Category: security

What exactly is Zero-Trust architecture? Is it all hype or is there something behind it?

More Information

• Zero Trust Architecture (NIST)
• Zero Trust Shouldn’t Be The New Normal (Dark Reading)
• What Is Zero Trust (CloudFlare)

Options to secure communications between datacenters connected by some ISP or a dedicated dark-fiber.

---

We have 3 DCs connected with a dark-fiber and aerial as a backup. While dark-fiber is a point-to-point with no active devices in between, the aerial backup does traverse the ISP equipment, and we would like to encrypt the communications at network level, while mantaining OSPF or BGP (eVPN?) as control plane.

10 or more years ago I used to do some very simple DDoS prevention with AS:<666> communities and propagating upstream.

Not a solution but took the traffic off our upstream/peering links for everybody else’s benefit.

It would be useful to get an overview of those tech and implementation/approaches.

---

I see that “ddos mitigation with blackholing” in in the list, but I think that BGP Flowspec would be a more interesting and modern topic.

---

I wonder if you could include a discussion on how CloudFlare operate as well as perhaps Arbor, now known as NetScout for scrubbing.

More Information

• What is DDoS blackhole routing?
• BLACKHOLE Community (RFC 7999)
• Configuring BGP to Block Denial-of-Service Attacks (RFC 3882)
• Remote Triggered Black Hole Filtering with Unicast Reverse Path Forwarding (RFC 5635)
• Practical usage of the Blackhole Community

I just watched a YouTube video by a security researcher showing how a five line python script can be used to unilaterally configure a Cisco switch port connected to a host computer into a trunk port. It does this by forging a single virtual trunk protocol (VTP) packet. The host can then eavesdrop on broadcast traffic on all VLANs on the network, as well as prosecute man-in-the-middle of attacks:

https://youtu.be/u5cp_hcwq2c

This was a Cisco switch, and apparently the default configuration permits this. I haven’t delved into the details yet, but I’m hoping that there are straightforward configuration settings that can prevent this kind of attack. I gather, though, that it isn’t as simple as just adding a line code to IOS. It looks like what’s needed is very specific pruning of VLANs to ports for devices that are not switches, and that sounds like a big, ongoing maintenance task prone to human error.

The design clinic would be broader than this specific vulnerability though. We’ve all seen Aruba and Cisco and Juniper and the like checklists explaining how to “harden“ their specific network gear, but I just looked and didn’t see this VLAN thing discussed, for Cisco at least:

https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

Clearly these checklists need to be updated in the light of more recent hacker machinations. I’d love to see a strategy for proactively designing security measures into networks works for this vulnerability and others recently discovered. Every network I’ve ever worked on, all the security stuff seem to be bolted on after the fact, rather than designed in from the beginning. You could title the clinic “Designing networks for security from the ground up“.

Traditional security has relied on edge filters for ages. I realize today there are solutions for micro segmentation (NSX-T, illumio, edgewise, etc), but they are too new, don’t support every OS or w/ever the limitations are that prevent them from becoming defacto and so we still operate edge firewalls (edge meaning on the VRF edge, not necessarily on the trusted network edge like an Internet connected firewall).

We discourage firewall policies that are based on a host IP in favor of policies that are based on subnet address which by the very nature of it means we dedicated subnets to a particular purpose. We also discourage crossing the boundary of the VRF in the first place through the perimeter firewall. Instead we encourage standing up a load balancer that is multi homed into 2 or more VRFs. I suppose it is very similar to AWS load balancers where they expose workloads in the VPC (one VRF) to the Internet (another VRF).

The main idea here is we want to enable horizontal scalability of throughput capacity between VRFs and routing everything through an edge firewall is the opposite of that (single firewall being the bottle neck for throughput and a SPOF). What do other folks do around the perimeter transit capacity balancing that out with security?