A Use Case for an SSH Bastion Host

In this post, I’m going to explore one specific use case for using an SSH bastion host. I described this configuration and how to set it up in a previous post; in this post, though, I’d like to focus on one practical use case.

This use case is actually one I depicted graphically in my earlier post:

SSH bastion host diagram

This diagram could represent a couple different examples. For example, perhaps this is an AWS VPC. Security best practices suggest that you should limit access from the Internet to your instances as much as possible; unless an instance needs to accept traffic from the Internet, don’t assign a public IP address (or an Elastic IP address). However, without a publicly-accessible IP address, how does one connect to and manage the instance? You can’t SSH to it without a publicly-accessible IP address—unless you use an SSH bastion host.

Or perhaps this diagram represents an OpenStack private cloud, where users can deploy instances in a private tenant network. In order for those instances to be accessible externally (where “externally” means external to the OpenStack cloud), the tenant must assign each instance a floating IP address. Security may not be as much of a concern Continue reading

Free digital certificate project opens doors for public beta

Let's Encrypt, the project offering free digital certificates for websites, is now issuing them more broadly with the launch of a public beta on Thursday.The beta label will eventually be dropped as the software they've developed is refined, wrote Josh Aas, executive director of the Internet Security Research Group (ISRG), which runs Let's Encrypt."Automation is a cornerstone of our strategy, and we need to make sure that the client works smoothly and reliably on a wide range of platforms," he wrote.Digital certificates use the SSL/TLS (Secure Sockets Layer/Transport Layer Security) protocols to encrypt traffic exchanged between a user and a service, adding a higher level of privacy and security.To read this article in full or to leave a comment, please click here

Wait: Did I just detect a flicker of personality in the enterprise IT industry?

Long gone are the days of the colorful enterprise networking industry I knew filled with provocative personalities like Cabletron Systems President Bob Levine and 3Com’s Bob Metcalfe. But at this week’s Xconomy Enterprise Tech Strikes Back event held at the Fidelity Center for Applied Technology in Boston, I actually detected some real-life individuality and swagger to go along with good business ideas being touted by the industry’s latest batch of young companies.To read this article in full or to leave a comment, please click here

The Ansible Support Mailbox

genericblog

Hi, I'm David Federlein and you may know me from such tickets to the Customer Success Team as “How does Tower’s Dynamic Inventory use Private IPs?" and “How do I import my Ansible inventory to Tower?" Or perhaps you just knew me from grade school. If that’s the case I’d like to apologize for that incident with the fake perfume that smelled like farts and further reassure you that I never again ordered any novelty items from the back of comic books.

In regards to Tower and Ansible, I am here today to share some tips that may be of help in your endeavor for automated nirvana. Perhaps after I’ve shared some of this with you I can one day have someone call me “Sir” without adding “you’re making a scene.” Let’s get down to business.

By now you should be familiar with our love of cowsay, but cows can be dangerous! Don't kid yourself: If a cow ever got the chance, he'd eat you and everyone you care about! So if you’d like to turn off the bovines throwing taunting barbs as you run your playbook, remember two things:

1) That cow is judging Continue reading

The Ansible Support Mailbox

support header

Hi, I'm David Federlein and you may know me from such tickets to the Customer Success Team as “How does Tower’s Dynamic Inventory use Private IPs?" and “How do I import my Ansible inventory to Tower?" Or perhaps you just knew me from grade school. If that’s the case I’d like to apologize for that incident with the fake perfume that smelled like farts and further reassure you that I never again ordered any novelty items from the back of comic books.

In regards to Tower and Ansible, I am here today to share some tips that may be of help in your endeavor for automated nirvana. Perhaps after I’ve shared some of this with you I can one day have someone call me “Sir” without adding “you’re making a scene.” Let’s get down to business.

By now you should be familiar with our love of cowsay, but cows can be dangerous! Don't kid yourself: If a cow ever got the chance, he'd eat you and everyone you care about! So if you’d like to turn off the bovines throwing taunting barbs as you run your playbook, remember two things:

1) That cow is judging Continue reading

IDG Contributor Network: The future of virtualization: Don’t forget the so-called ‘old’

This is an exciting moment for data virtualization. The options available for virtualization are expanding, and are providing advances in processing speed around big data and data integration. This is just one of many areas around virtualization getting attention…and usually with the words "new" and "future" close by. But if the technology that pioneered virtualization – mainframes – is mentioned at all, it is usually dismissed. Why? Usually, the motivation is to serve the interests of the people who are trying to sell their product.Do you remember the classic sci-fi movie Logan's Run? In it, anyone who reaches the age of 30 meets his or her end in a public ceremony. Sometimes it feels like our industry has the same attitude towards existing software and hardware. This shortsighted approach does a disservice to technology, new and old. Let's look at the reasons why from the perspective of mainframes and virtualization.To read this article in full or to leave a comment, please click here

IDG Contributor Network: Self-healing gel breakthrough could lead to flexible electronics

The fact that circuits are not designed to flex hinders product design, causes maintenance issues in the field, and is slowing the move towards bendable, rollable gadgets.However, some scientists think they've got a solution. Researchers in the Cockrell School of Engineering at The University of Texas at Austin say they've invented a healing gel that doesn't need an application of light or heat to fix a broken connection.Until now, you'd need "external stimuli" to mend cracks or breaks in circuits, Guihua Yu, the UT Assistant Professor who developed the gel, said in an article at UT News.To read this article in full or to leave a comment, please click here

IDG Contributor Network: Self-healing gel breakthrough could lead to flexible electronics

The fact that circuits are not designed to flex hinders product design, causes maintenance issues in the field, and is slowing the move towards bendable, rollable gadgets.However, some scientists think they've got a solution. Researchers in the Cockrell School of Engineering at The University of Texas at Austin say they've invented a healing gel that doesn't need an application of light or heat to fix a broken connection.Until now, you'd need "external stimuli" to mend cracks or breaks in circuits, Guihua Yu, the UT Assistant Professor who developed the gel, said in an article at UT News.To read this article in full or to leave a comment, please click here

Congress joins battle against ticket bots

Some members of Congress apparently think that by passing a law, they can beat ticket bots.The response of IT experts: Good luck with that.The intentions are the best, of course. Companion bills now pending in the House and Senate are aimed at stopping online ticket scalpers by banning the use of bots – software that can buy hundreds or even thousands of tickets or reservations before the average individual buyer even gets started.But a law isn’t going to stop the scalpers, according to experts including Rami Essiad, cofounder and CEO of Distil Networks. “You’re trying to combat an enemy you can’t see,” he said. “Making it illegal doesn’t allow you to see them. There’s a lot of legislation saying it’s illegal to hack, but there’s plenty of hacking still going on.”To read this article in full or to leave a comment, please click here

Protocol Spotlight: DLEP

Dynamic Link Exchange Protocol is a mechanism by which link layer devices (probably radio modems) can communicate neighbor reachability information to IP routers using those radios.

Radio interfaces are frequently variable sub-rate interfaces. Path selection is a huge challenge with this sort of handoff, because not only is the available bandwidth less than the speed of the handoff interface, it's a moving target based on RF conditions from moment-to-moment. DLEP provides a flexible framework for communicating link performance and other parameters to the router so that it can make good path selection decisions.

It's obviously handy for point-to-point links, but that's not where it gets really interesting.

Consider the following network topology:


We have four routers sharing a broadcast network (10.0.0.0/24), each with a satellite backup link. Simple stuff, right?

But what if that 10.0.0.0/24 network isn't an Ethernet segment, but was really an ad-hoc mesh of microwave radio modems, and the routers were scattered among various vehicles, drones and robots?

The radios know the topology of the mesh in real time, but the routers plugged into those radios do not.

Wasting microwave bandwidth with BFD packets would be silly because it won't tell Continue reading

No more security fixes for older OpenSSL branches

The OpenSSL Software Foundation has released new patches for the popular open-source cryptographic library, but for two of its older branches they will likely be the last security updates.This could spell trouble for some enterprise applications that bundle the 0.9.8 or 1.0.0 versions of OpenSSL and for older systems -- embedded devices in particular -- where updates are rare.OpenSSL 1.0.0t and 0.9.8zh, which were released Thursday, are expected to be the last updates because support for these these two branches will end on Dec. 31, as listed in the organization's release strategy document.To read this article in full or to leave a comment, please click here

Docker at Connect(); // 2015

Connect(); //2015, Microsoft’s virtual event devoted to developers, happened one day after DockerCon EU 2015, and started with an epic demo where Scott Hanselman deployed an ASP.NET 5 app from Visual Studio to a Docker container on Azure on Linux. … Continued
1 3,221 3,222 3,223 3,224 3,225 3,836