities in particular like to reference "RTFM" (Read the Fine Manual, for the cleaner acronym explanation), but that's only helpful when the "Fine Manual" contains quality documentation. For projects like Ansible, it is our active users that make all the difference, and with their contributions and efforts we are able to help provide the great documentation that supports Ansible.  But, that also comes with some caveats.

Many people contribute to open source projects so that they may "scratch their own itch." Whether this works well or creates clunky and cluttered code is not up for debate in this blog post, but how well it works in relation to open source documentation is debatable. Often contributions boil down to very bare bones coverage of a feature or implementation, other times the only contribution made is a typo fix. And while even the small fixes are helpful, these are not the contributions that make the docs great (better, yes, but not yet reaching Continue reading

OED Tools: NetSetMan

The problem I manage many networks and quite often I work at customer site. For every site I need and IP address, gateway, Wi-Fi network, sometimes proxy, a printer and many other unique network settings. Change IP address on Windows is a process that takes too much time and many clicks. The automation I used […]

What’s inside net/http? Late binding in the Go standard library

It's well known that we're heavy users of the Go programming language at CloudFlare. Our work often involves delving into the standard library source code to understand internal code paths, error handling and performance characteristics.

Recently, I looked at how the standard library's built-in HTTP client handles connections to remote servers in order to provide minimal roundtrip latency.

Athletics track CC By 2.0 Image by Dean Hochman

Connection pooling

A common pattern that aims to avoid connection setup costs (such as the TCP handshake and TLS setup) and confer control over the number of concurrently established connections is to pool them. net/http maintains a pool of connections to each remote host which supports Connection: keep-alive. The default size of the pool is two idle connections per remote host.

More interestingly, when you make a request with net/http, a race happens. Races in code are often an unwanted side effect, but in this case it's intentional. Two goroutines operate in parallel: one that tries to dial a connection to the remote host, and another which tries to retrieve an idle connection from the connection pool. The fastest goroutine wins.

To illustrate, let's look at the code executed when transport.RoundTrip(req) is Continue reading

1 3,221 3,222 3,223 3,224 3,225 3,857