Today there were multiple vulnerabilities released in OpenSSL, a cryptographic library used by CloudFlare (and most sites on the Internet). There has been advance notice that an announcement would be forthcoming, although the contents of the vulnerabilities were kept closely controlled and shared only with major operating system vendors until this notice.
Based on our analysis of the vulnerabilities and how CloudFlare uses the OpenSSL library, this batch of vulnerabilities primarily affects CloudFlare as a "Denial of Service" possibility (it can cause CloudFlare's proxy servers to crash), rather than as an information disclosure vulnerability. Customer traffic and customer SSL keys continue to be protected.
As is good security practice, we have quickly tested the patched version and begun a push to our production environment, to be completed within the hour. We encourage all customers to upgrade to the latest patched versions of OpenSSL on their own servers, particularly if they are using the 1.0.2 branch of the OpenSSL library.
The individual vulnerabilities included in this announcement are:
When Ansible was first founded three years ago, the underlying premise was to simplify some of the complexity in the existing DevOps tools. The mere idea of needing a strong developer toolset to automate your IT infrastructure was an overwhelming concept for most. I believe this is one of the underlying reasons that the majority of the IT shops are still using home-crafted scripts to automate updates to their infrastructure and shying away from having to add more complexity to an already complex world.
The well-known quote from Dieter Rams, the famous industrial designer, “Less but Better”, has become somewhat of a guiding principle for Ansible: being able to achieve in a few lines of YAML script, during lunch hour, what you can’t do in days of writing code with others.
In fact, not only do we apply that principle to our products in general, but to other operational things we do at Ansible, Inc. - from our internal communication to the onboarding process of new employees to how we handle customer support tickets. We are building an organization and an enterprise product based on simplicity. In fact, I’ve become a strong believer in the notion that complex
Ansible architect and craft beer connoisseur Jonathan Davila played a critical role in working with our trusted security partner MindPoint Group to get our joint automated security baseline project off the ground. With our release this week of the DISA STIG for RHEL 6, we’ve immediately improved the lives of Government IT admins that struggle to ensure their systems are compliant.
Merely building the Ansible role for Red Hat Enterprise Linux 6 (and CentOS variants) STIG required more than writing and organizing a collection of playbooks. In order to ensure that the role actually achieved the remediation goal, we needed to validate and verify updates through a continuous integration testing process that leverages the DISA-provided SCAP/OVAL definitions.
You can learn more about the mechanics of how Jonathan and the MindPoint Group built the STIG Role, along with technical details about how to replicate this testing method in your own environment here.
Want to learn more about the how and why? Jonathan also penned a LinkedIn article with his own thoughts about why this is an important step in the right direction for any IT organization that’s concerned about automagically applying and validating security baselines.
Learn more about automated baseline testing.
Chris Wahl is a Senior Solutions Architect at Ahead, located in Chicago, Ill. He has more than 14 years of experience as an IT Pro. Chris originally went to school for networking, and has a bachelor’s degree in networking and communications management. More recently he’s been doing sys admin work in sys admin engineering, architecture, and data center focused projects. His certifications include VMware VCDX #104, Cisco CCNA data center and CCNP router and switch certifications for which he also teaches classes, and several other VMware, Cisco, Microsoft, and HP certifications. He is also one of the first VCDX-NV certified professionals.
What excites you about network virtualization?
I spent quite a few years managing every type of virtualized infrastructure you can imagine, ranging from very small and medium sized businesses, to a 16,000 person enterprise with over 1,000 virtual machines. In every instance, the roadblock was always the network, to the point where in the large deployment that I managed, we would just plan that any network change would take three weeks even if it was just a VLAN on a port. We could pretty much guarantee that it would be about two weeks to make
F5 continues adding to its Synthesis framework.