
31 July 2017

Five years ago …

Five years ago I opened this blog to write about networking and security, because I wanted to improve my writing skills and because it was a good way to stay up to date on technologies, standards, protocols, attacks, etc. In addition, I’ve been writing in English for two years and I want to keep writing in English because I don’t want to forget this language. Who knows whether I’m going to be writing in French in the future, because I really love languages and I’ve started to learn French as well.

What have I done in the last year? I’ve done many things, as always, and I like it. I’ve been reading, studying, testing and teaching new datacenter technologies like Shortest Path Bridging (SPB), Virtual Extensible LAN (VXLAN) and Software-Defined WAN (SD-WAN). On the other hand, I’ve also installed, configured and/or supported load balancer appliances, SIEM appliances and firewall appliances, and I’ve even been at the FortiXpert (again) and ForoCiber conferences. Everybody has heard about WannaCry, which was just another cyberattack, and the Apache Struts vulnerability; I analysed and read about both of them to know how they work. Troubleshooting network performance issues and improving SSL VPN performance with DTLS are another two things which have improved my knowledge about networking, as has studying the DTLS protocol for configuring SSL VPN over UDP. In addition, I’ve also been reading a lot about CIA hacking tools, the Security Directives for the EU, the cyber rights from the new GDPR, and books like the Steve Jobs biography and the truth about your future. So much reading and studying have been done that I achieved the level of F5 Certified BIG-IP Administrator. What’s more, once again, I’ve been abroad in a workcamp for two weeks, working for free, in a small town in the Czech Republic where I met interesting and kind people. Finally, I would also like to highlight the speech at CUM University, where I returned to speak about security.

An overview of the most widely read posts in the last five years is the following:

With regard to where the blog is visited from, the statistics are the following:

Last but not least, I would like to thank everybody who reads this blog and supports me, because they are the main reason why I have already written 244 posts with almost 180000 views. If someone has something to say to improve this blog, it is welcome.

Regards, my friends, and I hope to see you again in September after a great holiday.

24 July 2017

Throw away your firewalls!!

I usually install firewall appliances with UTM (Unified Threat Management) features to protect our customers’ networks and information against viruses, malicious websites, spam, attacks, etc. Most of these firewalls are installed at the perimeter of the network, and most of them have VPN capabilities as well. Therefore, SSL VPN or IPsec VPN is used to connect to the organization from untrusted networks like coffee shops, airports, hotels, etc. Actually, this is a good way to give remote users access to internal services.

However, Google wants to break the schemas, architecture and design that we are used to seeing, with a new concept called BeyondCorp. They are working on a new approach to enterprise security where everything is untrusted, also called Zero Trust, and where access control is shifted from the perimeter to individual devices and users, allowing employees to work securely from any location without the need for a traditional VPN. As a result, employees don’t have to install any VPN client, which is a great benefit, and internal services are no longer internal services: they are accessible from any location, even from the Internet.

BeyondCorp components and access flow
As we can see, this new approach has many components. As it trusts individual devices and users instead of networks, there are two important databases, the device inventory database and the user/group database, where trustworthy users and devices are stored. However, the trust of a user or device can change over time: for example, if the device doesn’t have the latest OS patch applied, doesn’t have the latest antivirus signatures, or its certificate is on the blacklist, that device is no longer trustworthy and it’s moved to the untrusted network. All of these tasks are done by the trust inference component, the certificate issuer and the pipeline. On the other hand, the access control engine, along with the access proxy, provides service-level authorization to enterprise applications on a per-request basis. This new security model also has a RADIUS component to move users and devices from one VLAN to another inside Google buildings, and a Single Sign-On component for user authentication to all applications.
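To make the per-request decision concrete, here is an added example (not Google’s code, and not part of the original post) that models a trust inference step and an access control engine in Python. The tier names, the policy table and the sample device and user records are all constructed for this illustration; the point is that device trust is recomputed on every request, so a stale patch level or a blacklisted certificate changes the answer without any network-based rule.

```python
from dataclasses import dataclass
from enum import IntEnum

# Trust tiers produced by the trust inference component. The names are
# this example's own assumption, not tiers published by BeyondCorp.
class Tier(IntEnum):
    UNTRUSTED = 0
    BASIC = 1
    PRIVILEGED = 2

@dataclass
class Device:
    device_id: str
    cert_serial: str           # serial of the device certificate
    os_patch_level: int        # as reported to the device inventory
    av_signature_age_days: int # age of the installed antivirus signatures

@dataclass
class Request:
    user: str
    groups: frozenset          # from the user/group database
    device: Device
    service: str               # enterprise application behind the proxy

# Constructed sample data standing in for the certificate blacklist and the
# inventory's notion of "current" patches and signatures.
CERT_BLACKLIST = {"SN-DEAD"}
LATEST_OS_PATCH = 42
MAX_AV_AGE_DAYS = 3

# Service policy consulted by the access control engine: required group and
# minimum device tier per application (constructed for this example).
POLICY = {
    "moma": ("employees", Tier.BASIC),
    "payroll-admin": ("finance", Tier.PRIVILEGED),
}

def infer_tier(dev: Device) -> Tier:
    """Trust inference: evaluated on every request, so trust can drop."""
    if dev.cert_serial in CERT_BLACKLIST:
        return Tier.UNTRUSTED
    if dev.os_patch_level < LATEST_OS_PATCH or dev.av_signature_age_days > MAX_AV_AGE_DAYS:
        return Tier.BASIC
    return Tier.PRIVILEGED

def authorize(req: Request) -> bool:
    """Access control engine: service-level, per-request decision at the proxy."""
    if req.service not in POLICY:
        return False  # unknown service: default deny
    group, min_tier = POLICY[req.service]
    return group in req.groups and infer_tier(req.device) >= min_tier
```

The same user on a stale device keeps access to the intranet tier but loses the privileged application, which is the behaviour the paragraph above describes.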

This new security approach, protecting our corporate resources without a security perimeter, requires publishing all our internal services to the Internet. As we can see, Google has resources like this domain name registered in public DNS, with a CNAME pointing to the access proxy:

DNS Intranet resources

Moma is the intranet for Google employees, and lots of its resources are accessible from the Internet through the BeyondCorp access proxy:

MOMA Single Sign-On

From my point of view, firewalls aren’t going to disappear yet, but we’ll move to a 4th generation of firewalls where we’ll configure firewall policies by users and devices easily, instead of by networks, because every location and network will be untrusted. In addition, we’ll have better integration between all IT devices (servers, desktops, databases, WiFi, switches, mail, web, firewall, etc.) for better security protection, such as Fortinet is doing with its Fortinet Security Fabric.

Regards, my friends, and remember: the world is changing very fast, and IT security as well.