CCDE – Firewall And IPS Design Considerations

Introduction

This post will discuss different design options for deploying firewalls and Intrusion Prevention Systems (IPS) and how firewalls can be used in the data center.

Firewall Designs

Firewalls have traditionally been used to protect inside resources from being accessed from the outside. The firewall is then deployed at the edge of the network. The security zones are then referred to as “outside” and “inside” or “untrusted” and “trusted”.

CCDE basic firewall inside and outside
CCDE basic firewall inside and outside

Anything coming from the outside is by default blocked unless the connection initiated from the inside. Anything from the inside going out is allowed by default. The default behavior can of course be modified with access-lists.

It is also common to use a Demilitarized Zone (DMZ) when publishing external services such as e-mail, web and DNS. The goal of the DMZ is to separate the servers hosting these external services from the inside LAN to lower the risk of having a breach on the inside. From the outside only the ports that the service is using will be allowed in to the DMZ such as port 80, 443, 53 and so on. From the DMZ only a very limited set of traffic will be allowed Continue reading

Risky Business #388 — Cyber shrinkery, IoT shenanigans and guest Troy Hunt

This week's feature interview is with Troy Hunt of HaveIBeenPwned.com. And he's noticing something pretty weird. It's common for people to deface websites for bragging rights, and yeah, it's not new that data dumps are the new bragging fodder. But it seems like these days attackers are seeing Troy's site as the definitive place to get cred. Now they'll steal a bunch of data and Troy is their first stop.

Life is strange on the internets. That's this week's feature interview.

read more

Apple wages battle to keep App Store malware-free

Apple is facing growing challenges keeping suspicious mobile applications out of its App Store marketplace. Over the last two months, researchers have found thousands of apps that could have potentially stolen data from iOS devices. While the apps were not stealing data, security experts said it would have been trivial for attackers to configure them to do so.  Apple has removed some of affected apps since it was alerted by security companies. But the problems threaten to taint the App Store's years-long reputation as being high quality and malware free. Apple officials didn't have an immediate comment.To read this article in full or to leave a comment, please click here

Apple wages battle to keep App Store malware-free

Apple is facing growing challenges keeping suspicious mobile applications out of its App Store marketplace.Over the last two months, researchers have found thousands of apps that could have potentially stolen data from iOS devices.While the apps were not stealing data, security experts said it would have been trivial for attackers to configure them to do so. Apple has removed some of affected apps since it was alerted by security companies. But the problems threaten to taint the App Store's years-long reputation as being high quality and malware free. Apple officials didn't have an immediate comment.To read this article in full or to leave a comment, please click here

Microsoft follows Mozilla in considering early ban on SHA-1 certificates

Microsoft is considering advancing the blocking of the SHA-1 hashing algorithm on Windows to as early as June next year, taking a cue from a similar decision by Mozilla. The Redmond-based software maker had earlier said that Windows would block SHA-1 signed TLS (Transport Layer Security) certificates from Jan. 1, 2017, but is now mulling moving up the date in view of recent advances in attacks on the SHA-1 algorithm, a cryptographic hash function designed by the U.S. National Security Agency. There have been concerns about the security of the algorithm, which led Microsoft, Google and Mozilla to announce that their browsers would stop accepting SHA-1 SSL (Secure Sockets Layer) certificates.To read this article in full or to leave a comment, please click here

We should all follow Linus’s example

Yet another Linus rant has hit the news, where he complains about how "your shit code is fucking brain damaged". Many have complained about his rudeness, how it's unprofessional, and part of the culture of harassment in tech. They are wrong. Linus Torvalds is the nicest guy in tech. We should all try to be more like him.

The problem in tech isn't bad language ("your shit code"), but personal attacks ("you are shit").

A good example is Brendan Eich, who was fired from his position as Mozilla CEO because people disagreed with his political opinions. Another example is Nobel prize winner Tim Hunt who was fired because people took his pro-feminist comments out of context and painted him as a misogynist. Another example is Pax Dickinson, who was fired as CTO of Business Insider because of jokes he made before founding the company. A programmer named Curtis Yavin* was booted from a tech conference because he's some sort of monarchist. Yet more examples are the doxing and bomb threats that censor both sides of the GamerGate fiasco. The entire gamer community is a toxic cesspool of personal attacks. We have another class of people, the "SJW"s, Continue reading

Wi-Fi Alliance touts survey numbers as LTE-U showdown looms

The Wi-Fi Alliance, an industry group that certifies Wi-Fi products for interoperability, has highlighted the importance of the technology to the daily lives of Americans ahead of a testing summit that will try to shed some light on potential conflicts between Wi-Fi and a carrier technology called LTE-U. LTE-U is a technology that some U.S. wireless carriers want to use to take the pressure off their networks – using the same unlicensed spectrum as Wi-Fi networks. While LTE-U proponents insist that the coexistence features built into the technology will avoid any conflicts, critics aren’t convinced, arguing that LTE-U could disrupt Wi-Fi networks.To read this article in full or to leave a comment, please click here

What’s behind the odd couple Microsoft-Red Hat partnership

No, hell has not frozen over, but yes Microsoft and Red Hat have announced a major partnership today.In a collaboration that would have been unthinkable just a few years ago, Microsoft – the purveyor of the mainstream and proprietary Windows OS – has partnered with Red Hat, the champion of an enterprise-class iteration of Linux. And analysts say the move is good for both companies.+MORE AT NETWORK WORLD: You built a cloud and now they want containers? | Microsoft pumps up Azure ahead of Amazon’s big cloud conference +To read this article in full or to leave a comment, please click here

What does Donald Trump have to say about technology? Not much

Donald Trump isn't much of a technophile. The surprise frontrunner for the Republican nomination in the 2016 U.S. Presidential election said he hadn't adopted email as late as 2007, and was only using it "very rarely" by 2013, according to The New York Times, which published these admissions among many other revealing statements Trump has made under oath in depositions over the past decade.Trump still reads hard-copy news and magazine articles, and even dictates his oft-controversial Tweets to a team of PR underlings who send them out on his account, according to The Washington Post.To read this article in full or to leave a comment, please click here

Federal prison system wants anti-drone technology

Looking to counter the threat unmanned aircraft might bring to Federal prison guards and prisoners, the Federal Bureau of Prisons is looking at what types of technology could be used to defeat the drones.The group, which is an agency of the Department of Justice issued a Request for Information specifically targeting what it called a fully integrated systems that will allow for the detection, tracking, interdiction, engagement and neutralization of small -- less the 55lb -- unmanned aerial system.+More on Network World: The International Space Station: Reveling at 15+To read this article in full or to leave a comment, please click here

The Godwin fallacy

As Wikipedia says:
Godwin's law and its corollaries would not apply to discussions covering known mainstays of Nazi Germany such as genocide, eugenics, or racial superiority, nor to a discussion of other totalitarian regimes or ideologies, if that was the explicit topic of conversation, because a Nazi comparison in those circumstances may be appropriate, in effect committing the fallacist's fallacy, or inferring that an argument containing a fallacy must necessarily come to incorrect conclusions.
An example is a discussion whether waving the Confederate flags was "hate speech" or "fighting words", and hence undeserving of First Amendment protections.

Well, consider the famous march by the American Nazi party through Skokie, Illinois, displaying the Swastika flag, where 1 in 6 residents was a survivor of the Holocaust. The Supreme Court ruled that this was free-speech, that the Nazi's had a right to march.

Citing the Skokie incident isn't Godwin's Law. It's exactly the precedent every court will cite when deciding whether waving a Confederate flag is free-speech.

I frequently discuss totalitarianism, as it's something that cyberspace can both enable and defeat. Comparisons with other totalitarian regimes, notably Soviet Russia and Nazi Germany, are inevitable. They aren't Godwin hyperbole, they are on point. Continue reading

Trojanized Android apps flood third-party stores, compromise phones

Attackers are creating rogue versions of popular Android applications that compromise the security of devices and are extremely hard to remove.Researchers from mobile security firm Lookout have found more than 20,000 samples of such trojanized apps. They're typically fully functional copies of top Android applications like Candy Crush, Facebook, Google Now, NYTimes, Okta, SnapChat, Twitter or WhatsApp, but with malicious code added to them.The goal of these rogue apps is to aggressively display advertisements on devices. A scary development though is that, unlike traditional adware, they root the devices where they get installed in order to prevent users from removing them.To read this article in full or to leave a comment, please click here

1 3,257 3,258 3,259 3,260 3,261 3,840