Friday, March 27, 2015

Security, Cloud and Networking Weekly News Roundup: March 30 - April 3

This week's news in cloud, networking, and security - week of March 30th: 


German cloud provider ProfitBricks is attempting to attract customers from other public cloud providers with price/performance guarantees and an offer to credit users with the difference in price if another provider offers the same services at a lower cost. ProfitBricks has vowed to match the price and performance of any workload that users have running in Amazon, Google or Microsoft's clouds. ProfitBricks ignites cloud pricing war with AWS, Google and Microsoft via Computer Weekly

A new Cloud Security Alliance survey of financial companies found that more than 40% of small companies (<=500 employees) had adopted cloud and 61% of institutions are developing cloud strategies. There is still room for improvement, with only 42% reporting actively implemented data encryption solutions for the cloud. Financial firms searching for cloud strategy via Business Cloud

"The most commonly expressed cloud security concerns revolve around the lack of visibility into the data protection measures employed by service providers," a new report from Ovum states. With 80% of enterprises now using some form of cloud technology, service providers need to set up security measures and user controls. Ovum urges service providers to get serious about cloud security via Computer Weekly

Google's Cloud Platform now offers Cloud Launcher, a catalog of applications that can be deployed with one click. The catalog includes common applications such as WordPress and LAMP, and stack components like Nginx and Node.js. Google Cloud Launcher deploys VM-based apps in a snap via InfoWorld

The Open Data Center Alliance Cloud Adoption Survey 2014, published this month, reports that ODCA members are focusing on internal clouds over public cloud, and exploring both software defined networking and hybrid cloud.
According to the ODCA, the share of respondents who have more than 60% of operations in an internal cloud has increased from 10% in 2012 to 24% in 2014.

Image credit: ODCA Cloud Adoption Survey 2014


Upcoming events Cohesive is hosting and attending:
  • 8 April CloudCamp Chicago FinTech
  • 15 April attending the AWS Summit London at ExCel 
  • 20 - 24 April - attending RSA Conference in San Francisco
  • 30 April - Cohesive Sponsoring & hosting the Secret Service Chicago Electronic Crimes Task Force April meeting
  • 2 - 4 June InfoSec London
  • 1 July AWS Summit Chicago 

Friday, March 20, 2015

Security, Cloud and Networking Weekly News Roundup: March 16 - 20

This week's news in cloud, networking, and security - week of March 16th: 


A global Tata Communications study found that organizations with more than 500 employees are seeing tangible benefits from cloud computing. Cloud Computing Reducing Costs, Improving Productivity via eweek
  • 85% say cloud has lived up to industry hype and are seeing benefits they did not expect
  • 23% responded that cloud has exceeded their expectations
  • 58% estimate they will have their compute and data storage in the cloud in 10 years, compared with 28% currently

OpenSSL releases a patch fixing 14 security flaws  via the InfoSec Handlers Diary Blog

Security experts say law firms are perfect targets for hackers. Research from Mandiant reports at least 80 of the 100 biggest law firms in the US, by revenue, have been hacked since 2011. Cyber Attacks Upend Attorney-Client Privilege via Bloomberg

VMware's vSphere 6 enters availability. "The company announced Monday general availability of VMware vSphere 6, its flagship suite of software tools for building cloud, its own OpenStack flavor, and the VMware Virtual SAN 6."  vSphere 6, VMware’s ‘One Cloud’ Strategy Centerpiece, Enters Availability via DataCenter Knowledge

After the 2013 breach that leaked 40 million card records, Target has agreed to settle the class-action lawsuit. Target will allocate $10 million to all the victims whose credit and debit card information had been stolen. According to official statements, the company will pay victims up to $10,000 in damages, although the terms of the allocation and the sums allocated are confidential at the moment. Target Finally Settles Class Action via SurfWatch

Upcoming events Cohesive is hosting and attending:
  • 8 April CloudCamp Chicago FinTech
  • 20 - 24 April - attending RSA Conference in San Francisco
  • 30 April - Cohesive Sponsoring & hosting the Secret Service Chicago Electronic Crimes Task Force April meeting

Wednesday, March 18, 2015

How to customize VNS3 with our API: Clientpack

VNS3 sits at the confluence of network function virtualisation (NFV) - networks made out of software, and software defined networking (SDN) - networks configured by software. The key to that configuration is our API, which is thoroughly documented in the VNS3 3.5 API Instructions.

The aim of this blog series is to provide some practical examples of using the API to perform typical administration tasks with VNS3. Each example will be illustrated by a simple shell script.
Image credit: API Academy "What is an API"

Firstly some conventions


All of these scripts need to connect to the manager and make use of the API password. Each example will use a manager IP (MGRIP) of '10.0.0.10' and an API password (APIPW) set to 'pa55Word'. Please substitute the correct values in your own scripts, and note that the manager IP will generally need to be its internal IP address.

Dependencies


OpenVPN should be installed, and this script needs bash and curl to be present.

Getting client packs


#!/bin/bash
# Abort early if the tools the script relies on are missing.
command -v openvpn >/dev/null 2>&1 || { echo "OpenVPN should be installed first. Aborting." >&2; exit 1; }
command -v curl >/dev/null 2>&1 || { echo "This script requires curl, but it's not installed. Aborting." >&2; exit 1; }
# VNS3 manager address and API password: replace these with your own values.
MGRIP=10.0.0.10
APIPW=pa55Word
# Optional first argument: a name tag to attach to the clientpack.
NAME=$1
if [ -e /etc/openvpn/clientpack.ip ]; then
  echo "VNS3 Clientpack already installed"
else
  # Ask the manager for the next unused clientpack. -k disables TLS certificate
  # verification, so only use it on a path to the manager that you trust.
  CLIENTPACKJSON=$(curl -k -X POST -u api:$APIPW -H 'Content-Type: application/json' https://$MGRIP:8000/api/clientpacks/next_available)
  # Pull the name and overlay IP out of the JSON with grep/awk (no JSON parser needed).
  CLIENTPACKNAME=$(echo $CLIENTPACKJSON | grep -Po '"name":.*?[^\\]"' | awk '{split($0,a,":"); print a[2]}')
  CLIENTPACKIP=$(echo $CLIENTPACKJSON | grep -Po '"overlay_ipaddress":.*?[^\\]"' | awk '{split($0,a,":"); print a[2]}')
  # Stop here rather than writing an empty /etc/openvpn/.conf if the API call failed.
  [ -n "$CLIENTPACKNAME" ] || { echo "Could not get a clientpack from $MGRIP. Aborting." >&2; exit 1; }
  # Download the clientpack in OpenVPN .conf format.
  curl -k -X GET -H 'Content-Type: application/json' -d '{"name":'$CLIENTPACKNAME',"format":"conf"}' https://api:$APIPW@$MGRIP:8000/api/clientpack -o /etc/openvpn/"${CLIENTPACKNAME//\"}".conf
  # Tag the clientpack with the supplied name so it shows up in the VNS3 console.
  if [ "$NAME" != "" ]; then
    curl -k -X POST -u api:$APIPW -d '{"key":"name", "value":"'$NAME'"}' -H 'Content-Type: application/json' https://$MGRIP:8000/api/clientpack/${CLIENTPACKNAME//\"}
  fi
  # Record the overlay IP (quotes stripped) for other automation to use.
  echo "${CLIENTPACKIP//\"}" > /etc/openvpn/clientpack.ip
  # Restart OpenVPN to pick up the new clientpack.
  service openvpn stop && service openvpn start
fi
View or download this script from GitHub Gist

If this script is run without parameters it will simply download the next available clientpack.
 $ sudo ./clientpack.sh  
  % Total  % Received % Xferd Average Speed  Time  Time   Time Current  
                  Dload Upload  Total  Spent  Left Speed  
 100  509 100  509  0   0  2533   0 --:--:-- --:--:-- --:--:-- 2557  
  % Total  % Received % Xferd Average Speed  Time  Time   Time Current  
                  Dload Upload  Total  Spent  Left Speed  
 100 7336 100 7295 100  41 51820  291 --:--:-- --:--:-- --:--:-- 52482  
  * Stopping virtual private network daemon(s)...                 *  No VPN is running.  
  * Starting virtual private network daemon(s)...                 *  Autostarting VPN '192_168_56_132'  

If it's run with a parameter then that will be used as the name tag for the clientpack which can then be seen in the VNS3 console.
 $ sudo ./clientpack.sh demo  
  % Total  % Received % Xferd Average Speed  Time  Time   Time Current  
                  Dload Upload  Total  Spent  Left Speed  
 100  509 100  509  0   0  2463   0 --:--:-- --:--:-- --:--:-- 2482  
  % Total  % Received % Xferd Average Speed  Time  Time   Time Current  
                  Dload Upload  Total  Spent  Left Speed  
 100 7340 100 7299 100  41 49831  279 --:--:-- --:--:-- --:--:-- 50337  
 {"response":{"name":"192_168_56_133","tags":{"name":"demo"}}} * Stopping virtual private network daemon(s)...                          *  No VPN is running.  
  * Starting virtual private network daemon(s)...                 *  Autostarting VPN '192_168_56_133'   

Picking the script apart


If you just want to use the script then hopefully all you need to do is set the variables at the beginning to work with your VNS3 IP and password (and you might also choose to replace the tests for openvpn and curl with the package manager instructions to install them e.g. 'apt-get install -y openvpn curl' if you're using Debian or Ubuntu). If you want to customise it then read on for an explanation of what's going on. I'll start after the test for whether a client pack is already installed, as it's all pretty obvious up to that point.

Firstly we call the next_available clientpack API, which returns a lump of JSON:
CLIENTPACKJSON=$(curl -k -X POST -u api:$APIPW -H 'Content-Type: application/json' https://$MGRIP:8000/api/clientpacks/next_available)

In order to avoid the extra dependencies that would be introduced by using a proper JSON parser, the name and IP of the clientpack are pulled out by string slicing:
CLIENTPACKNAME=$(echo $CLIENTPACKJSON | grep -Po '"name":.*?[^\\]"' | awk '{split($0,a,":"); print a[2]}')
CLIENTPACKIP=$(echo $CLIENTPACKJSON | grep -Po '"overlay_ipaddress":.*?[^\\]"' | awk '{split($0,a,":"); print a[2]}')

The clientpack itself is then downloaded:
curl -k -X GET -H 'Content-Type: application/json' -d '{"name":'$CLIENTPACKNAME',"format":"conf"}' https://api:$APIPW@$MGRIP:8000/api/clientpack -o /etc/openvpn/"${CLIENTPACKNAME//\"}".conf  

If a name parameter was passed then the clientpack is tagged:
if [ "$NAME" != "" ]; then   
 curl -k -X POST -u api:$APIPW -d '{"key":"name", "value":"'$NAME'"}' -H 'Content-Type: application/json' https://$MGRIP:8000/api/clientpack/${CLIENTPACKNAME//\"}   
fi  

and to finish off the clientpack IP is written to a file (with the quotes around it stripped out), which might be useful for other automation scripts:
echo "${CLIENTPACKIP//\"}" > /etc/openvpn/clientpack.ip

Finally the OpenVPN service is restarted in order to pick up the new clientpack:
service openvpn stop && service openvpn start  
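As an added example (not part of the post's script or the VNS3 project), here is a portable version of the string slicing above that uses POSIX awk instead of grep -P (which needs GNU grep built with PCRE), plus sanity checks on the extracted name and overlay IP before they are used to build /etc/openvpn/<name>.conf. The JSON response is constructed to match the shape shown in the post's output, and the clientpack naming rule (overlay IP with dots replaced by underscores) is assumed from that output.

```shell
#!/bin/sh
# Added example, not the VNS3 clientpack script itself: portable extraction of
# the fields the script slices out of the next_available response, plus checks
# that stop the run before an empty or odd value is used as a file name.

# Print the first "key":"value" string from a one-line JSON body.
# POSIX awk instead of grep -P, which needs GNU grep with PCRE support.
# Fails (exit 1, no output) when the key is missing, the value is empty,
# or the body is empty (e.g. the curl call failed).
json_str_field() {
  printf '%s' "$1" | awk -v k="\"$2\":\"" '
    { i = index($0, k); if (i == 0) exit 1
      s = substr($0, i + length(k)); j = index(s, "\"")
      if (j <= 1) exit 1
      print substr(s, 1, j - 1); found = 1; exit }
    END { if (!found) exit 1 }'
}

# Assumed naming rule: clientpack names are the overlay IP with dots swapped
# for underscores (192_168_56_133 in the post's output). Rejecting anything
# else keeps values like ../something out of /etc/openvpn/<name>.conf.
valid_clientpack_name() {
  case $1 in
    ""|*[!0-9_]*) return 1 ;;
  esac
}

# Four dotted decimal octets, each 0-255.
valid_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# Constructed sample in the shape of the post's tagged response; note the
# second "name" under "tags" must not be the one picked up.
SAMPLE='{"response":{"name":"192_168_56_133","overlay_ipaddress":"192.168.56.133","tags":{"name":"demo"}}}'

# Validate both fields; prints "name ip" on success, nothing (exit 1) otherwise,
# so a failed API call or an unexpected response stops the run before any file
# is written or any service restarted.
check_clientpack() {
  name=$(json_str_field "$1" name) || return 1
  ip=$(json_str_field "$1" overlay_ipaddress) || return 1
  valid_clientpack_name "$name" || return 1
  valid_ipv4 "$ip" || return 1
  printf '%s %s\n' "$name" "$ip"
}

check_clientpack "$SAMPLE"   # 192_168_56_133 192.168.56.133
```

In the post's script this would sit between the grep/awk lines and the clientpack download, with the curl to /api/clientpack only running when check_clientpack succeeds.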

Tuesday, March 10, 2015

Bastion hosts and the new perimeter

TL;DR


Wikipedia describes a Bastion host as 'a special purpose computer on a network specifically designed and configured to withstand attacks'. This is a great description of how many of our customers use our VNS3 network manager, and is even more apt for our new VNS3:turret Application Security Controller.

Background

I first came across the term 'Bastion host' when working at a large Swiss bank where such things were an essential part of the DMZ design. These would be the first machines that web traffic from the Internet would hit (having come straight through the firewalls that were of course configured to allow web traffic). They were of course *very* well hardened, and very stripped down as they had two simple roles in life:
  1. Pass allowable traffic on to the next link in the application delivery chain (and drop all other traffic)
  2. Don't get compromised and become part of an attacker's 'kill chain'.

What changed in the cloud?

Not a lot really. The physical firewalls have been replaced by security groups that work at a VM or VPC level, and the Bastion host is now a VM rather than a physical box.


What really changed in the cloud?

There's a lot more to a modern DMZ than just the perimeter firewall and the Bastion host serving front of house. The last couple of decades have brought us NIDS/NIPS, dedicated SSL/TLS termination, web application firewalls (WAFs), edge caching and ever more sophisticated load balancing. Each of these things started life as a standalone network box (which was often just an x86 server delivered as an appliance), but over time industry convergence and economic pressures have squeezed these functions into 'unified threat management' (UTM) in some cases or an 'application delivery controller' (ADC) in others.

Whether it's made from a bunch of different special purpose boxes, or one unified appliance, these tools have always been deployed at a network choke point, which has a couple of serious design consequences:

  1. The network appliance has to keep up with everything going through the choke point, meaning that for anything beyond small scale deployments it must go fast - very fast.
  2. The network appliance has to deal with every application beyond the choke point, which is basically every application in the enterprise (or at least that geography), meaning a kitchen sink full of (sometimes contradictory) rules.
Cloud changes this model a lot:
  1. There is nowhere to install a physical network box in any normal cloud, everything has to be on a VM (or a bunch of VMs).
  2. Cloud networks tend to be naturally segmented around individual applications (rather than the intranet style deployment of everything on one network), which means that the throughput requirement is lower and the rules scope is much smaller.
The key here is a shift from one huge centralised choke point to a distributed array of smaller, application specific choke points.

This is what we call the Application Security Controller - it's something that does similar functions to a UTM or ADC, but that's deployed completely differently because it creates an application perimeter rather than an enterprise perimeter.

So how does VNS3 fit into this?

At the most basic level the firewall on VNS3 can be configured to forward appropriate traffic back to application serving hosts in the network behind it (which might be an encrypted overlay network or could just be a VPC).

Containers, containers, containers

Containment approaches like chroot have often been used to provide isolation between services, and as container capabilities have got more sophisticated and accessible (with tools like Docker) it's become more practical to put more network application services into containers.

The container subsystem on VNS3 can be used for the full range of application security controller functions, such as proxy, reverse proxy, cache, load balancer, SSL/TLS termination, NIDS and more. For many customers this means taking what might otherwise run in small VMs on the Internet edge of an application and moving that functionality into containers that are co-resident with the core network manager, thus shrinking the security surface area, management complexity and of course cost.

So what is VNS3:turret

VNS3:turret is an Application Security Controller. The core network manager is the same as VNS3:net, but it comes with a set of preconfigured network application services and the corresponding rule sets, updates and support services so that it can be tailored to the application(s) it's protecting.

Conclusion

After all this time a strong Bastion host is still a very relevant part of any network perimeter - it's a concept that's survived the transition that's presently happening from enterprise perimeters to more segmented application perimeters. That transition is being driven by a migration to cloud (both public and private) and an ever more attentive regulatory and compliance environment. As that transition happens we see a shift towards the Application Security Controller model, which is why we built one - VNS3:turret.


Friday, March 6, 2015

Security, Cloud and Networking Weekly News Roundup: March 2 - 6

This week's news in cloud, networking, and security - the week of March 2nd: 


The FREAK bug in TLS/SSL - what you need to know via Naked Security

NTT is now the 3rd largest data center operator in Europe. NTT Communications Corp. paid about $830M to quickly expand its European footprint, adding a campus in Frankfurt and data centers in Munich, Hamburg, Berlin, Zurich and Vienna. Two thirds of NTT's data center footprint is now outside Japan. NTT Making Aggressive Data Center Push via Light Reading

"Both the FBI's James Comey and UK Prime Minister David Cameron recently proposed limiting secure cryptography in favor of cryptography they can have access to. But here's the problem: technological capabilities cannot distinguish based on morality, nationality, or legality." - The Democratization of Cyberattack via Schneier on Security

Over the last few years, network attacks have subsided in favor of attacks by hackers on firewalls. Active SSL exploits and growing cloud storage have made the typical intrusion detection and intrusion prevention systems (IDS/IPS) solutions less capable of analyzing traffic higher than Layer 3. Web applications will become "the main arena for battles of hacking vs. security." Web Application Firewalls: Next Big Thing in Security via eSecurity Planet

Aliyun, Alibaba’s cloud computing arm, built a new data center in California. Alibaba likely will use the data center to target Chinese companies based in the U.S. and to expand from that base. If you thought cloud competition couldn’t get hotter, think again via Gigaom




Upcoming events Cohesive is hosting and attending:
  • 11 - 12 March - exhibiting and speaking at CloudExpo in London
    • Wed at 1pm Chris Swan is on the panel "Panel: Is the future containers, virtualization, or both?" in the Service Provider & Cloud Ecosystem Theatre – Technology
    • Thurs at 1.15pm Chris Swan is presenting "The Application Security Controller" in Software Defined Data Centre and Networks Theatre
  • 8 April CloudCamp Chicago FinTech
  • 20 - 24 April - attending RSA Conference in San Francisco
  • 30 April - Cohesive Sponsoring & hosting the Secret Service Chicago Electronic Crimes Task Force April meeting
