After quite a break, I will be back blogging here. I used to blog for my old role at Juniper Networks and focused my efforts there. Now that I no longer work there and have a bit more mental freedom, you will start to see new posts here. One of my first pieces will be a review of my System 76 laptop.
Archive for the ‘Uncategorized’ Category
It's been one heck of a year so far in the security industry. With Q2 upon us, we have had no shortage of DoS attacks, data breaches, and seemingly utter chaos on the Internet. So with all of this going on, where has all the security gone? Security sales grow year over year and products become more advanced, yet how can we STILL have all of these breaches, breakdowns and complete Internet chaos occurring?
Well, it's simple really: it's people. I don't want to start this off by making it sound as if the products have gotten it right and the people using them are wrong. Sure, we have made significant improvements in products, but the hard part is that they have become more complex to use. When I first started in the industry there was always this one person in the organization who could seemingly manage the entire network, including the user infrastructure. Today it seems like everything is a speciality. No one understands two or more topics, because the depth of any one topic is so much greater today than ever before. Even within a firewall you can be an L4, L7, or app-specific guru. Within one product you can have specialties and subspecialties to the point where the “god boxes” with dozens of features need to be operated by a team.
If anything, I think this plays greatly against us in security. It lessens the effectiveness of any ONE person, as they are so specialized. Now, we will always need people who go into the weeds on a topic. We do need the person who is a master of DFA tables within an IPS, or the ASIC guru who can minimize the number of operations on a packet. But in security administration, if it isn't simplified, if it isn't easy, we are going to create trouble for ourselves. It's great to say that you have oodles of logs and mounds of metrics, but who the heck wants to trawl through them looking for the answers? You do get the super nerds who like that, but even a super nerd wants to go home and play the latest patch of Star Wars: The Old Republic. Why can't we have tools that tell us what is going on in the network?
I don't mean log aggregators or network traffic graphs. I want something that at a glance will tell me what is going on. I want to know what has happened and what will happen within my network. Can you tell me what is going on within your firewall? What if that firewall had 20 million sessions and 16 interfaces, each with a dozen subinterfaces? It's tough to imagine a dashboard that can solve that problem. But the need is there, and now is the time to make this easier.
It's not a lack of skill on the security admins' part. I meet about a thousand people a year and I hear their stories. Most, if not all, of the people I meet are exceptionally bright. The one downside is that they are the users, not the creators, of these products. They don't have time to muck with APIs to get the data they need. They want results, fast, now, and they have to be accurate. People do pay, and are willing to pay, good money for this, so vendors, please listen and make these clairvoyant tools for the admins.
I am shortly going to transition to a new role within my company, and this analytics topic is one that is close to my heart. After scrolling through logs for nearly 15 years and mining data manually, I want to provide a bit of clarity for the security world. I want you to go home early and spend time with your family; I want you to finish your level 50 character in Star Wars: The Old Republic. I am vowing to help fix this issue of network visibility because I am tired of the SecOps people getting beat up for not defending against the latest breach. The tools to defeat the breach are available today, but the tools to help you configure them are not.
Translating information into an easy-to-understand format gives the admin the information they need to configure the devices that secure their network. Isn't this what we want? An easier way to know what we need to do? Isn't this what smartphones do for our lives, simplify the handling of all of today's tasks? Why not the same for security? If any important advancement needs to be made, it's security analytics: the simplification of massive amounts of data to make your enforcement decisions easier. If we had all of the correct data in front of us, we would make better decisions around what to secure. Do you know why the hacker/cracker wins today? It's because they know more about your network than you do. Change that equation and it translates into a more secure world.
I hate bilateral debates: Coke is better than Pepsi, the PS3 has .374% sharper graphics than the Xbox 360, or sandals are better than shoes. I bring up this hate around two topics for this rant: networking config syntax and programming languages. While these are very different topics, they, much like the age-old Coke vs Pepsi, are one and the same. Let me start with programming languages, since that started this post for me, and I will end with networking configs, since that made it blow up in my mind.
Arguing over the value of programming languages has been one of those epic nerd debates since the beginning of time. I am sure that even Grace Hopper had some classic jokes in her time. If anything defines nerds, it is passion and humor. To be a nerd (geek, dweeb, or any other “you focus too much on one thing” adjective) you must deeply love something beyond the point of rational thought; this is the passion part. You must also have humor around what you love. The passion can be so intense that it jades your vision of the other topics within the same genre. It can make anything that tries to harm your “precious” an act of war. I get it; just try asking me a question about something. I like to say that with me there are no short answers, and too often that's true. But I like to look at things objectively. I feel that everything has value relative to itself.
To draw a parallel, let's look at networking devices. Most networking devices have a “flavor” to their syntax and mechanics, all of which were derived at different times for different needs. Cisco's IOS defined the standard in networking CLIs. It's the friend almost all of us grew up with: familiar and loving, but often not forgiving. I could write a book just on the syntax and its impact on networking, as it's so iconic. At the time its operational model made perfect sense, whereas today it may be missing some key features that are now preferred. Cisco has also moved on by adding more modern features to its newer CLI operating systems. ScreenOS, the OS for NetScreen firewalls, copied its operation nearly 1:1 because people were already familiar with it.
When Junos came out in the late 90s, it changed the game by adding some new key features. These were added because at the time there were some huge pain points in the IOS operational model. For the networking world this was huge, as new developments in CLIs were so rare. Over time, Cisco and other vendors added the “Junos-like” features back into their CLIs, creating an equilibrium in the CLI community. The important point I want to draw out is that things evolve to meet the needs of today. If they didn't, we would all still be wearing powdered wigs and monocles (unless you're an ultra classy chap today). We don't need to throw dookie at each other over these debates, as there are two important items to note: things are created for what's appropriate at the time, and over time mechanics evolve.
I title this post “Monoglot Heroes” for those of you who are lucky enough to use one language to get your job done. For those of you who are lucky enough to use one thing and be amazing at it, please don't hate us polyglots. You know who you are, polyglots: those who must configure Junos, IOS, PanOS, Check Point, Adtran and all the other network operating systems out there; those who must program in a dozen languages because they work in a schizophrenic environment or because they rapidly evolve with the world and want to learn all there is to know. Each language is a tool, and it's a tool to solve a problem. Some of us have more problems to deal with than others, so please love us, embrace us, and understand that we need to live the life of a polyglot.
When being passionate, have humility. There was a time, seemingly not so long ago, when I didn't have humility. For me, my wake-up call was a large group of upset union workers. I found my humility and luckily kept my legs in fine working order. I haven't seen these violent threats in the networking or programming communities, and I hope it doesn't come to that. Keep an open mind about what your brothers/sisters in arms do and come to understand more of the WHY behind people's passion for something. It will help you understand the other language/config and where the other person is coming from. Take a lesson from the Jedi and don't deal in absolutes; search your feelings and you will know what is true.
I received a great question through the Twitterverse about IPS with IPSec. The question comes from @brian38401: “@robWcam Any thoughts on inspecting #IPSec traffic with an #IPS? Since inspection tends to mis order frames…performance problem?”. This is a great question, Brian, and we will be glad to help out. I asked my team about this and here is what we came up with.
Generally we do not see people utilizing IPS to protect IPSec terminating gateways; IPSec does a pretty good job of securing itself. IPSec has built-in protections to ensure that the remote gateway is who it says it is, and it does its best at preventing injected packets. There could always be issues with the vendor's IPSec implementation, and this could lead to possible exploitation. For this reason you may want to consider implementing IPS, but in the ~90 years' worth of security experience on my team we don't typically see this being done. If you did choose to use IPS with IPSec, it would introduce additional latency (depending on the IPS device), but for most vendors this would be sub-millisecond and really wouldn't impact your service.
Now, there are some good things you can do to mitigate risks with IPSec. The first is to lock down who can terminate IPSec connections to you. If possible, use an upstream router to apply hard access lists controlling which sources can terminate to you (assuming static sites). You would want to limit this to IKE, ESP, and AH (if you're using it). This way only the gateways you want to negotiate with can reach your IPSec gateway. Secondly, you want to rate limit IKE connections going toward your IPSec gateway. This can and should be done for all gateways. It would be possible to ramp up invalid IKE connections and exhaust resources on the IPSec gateway; this is an attack you would want to protect against. I won't say that it's common, but it is something we do see quite often.
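As an added example (not from the original post and not Juniper's own code), here is one way to express both of those controls on a Junos upstream router: a firewall filter that admits IKE, ESP and AH only from the known static peers, polices the IKE share, and counts and drops the rest. The gateway address 203.0.113.1, the peer prefix 198.51.100.0/28 and all names are constructed for illustration, and the policer values are placeholders to be sized for your own peer count.

```junos
/* Constructed addresses: 203.0.113.1 = IPsec gateway, 198.51.100.0/28 = static peers. */
policy-options {
    prefix-list vpn-peers { 198.51.100.0/28; }
}
firewall {
    /* Policer for IKE: a flood of bogus negotiations is dropped here, not at the gateway */
    policer ike-rate-limit {
        if-exceeding { bandwidth-limit 512k; burst-size-limit 64k; }
        then discard;
    }
    family inet {
        filter protect-ipsec-gw {
            /* IKE (UDP 500; 4500 for NAT-T) only from known peers, rate limited */
            term ike-from-known-peers {
                from {
                    source-prefix-list { vpn-peers; }
                    destination-address { 203.0.113.1/32; }
                    protocol udp;
                    destination-port [ 500 4500 ];
                }
                then { policer ike-rate-limit; accept; }
            }
            /* ESP (IP proto 50) and AH (IP proto 51) only from known peers */
            term esp-ah-from-known-peers {
                from {
                    source-prefix-list { vpn-peers; }
                    destination-address { 203.0.113.1/32; }
                    protocol [ esp ah ];
                }
                then accept;
            }
            /* IKE/ESP/AH from anyone else toward the gateway: count it, then drop it */
            term deny-ike-from-others {
                from {
                    destination-address { 203.0.113.1/32; }
                    protocol udp;
                    destination-port [ 500 4500 ];
                }
                then { count ipsec-gw-denied; discard; }
            }
            term deny-esp-ah-from-others {
                from {
                    destination-address { 203.0.113.1/32; }
                    protocol [ esp ah ];
                }
                then { count ipsec-gw-denied; discard; }
            }
            /* Leave all other traffic alone */
            term allow-rest { then accept; }
        }
    }
}
/* Applied inbound on the upstream router's Internet-facing interface */
interfaces { ge-0/0/0 { unit 0 { family inet { filter { input protect-ipsec-gw; } } } } }
```

The shared ipsec-gw-denied counter (show firewall filter protect-ipsec-gw) gives you a running tally of unexpected IKE, ESP and AH arrivals, which is useful evidence when deciding whether the IKE policer needs tightening.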
Thanks again for the question, Brian; we here at @JuniperNetworks are always happy to help!