Entries in network security (3)


Digital Spying for the Citizen: Available and Cheap

NYTimes article highlights the relative ease with which a citizen can monitor the digital activities of other citizens. This is not necessarily legal; it can easily cross the line into a violation of the (US) Computer Fraud and Abuse Act. But it does demonstrate how easily and inexpensively it can be accomplished.

A Cheap Spying Tool With a High Creepy Factor - NYTimes.com:

Brendan O’Connor is a security researcher. How easy would it be, he recently wondered, to monitor the movement of everyone on the street – not by a government intelligence agency, but by a private citizen with a few hundred dollars to spare?
Mr. O’Connor, 27, bought some plastic boxes and stuffed them with a $25, credit-card size Raspberry Pi Model A computer and a few over-the-counter sensors, including Wi-Fi adapters. He connected each of those boxes to a command and control system, and he built a data visualization system to monitor what the sensors picked up: all the wireless traffic emitted by every nearby wireless device, including smartphones. …
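What a sensor box of the kind described above actually harvests is mostly 802.11 management traffic, and the probe requests a phone broadcasts while looking for known networks are the interesting part: each one carries the phone's source MAC and, often, the name of a network it has joined before. The following is an added example written for this page, not O'Connor's code: it parses constructed probe-request frames (bare 802.11, radiotap header already stripped) from three hypothetical sensors, groups the sightings by device into a movement trail, and flags source addresses with the locally-administered bit set, which is what a phone that randomises its MAC will present and is therefore a poor tracking key. All frame bytes, sensor names and timestamps are constructed.

```python
import struct
from collections import defaultdict

# Constructed test input: bare 802.11 frames as a monitor-mode capture yields
# them once the radiotap header has been stripped. Nothing here is live data.

def build_probe_request(src_mac: bytes, ssid: str, seq: int) -> bytes:
    """Build a bare 802.11 probe request frame (used only to construct test input)."""
    fc = b"\x40\x00"                         # type 0 (management), subtype 4 (probe request)
    duration = b"\x00\x00"
    bcast = b"\xff" * 6                      # DA and BSSID are broadcast for a probe request
    seq_ctrl = struct.pack("<H", seq << 4)   # sequence number lives in the upper 12 bits
    ssid_bytes = ssid.encode()
    ies = bytes([0, len(ssid_bytes)]) + ssid_bytes       # IE tag 0: SSID
    ies += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])          # IE tag 1: supported rates
    return fc + duration + bcast + src_mac + bcast + seq_ctrl + ies

def parse_probe_request(frame: bytes):
    """Return {mac, ssids, locally_administered} for a probe request, else None."""
    if len(frame) < 24:                      # management header is 24 bytes
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0 or (fc0 >> 4) & 0xF != 4:
        return None                          # not a probe request (e.g. a beacon)
    src = frame[10:16]                       # Addr2 = transmitter, i.e. the phone
    ssids = []
    body, i = frame[24:], 0
    while i + 2 <= len(body):                # walk the tag/length/value information elements
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break                            # truncated IE: stop, keep what was parsed
        if tag == 0 and length:              # non-empty SSID IE = directed probe for a known network
            ssids.append(value.decode("utf-8", "replace"))
        i += 2 + length
    return {
        "mac": ":".join(f"{b:02x}" for b in src),
        "ssids": ssids,
        # Bit 1 of the first octet set = locally administered address. Phones that
        # randomise their MAC set it, so such addresses are weak tracking keys.
        "locally_administered": bool(src[0] & 0x02),
    }

def build_trails(sightings):
    """Group (sensor, timestamp, frame) sightings into a per-device, time-ordered trail."""
    trails = defaultdict(list)
    for sensor, ts, frame in sightings:
        parsed = parse_probe_request(frame)
        if parsed is None:
            continue
        trails[parsed["mac"]].append(
            (ts, sensor, tuple(parsed["ssids"]), parsed["locally_administered"]))
    return {mac: sorted(trail) for mac, trail in trails.items()}

# Constructed sightings from three hypothetical sensor boxes.
PHONE_A = bytes.fromhex("001a2b3c4d5e")   # vendor-assigned MAC: stable, trackable
PHONE_B = bytes.fromhex("da1122334455")   # 0xda has bit 1 set: locally administered
SIGHTINGS = [
    ("corner-1", 100, build_probe_request(PHONE_A, "HomeNet", 1)),
    ("corner-1", 101, b"\x80\x00" + b"\x00" * 22),              # a beacon: ignored
    ("corner-2", 160, build_probe_request(PHONE_A, "HomeNet", 2)),
    ("corner-2", 161, build_probe_request(PHONE_B, "", 7)),      # wildcard probe, no SSID
    ("cafe",     400, build_probe_request(PHONE_A, "CoffeeGuest", 3)),
    ("cafe",     401, build_probe_request(PHONE_A, "HomeNet", 4)[:30]),  # truncated frame
]

if __name__ == "__main__":
    for mac, trail in build_trails(SIGHTINGS).items():
        print(mac, trail)
```

The trail for the vendor-assigned MAC shows the device at corner-1, then corner-2, then the cafe, with the networks it asked for along the way; that is the whole of the "monitor the movement of everyone on the street" capability, built from broadcast frames any monitor-mode adapter receives. The locally-administered check is the practitioner's caveat: once devices randomise addresses, correlating sightings across sensors needs more than the MAC.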



Do advances in mathematics threaten security?

It's always interesting to see what does (and does not) get picked up by the technology press each year after a Black Hat Conference. This work from Alex Stamos of Artemis has not been widely reported, but that's mostly because the threat is not imminent.

Math Advances Raise the Prospect of an Internet Security Crisis | MIT Technology Review:

Alex Stamos, chief technology officer of the online security company Artemis, led a presentation describing how he and three other security researchers studied recent publications from the insular world of academic cryptography research, which covers trends in attacking common encryption schemes. “Our conclusion is there is a small but definite chance that RSA and classic Diffie-Hellman will not be usable for encryption purposes in four to five years,” said Stamos, referring to the two most commonly used encryption methods.
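The reason a purely mathematical advance can retire RSA and classic Diffie-Hellman is that neither has any secret beyond the hard problem: factor the RSA modulus and the private exponent falls out; solve one discrete logarithm and the DH shared secret follows. The following added example (written for this page, not part of the article or the Black Hat talk) makes that reduction concrete at toy size using the generic, exponential-time attacks (Pollard's rho for factoring, baby-step giant-step for discrete log) against constructed parameters. The talk's concern is algorithmic advances that would make these problems tractable at real key sizes; nothing here runs at those sizes, and the key sizes and secrets below are constructed.

```python
import math
import random

def pollard_rho(n: int) -> int:
    """Return a non-trivial factor of composite n (Pollard's rho with Floyd cycle finding)."""
    if n % 2 == 0:
        return 2
    rng = random.Random(2013)                 # fixed seed so the run is reproducible
    while True:
        c = rng.randrange(1, n)
        x = y = rng.randrange(2, n)
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:                            # d == n: the walk cycled without a factor, retry
            return d

def recover_rsa_private_exponent(n: int, e: int) -> int:
    """Given only the public key (n, e), factor n and rebuild d. Feasible only because n is tiny."""
    p = pollard_rho(n)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))      # modular inverse (Python >= 3.8)

def baby_step_giant_step(g: int, h: int, p: int):
    """Solve g^x = h (mod p). O(sqrt(p)) time and memory, so hopeless at real sizes."""
    m = math.isqrt(p) + 1
    baby = {}
    cur = 1
    for j in range(m):                        # baby steps: table of g^j
        baby.setdefault(cur, j)
        cur = cur * g % p
    giant_factor = pow(g, -m, p)              # g^-m mod p
    gamma = h
    for i in range(m):                        # giant steps: h * g^(-i*m)
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * giant_factor % p
    return None

# Constructed toy parameters; real keys are 2048+ bits and immune to these generic attacks.
TOY_P, TOY_Q, TOY_E = 104729, 1299709, 65537
TOY_N = TOY_P * TOY_Q
DH_P, DH_G = 1000003, 2                       # 1000003 is prime

def break_toy_rsa(message: int) -> int:
    """Encrypt with the public key, then decrypt with a private exponent recovered from (n, e) alone."""
    ciphertext = pow(message, TOY_E, TOY_N)
    d = recover_rsa_private_exponent(TOY_N, TOY_E)
    return pow(ciphertext, d, TOY_N)

def break_toy_dh(alice_secret: int, bob_secret: int) -> tuple:
    """Recover Alice's exponent from public values only, then derive the shared secret as she would."""
    alice_pub = pow(DH_G, alice_secret, DH_P)
    bob_pub = pow(DH_G, bob_secret, DH_P)
    x = baby_step_giant_step(DH_G, alice_pub, DH_P)   # attacker sees only g, p and alice_pub
    attacker_secret = pow(bob_pub, x, DH_P)
    alice_secret_value = pow(bob_pub, alice_secret, DH_P)
    return attacker_secret, alice_secret_value

if __name__ == "__main__":
    print(break_toy_rsa(42))
    print(break_toy_dh(123457, 98765))
```

The point to take from it is that the public key carries everything an attacker needs once the underlying problem is solvable; there is no second line of defense inside the algorithm, which is why the hedge against this class of risk is the ability to change algorithms rather than key sizes alone.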



Where ARE the Network Virtual Appliances?

A good friend of mine pinged me by email on Friday, asking me about Allan Leinwand's article on GigaOM entitled

Where Are the Network Virtual Appliances?

As server virtualization moves into the enterprise and cloud data centers, networking needs to follow with virtual appliances.

I'm a long-standing believer in Allan's vision for network virtual appliances.

Yep. I've often taken to the soapbox and extolled the virtues of network appliances (though I tend to start with firewalls rather than routers and switches). I'm completely taken with the concept of appliances that can be virtualized and 'scaled up' to deal with demand, and 'scaled back' when demand is light.

Allan's also making this very important point: the providers are making a real mistake with virtual network appliances by taking the images that were previously poured into hardware and simply packaging them up as a virtual appliance (i.e., the same image, minus the hardware). That is a dry hole.

If a vendor is going to sell network virtual appliances, the NVAs should be designed from the get-go to be scalable (both 'up' and 'out'), and designed with the notion that the 'appliance' is not just a physical appliance without the box. That is 'horseless carriage' product design, which casts new technologies in exactly the same roles as their precursors.

What Allan doesn't say is that this may require the wider deployment of network infrastructure designed specifically for virtualized appliances and converged I/O. It's not just whitebox, commodity x86 hardware running general-purpose virtual machine environments for server virtualization. Cisco's Datacenter 3.0 and UCS are good places to look for guidance about how operating environments for network virtual appliances might evolve. Some interesting potential directions are showing up in product lines like Arista's vEOS and those of companies like 3Leaf. Yet another alternative future for NVAs comes from the chip makers, Intel in particular, as they put more specialized virtualization support into their chipsets, so that running virtual network appliances on 'commodity' infrastructure is encouraged and enhanced.

Now's the time to develop the principles on which those virtual firewalls, load balancers, port filters, distributed virtual switches, etc. get designed, and to start building. If there's one area that clearly must be addressed, and for which network virtualization may also be the answer, it's security. The notion of spreading traffic, such as a DDoS attack, across multiple firewalls that one can spin up or down at will is arguably the way all kinds of network-oriented defense and access control should be done. I look to the efforts of people like Chris Hoff, Rich Mogull and Craig Balding not only to throw light on the specific demands for network security that result from the adoption of virtualization and clouds, but also to help think outside the box on how virtual networks and virtual network appliances can be the basis of solutions.
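Two design principles fall straight out of the "spin firewalls up or down at will" idea, and both are exactly what a repackaged hardware image does not give you: a scaler that reacts to offered load without flapping, and a way to hand flows to instances so that a stateful firewall's existing connections do not break every time the instance count changes. The following is an added example written for this page (not Leinwand's, Cisco's or any vendor's code) that puts the two together: a hysteresis autoscaler over packets-per-second, and a consistent hash ring that pins each 5-tuple to an instance so that a scale-out re-homes only the flows that land on the newcomer. Capacity figures, the DDoS-like load ramp and the 2000 flows are constructed.

```python
import bisect
import hashlib
import math

class FlowHashRing:
    """Consistent hash ring that pins each flow (5-tuple) to one firewall instance.

    Adding an instance re-homes only the flows that land on the newcomer's ring
    slots (roughly 1/N of them); every other flow keeps its firewall, so the
    connection state held there survives the scale-out.
    """
    def __init__(self, vnodes: int = 64):
        self.vnodes = vnodes          # virtual slots per instance, smooths the split
        self.instances = set()
        self._ring = []               # sorted list of (hash, instance)
        self._keys = []               # hashes only, for bisect

    @staticmethod
    def _hash(s: str) -> int:
        return int.from_bytes(hashlib.sha256(s.encode()).digest()[:8], "big")

    def add(self, instance: str) -> None:
        if instance in self.instances:
            return
        self.instances.add(instance)
        self._ring.extend((self._hash(f"{instance}#{v}"), instance) for v in range(self.vnodes))
        self._rebuild()

    def remove(self, instance: str) -> None:
        self.instances.discard(instance)
        self._ring = [entry for entry in self._ring if entry[1] != instance]
        self._rebuild()

    def _rebuild(self) -> None:
        self._ring.sort()
        self._keys = [h for h, _ in self._ring]

    def owner(self, flow: tuple) -> str:
        """flow = (src_ip, dst_ip, proto, src_port, dst_port); same flow -> same instance."""
        h = self._hash("|".join(map(str, flow)))
        idx = bisect.bisect_right(self._keys, h) % len(self._ring)   # first slot past h, wrapping
        return self._ring[idx][1]

def desired_instances(offered_pps: float, current: int, capacity_pps: float,
                      scale_out_above: float = 0.8, scale_in_below: float = 0.4,
                      target_util: float = 0.6, min_instances: int = 2,
                      max_instances: int = 16) -> int:
    """Hysteresis autoscaler: act only when utilisation leaves the [in, out] band."""
    util = offered_pps / (current * capacity_pps)
    if scale_in_below <= util <= scale_out_above:
        return current                                    # inside the band: do nothing
    wanted = math.ceil(offered_pps / (capacity_pps * target_util))
    return max(min_instances, min(max_instances, wanted))

def simulate(load_steps, capacity_pps=100_000, start=2):
    """Return the instance count chosen after each load step."""
    counts, current = [], start
    for pps in load_steps:
        current = desired_instances(pps, current, capacity_pps)
        counts.append(current)
    return counts

def flows_moved_on_scale_out(flows, existing, new_instance):
    """Count flows re-homed when one instance joins; every moved flow must land on the newcomer."""
    ring = FlowHashRing()
    for inst in existing:
        ring.add(inst)
    before = {f: ring.owner(f) for f in flows}
    ring.add(new_instance)
    moved = [f for f in flows if ring.owner(f) != before[f]]
    stray = [f for f in moved if ring.owner(f) != new_instance]   # would indicate broken affinity
    return len(moved), len(stray)

# Constructed input: a DDoS-like ramp in packets/sec and 2000 synthetic TCP flows to one service.
LOAD_RAMP = [50_000, 170_000, 400_000, 1_200_000, 130_000, 50_000]
FLOWS = [(f"198.51.100.{i % 250}", "203.0.113.10", 6, 40000 + i, 443) for i in range(2000)]

if __name__ == "__main__":
    print(simulate(LOAD_RAMP))
    print(flows_moved_on_scale_out(FLOWS, ["fw-1", "fw-2", "fw-3"], "fw-4"))
```

Two things are worth checking in the output. The scaler climbs from 2 to 16 instances through the ramp, is capped at its maximum during the peak, and drops back afterwards without oscillating at the band edges. On the scale-out from three firewalls to four, roughly a quarter of the flows move and all of them move to the new instance; a naive modulo hash (`hash(flow) % N`) would re-home about three quarters of the flows and scatter them across every instance, which for a stateful firewall means dropped connections in the middle of the attack you were scaling out to absorb.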