Making STIG Automation Possible: A Technical Deep Dive
Ansible architect and craft beer connoisseur Jonathan Davila played a critical role in working with our trusted security partner MindPoint Group to get our joint automated security baseline project off the ground. With our release this week of the DISA STIG for RHEL 6, we’ve immediately improved the lives of Government IT admins that struggle to ensure their systems are compliant.
Merely building the Ansible role for Red Hat Enterprise Linux 6 (And CentOS variants) STIG required more than writing and organizing a collection of playbooks. In order to ensure that the role actually achieved the remediation goal, we needed to validate and verify updates through a continuous integration testing process that leverages the DISA-provided SCAP/OVAL definitions.
You can learn more about the mechanics of how Jonathan and the MindPoint Group built the STIG Role, along with technical details about how to replicate this testing method in your own environment here.
Want to learn more about the how and why? Jonathan also penned a LinkedIn article with his own thoughts about why this is an important step in the right direction for any IT organization that’s concerned about automagically applying and validating security baselines.
Learn more about automated baseline testing.
Continue reading
VCDX-NV Interview: Chris Wahl
Chris Wahl is a Senior Solutions Architect at Ahead, located in Chicago, Ill. He has more than 14 years of experience as an IT Pro. Chris originally went to school for networking, and has a bachelor’s degree in networking and communications 
management. More recently he’s been doing sys admin work in sys admin engineering, architecture, and data center focused projects. His certifications include VMware VCDX #104, Cisco CCNA data center and CCNP router and switch certifications for which he also teaches classes, and several other VMware, Cisco, Microsoft, and HP certifications. He is also one of the first VCDX-NV certified professionals
What excites you about network virtualization?
I spent quite a few of years managing every type of virtualized infrastructure you can imagine, ranging from very small and medium sized businesses, to a 16,000 person enterprise with over 1,000 virtual machines. In every instance, the roadblock was always the network to the point where in the large deployment that I managed, we would just plan that any network change would take three weeks even if it was just a VLAN on a port. We could pretty much guarantee that it would be about two weeks to make Continue reading
New F5 Load Balancer & Volume Licensing Aim to Enhance App Delivery
F5 continues adding to its Synthesis framework.
IPv6 Cheat Sheet
Just in case you're new to IPv6 and struggle with the essentials: here's an excellent cheat sheet by Jeff Carrell… and don't forget to check the amazing Cheat Sheet Library @ packetlife.net.What ever it is, CISA isn’t cybersecurity
In the next couple months, Congress will likely pass CISA, the Cybersecurity Information Sharing Act. This is a bad police-state thing. It will do little to prevent attacks, but do a lot to increase mass surveillance.They did not consult us security experts when drafting this bill. If they had, we would have told them the idea doesn’t really work. Companies like IBM and Dell SecureWorks already have massive “cybersecurity information sharing” systems where they hoover up large quantities of threat information from their customers. This rarely allows them to prevent attacks as the CISA bill promises.
In other words, we’ve tried the CISA experiment, and we know it doesn’t really work.
While CISA won’t prevent attacks, it will cause mass surveillance. Most of the information produced by countermeasures is in fact false-positives, triggering on innocent anomalies rather than malicious hackers. Your normal day-to-day activities on the Internet occasionally trigger these false-positives. When this information gets forwarded to law enforcement, it puts everyone in legal jeopardy. It may trigger an investigation, or it may just become evidence about you, for example, showing which porn sites you surf. It’s mass surveillance through random sampling.
That such mass surveillance is the goal Continue reading
Cumulus Networks, sFlow and data center automation
Cumulus Networks and InMon Corp have ported the open source Host sFlow agent to the upcoming Cumulus Linux 2.1 release. The Host sFlow agent already supports Linux, Windows, FreeBSD, Solaris, and AIX operating systems and KVM, Xen, XCP, XenServer, and Hyper-V hypervisors, delivering a standard set of performance metrics from switches, servers, hypervisors, virtual switches, and virtual machines – see Visibility and the software defined data center.
The Cumulus Linux platform makes it possible to run the same open source agent on switches, servers, and hypervisors – providing unified end-to-end visibility across the data center. The open networking model that Cumulus is pioneering offers exciting opportunities. Cumulus Linux allows popular open source server orchestration tools to also manage the network, and the combination of real-time, data center wide analytics with orchestration make it possible to create self-optimizing data centers.
Install and configure Host sFlow agent
The following command installs the Host sFlow agent on a Cumulus Linux switch:
sudo apt-get install hsflowd
Note: Network managers may find this command odd since it is usually not possible to install third party software on switch hardware. However, what is even more radical is that Cumulus Linux allows users to download source Continue reading