Showing posts with label network. Show all posts
Showing posts with label network. Show all posts
Two cool new exploits have been released complete with cool names and graphics. Welcome Meltdown and Spectre, these critical vulnerabilities exploit pretty much all modern processors. Even though these hardware vulnerabilities have been around forever, four independent groups of researchers discovered these vulnerabilities simultaneously. Meltdown and Spectre at a high level allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs.
Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. But what about our network and security equipment using modern processors, are they vulnerable? Below is a list I put together of links to vendors sites and their responses to the vulnerabilities. I imagine most of them will keep these pages up to date as they discover new information. This is a complicated and low level issue so most vendors are going to need time to really evaluate their products and create patches.
Luckily in most cases it is an attack that is performed through the management access, so if you follow the best practice of limiting device management access from only trusted IPs or networks you should be good until the patches are released.
PaloAlto Networks
"Our initial review of the vulnerabilities disclosed in the research concludes that all PAN-OS/Panorama platforms are not directly impacted by these attacks. There are no immediate plans to release a software update to PAN-OS in response to these issues at this time"F5
"ImpactFor products with None in the Versions known to be vulnerable column, there is no impact. For products with ** in the various columns, F5 is still researching the issue and will update this article after confirming the required information. F5 Technical Support has no additional information about this issue.
BIG-IP
All three vulnerabilities require an attacker capable of providing and running binary code of their choosing on the BIG-IP platform. This raises a high bar for attackers attempting to target BIG-IP systems over a network and would require an additional, un-patched, user-space remote code execution vulnerability to exploit these new issues. The only administrative roles on a BIG-IP system that can execute binary code or exploitable analogs, such as JavaScript, are the Administrator and Resource Administrator roles. These users already have nearly complete access to the system and all secrets on the system not protected by hardware-based encryption. F5 believes that the attack with the highest impact may occur in multi-tenancy Virtual Clustered Multiprocessing (vCMP) configurations, running single-core guests owned by different administrative domains on a single BIG-IP system. In this scenario, Spectre Variant 2 may allow an attacker in one administrative domain to collect privileged information from the host or guests owned by another administrative domain, if the attacker's guest is configured as a single-core guest. The BIG-IP system always maps both hyper-threads of a given core to any guest with the "Cores Per Guest" configuration set to 2 or more, but single-core guests may execute on the same processor core as another single-core guest or host code. This threat may be mitigated by setting the "Cores Per Guest" configuration to 2 or more for all guests."
Cisco
"Cisco is investigating its product line to determine which products may be affected by these vulnerabilities. As the investigation progresses, Cisco will update this advisory with information about affected products, including the Cisco bug ID for each affected product."Juniper
"Juniper SIRT is actively investigating the impact on Juniper Networks products and services.”Brocade
Citrix/Netscaler
"Citrix NetScaler SDX: Citrix believes that currently supported versions of Citrix NetScaler SDX are not at risk from malicious network traffic. However, in light of these issues, Citrix strongly recommends that customers only deploy NetScaler instances on Citrix NetScaler SDX where the NetScaler admins are trusted."
Captive portals have become synonymous with guest Wi-Fi in enterprise environments. From Starbucks to your doctor's office people expect free and easy to use Wi-Fi, but what was once easy to do is getting more difficult. Browser security is always improving which has made the goal of HTTPS redirects even more difficult. Captive portal redirection for users going to HTTPS websites has always created SSL related errors -- this has helped create a cry wolf scenario when it comes to HTTPS redirection errors. This error rich environment has helped HSTS errors fly under the radar.
At a high level HSTS (HTTP Strict Transport Security) is a policy that, when enabled, forces a browser to use an HTTPS connection over a HTTP and allows for the SSL certificate to be cached on the browser for a predetermined length of time. With HSTS enabled, clients are protected from protocol downgrading, man in the middle attacks, and cookie hijacking. Most modern browsers (Google Chrome, Mozilla Firefox, Microsoft Edge) come preloaded with a list of sites supporting STS (Strict Transport Security). Along with the pre-configured list built into browsers, developers can take it upon themselves to enable this policy on their sites. Once enabled a timeout will be sent with the HTTPS header that contains a HSTS TTL “
For a more in depth HSTS description check out Troy Hunt's post Understanding HSTS.
So how does HSTS break captive portals? HSTS enforces the use of HTTPS. It enforces this using two methods that where mentioned earlier the HSTS header or STS preload lists in the browser. When a user connects to a captive portal and launches their browser, normally the wireless controller would intercept their Internet request and a redirect is sent back to the client. This redirect to the captive portal will obviously be a different CN than their original request so, many times, this creates an SSL error. Many users have become numb; accepting the error and continuing to the portal. But HSTS is a little different.
Because HSTS already knows the website should be using HTTPS the browser issues an internal HTTP 307 redirect redirecting the traffic to HTTPS even before it attempts to connect to the server. Once it connects to the server it attempts to validate the HSTS valid certificate. In the case of a redirection the captive portal would not be insuring the same HTTPS HSTS validated certificates. When this happens the browser will assume something nefarious is going on and not allow the redirection to occur. I know one vendor has a bug report filed for this issue - even though its not really a bug - and I don't know if its a fix the wireless vendors can provide.
Bottom line for users connected to a captive portal today:
This issue of not being redirected to a captive portal affects every wireless vendor. As more and more sites use HSTS, getting a proper redirect becomes harder. Hopefully the wireless vendors are sitting on the working group for this new standard and are pushing hard to get it ratified.
At a high level HSTS (HTTP Strict Transport Security) is a policy that, when enabled, forces a browser to use an HTTPS connection over a HTTP and allows for the SSL certificate to be cached on the browser for a predetermined length of time. With HSTS enabled, clients are protected from protocol downgrading, man in the middle attacks, and cookie hijacking. Most modern browsers (Google Chrome, Mozilla Firefox, Microsoft Edge) come preloaded with a list of sites supporting STS (Strict Transport Security). Along with the pre-configured list built into browsers, developers can take it upon themselves to enable this policy on their sites. Once enabled a timeout will be sent with the HTTPS header that contains a HSTS TTL “
Strict-Transport-Security: max-age=31536000”. The certificate received from the site will be honored until the timeout expires. Future attempts to access the site will reference the certificate and, if the certificate does not match, the browser will not allow the connection to site to be established.For a more in depth HSTS description check out Troy Hunt's post Understanding HSTS.
So how does HSTS break captive portals? HSTS enforces the use of HTTPS. It enforces this using two methods that where mentioned earlier the HSTS header or STS preload lists in the browser. When a user connects to a captive portal and launches their browser, normally the wireless controller would intercept their Internet request and a redirect is sent back to the client. This redirect to the captive portal will obviously be a different CN than their original request so, many times, this creates an SSL error. Many users have become numb; accepting the error and continuing to the portal. But HSTS is a little different.
Bottom line for users connected to a captive portal today:
- If the user visits an HTTP site, they are immediately redirected to the captive portal. This works regardless of what browser they are using
- If the user visits an HTTPS site that does not use HSTS, they receive a warning. If they click "Continue" they are redirected to the captive portal. This works regardless of browser
- If the user visits an HTTPS site that does use HSTS and they are using the browser that supports HSTS they are dead-ended. The only way to get redirected to the captive portal is to visit a different site. Many people have https://www.google.com or Facebook set as their homepage. Both of these sites use HSTS so this might confuse some users.
This issue of not being redirected to a captive portal affects every wireless vendor. As more and more sites use HSTS, getting a proper redirect becomes harder. Hopefully the wireless vendors are sitting on the working group for this new standard and are pushing hard to get it ratified.
In the long run, if something is not done, enterprises will quit using captive portals if it becomes really tough to get a proper redirect. But for now, being forced to use captive portals, I have not seen a sure fire technical way of getting around the issue. But you can get around the HSTS errors through communication and policy.
For example:
I am considering turning off HTTPS redirection all together. What this does is create a predictable environment for the users and the system admins. By not redirecting HTTPS you take the confusion of redirection issues based on SSL certificates, HSTS, or any new security the browsers builds in and level the playing field. Then in the case of using a sponsored portal, the email notification that is sent to visitor and/or person being visited can include the verbiage, "If you are not redirected to the guest portal please type a non secured HTTP website into your browser".
Bluetooth Serial Adapter (set up)
Working in a data center allot of the time you are bouncing from one pice of equipment to another. Plugged into a console-port buried in a cabinet or behind cabling impossible to get to. So I thought I would share my wireless serial setup.
Most new laptops do not have the DB-9 serial ports of yesteryear, and managing network equipment often times requires that old school 9600 Baud serial connection. So here are the components I used to set up my own bluetooth serial rig.
If you are weary as I was don't worry. I have been using mine for almost a year now and it works great. In fact it has worked on devices that my USB serial adapter wouldn't , i.e. Cisco CSS. I have used it with a MacBook Pro running OSX 10.6 & 10.7, as well as Windows 7 with no problems. I have found it to be a little bit more stable in OSX, I think because Windows 7 Bluetooth can be kind of finicky. Let me know if you have a different Bluetooth serial setup and I will add a link.
Serial Bluetooth Adapter UCBT232B
Energizer Mini-USB Portable Charger for BlackBerry - Black
C2G / Cables to Go - 02782 - DB9 M/M Mini Gender Changer
With the prevalence of cloud computing and companies growing dependencies, environments such as Amazon Web Services have become a huge points of failure. The interdependency on web service companies and cloud infrastructure has created a complicated and confusing web. The average Joe knows Netflix doesn't work, but there is no way for him to find out why it doesn't work. Some companies are proactive and do a pretty decent job updating clients on outages, but a majority of them are happy with keeping their customers in the dark. The goal of this post is to give some helpful links that may give you some visibility into this mysterious haze they call The Cloud.
Amazon does a pretty good job here is there AWS Service Health Dashboard:
AWS Amazon Service Health Dashoard
AWS Twitter Feed
Netflix which runs almost exclusivaly on AWS:
Netflix Twitter Feed
Many other companies leverage the Amazon Cloud such as Reddit, Coursera, Flipboard, FastCompany, Foursquare, Pinterest, Airbnb, and more.
Google Apps Status, this page breaks out many of Google core services:
App Status Dashboard
Apple Services such as iCloud, iMessage, Siri, etc.:
Apple Support System Status
Rackspace Cloud Status:
Cloud Status
Amazon does a pretty good job here is there AWS Service Health Dashboard:
AWS Amazon Service Health Dashoard
AWS Twitter Feed
Netflix which runs almost exclusivaly on AWS:
Netflix Twitter Feed
Many other companies leverage the Amazon Cloud such as Reddit, Coursera, Flipboard, FastCompany, Foursquare, Pinterest, Airbnb, and more.
Google Apps Status, this page breaks out many of Google core services:
App Status Dashboard
Apple Services such as iCloud, iMessage, Siri, etc.:
Apple Support System Status
Rackspace Cloud Status:
Cloud Status
For everyone who has worked on a Cisco ACE you have experienced the pains of troubleshooting, especially in a long complicated config. Often you are reverse engineering from the policy-map multi-match to the r servers and probes to find all the pieces that make up the service. We have asked people within Cisco is there a command that will show everything related to a policy-map multi-match class and the answer has always been no, until recently. A colleague of mine was working with a Cisco TAC engineer via a webex and came across a most useful undocumented command. Here is what the TAC engineer entered:
show run filter policy-map multi-match class name
ex. show run filter L4_SLB_CLASS
This returned most of the associated parts of the service i.e. class-map, load-balance, server-farm, real server etc. Sounds like a dream right? Here is the kicker, I am not sure what platforms are supported. I know it worked on a 4710 appliance running A3 code, but I have attempted it on an ACE 20 module running A2 code and it didn't work. So if anyone has any info about this command send me an email and if I find any more documentation I will link it to this post.
I have had the iPhone a week now and I am still amazed by the LTE speeds. When you have full signal, this phone is blazing fast. I am a network geek and I work with a bunch network guys and our jaws hit the floor when I ran my first speedtest.
To be far we did not test it against a Verizon LTE phone, but we did test them against AT&T 4G HSPA+ and it crushed their 2Mbps down and 800k up. So far this is the best iPhone I have owned.
Final note on battery life. I have had it a week and I have noticed that compared to my iPhone 4 the battery does not last quit as long. At least that's my perception. When the phone gets low 8 or 9 percent the iPhone 4 would live on for hours. The iPhone 5 doesn't quit have the same will for life and just keeps chugging away on that battery. To be far though I am running LTE, location, wifi, and I sill get a full day+ out of it. Really it barley noticeable to me but i did notice it.
To be far we did not test it against a Verizon LTE phone, but we did test them against AT&T 4G HSPA+ and it crushed their 2Mbps down and 800k up. So far this is the best iPhone I have owned.
Final note on battery life. I have had it a week and I have noticed that compared to my iPhone 4 the battery does not last quit as long. At least that's my perception. When the phone gets low 8 or 9 percent the iPhone 4 would live on for hours. The iPhone 5 doesn't quit have the same will for life and just keeps chugging away on that battery. To be far though I am running LTE, location, wifi, and I sill get a full day+ out of it. Really it barley noticeable to me but i did notice it.
Living where I do I have two choices, AT&T which is cool if I wasn't 3+ miles from their central office, and Comcast. So when I saw that Kansas City residents where pre registering for fiber I was a bit jealous. Gig up and down, fiber to their homes for 70 dollars a month, or TV and Internet for $120 dollars, sign me up. Plus I doubt they will steadily see their bills increase like Comcast tends to do. Oh ya and no data cap.... Hopefully this is the direction we are moving playing catchup with allot of the world. I want to see our country succeed and lead the world by example not ruin what we helped create, by censoring the internet and letting companies like Comcast do what they do.
Here is a link to Google's fiber page so you can read all about it for your self.
With the popularity of the iPhones and iPads, the Mac has become practically viral among technology professionals. Even without official company support many of these users have banded together to create user-support communities within their companies. I was recently at a large network hardware company and they threw out some statistics about Mac adoption. Only 4 years ago they began to allow staff to purchase Apple devices, and since then almost 45% of their employees run a Mac. This is with no official technical support. So how do they make the Mac Network engineer friendly?
There are several things a Network engineer needs.
There are several things a Network engineer needs.
- Serial Terminal App - The Mac has several options including the built in terminal app. But many of us like to have something more. Secure CRT $99.00 - Great app kinda expensive though. There is also CoolTerm, it's free and so far so good, really clean interface and easy to use.
- SSH Client - Once again the built in Mac SSH app is great and some cleaver developer out there created an app to manage multiple telnet and SSH connections. JellyfiSSH $3.99, in the Apple app store, is a really easy and intuitive way of bookmarking all those connections.
- TFTP Server - I haven't really explored TFTP on the mac, but I found TFTP Client $1.99, in the Apple app store. I haven't had a chance to use it and I have to admit I love tftp32 for windows, but let me know what you find.
- Serial Port - Steve Job's obsession with sleek industrial design killed off the com port a long time ago. Without a com port a network engineer is practically dead in the water. There have been some really good USB serial adapters like the Keyspan by Tripp Light USA-19H, but recently I have been on the hunt for a Bluetooth serial adapter. After looking online, Bluetooth serial adapters range from $40 to $250 dollars. I am not looking to spend a ton of money so, luckily, I found a great post by Chris Marget on fragmentationneeded.net. In his post he highlights the UConnect BT232B from US Converters. He says it's a slam dunk for Mac or PC and it seems very reasonably priced at $45.00. I can't wait to give it a try and update once I get a look at it.
- Text Editor - The text editor in the Mac is as good as notepad but you may want more. Syntax highlighting is kinda like crack for those who are look at code or configs all day. I wanted to list a couple text editor I have found invaluable. The first is Ultra Edit a robust text editor with a ton of extras and at $59 bucks well worth it. They also provide a ton of free extras such as the Cisco IOS language pack found here. There is also a pretty good free alternative called Text Wrangler, it is the freeware version of BBEdit which i have not used, but it to also has a Cisco IOS language pack that can be downloaded from here.










