Webinar Fun

Saturday, February 18th, 2012

At my job I am very lucky to get to work with so many interesting people. I work on designs, breaches, and pushing products to their limits on a daily basis. This is very fun, but there is a drawback. Because I work primarily on security designs, I often can’t share the details of my work. Even a bit of architectural knowledge about my customers could give an attacker the edge. While I can’t talk about the details or who it was for, I often do get a chance to speak about my work in a generic fashion. There are a few ways I get to do this. Most of my work stays hidden inside my company, but occasionally I get to do work outside and share my thoughts. One of my favorite ways to do this is via a webinar. It’s a short session, an hour or less, to review a particular topic of interest and take some questions and answers.

Next Tuesday I will be giving another webinar. This one is of particular interest to me because it covers a hot industry topic: application security. Application security in the sense of how we came to focus on applications and where security will go next. I love it because it talks a bit more about some future ideas of security rather than just covering the products. While I love the products, I think people can get a good marketing pitch anywhere. I’d rather talk about the deeper technical ideas that lead people to think. In a world where we are surrounded by advertisements it’s nice to get some substance.

As I said, my next webinar will be on Tuesday, February 21st at 9am PST. If you would like to join, click on the link below to register. I will be doing a Twitter Q&A as well after the event. I will give everyone 24 hours to tweet me at @junipernetworks, @junipersecurity, or @robwcam with the hashtag #jnprq (Juniper Question), and I will write a blog post giving all my answers by the end of the week. I look forward to hearing from you after the webinar. My good colleague and friend Bill Pfeifer (@webguppy) will also be joining me to talk security.

Webinar Registration


Securing IPSec Traffic with IPS

Wednesday, February 1st, 2012

I received a great question through the Twitterverse about IPS with IPSec. The question comes from @brian38401: “@robWcam Any thoughts on inspecting #IPSec traffic with an #IPS? Since inspection tends to mis-order frames…performance problem?”. This is a great question, Brian, and we are glad to help out. I asked my team about this and here is what we came up with.

Generally we do not see people using IPS to protect IPSec-terminating gateways, because IPSec does a pretty good job of securing itself. IKE authenticates the remote gateway, so you know it is who it says it is, and the ESP/AH integrity check and anti-replay window reject injected or replayed packets. There can always be bugs in a vendor’s IPSec implementation, and those could lead to exploitation; for that reason you may want to consider an IPS in front of the gateway, but in the ~90 years’ worth of security experience on my team we don’t typically see this being done. If you did choose to put an IPS in the IPSec path it would introduce additional latency (depending on the IPS device), but for most vendors this would be sub-millisecond and really wouldn’t impact your service. Keep in mind what the IPS can actually see from that position: the IKE exchange and the outer ESP/AH headers. The ESP payload is encrypted, so inspecting the traffic inside the tunnel means placing the IPS behind the gateway, where the packets have already been decrypted.

Now there are some good things you can do to mitigate risk on an IPSec gateway. The first is to lock down who can terminate IPSec connections to you. If possible, use an upstream router to apply hard access lists on which sources can terminate to you (assuming static sites). You would want to limit this to IKE (UDP 500, plus UDP 4500 if you use NAT traversal), ESP (IP protocol 50), and AH (IP protocol 51, if you’re using it). This way only the gateways you want to negotiate with can reach your IPSec gateway at all. Secondly, rate limit IKE traffic going toward your IPSec gateway. This can be done, and should be done, for all gateways. An attacker could ramp up invalid IKE initiations and exhaust resources on the gateway before any authentication has taken place, since the gateway has to allocate state (and, depending on the mode, perform a Diffie-Hellman computation) for each one. This is an attack you want to protect against. I won’t say that it’s common, but it is something we do see quite often.
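The two mitigations above, as an added example of a Junos firewall filter on the upstream router. This is written for this page; it is not from the original post or from Juniper documentation. It assumes an IPSec gateway at 192.0.2.1 and two static peers at 203.0.113.10 and 203.0.113.20 (RFC 5737 documentation addresses), and it also matches UDP 4500, which the original answer did not mention, because peers behind NAT use NAT-T on that port.

```junos
/* Added example: upstream-router filter protecting an IPSec gateway.
   Assumed addresses (RFC 5737 documentation space):
     192.0.2.1     the IPSec gateway behind this router
     203.0.113.10  static peer A
     203.0.113.20  static peer B */
firewall {
    /* Rate limit for IKE. Junos policers are bandwidth based, so size the
       limit to a few hundred IKE messages per second rather than per flow. */
    policer ike-rate-limit {
        if-exceeding {
            bandwidth-limit 512k;
            burst-size-limit 64k;
        }
        then discard;
    }
    family inet {
        filter protect-ipsec-gateway {
            /* IKE (UDP 500) and NAT-T (UDP 4500) only from known peers, policed */
            term ike-from-known-peers {
                from {
                    source-address {
                        203.0.113.10/32;
                        203.0.113.20/32;
                    }
                    destination-address {
                        192.0.2.1/32;
                    }
                    protocol udp;
                    destination-port [ 500 4500 ];
                }
                then {
                    policer ike-rate-limit;
                    count ike-accepted;
                    accept;
                }
            }
            /* ESP (IP protocol 50) and AH (IP protocol 51) only from known peers */
            term esp-ah-from-known-peers {
                from {
                    source-address {
                        203.0.113.10/32;
                        203.0.113.20/32;
                    }
                    destination-address {
                        192.0.2.1/32;
                    }
                    protocol [ esp ah ];
                }
                then accept;
            }
            /* Any other IKE aimed at the gateway is dropped and counted */
            term drop-unknown-ike {
                from {
                    destination-address {
                        192.0.2.1/32;
                    }
                    protocol udp;
                    destination-port [ 500 4500 ];
                }
                then {
                    count ipsec-dropped;
                    discard;
                }
            }
            /* Any other ESP or AH aimed at the gateway is dropped and counted */
            term drop-unknown-esp-ah {
                from {
                    destination-address {
                        192.0.2.1/32;
                    }
                    protocol [ esp ah ];
                }
                then {
                    count ipsec-dropped;
                    discard;
                }
            }
            /* Everything else is left to the gateway's own policy */
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        description "Internet uplink";
        unit 0 {
            family inet {
                filter {
                    input protect-ipsec-gateway;
                }
            }
        }
    }
}
```

Check that the terms are hit with `show firewall filter protect-ipsec-gateway` and watch the ike-accepted and ipsec-dropped counters. Two caveats: the source lock-down only works for static peers, so roaming clients with dynamic addresses get the policer but cannot be pinned to a source list, and the policer discards excess IKE rather than queuing it, so a legitimate peer that happens to rekey during a flood will have to retransmit, which IKE does by design.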

Thanks again for the question, Brian. We here at @JuniperNetworks are always happy to help!

Node Summit SF: Day Two/Wrap Up

Monday, January 30th, 2012

I wanted to come back and offer a recounting of the rest of my time at Node Summit SF. Over the remainder of the week and weekend I reflected on my time at Node Summit. Day two was primarily focused on NodeJam, a contest to see who could show Node off in the best light. There were several discussions during the day as well. I appreciated the “Evolution of JavaScript” panel most of all. As I was watching the panel I thought, “these are the unsung heroes of the Internet era.” I am a huge buff on computer history, and what I saw in front of me were the leaders that brought us the web that we know. Of course most people wouldn’t recognize this, because you would think of names like Jobs, Gates, Zuckerberg, or Brin as the people that make the computing world turn. All of those stories and dramatized movies are great (they fueled my journey to the valley), but what about the people that moved JavaScript? To see Brendan Eich (creator of JavaScript) and Ryan Dahl (creator of Node) discuss the evolution of JavaScript was really invigorating.

NodeJam offered me several interesting insights into the world of startups. It showed me the importance of getting to the point when sharing your idea. I feel that all of the contestants proposed great uses for Node, but the way in which they were presented was most interesting. The winner of NodeJam had the most intriguing way to demonstrate their product. Quizlet, a tool to help you learn and study, had the audience join together in a game to up-vote the most interesting use of a particular word. Immediately you could see the value in the platform; you could experience the scale and the smooth UX. It sold itself. People were hooting and hollering; it was really a gas. They used the tried and true “wow factor” that has been used for generations since its popularization on the Atlantic City boardwalk. My hat, in this case my wizard’s hat, goes off to Quizlet and their amazing product.

Geeklist was another NodeJam contestant. The premise behind Geeklist is to use it as an online resume of sorts. You can easily log in via your Twitter account, and once allowed into the beta you can start sharing your success stories. I really like it because it shows the use cases for your work. It allows people to read through your experiences and get to know more about them. I feel the traditional resume and job hunting experience is boring, so this is a welcome tool. While this was focused around programmers, I think the networking community should give it a whirl.

Overall, while people may still be cautious about using Node, I hope the summit gave folks a better feeling that Node is ready. Don’t be the last person to jump on this tool; it’s something that just can’t be ignored.

Security: It’s Everyone’s Job

Wednesday, January 25th, 2012

Today I attended Node Summit, a conference to discuss the ecosystem around Node. Node is a very important tool. If you have not heard of Node, then today is the day you need to start paying attention to it. You can find my summary of the first day of Node Summit here to learn more. Back to the topic at hand. One of the speakers today made the statement that security is everyone’s job. That speaker was Steve Pawlowski. Steve is a senior fellow and CTO at Intel, and I can tell you that he is definitely a smart guy. He gave a talk discussing many aspects of the cloud, ranging from measuring picojoules per execution on processors to cloud designs. His comments around security really hit home for me.

One of my tasks at Juniper Networks is to help with customer designs. The scope of these designs varies from mobile service providers to banking institutions, but all of them involve security. What particularly hit home for me is how often we try to compensate for weak application security with the network. Now, I think we can agree that you need security in your network. However, you never want to put all your eggs in one basket, and you don’t want to over-compensate in a single area. I mean, you would never stick your foot out of your car to stop it going 70 MPH, would you? Well, maybe if your last name was Flintstone. I often have people say, “well, my web app has lots of issues, but you can just use a firewall to secure it.” A firewall that allows port 443 to the web server passes a malicious request just as readily as a legitimate one, and an IPS or WAF can only block the attack patterns it knows about. While a firewall, Intrusion Prevention System (IPS), or Web Application Firewall (WAF) are great tools, starting with an application developed with security in mind is what you want. A security-minded application PLUS security tools is really what you need.

Of course, when the networking or security team asks me to use our products to secure an application, they have often been put in that position. I completely sympathize with them: they didn’t design the application, they just need to secure it. However, the responsibility for application security covers everyone in the organization. Much like the saying from that famous bear: only you can prevent a security breach.
