Considerations for Host-based Firewalls (Part 1)

This is a guest blog post by Matthias Luft, Principal Platform Security Engineer @ Salesforce, and a regular ipSpace.net guest speaker.

Having spent my career in various roles in IT security, I have always bounced thoughts around with Ivan on the overlap between networking and security (and, more recently, Cloud/Container). One of the hot challenges on that boundary that regularly comes up in network/security discussions is the topic of this blog post: microsegmentation and host-based firewalls (HBFs).

The Hedge Podcast #49: Karen O’Donoghue and Network Time Security

Time is critical for many of the systems that make the Internet and other operational networks “go,” but we often just assume the time is there and it’s right. In this episode of the Hedge, Karen O’Donoghue joins Alvaro and Russ to talk about some of the many attacks and failures that can be caused by an incorrect time, and current and ongoing work in securing network time in the IETF.

Syncing MySQL tables with a custom Ansible module

The community.mysql collection from Ansible Galaxy provides a mysql_query module to run arbitrary MySQL queries. Unfortunately, it supports neither check mode nor the --diff flag. It is also unable to tell whether anything changed. Let’s write a specific Ansible module to work around these issues.

Notice

I recommend that you read “Writing a custom Ansible module” as an introduction.

Code

The module has the following signature and it executes the provided SQL statements in a single transaction. It needs a list of the affected tables to be able to detect and show the changes.

mysql_sync:
  sql: |
    DELETE FROM rules WHERE name LIKE 'CMDB:%';
    INSERT INTO rules (name, rule) VALUES
      ('CMDB: check for cats', ':is(object, "CAT")'),
      ('CMDB: check for dogs', ':is(object, "DOG")');
    REPLACE INTO webhooks (name, url) VALUES
      ('OpsGenie', 'https://opsgenie/something/token'),
      ('Slack', 'https://slack/something/token');
  user: monitoring
  password: Yooghah5
  database: monitoring
  tables:
    - rules
    - webhooks

Prerequisites

The module does not enforce idempotency, but it is expected you provide appropriate SQL queries. In the above example, idempotency is achieved because the content of the rules table is deleted and recreated from scratch while the rows in the webhooks table are Continue reading

Syncing SSH keys on Cisco IOS-XR with a custom Ansible module

The cisco.iosxr collection from Ansible Galaxy provides an iosxr_user module to manage local users, along with their SSH keys. However, the module is quite slow, does not display a diff for changed SSH keys, never signals a change when a key is modified, and does not delete obsolete keys. Let’s write a custom Ansible module that manages only the SSH keys while fixing these issues.

Notice

I recommend that you read “Writing a custom Ansible module” as an introduction.

How to add an SSH key to a user

Adding SSH keys to users in Cisco IOS-XR is quite undocumented. First, you need to encode the key with the “ssh-rsa” key ASN.1 format, like an OpenSSH public key, but without the base64-encoding:

$ awk '{print $2}' id_rsa.pub \
    | base64 -d \
    > publickey_vincent.raw

Then, you upload the key with SCP to harddisk:/publickey_vincent.raw and import it for the current user with the following IOS command:

crypto key import authentication rsa harddisk:/publickey_vincent.raw

However, if you want to import a key for another user, you need to be part of the root-system group:

username vincent
 group root-lr
 group root-system

With the following admin command, you Continue reading

Writing a custom Ansible module

Ansible ships a lot of modules you can combine for your configuration management needs. However, the quality of these modules may vary widely. Sometimes, it may be quicker and more robust to write your own module instead of shopping and assembling existing ones.1

In my opinion, a robust module exhibits the following characteristics:

  • idempotency,
  • diff support,
  • check mode compatibility,
  • correct change signaling, and
  • lifecycle management.

In a nutshell, it means the module can run with --diff --check and shows the changes it would apply. When run twice in a row, the second run won’t apply or signal changes. The last bullet point suggests the module should be able to delete outdated objects configured during previous runs.2

The module code should be minimal and tailored to your needs. Making the module generic for use by other users is a non-goal. Less code usually means fewer bugs and code that is easier to understand.

I do not cover testing here. It is undeniably a good practice, but it requires a significant effort. In my opinion, it is preferable to have a well written module matching the above characteristics rather than a module that is well tested but without them or a module requiring Continue reading

Updating AWS Credentials in Cluster API

I’ve written a bit here and there about Cluster API (aka CAPI), mostly focusing on the Cluster API Provider for AWS (CAPA). If you’re not yet familiar with CAPI, have a look at my CAPI introduction or check the Introduction section of the CAPI site. Because CAPI interacts directly with infrastructure providers, it typically has to have some way of authenticating to those infrastructure providers. The AWS provider for Cluster API is no exception. In this post, I’ll show how to update the AWS credentials used by CAPA.

Why might you need to update the credentials being used by CAPA? Security professionals recommend that users rotate credentials on a regular basis, and when those credentials get rotated you’ll need to update what CAPA is using. There are other reasons, too; perhaps you started with one set of credentials but now want to move to a different set of credentials. Fortunately, the process for updating the CAPA credentials isn’t too terribly tedious.

CAPA stores the credentials it uses as a Secret in the “capa-system” namespace. You can use kubectl -n capa-system get secrets and you’ll see the “capa-manager-bootstrap-credentials” Secret. The credentials themselves are stored as a key named credentials; you Continue reading

Explore VMware Tanzu Service Mesh at VMworld 2020

It’s that time of year again — VMworld! And while this year, due to COVID-19, we’re pivoting to a virtual format, we’ll still be delivering a top-notch event with great sessions on cutting-edge innovations. And the best part is, it’s FREE!

One of the hottest topics these days is service mesh, which is an abstraction that takes care of service-to-service communication, security, and observability. At VMware, we’re the “abstraction company” — but we’re not just working on the immediate use cases that the rest of the pack are working on, we’re ahead of the game, extracting a lot more value from our unique position vis-à-vis abstraction.

Service Mesh Sessions You Won’t Want to Miss:

I’ve compiled a list of our service mesh sessions below so you can easily register for them:

  1. Introduction to Tanzu Service Mesh [MAP1231] – This session, delivered by yours truly and Oren Penso, will take you step by step from understanding what service mesh is at the most basic level to understanding the unique value of VMware’s Tanzu Service Mesh. As we usually do, this session will have plenty of good demos.
  2. Connect and Secure Your Applications Through Continue reading

Don’t Forget Cybersecurity on Your Back-to-School List

This opinion piece was originally published in Dark Reading.

School systems don’t seem like attractive targets, but they house lots of sensitive data, such as contact information, grades, health records, and more.

Schools are starting to reopen around the country – some physically, some virtually, and some a hybrid of the two. As a result, the remote learning requirement that was thrust upon schools when the pandemic forced closures earlier this year has reemerged. Presumably, lessons learned during the chaotic transition in the spring can be applied to make fall run more smoothly. But one item is critical to consider during this back-to-school season: cybersecurity.

Before examining cybersecurity needs in school systems, it’s important to understand what’s at stake. On the surface, school systems don’t appear to be an attractive target, but they contain a significant amount of highly sensitive information, such as contact information, grades, health records, counselor interactions, and possibly parents’ financial records. In light of COVID-19 and increased remote connections, there is now even more data – including health status, contact tracing, and recordings of student participation online – housed in systems and therefore more privacy concerns than ever.

In recent years, schools have also seen Continue reading

Automation Architect Channel at AnsibleFest 2020

As we continue to expand all the insightful content that our attendees can expect from AnsibleFest 2020, we are excited to share with you our Automation Architect channel. Here is a sneak peek of exactly what to expect from the Automation Architect channel at AnsibleFest 2020.
Automation Architect Channel

Automation has become a key discipline in large IT organizations, but introducing automation to new areas is likely going to invoke technical and non-technical challenges. As organizations focus on building end-to-end automation solutions and increasing the automation footprint, Automation Architects will play a pivotal role as the interface with both technologists and business owners. 

In this track, you will learn more about Ansible best practices for building your organization’s automation architecture, how to best collaborate with the business it serves and how it can help in broader corporate initiatives, such as your cloud journey. Whether you are an Enterprise or  Automation Architect today or are interested in developing the skills for this career path, you will learn the best practices to successfully implement an automation initiative at scale. 

Understand how you can use and share automation assets and how customers automate across hybrid, scalable infrastructures. Learn about integrating Continue reading

Day Two Cloud 064: Bringing Ansible Into A Windows Shop

Today's Day Two Cloud podcast makes the case for bringing Ansible into your Windows automation toolkit with guest Josh Duffney. Josh is an SRE, a Microsoft MVP, and author of a book on Ansible. We discuss key elements of Ansible, how it fits in a Windows shop, using Ansible with the Chocolatey package manager, and more.

The post Day Two Cloud 064: Bringing Ansible Into A Windows Shop appeared first on Packet Pushers.

The Hedge Podcast #50: The Challenge of Growing People

Many network engineers complain about their companies not giving them opportunities—but how many think about helping the company grow in a way that allows them to have the opportunities they desire? Scott Morris, aka “evil ccie,” joins Tom and Russ on this episode of the Hedge to talk about the challenges of certifications, growing people, and people learning how to grow in a way that improves the business. Sometimes growing means creating opportunities rather than just waiting for them to knock.

The Internet Society Welcomes the Comoros Chapter

We are excited to announce the new Internet Society Comoros Chapter! ISOC Comoros officially launched in July in front of an in-person and online audience at the Retaj Hotel.

Journalists joined several distinguished guests, including:

  • Dawit Bekele, Internet Society’s Regional Vice-President for Africa
  • Mohamed Said Abdallah Mchangama, President of the Federation of Comorian Consumers (FCC)
  • Amina Abdallah, Coordinator of the World Bank’s Phase 4 of the Regional Communications Infrastructure Program for Africa (RCIP-4)
  • Hamidou Mhoma, President of the Comorian ICT Association
  • Chamsoudine Soudjay, Secretary General of the Comorian ICT Association
  • Amroine Mouzaoui, Executive Secretary of the Comorian Movement for Entrepreneurs
  • Raymane Ali Matoir, Director of Human Resources of Telma Comores
  • Youssouf Abdoulmadjid, Chief Operating Officer of Comor’Lab
  • Moussa Abdallah Moumine, Coordinator of the General Inspectorate of National Education

Since the country’s very first connection to the Internet in July 1998, the Internet industry has continued to evolve, along with telecommunications. The country is beginning to benefit from the rise in competition in the ICT sector, and as such the establishment of ISOC Comoros brings an added dimension to the development, promotion, and use of the Internet for the greater good of the entire country.

The Internet is for everyone and Continue reading

Example: Securing AWS Deployment

Nadeem Lughmani created an excellent solution for the Securing Your Cloud Deployment hands-on exercise in our public cloud online course. His Terraform-based solution includes:

  • Security groups to restrict access to the web server and the SSH bastion host;
  • An IAM policy and associated user with read-only access to EC2 and VPC resources (used for monitoring);
  • An IAM policy with full access to a single S3 bucket (used to modify static content hosted on S3);
  • An IAM role for AWS CloudWatch Logs;
  • Logging of SSH events from the SSH bastion host into CloudWatch Logs.

Many ad hoc Wi-Fi networks from the outset of COVID-19 still in use

The onset of the pandemic caught most organizations unaware, and IT departments were no exception. They had to address that workers could suddenly no longer safely come into the office, doctors needed to stand up telemedicine services, and professional and amateur sports were just generally scrambling.

Groups like the Information Technology Disaster Resource Center have been at the forefront of many such efforts, particularly those being undertaken by municipalities and school districts. The group provides technological know-how through volunteer workers and helps keep organizations connected in the wake of disasters. After COVID, the group has been a lot more active, according to operations director Joe Hillis.

Mitigating the Risks of Instance Metadata in AWS EKS

Compromising a pod in a Kubernetes cluster can have disastrous consequences on resources in an AWS Elastic Kubernetes Service (EKS) account if access to the Instance Metadata service is not explicitly blocked. The Instance Metadata service is an AWS API listening on a link-local IP address. Only accessible from EC2 instances, it enables the retrieval of metadata that is used to configure or manage an instance. Although you can only access instance metadata and user data from within the instance itself, the data is not protected by authentication or cryptographic methods.

A recent blog described a scenario where an attacker compromised a pod in an EKS cluster by exploiting a vulnerability in the web application it was running, thus enabling the attacker to enumerate resources in the cluster and in the associated AWS account. This scenario was simulated by running a pod and attaching to a shell inside it.

By querying the Instance Metadata service from the compromised pod, the attacker was able to access the service and retrieve temporary credentials for the identity and access management (IAM) role assigned to the EC2 instances acting as Kubernetes worker nodes. At that point, the attacker was able to pursue multiple exploits, Continue reading

Alleged leaks from AMD indicate big performance gains in upcoming Epyc refresh

A German tech site claims to have internal AMD documents that show the next generation of AMD Epyc server processors will boast a significant performance gain. AMD declined to comment on the veracity of the article.

Hardwareluxx posted what it said were details from internal AMD slides revealing the performance potential of AMD's next-gen server processors, codenamed “Milan,” otherwise known as Zen 3, due to ship later this year.

According to the slides, Zen 3 is in many ways similar to the Zen 2 generation (aka “Rome”) currently on the market. It will be socket-compatible with the first and second generations of Epyc, so current owners can swap out the older chips for newer ones. It will have a maximum of 64 cores, which is the same as Rome. It will support DDR4 memory and PCI Express 4.0 interconnects, like Rome. One difference is that instead of two 16MB L3 caches, Milan will have one 32MB L3 cache.