Weekend Reads 121120

Giant tech companies have come under a great deal of well-deserved criticism from across the political spectrum on a variety of concerns over their actions. On market power, privacy, political bias and disinformation, they are under a microscope. One area where their actions deserve even more scrutiny — and opposition — is their war on the patent rights of inventors and startups.

If we look at previous mobile generations and perhaps start at 3G, we can see that with this technology, it became possible to access the Internet — however that was far from adequate for the technology explosion that happened around smartphones in the late 00s.

The Data Center Frontier Show podcast tells the story of the data center industry and its future. Our podcast is hosted by Rich Miller, editor of Data Center Frontier, who is your guide to the ongoing digital transformation.

Working remotely was growing more common even before the coronavirus pandemic accelerated the trend. As workers increasingly settle into their home offices, they still need access to company networks and office hardware — particularly printers. In fact, the pandemic led to a spike in the sale of home office printers, according to Deloitte.

In a previous blog on Getting Started with Modern Data Center Fabrics, we discussed the common modern DC architecture of an IP fabric to provide base connectivity, overlaid with EVPN-VXLAN to provide end-to-end networking. Before rolling out your new fabric, you will design your overlay. In this blog, we discuss the Collapsed Spine/Core architecture.

Following the pandemic, at least 70% of companies will permit a significant portion of their employees to work from home at least two days a week — requiring a revamped cybersecurity model, according to a new report by Forrester Research.

A recent review of nearly a dozen inexpensive video doorbells sold via online markets such as Amazon and eBay uncovered multiple security vulnerabilities in each device. The most serious among them was the practice by some of the devices to send Wi-Fi names, passwords, location information, photos, video, email, and other data back to the manufacturer for no obvious reason.

HTTPS resource records (HTTPS RRs) are a new type of Domain Name System (DNS) record. The standard is still in progress and covers various intended use cases, mostly around delivering configuration information and parameters for how to access a service.

The rising demand for cybersecurity professionals is fueling the development of undergraduate security degree programs at colleges and universities across the country. Many programs are thinking beyond traditi

For many in the African region, Internet interruptions or service degradations occur frequently, which results in a disjointed Internet experience. In order to help improve this experience, we need to track and measure various Internet characteristics through network telemetry.

Congress last week did something that it rarely does: It passed a meaningful cybersecurity bill.

A group of major telecommunications companies — Vodafone, BT, Telefonica and Deutsche Telekom — recently announced something a bit unexpected. In the Open BNG Operator Position Paper, they call for a fundamental, industry-wide change to the way broadband networks are built.

Privacy is in for a turbulent 2021, with companies facing more privacy regulations, continued attempts to create backdoors in encrypted communications, and the introduction of a variety of privacy-focused technologies.

For a group that works on network technologies it was always a bit odd that the IETF met in person three times a year. Didn’t we have enough trust in the efficacy of the technologies that we work on? I don’t think that is the case. I think the bandwidth of in-person meetings is exceptionally high, and we just cannot cram all that into a virtual world. In this rather exceptional year the IETF has joined its conference brethren in virtual meetings. The latest, IETF 109, was held in mid-November. I’m going to pick just one presentation from each of a small collection of the week’s working group meetings and explore that topic in a little more detail.

Researchers at Huntress Labs have uncovered what they described as a really clever use of Windows batch scripting by the authors of Trickbot to try and sneak the latest version of their malware past automated detection tools.

Every three years, the Copyright Office holds a rulemaking process where it grants the public permission to bypass digital locks for lawful purposes. In 2018, the Office expanded existing protections for jailbreaking and modifying your own devices to include voice-activated home assistants like Amazon Echo and Google Home, but fell far short of the broad allowance for all computerized devices that we’d asked for.

Juniper Networks developed the Junos OS® Evolved disaggregated network operating system (NOS) building on the strengths of the Junos operating system, to bring industry leading routing and switching solutions to a native Linux environment. Junos OS Evolved provides a modern, programmable, highly available and resilient platform and at the same time, delivers a secure execution environment.

The artificial intelligence (AI) ethics field is booming. According to the Council of Europe, there are now more than 300 AI policy initiatives worldwide. Professional societies such as the ACM and the IEEE have drafted frameworks, as have private companies and national governments.

As IT organizations struggle with the security implications of remote working arrangements and the already lackadaisical attitudes about security that permeate across the enterprise user base, now is the time to change how security teams influence their users’ behavior.

The Hedge 63: Anycast with Andree Toonk

Anycast is a bit of a mystery to a lot of network engineers. What is it, and what is it used for? Andree Toonk joins Tom and Russ on this episode of the Hedge to discuss the many uses of anycast, particularly in the realm of the Domain Name Service (DNS). Andree helped build the OpenDNS network and service, so he has deep experience with anycast routing on the DFZ.

Current Work in BGP Security

I’ve been chasing BGP security since before the publication of the soBGP drafts, way back in the early 2000s (that’s almost 20 years for those who are math challenged). The most recent news largely centers on the RPKI, which is used to ensure the AS originating an advertisement is authorized to do so (or rather “owns” the resource or prefix). If you are not “up” on what the RPKI does, or how it works, you might find this old blog post useful—it’s actually the tenth post in a ten post series on the topic of BGP security.

Recent news in this space largely centers around the ongoing deployment of the RPKI. According to Wired, Google and Facebook have both recently adopted MANRS, and are adopting RPKI. While it might not seem that autonomous systems along the edge adopting BGP security best practices and the RPKI system can make much of a difference, the “heavy hitters” among the content providers can play a pivotal role here by refusing to accept routes that appear to be hijacked. This not only helps these providers and their customers directly—a point the Wired article makes—it also helps the ‘net in a larger way by blocking attackers’ access to at least some of the “big fish” in terms of traffic.
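To make concrete what “refusing to accept routes that appear to be hijacked” means in terms of the RPKI, here is a small implementation of the RFC 6811 route origin validation states (valid, invalid, not_found) over a set of ROAs. This is an added example, not code from the original post or from any RPKI software; the ROAs, prefixes and AS numbers are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization: prefix, maxLength, authorized origin AS."""
    prefix: str
    max_length: int
    origin_asn: int


def validation_state(roas, announced_prefix, origin_asn):
    """Return 'valid', 'invalid' or 'not_found' for a route (RFC 6811, section 2).

    A ROA covers a route when the ROA prefix contains the announced prefix.
    No covering ROA -> not_found. A covering ROA that names the origin AS and
    whose maxLength is >= the announced length -> valid. Otherwise -> invalid.
    """
    route = ipaddress.ip_network(announced_prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # subnet_of() cannot compare IPv4 with IPv6, so skip version mismatches.
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not_found"
    for roa in covering:
        if roa.origin_asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered, but wrong origin AS or more specific than maxLength allows:
    # this is what an origin hijack or a leaked more-specific looks like.
    return "invalid"


def accept_route(roas, announced_prefix, origin_asn):
    """Policy the post describes: drop RPKI-invalid routes, keep valid and
    not_found ones (most of the table is still unsigned)."""
    return validation_state(roas, announced_prefix, origin_asn) != "invalid"


# Constructed sample ROAs using documentation prefixes (RFC 5737, RFC 3849)
# and documentation AS numbers (RFC 5398); not real RPKI data.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),     # exactly /24, no more-specifics
    ROA("198.51.100.0/24", 26, 64497),  # /24 through /26 allowed
    ROA("2001:db8::/32", 48, 64496),    # /32 through /48 allowed
]
```

Note that a not_found route is still accepted: the incentive for edge networks to publish ROAs is precisely that, once a prefix is covered, an announcement from the wrong origin or a too-specific announcement becomes invalid and can be dropped by the providers that run this check.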

Leslie Daigle, over at the Global Cyber Alliance—an organization I’d never heard of until I saw this—has a post up explaining exactly how deploying the RPKI in an edge AS can make a big difference in the service level from a customer’s perspective. Leslie is looking for operators who will fill out a survey on the routing security measures they deploy. If you operate a network that has any sort of BGP presence in the default-free zone (DFZ), it’s worth taking a look and filling the survey out.

One of the various problems with routing security is just being able to see what’s in the RPKI. If you have a problem with your route in the global table, you can always go look at a route view server or looking glass (a topic I will cover in some detail in an upcoming live webinar over on Safari Books Online—I think it’s scheduled for February right now). But what about the RPKI? RIPE NCC has released a new tool called the JDR:

Just like RP software, JDR interprets certificates and signed objects in the RPKI, but instead of producing a set of Verified ROA Payloads (VRPs) to be fed to a router, it annotates everything that could somehow cause trouble. It will go out of its way to try to decode and parse objects: even if a file is clearly violating the standards and should be rejected by RP software, JDR will try to process it and present as much troubleshooting information to the end-user afterwards.

You can find the JDR here.

Finally, the folks at APNIC, working with NLnet Labs, have taken a page from the BGP playbook and proposed an opaque object for the RPKI, extending it beyond “just prefixes.” They’ve created new Resource Tagged Attestations (RTAs), which can carry “any arbitrary file.” They have a post up explaining the rationale and the work here.

Weekend Reads 120420

CrowdSec is an open source security engine that analyzes visitor behavior and provides an adapted response to all kinds of attacks. It parses logs from any source and applies heuristic scenarios to identify aggressive behavior and protect against most attack classes.

The “network perimeter” is an increasingly meaningless term; the perimeter is everywhere and the network is constantly interacting with employees, workloads and even the networks of both suppliers and customers. Integration enables success, but it also means that prevention of information security compromise events.

As cryptographic analysis and related technologies advance, the signing algorithms at the heart of DNSSEC have to keep up. Moritz Müller and colleagues take a look at barriers on the road to more secure algorithms and discuss ways to make the journey faster.

When a website you visit asks permission to send notifications and you approve the request, the resulting messages that pop up appear outside of the browser. For example, on Microsoft Windows systems they typically show up in the bottom right corner of the screen — just above the system clock. These so-called “push notifications” rely on an Internet standard designed to work similarly across different operating systems and web browsers.

Open source repositories form the backbone of modern software development — nearly every software project includes at least one component — but security experts increasingly worry that attackers are focused on infecting systems by inserting malicious code into popular repositories.

In previous ransomware scenarios, an organization just had to decide whether to pay a ransom to get the key to unencrypt the data. But now it must consider making what is essentially a “forever promise” with a criminal organization. The threat actors are demanding payment in exchange for alleged proof that they deleted the data. In practice, they are saying “trust us” to delete data that they previously threatened to publish. It’s not a great situation to find yourself in.

Textbooks tell us that cache requests result in one of two possible outcomes: cache hits and misses. However, when the cache miss latency is higher than the inter-arrival time between requests, it produces a third possibility, delayed hits.

In both the traditional HPC simulation and modeling market and the adjacent AI market including machine learning and data analytics, the GPU has become the compute engine of choice because of the price/performance, memory bandwidth, and varied forms of calculation that it enables.

In August 2019, the Internet Society supported the Mutually Agreed Norms for Routing Security (MANRS) initiative by creating a platform to visualize its members’ routing security data from around the globe. The MANRS Observatory’s interactive dashboard allows networks to check their progress in improving their routing security.

George Gilder and Robert J. Marks discuss blockchain, Bitcoin, quantum and carbon computing, and George Gilder’s new book Gaming AI: Why AI Can’t Think but Can Transform Jobs (which you can get for free here).

Dubbed “SAD DNS attack” (short for Side-channel AttackeD DNS), the technique makes it possible for a malicious actor to carry out an off-path attack, rerouting any traffic originally destined to a specific domain to a server under their control, thereby allowing them to eavesdrop and tamper with the communications.

At the 2020 (ISC)² Security Congress, SCADAfence CEO Elad Ben-Meir took the virtual stage to share details of a targeted industrial ransomware attack against a large European manufacturer earlier this year. His discussion of how the attacker broke in, the collection of forensic evidence, and the incident response process offered valuable lessons to an audience of security practitioners.

Renowned military strategist John Boyd conceived the “OODA loop” to help commanders make clear-headed decisions during the Korean War. We’ll look at how one might apply the OODA loop (OODA stands for observe, orient, decide, and act) specifically to secure cloud-native deployments and prevent breaches before they occur.

As our recent election security research showed, domain spoofing is a preferred attack vector. According to the Oregon FBI in their Tech Tuesday, “Cyber actors set up spoofed domains with slightly altered characteristics of legitimate domains. A spoofed domain may feature an alternate spelling of a word (‘electon’ instead of ‘election’), or use ‘[.]com’ in place of ‘[.]gov.'”

Despite dedicating the majority of my life to protective intelligence in the private and public sectors, I still find it hard to believe when I see companies that have thousands of employees and dozens of offices and facilities — but a scant few physical security professionals using legacy tools and processes to try to keep the business harm-free. It’s almost an exercise in futility.

BGP Training on Ignition

The first hour of material in my new BGP course over at Ignition dropped this week. I’m not going to talk about configuration and other operational things—this is all about understanding how BGP works, why it works that way, and thinking about design. This course will apply to cloud, Internet edge, DC fabric, and other uses of BGP. From the official site:

BGP is one of the fundamental protocols for routing traffic across the Internet. This course, taught by networking expert and network architect Russ White, is designed to take you from BGP basics to understanding BGP at scale. The 6-hour course will be divided into several modules. Each module will contain multiple video courses of approximately 15 minutes each that drill into key concepts. The first module contains four videos that describe how BGP works. They cover basics including reachability, building loop-free paths, BGP convergence, intra-AS models, and route reflectors.

Available here.

The Hedge 62: Jacob Hess and the Importance of History

At first glance, it would seem like the history of a technology would have little to do with teaching that technology. Jacob Hess of NexGenT joins us in this episode of the Hedge to help us understand why he always includes the history of a technology when teaching it—a conversation that broadened out into why learning history is important for all network engineers.

You can find the history of networking here.

Data Center Master Classes

I’m doing a series of three master classes through Juniper on various DC fabric topics—

Join Juniper’s Russ White, a widely published 30-year network engineering veteran, in a three-part masterclass exploring the data center. Choose from classes on data center fabric, physical topologies, or data center security.

You can register here.

From the schedule—

  • Class 1: Data Center Fabric, December 2, 12 PM EST
  • Class 2: Physical Topologies, January 13, 12 PM EST
  • Class 3: Security in the Data Center, February 10, 12 PM EST