NetworkingNexus.net

Using Check Point Identity Awareness with NAT

Check Point Identity Awareness is problematic in environments that have multiple customers, overlapping private address space, and NAT. It can be done, if you understand the traffic flows, the connections needed, and how to combine several features. Here’s how I did it.

NB: This post is not a full explanation of Check Point Identity Awareness, nor is it a discussion of the product design decisions, good or bad. It assumes that the reader understands what Identity Awareness is, and focuses on how to implement it when you also need to use NAT. It will be pretty dull reading to everyone else.

Background: Typical Check Point Management Flows

A quick reminder of the traditional flows used for Check Point firewall management:

Check Point Management Clients (e.g. SmartDashboard, SmartLog) connect to the management server to configure policies, view logs, etc.

Policies are compiled and pushed from the management server to the firewall(s). Logs are sent from the firewall back to the management server. All good.

Identity Awareness: Additional Connections

Identity Awareness lets you define rules based upon user identities, rather than IP addresses. So you can say “This AD group is allowed to connect directly to the SQL Server.” Much nicer Continue reading

US proposes tighter export rules for computer security tools

The U.S. Commerce Department has proposed tighter export rules for computer security tools, a potentially controversial revision to an international agreement aimed at controlling weapons technology.On Wednesday, the department published a proposal in the Federal Register and opened a two-month comment period.The changes are proposed to the Wassenaar Arrangement, an international agreement reached in 1995, aimed at limiting the spread of “dual use” technologies that could be used for harm.To read this article in full or to leave a comment, please click here

RadioShack, US states reach agreement on sale of customer data

RadioShack has reached agreement with U.S. states over the sale of customer data, by consenting to limit the number of email addresses to be sold, and giving customers the opportunity to be removed from the list.A coalition of 38 U.S. states, led by Texas, objected to the sale of personally identifiable information by the bankrupt electronics retailer, citing its online and in-store privacy policies. The customer data, which was withdrawn from an earlier sale of assets that included RadioShack stores, was included in a second auction this month.The bulk of the consumer data will be destroyed, and no credit or debit card account numbers, social security numbers, dates of birth or phone numbers will be transferred to General Wireless Operations, the winner of both auctions, said Texas Attorney General Ken Paxton in a statement Wednesday.To read this article in full or to leave a comment, please click here

RadioShack, US states reach agreement on sale of customer data

Fun in the Lab: Sniffer Tracing a DMVPN Tunnel Startup

I have seen that for many people new to DMVPN… it seems quite overwhelming and scary. I will admit it was that way for me also. I think really cause of all those nhrp commands. Funny thing about those nhrp is that these items... Read More ›

The post Fun in the Lab: Sniffer Tracing a DMVPN Tunnel Startup appeared first on Networking with FISH.

Logjam: the latest TLS vulnerability explained

log-jam

Yesterday, a group from INRIA, Microsoft Research, Johns Hopkins, the University of Michigan, and the University of Pennsylvania published a deep analysis of the Diffie-Hellman algorithm as used in TLS and other protocols. This analysis included a novel downgrade attack against the TLS protocol itself called Logjam, which exploits EXPORT cryptography (just like FREAK).

First, let me start by saying that CloudFlare customers are not and were never affected. We don’t support non-EC Diffie-Hellman ciphersuites on either the client or origin side. We also won't touch EXPORT-grade cryptography with a 20ft stick.

But why are CloudFlare customers safe, and how does Logjam work anyway?

The image is "Logjam" as interpreted by @0xabad1dea.

Diffie-Hellman and TLS

This is a detailed technical introduction to how DH works and how it’s used in TLS—if you already know this and want to read about the attack, skip to “Enter export crypto, enter Logjam” below. If, instead, you are not interested in the nuts and bolts and want to know who’s at risk, skip to “So, what’s affected?”

To start a TLS connection, the two sides—client (the browser) and server (CloudFlare)—need to agree securely on a secret key. This process is called Continue reading

Health insurer CareFirst reveals cyberattack affecting 1.1 million

A large U.S. health insurer, CareFirst BlueCross BlueShield, has disclosed it fell victim to a cyberattack that affected about 1.1 million people.The attack, which occurred in June last year, targeted a single database that contained information about CareFirst members and others who accessed its websites and services, the company said Monday.The nonprofit has 3.4 million members, mostly around Maryland, Washington, D.C., and Northern Virginia.“We were the subject of a cyberattack,” a somber looking Chet Burrell, the company’s CEO, says in a video posted to its website.CareFirst said customer names, birth dates, user names, email addresses and subscriber ID numbers may have been stolen. The database did not contain Social Security numbers, medical claims or financial information, it said. And member passwords were encrypted and stored in a different system, CareFirst said.To read this article in full or to leave a comment, please click here

Fierce smartphone rivalry driving faster chip development, ARM CEO says

Heated competition in the smartphone and tablet markets has required chip makers to speed up the pace at which they release new processors, the CEO of ARM said in an interview this week.Following in the footsteps of Apple, rivals like Samsung and HTC are upgrading their flagship devices on a near yearly basis, adding better displays, faster chips and more memory to entice customers into buying their products.ARM designs the microprocessors used in most of those devices, and the increased competition means it’s having to push out faster, more power-efficient chips at a quicker pace, CEO Simon Segars said Tuesday.“We’re always going to be looking to deliver more performance, make the best use of manufacturing technology ... and deliver better system-wide efficiency,” he added.To read this article in full or to leave a comment, please click here

Senators stall vote to extend NSA phone records dragnet

Four U.S. senators ground the chamber’s business to a halt Wednesday in an effort to prevent lawmakers from voting on a bill to extend portions of the Patriot Act used to collect telephone and business records from the country’s residents.Time is running out for the Senate to extend the telephone records collection section of the Patriot Act before it expires at the end of the month. In an effort to block a vote, Senator Rand Paul, a Kentucky Republican, took control of the Senate floor in a filibuster mid-Wednesday, with Senators Ron Wyden, an Oregon Democrat, Mike Lee, a Utah Republican, and Martin Heinrich, a New Mexico Democrat, joining him later in the day.To read this article in full or to leave a comment, please click here

Senators stall vote to extend NSA phone records dragnet

U.S. Senator Rand Paul spoke on the chamber's floor for more than nine hours Wednesday during a filibuster to prevent lawmakers from voting on a bill to extend portions of the law used by the National Security Agency to collect telephone and business records from the country's residents.Paul, a Kentucky Republican, continued to talk on the Senate floor at 10:25 p.m. EST, after taking control of the chamber earlier in the day. Nine other senators joined him for short stretches throughout the day, including Ron Wyden, an Oregon Democrat, Mike Lee, a Utah Republican, and Martin Heinrich, a New Mexico Democrat.Time is running out for the Senate to extend the section of the Patriot Act that the NSA uses as authorization to collect telephone and other business records. Section 215 of the Patriot Act expires at the end of the month, and lawmakers are scheduled to take an extended Memorial Day break next week.To read this article in full or to leave a comment, please click here

Senators stall vote to extend NSA phone records dragnet

Racist query terms in Google Maps trigger the White House in results

Google Maps lists the White House among top search results for certain queries containing racist terms against African-Americans.The Washington Post first reported the issue after a reader alerted the newspaper that entering a well-known racial slur while Google Maps is focused on the nation’s capital yielded the White House as the first result. The result comes up when using Google’s mobile Maps app, as well as its Maps website.Regardless of the user’s location within Maps, a search for another racially insulting term against blacks listed the Underground Railroad TV station in Chicago as the top result, with the White House coming in second. Other similarly racist query terms also gave the White House as the top result, along with the Jim Crow Museum of Racist Memorabilia in Big Rapids, Michigan.To read this article in full or to leave a comment, please click here

Bigger, better, faster: What does Wave 2 of 802.11ac have in store?

"Bigger, better, faster" is a mantra with which many of us are now familiar. Even if it isn't something we have printed on a t-shirt, it can be how we strive to live without often realizing it. Improvement is a part of life. You don't have to look hard to see examples of certain things that have already realized their great potential for improvement. But what about things we take for granted, like wireless? Wireless is all around us, but it's something we take for granted. Sometimes it’s harder to find a business or public location without Wi-Fi than it is to find one with it. So can wireless actually advance? Whether it's in the boardroom or the living room, we have expectations of buttery-smooth audio and video. As the number of wireless devices grows at a profound rate, how can we shore up the wireless network to provide service to all that’s connected? Wireless AC may be the light at the end of the tunnel. With Wave 1 speeds of 1.3Gbps (your mileage may vary) we're offered a chance to handle the larger amount of requests constantly bombarding our access points (APs). Still, the struggle in dense environments Continue reading

Building a Fully Automated Ubuntu Installation Process

Recently on Twitter, I mentioned that I had managed to successfully create a fully automated process for installing Ubuntu Server 14.04.2, along with a method for bootstrapping Ansible. In this post, I’m going to describe the installation process I built and the components that went into making it work. I’ll discuss the Ansible bootstrap process in a separate post. I significantly doubt that there is anything new or unique here, but hopefully this information will prove helpful to others facing similar challenges.

Before I continue, allow me to briefly discuss why I didn’t use a system like Cobbler instead of putting together my own system. Cobbler is a great tool. For me, though, this was also about deepening my own knowledge. I wanted to better understand the various components involved and how they interacted, and I didn’t feel I would really be able to do that with a “prebuilt” system like Cobbler. If you are more interested in getting something up and running as opposed to learning more about how it works (and that’s OK), then I’d recommend you skip this post and go download Cobbler. If, on the other hand, you want to make this into more Continue reading

Alcatel-Lucent uses SDN to meld IP, optical services

Alcatel-Lucent this week extended its carrier SDN product line with an automation and network control system designed to accelerate service provisioning from multivendor IP and optical infrastructure.The company’s Network Services Platform combines Alcatel-Lucent’s SDN-based software with its 5260 service-aware management system, Service Router operating system and the 1830 Photonic Service Switch GMPLS routing engine algorithms from Bell Labs. It also has a REST API interface to the Nuage Networks Virtual Services Platform SDN controller for data center networks so the IP/MPLS/optical network can be quickly provisioned based on the needs of data center interconnection and virtual machine mobility.To read this article in full or to leave a comment, please click here

Alcatel-Lucent uses SDN to meld IP, optical services

Hot stuff: The coolest drones

DronesImage by Northrop Grumman/Chad Slattery/Handout via ReutersThe world of drones – military and public – is changing so fast it’s hard to keep up with the changes. Here we take a look at some of the most recent advancements, such as getting drones to fly as a group, deliver orders in restaurants and take advanced technology into space. Read on:To read this article in full or to leave a comment, please click here

Hot stuff: The coolest drones

Orhan Ergun July 2015 CCDE Training

I am glad to announce that my next Online CCDE Training will start at second week of July. It will be Online through Webex , all the sessions will be recorded and you can download them to watch later as well. Also , when you pay the ccde training cost, you can attend my every… Read More »

The post Orhan Ergun July 2015 CCDE Training appeared first on Network Design and Architecture.

« Previous 1 … 3,411 3,412 3,413 3,414 3,415 … 3,773 Next »