
29 April 2019

What’s new in BIG-IP version 14.0



From my point of view, BIG-IP version 13.1 is ready for production. In fact, BIG-IP version 13.1.1.4 is the best version for production right now. However, BIG-IP version 14.0 is already out and it’s time to get to know the new features and enhancements. I like reading and writing about new versions, such as What’s new in BIG-IP version 13.1, What’s new in FortiOS 5.6 or What’s new in FortiOS 6.0. Today, I’m going to highlight the new features included in BIG-IP 14.0 which are useful and cool.

BIG-IP LTM v14.0 has new features such as Default Passwords Expiry, Password Policy Enforcement, a New HTML-Based Dashboard and full dual-stack IPv4 and IPv6 address support on the Management Port. The new HTML-Based Dashboard is the best feature by far because Flash software is no longer needed to show the system dashboard. On the other hand, security has improved because Default Passwords have to be changed and we can also configure a Password Policy to enforce strong administrator passwords.

HTML-Based Dashboard

BIG-IP Advanced WAF v14.0 has lots of interesting security features such as Enforcing Use of Parent Policies, Threat Campaigns Subscription and Secure Client-Side Transactions with DataSafe, to name a few. Enforcing Use of Parent Policies is useful to eliminate repetitive configuration and management of the same settings across individual policies. In addition, the Threat Campaigns Subscription is interesting for detecting specific threat actors, web attacks and vulnerabilities. The Threat Campaigns Subscription can complement any existing security policy and DoS profile already deployed. Finally, Secure Client-Side Transactions with DataSafe is able to obfuscate user data, encrypt user data or protect against keyloggers using a new DataSafe profile assigned to the virtual server.

Enforcing Use of Parent Policies
 
BIG-IP APM v14.0 also includes new features and enhancements such as Access Guided Configuration, OpenID Connect Authorization Server, VMware Blast Extreme and Multi-Factor Authentication for Native Microsoft Clients. Guided Configuration uses iApps and it’s designed to make complicated configurations much simpler for BIG-IP administrators. What’s more, BIG-IP APM v14 supports OpenID authentication, which is similar to SAML, and it also supports VMware Blast for Virtual Desktop Infrastructures (VDI).

Access Guided Configuration
 
BIG-IP DNS v14.0 has also been improved with new features such as EDNS0 Client Subnet Support and it’s also able to add DNS Devices via iControl REST. For instance, BIG-IP DNS v14 places the client IP address into the EDNS0 field, if empty, and determines the topology proximity of the client. This new feature improves Global Server Load Balancing.

With EDNS0 Client Subnet Support
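
The option that carries the client subnet in a DNS query is the EDNS0 Client Subnet option defined in RFC 7871 (option code 8). The following added example, which is not F5 code and not part of the original post, encodes and strictly parses that option and mirrors the "insert only if empty" behaviour described above; the function names, the /24 default and the documentation-range addresses are assumptions chosen for illustration.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8  # EDNS0 Client Subnet option code (RFC 7871)

def build_ecs_option(client_ip, source_prefix):
    """Encode an ECS option carrying client_ip truncated to source_prefix bits."""
    net = ipaddress.ip_network(f"{client_ip}/{source_prefix}", strict=False)
    family = 1 if net.version == 4 else 2
    # Only the bytes needed to cover the prefix are sent, so the full
    # client address is not disclosed to the upstream resolver.
    addr = net.network_address.packed[: (source_prefix + 7) // 8]
    payload = struct.pack("!HBB", family, source_prefix, 0) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(payload)) + payload

def parse_ecs_option(option):
    """Decode one ECS option into (network, scope_prefix); reject malformed input."""
    if len(option) < 8:
        raise ValueError("option too short")
    code, length = struct.unpack("!HH", option[:4])
    payload = option[4:]
    if code != ECS_OPTION_CODE or length != len(payload):
        raise ValueError("not a well-formed ECS option")
    family, source_prefix, scope_prefix = struct.unpack("!HBB", payload[:4])
    size = {1: 4, 2: 16}.get(family)
    if size is None or source_prefix > size * 8:
        raise ValueError("bad family or prefix length")
    addr = payload[4:]
    if len(addr) != (source_prefix + 7) // 8:
        raise ValueError("address length does not match prefix")
    cls = ipaddress.IPv4Network if family == 1 else ipaddress.IPv6Network
    # strict=True rejects options whose bits beyond the prefix are not zero.
    net = cls((addr + bytes(size - len(addr)), source_prefix), strict=True)
    return net, scope_prefix

def ecs_for_query(existing_option, client_ip, prefix=24):
    """Keep an ECS option already in the query; otherwise derive one from the client."""
    return existing_option if existing_option else build_ecs_option(client_ip, prefix)
```
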
 
There are lots of new features and enhancements in BIG-IP v14.0. It’s up to you to test these new features and read about them. Regards, my friends! Be happy!

22 April 2019

Security on the Internet for teenagers



From time to time I have to give a speech about security, networking or technology. This week, my colleague Marco has scheduled a talk about “Security on the Internet for teenagers” where I’m going to speak about best practices and the risks that exist on the net. Actually, there are lots of things I can say about Security on the Internet. I can speak about Social Networks, Privacy, Sexting, Cyber Bullying, Grooming, etc.

Poster

Social Networks are well known by most teenagers. Most of them know WhatsApp, Snapchat, Pinterest or even Tik Tok. They know the benefits of using these kinds of applications. We can be in touch with friends. We can share pictures. We can meet people with the same hobbies. There are lots of benefits. However, it’s important to highlight that there are also risks we have to take into account. The consequences of these risks can be very serious, ranging from a fight to suicide. For this reason, social networks must be used carefully.

Privacy seems like something boring. Most teenagers don’t care about privacy. There are lots of words to read. There are lots of sentences to understand. Nobody reads them. However, privacy is not like physical stuff, which we can recover if someone else takes it. I mean, if someone steals your bike, you can recover it, but if someone steals your identity, your pictures or your information, you’ll never recover it.

Social Networks and Privacy are just two topics I’m going to speak about in the talk, but I will also speak about Sexting, Bullying, Grooming, etc., where I’m going to play videos and ask the teenagers lots of questions. We’ll see the feedback of the audience. I hope this talk will be rewarding for the future of teenagers on the net.

See you on the stage!! ;-)

15 April 2019

ISA-95 levels for Industrial Systems



One of the first certification exams I took was the ITIL Foundation 8 years ago, where I learnt about IT Service Management (ITSM). Afterwards, I worked for Ariadnex to get ISO 20000, where I learnt more about IT Service Management. I also worked for Ariadnex to get ISO 27001, where I learnt a lot about Information Security. These last two years I’ve also been working with PCI-DSS and ISO 22301. I mean, I think reading standards and applying best practices is important and, much of the time, mandatory to do a good job.

Today, I want to write about a new standard I’ve been reading lately. It’s the ISA99 standard. I didn’t know this standard till four or five months ago when I started working on a new project. If you know the ISA99 standard, you’ll know I’m talking about an industrial project. Actually, the ISA99 committee has developed the ISA/IEC 62443 series of standards and, as a result, the ISA99 standard is no longer developed by the committee. What I would like to highlight today are the levels defined by the ISA95 and ISA88 standards.

ISA-95 levels

The first two levels of process control, level 0 and level 1, are focused on the control of the equipment which executes the production processes. On the one hand, level 0 is the equipment and human resources which are required for the industrial process. Level 0 is the set of physical assets within the enterprise. On the other hand, automation systems such as PLCs, DCSs or RTUs are in level 1. These automation systems work with the physical assets, which are in level 0. The level 1 devices are electric and control devices.

PLC - Programmable Logic Controller

The next level, level 2, is very well defined by the ISA88 standard. HMI and SCADA systems are in this second level. HMIs are operation monitors to control specific processes, while SCADA systems are applications to control and monitor the whole industrial system. As a rule, a PLC is controlled by an HMI while lots of PLCs are monitored with a SCADA system. Therefore, the first interaction between the human being and the hardware is in level 2.

SCADA - Supervisory Control And Data Acquisition

The next two levels, level 3 and level 4, are well defined by the ISA95 standard. We have the Batch, Historian and MES in the third level. The Batch is like a SCADA with databases for batch production. The Historian is a database where industrial data is stored. The MES is the interface between level 2 and level 4. Finally, level 4 is where the business intelligence is located. For instance, ERPs and CRMs are in level 4.

MES - Manufacturing Execution System

Once all levels are defined, how can we protect an industrial enterprise? The bottom levels can be secured with an Intrusion Prevention System (IPS) with industrial signatures which block attacks against communication protocols (e.g. Modbus, PROFIBUS, Conitel, etc.), while the upper levels can be secured with Application Control and Web Filtering. In addition, I would like to highlight the importance of segmenting the network into zones.

FortiGate Rugged

Keep learning and keep studying my friends!! All comments are welcome.

8 April 2019

A Forensic Challenge



I finished the training on Networks, Systems, Hacking and Forensics last week, where students have learned a lot about Security, or I think they have learned a lot! This last course about Forensics has been fun because students have had to solve three challenges. The first one was interesting for reinforcing the importance of looking at metadata. The second one, which used steganography techniques, was a little bit more difficult. I have to admit the third one is difficult for a newbie because it contains a mix of steganography and obfuscation techniques.

The last challenge is about steganography and obfuscation, where students have checked the image metadata, hex dumped the file contents and extracted a hidden zip archive. They have also had to look at the start of the file, the end of the file and the middle of the file to extract another file. Finally, students have had to read about esoteric programming languages to find the final flag.
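
The "extract a hidden zip archive" step can be automated once the hex dump shows bytes after the end of the image. The following is an added example, not the challenge's solution and not code from the original post; it assumes the carrier is a PNG, and the function names and the stub sample are constructed for illustration.

```python
import io
import zipfile

PNG_SIG = b"\x89PNG\r\n\x1a\n"   # first 8 bytes of every PNG
PNG_END = b"IEND\xaeB`\x82"      # IEND chunk type followed by its fixed CRC
ZIP_LOCAL = b"PK\x03\x04"        # ZIP local file header signature

def trailing_data(image):
    """Return the bytes stored after the PNG IEND chunk (empty if none)."""
    if not image.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    end = image.find(PNG_END)
    if end < 0:
        raise ValueError("no IEND chunk")
    return image[end + len(PNG_END):]

def carve_zip(blob):
    """Try each ZIP signature offset; return {name: content} of the first valid archive."""
    pos = blob.find(ZIP_LOCAL)
    while pos >= 0:
        try:
            with zipfile.ZipFile(io.BytesIO(blob[pos:])) as zf:
                if zf.testzip() is None:      # every member passes its CRC check
                    return {n: zf.read(n) for n in zf.namelist()}
        except zipfile.BadZipFile:
            pass                              # signature was a coincidence, keep looking
        pos = blob.find(ZIP_LOCAL, pos + 1)
    return {}

def make_sample():
    """Constructed sample: a stub PNG (signature + IEND only) with a ZIP appended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "constructed sample content")
    stub_png = PNG_SIG + b"\x00\x00\x00\x00" + PNG_END
    return stub_png + buf.getvalue()

if __name__ == "__main__":
    print(carve_zip(trailing_data(make_sample())))
```

Image viewers stop reading at IEND, which is why appended data does not change how the picture displays and only shows up in a hex dump or a carving pass like this one.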


There are lots of CTF (Capture The Flag) challenges on the Internet which are useful for learning about hacking and forensics. You just have to keep studying, reading books and learning what you want!

1 April 2019

MLAG vs vPC vs Stacking



I’m working these days with Mellanox switches, which I think are awesome because, thanks to the Spectrum ASIC, these switches provide low latency, zero packet loss, and non-blocking traffic. In fact, it’s one of the first manufacturers I know with 400 GbE interfaces. I mean, one network interface at 400 Gbps. It’s amazing. In addition, Mellanox switches support the RDMA over Converged Ethernet (RoCE) technology, which is a great benefit for Hyperconverged Infrastructures (HCI).

Mellanox SN3510 with 6 QSFP-DD 400GbE

Once they are installed, it’s time for network configuration. Right now I’m thinking about clustering and I’m also looking for the best technology to deliver high throughput. I’ve already written about Multi-Chassis Link Aggregation (MLAG) and I think this will be the best technology to configure a cluster of switches with high throughput. MLAG is a non-standard protocol which is useful to create port groups between switches of the same vendor. We can create LAGs to servers from different switches. Therefore, the MLAG technology is recommended for high availability and high throughput.

Multi-Chassis Link Aggregation

Maybe, if you know Cisco, you are thinking about Cisco Nexus vPC. This is also a great technology for clustering switches where we can create Link Aggregations (LAG) between two switches. In addition, the switches keep their control planes separated, thus better performance is delivered. However, Cisco Nexus vPC is a Cisco-specific protocol which can’t be configured on other kinds of switches.

Cisco Nexus vPC
 
At first glance, MLAG and vPC are the same. Both are able to create Link Aggregations (LAG) between two switches and both are managed and configured independently, but they are not really the same. For instance, MLAG is easier to configure than vPC because MLAG concepts are the same on all platforms while vPC is a vendor technology with its own concepts. In addition, MLAG mainly enables Layer 2 multipathing while vPC enables Layer 2 and Layer 3 multipathing. However, if we want to enable Layer 3 multipathing, we could also use the Multi-Active Gateway Protocol (MAGP).

On the other hand, stacking is a well-known technology which is useful for easy configuration of switches because all switches can be configured from a single management interface. Thus, there is only one management plane. In addition, the stacking technology is able to create Link Aggregations (LAG) between switches like MLAG and vPC do. However, there are many more limitations in the stacking technology than in the MLAG or vPC technologies. For instance, there is always a limited number of switches that can be added to the stack. What’s more, it’s not possible to stack remote switches which are geographically separated. Therefore, stacking makes sense for the edge of smaller sites while MLAG or vPC make sense for the core or distribution layer.

Stacking
 
To sum up, there are three types of technologies to create Link Aggregations (LAG) from switches to servers: MLAG, vPC and Stacking. Which one to choose? It’s up to you.

Keep learning and keep studying my friends!! Any comments are welcome.