Multi-datacenter Firewall Automation – Part 2


In my last post, I described the logical model I decided to use so that I could compute the path between endpoints using the Dijkstra shortest path algorithm. I’ve already discovered the handy Perl module Paths::Graph that implements Dijkstra for me, so now all I need to do is turn the network model into a data format that Paths::Graph will accept.

The Model

As a reminder, this is the model I’m using for my two-datacenter network:

[Figure: Firewall - Two DCs]

To model this network, I need to allocate a cost to every network link. It turns out that Paths::Graph wants me to create separate links in each direction; this is a huge pain, and makes an already risk-laden process doubly painful. After initially creating the data model directly in the code, I realized that it would be much simpler (hah!) to model the network using YAML, and to remove the requirement to include both directions of any link. In my new YAML model, a link from A->B automatically implies a link from B->A with the same cost; this halves the number of link descriptions required, which I’ll take as a win. The format is dead simple:

 Continue reading

Packets of Interest (2015-06-19)

It’s been a while since I’ve done a POI so here we go.

The Mystery of Duqu 2.0: a sophisticated cyberespionage actor returns

https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/

Kaspersky Lab found this new variant of the Duqu malware in their own network. They wrote a paper based on their analysis of this new malware. It fascinates me how sophisticated these software packages are and how much effort the threat actors put into them.

Diffie-Hellman Key Exchange

Diffie-Hellman (DH) is the world’s first public key crypto system. It’s used in everything from secure browsing to secure shell. This video visually demonstrates how the Diffie-Hellman key exchange works. The best part is that you don’t need to know anything about crypto to follow along.

Passphrases That You Can Memorize – But That Even the NSA Can’t Guess

https://firstlook.org/theintercept/2015/03/26/passphrases-can-memorize-attackers-cant-guess/

Use this informative guide to generate secure, human-memorizable passphrases that are suitable for protecting your private PGP key, your private SSH key, and your master key for your password safe.

Encrypting Your Laptop Like You Mean It

https://firstlook.org/theintercept/2015/04/27/encrypting-laptop-like-mean/

A well written article about encrypting one’s laptop. Covers topics such as what disk encryption does and does not protect against, attacks against disk encryption, and Continue reading

Worth Reading 06:19

Much as I’ve been trying to keep up on interesting stuff to read on the right column, I still seem to have built a long list of bookmarks! Having nothing better to do on a Friday morning, I’m dumping them on you.

So there! :-)

I’ve posted in the past on the problems of the IT job market. Primarily I think it’s too much about “what narrow set of skills do you have,” rather than “are you a good engineer,” and I think we engineers are as much to blame as anyone else for this. “Yeah, but do you know about the latest gobberfubble embedded fingernail pick API??” we say with pride, trying to find something we know about that the person we’re interviewing doesn’t. Interviews shouldn’t be about making yourself feel better about your technical skill — they should be about finding a good engineer for your team. Okay, I’ve ranted long enough — it’s time for Infoworld to take over on this score with more practical advice.

The Midyear State of the IT Job Market.

By the way, I know my response to the esoteric game won’t work for everyone, but whenever someone gets me into this position of Continue reading

The Upload: Your tech news briefing for Friday, June 19

Google’s data centers grow so fast it has to build its own networks

Google has been building its own software-defined data-center networks for 10 years because traditional gear can’t handle the scale of what are essentially warehouse-sized computers. The company hasn’t said much before about that homegrown infrastructure, but one of its networking chiefs provided some details this week about the current network design that powers all of Google’s data centers and has a maximum capacity of a whopping 1.13 petabits per second.

Enterprises hesitant on SDNs

SANTA CLARA -- Even though service providers are well on their way with SDNs, enterprise adoption of the technology is slowed by a host of issues. Chief among them is cultural inertia. Large enterprises in particular are loath to change anything, be it technology, operational processes or organizational structure, especially if the need to do so is unclear or viewed as potentially risky.

EFF, CloudFlare Ask Federal Court Not To Force Internet Companies To Enforce Music Labels’ Trademarks

This blog was originally posted by the Electronic Frontier Foundation, which represents CloudFlare in this case.

JUNE 18, 2015 | BY MITCH STOLTZ

This month, CloudFlare and EFF pushed back against major music labels’ latest strategy to force Internet infrastructure companies like CloudFlare to become trademark and copyright enforcers, by challenging a broad court order that the labels obtained in secret. Unfortunately, the court denied CloudFlare’s challenge and ruled that the secretly-obtained order applied to CloudFlare. This decision, and the strategy that led to it, present a serious problem for Internet infrastructure companies of all sorts, and for Internet users, because they lay out a blueprint for quick, easy, potentially long-lasting censorship of expressive websites with little or no court review. The fight’s not over for CloudFlare, though. Yesterday, CloudFlare filed a motion with the federal court in Manhattan, asking Judge Alison J. Nathan to modify the order and put the responsibility of identifying infringing domain names back on the music labels.

We’ve reported recently about major entertainment companies’ quest to make websites disappear from the Internet at their say-so. The Internet blacklist bills SOPA and PIPA were part of that strategy, along with the Department of Homeland Security’s Continue reading

Build your own network simulator using open-source DevOps tools

Open-source DevOps tools are used to deploy applications and services in datacenter server networks, but they may also enable researchers or students to simulate networks. In this post, we will survey popular open-source DevOps tools and provide links to information that shows how to use them to create network simulation scenarios.

Most open-source network simulators simplify the setup and configuration of virtual machines and the networking connections between virtual machines. DevOps tools such as OpenStack do the same things, although they expose more of the complexities of the virtualized infrastructure to the user.

If you are already using DevOps tools for other activities you may find it useful to also use them when you need to create a simulated network instead of learning to use a network simulator.

Comparing simulators to DevOps tools

Both open-source network simulators and a coordinated set of DevOps tools perform the same role: they orchestrate the setup, interconnection, and configuration of virtual nodes in a virtual network.

Open-source simulators are built to support small-scale simulation scenarios on one computer, although some can run in a distributed mode across multiple computers. DevOps tools are designed to work in datacenters composed of hundreds or thousands of servers, Continue reading

iOS gets a first in Microsoft’s OneNote: New to-do list feature

Microsoft has rolled out a new OneNote feature to the iPhone first before any other platform, showing off the company’s interest in promoting cross-platform use of its note-taking system. OneNote users with Apple’s smartphones will now be able to convert notes with checklists in them into a special list mode that will organize items based on whether they’re checked off or not. A note formatted as a list also includes an “add item” button at the top that will create a new blank to-do. The feature is designed to make it easier for people to quickly interact with their checklists on touch devices without having to deftly pick out a single checkbox in a long column of little boxes. At any time, notes that have been converted to the new checklist format can be converted back without much fuss, and the notes will still be readable by other versions of OneNote as long checklists.

Google’s driverless car fleet to double as it prepares for new tests

Google’s autonomous car fleet is undergoing a major expansion. In the last month, the number of cars it is permitted to drive on public streets has more than doubled, and Google now accounts for more than half of the driverless cars that are legal in California. As of Wednesday, the company has been issued 48 permits for driverless vehicles, according to records at California’s Department of Motor Vehicles. About a month earlier, on May 15, Google held just 23 permits. The additional 25 permits are for a new fleet of prototype cars that are undergoing testing on private roads, the company said. The cars, tiny two-seaters, are designed for neighborhood driving and have a top speed of 25 miles per hour. They’ll be hitting public streets some time over the summer near Google’s headquarters in Mountain View.

Samsung to plug security hole on Galaxy smartphones

Samsung will update the security software on its Galaxy smartphones to address a flaw that researchers warned could let attackers access people’s devices. Earlier in the week, researchers at NowSecure, a mobile security company, identified the flaw in SwiftKey, a keyboard application that comes preloaded on Galaxy smartphones. The flaw could be exploited even when SwiftKey was not used as the default keyboard, NowSecure said. On Thursday, Samsung said it would issue a fix that would roll out over the coming days to owners of the Galaxy S4, released in 2013, and later models. Those devices have Samsung’s Knox security platform installed by default and can receive over-the-air security policy updates. Users must have automatic updates activated in their phone’s settings, Samsung said on its website.

Chinese university opens Microsoft-backed U.S. outpost

China’s Tsinghua University has teamed up with the University of Washington and Microsoft to launch the Global Innovation Exchange (GIX), a tech-focused graduate school that’s the first of its kind. The program, which was announced Thursday afternoon, will bring people from around the world to a new facility in Bellevue, Washington, near Seattle, to learn and work together. The launch marks the first time a Chinese research institution has opened a physical presence in the U.S., the backers said. Tsinghua is a prestigious, Beijing-based institution that counts current Chinese President Xi Jinping and his predecessor Hu Jintao as alumni. UW is a key player in the tech industry with alumni including U.S. Deputy Chief Technology Officer Ed Felten and Apple Vice President Bud Tribble.

Oracle taps former HP exec Donatelli for key hardware role

Confirming rumors dating back to as early as March, Oracle announced on Thursday it has appointed former Hewlett-Packard executive David Donatelli as executive vice president for converged infrastructure. Donatelli will report directly to Oracle CEO Mark Hurd and will be responsible for infrastructure offerings including the company’s engineered systems, server, storage, networking and tape products. He will also help oversee Oracle hardware products designed for hybrid cloud environments. Donatelli joined HP in 2009 and served as executive vice president and general manager of HP’s Enterprise Group, with responsibility for the enterprise hardware business, including storage, server, networking and converged infrastructure products. He reportedly was considered a contender for HP’s CEO role before the appointment of Meg Whitman.

Virtual Mobile Infrastructure: Secure the data and apps, in lieu of the device

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

Corporate use of smartphones and tablets, both enterprise- and employee-owned (BYOD), has introduced significant risk and legal challenges for many organizations.

Other mobile security solutions such as MDM (mobile device management) and MAM (mobile app management) have attempted to address this problem by either locking down or creating “workspaces” on users’ personal devices. For BYOD, this approach has failed to adequately secure enterprise data, and created liability issues in terms of ownership of the device – since it is now BOTH a personal and enterprise (corporate)-owned device.


SAP Hana users warned of security vulnerability

Hard on the heels of the release of a newly updated version of SAP Hana, a security researcher has warned of a potentially serious vulnerability in the in-memory platform. “If an attacker can exploit this vulnerability, he can get access to all encrypted data stored in an SAP Hana database,” said Alexander Polyakov, CTO with ERPScan, which presented the details Thursday at the Black Hat Sessions XIII conference in the Netherlands. Polyakov’s firm specializes in testing enterprise resource planning (ERP) software from companies such as Oracle and SAP for security purposes. Last year, it had already found SAP Hana installations to be vulnerable to SQL injection attacks, he said.

NSA uses OpenFlow for tracking… its network

SANTA CLARA -- Just as the industry is becoming more comfortable with SDNs, the NSA says it’s using them too. The embattled National Security Agency, which has been surreptitiously collecting phone records on all of us for many years as part of a secret surveillance operation, is implementing an OpenFlow SDN for its own internal operations. No mention was made whether an OpenFlow SDN also supports the agency’s surveillance operations – it’s doubtful the NSA would open up on the underpinnings of its spy network. But internally, the agency faces the same issues any large enterprise IT shop faces: do more, faster and at less cost with fewer people. And with a lot of oversight.