Subscribe:

Ads 468x60px

26 July 2021

The last post

… before holiday!! This is the last post because I need to rest. I need to do something else. I need to read. I need to study. I need to be ready in September because there will be lots of things to do. The end of the year will be amazing. I’m sure! I’ll keep working with security appliances such as web application firewall, network firewall and VPN devices. I’ll keep working with DDI devices as well as I’ll keep working with load balancer appliances. Routers, switches and wireless devices will also be in my daily tasks. What's more, I will be the teacher of a mobile security training.

Cependant, je dois étudier cet été parce que je n’ai pas réussi mon examen de francais en juin. Je dois écrire plus souvent et je dois aussi parler en francais. Je parlerai peut-être seul en francais. Je parlerai devant mon ordinateur. Je m’enregistrerai et je m’écouterai. Vous savez que j’aime écrire mais cet été je n’écrirai pas sur la technologie mais j’écrirai sur l’économie, la famille et ce type de choses que les profs veulent lire. Donc, j’espère te dire après l’été que j’ai finalement reussi mon examen.

À bientôt.

19 July 2021

F5 BIG-IP APM – SP Initiated for Office 365

I wrote about IdP Initiated for Office 365 last week. However, there are some people they don’t know yet what is the difference between IdP Initiated and SP Initiated. When we configure an IdP Initiated architecture, firstly users access to the IdP for authentication, secondly, SAML IdP validates credentials and collects data from directory. Finally, after selecting a SAML Resource, SAML IdP redirects user back to the SAML SP with a SAML assertion.

IdP initiated SAML

On the other hand, SP Initiated is a little bit different. Firstly, users access to the SAML SP. Secondly, SAML SP redirects users to SAML IdP where users authenticate. Thirdly, SAML IdP validates credentials and collects data from directory. Finally, SAML IdP redirects user back to SAML SP with SAML assertion. As you can see, the main difference is users access first to the SP instead of the IdP.

SP initiated SAML

We can watch in the next video how to configure SP Initiated for Office 365 with the guided configuration of F5 APM.

Thank you! See you soon!

12 July 2021

F5 BIG-IP APM – IdP Initiated for Office 365

F5 BIG-IP APM is really useful for federation and Microsoft integration thanks to the AGC (Advanced Guided Configuration) for version 15 and SGC (Simplified Guided Configuration) for version 16. It is very easy to configure Application access with Azure AD or federation with Office 365. F5 APM federates user identity and enables single sign-on (SSO) to applications on-premises and in the cloud, including SaaS, because APM supports SAML, OAuth, Kerberos, header-based authentication and other SSO techniques.

I’ve been recording a new video today where you can watch how to configure F5 APM as Identity Provider for Office 365. The configuration is really easy. On one hand, there are some configuration needed on the Windows side such as Azure AD Connect installation on Active Directory for user sincronization, as well as, AzureAD and MSOnline for Windows Federation. On the other hand, we can use the Guided Configuration on F5 APM for configuring easily F5 as Identity Provider for Office 365.

Have a nice day! Would you like to configure federation on Office 365?

5 July 2021

F5 ASM - Sending security logs to BIG-IQ

I'm working deeply with BIG-IQ devices since the end of the last year. These devices are really useful when you have to manage lots of BIG-IP devices because you can search objects easily as well as you can deploy configurations from a central management device. However, BIG-IQ is also increasingly used for monitoring applications and saving events logs because the built-in dashboards are really powerful for applications visibility. For instance, we can know application latencies or bot traffic from a single dashboard.

Bot Traffic Dashboard

I’ve been recording a new video where you can watch how to add a BIG-IP device to the BIG-IQ and how to configure a security log profile to send events to the BIG-IQ. Actually, the BIG-IQ DCD has a listening service in the 8514 port then we have to configure a log profile in the BIG-IP device to send events to the 8514 port. Once it is configured, there will be security events in the BIG-IQ Central Management (CM) device, thus, we can already watch these logs for troubleshooting and applications visibility from BIG-IQ CM.

Have a nice day! Do you like the BIG-IQ?

28 June 2021

What’s new in FortiOS 7.0

You already know I like writing about the new features and enhancements in FortiOS. I think it’s important to know the new features because they will be requirements for new projects and they will be interesting for lots of customers. The new FortiOS 7.0 brings lots of new features and enhancements. I can’t write about all of them in this article because there are more than 300 new features across the Fabric. Therefore, I will write about the most interesting features and improvements from my point of view.

The Fortinet Security Fabric has improved with new integrations for comprehensive protection. The Open Fabric Ecosystem has already more than 400 integrated solutions. There are Fabric Connectors and Fabric APIs for AWS, Aruba, Cisco and many more. We can also integrate FortiWeb, FortiDeceptor and FortiTester to the Security Fabric. What’s more, we can even integrate VDOMs in the Security Fabric. In addition, there are improvements in the automation workflow where we can even send notifications vía Microsoft Teams. 

Fortinet Security Fabric

There are some customers who want to block some features in social networks. For instance, they want to allow users to access social networks but they want to block social networks chats. This can already be configured with application control from previous versions. However, FortiOS 7.0 also allow you to block channels from YouTube, Vimeo or Daily Motion throught the new Video Filters. Therefore, we can configure security policies with a lot of granularity.

Video Filtering

There are another interesting feature I really like which allow you to generate automatically a certificate for a device using ACME (Automated Certificate Management Environment). I like because we can configure a Let’s Encrypt Certificate easily for SSL-VPN access. This new feature provides a simplified way for administrators to assign a certificate to the device, without complexities of manully managing certificates.

Let's Encrypt

I always like to write about the changes of subscription services. The FortiGuard Services have changed a little bit. The IPAM service is EoO (End of Order) thus you can’t buy this service anymore. The FortiGuard IoT Detection Service includes an IoT MAC database for device detection (visibility) WiFi access. The new Video Filtering service has been included in the Unified Threat Protection. In addition, FortiCloud SOCaaS is a new service where the Fortinet SOC Team can help you to protect your systems.

FortiGuard Services

There are many more features and improvements. There are also interesting features for wireless networks, NAC and wired networks with FortiSwitches. However, FortiOS 7.0 should be applied just for a non-production environment because we should wait three or four patches to have a stable version for production environments. Meanwhile, FortiOS 6.4 is the best version for your devices.

Have a nice day! Are you ready to test this new version?

21 June 2021

F5 APM – Assign Resources for AD Groups

F5 APM is increasingly used as a SSL VPN portal access where users have all web applications they need to work daily. Most companies are looking for this kind of architecture because there are lots of users working from home. F5 is really powerful in this kind of architectures. In fact, there are companies they have even configured Single Sign-On (SSO) with 2 Factor Authentication (2FA) in the portal access to allow the user to log in once for all web applications as well as improving security with a token.

One of the requirement for most companies is to assign web applications for AD groups. It is mandatory that users only see their applications in the web portal. Each user should see only the applications the user is going to use. Therefore, there will be lots of SSL VPN portal. One for each user. F5 APM is able to assign resources dinamically thanks to the Advanced Resource Assign and AD Groups. For instance, we can watch in the next video that a user who belongs to two groups can see two applications.


Have you ever needed to assign resources dinamically for AD Groups? Go ahead!

14 June 2021

La télérealité: Un phénomène de société

Bonjour à tous !

Je vous écris pour partager mon opinion sur la télérealité. D’abord, je ne comprends pas vraiment comment il y a autant de chaînes avec des programmes sur la télérealité. Je suis sûr que si j’avais le temps, je ne regarderais jamais ces chaînes. Cependant, il y a beaucoup de personnes qui aiment les regarder. Nous devrions nous demander, pour quoi ? Peut-être, la plupart des personnes aiment regarder l’intimité d’autres.

D’autre part, les gens aiment dévoiler son intimité en public. Aujourd’hui, il y a beaucoup de réseaux sociaux où on peut publier des photos. Nous voulons que nos amis sachent comment nous l’avons passé dans la plage ou qu’est-ce que nous avons mangé. La télérealité est la même que les réseaux sociaux mais elle est en ligne pour tout le monde. Je pense que les gens, qui participent à ce genre d’émissions, le font principalement pour gagner de l’argent. En plus de l’argent, je crois qu’ils le font pour être célèbre.

Qu’est-ce que vous pensez ? J’attends vos réponses.

7 June 2021

Peut-on encore être écolo et prendre l’avion ?

J’ai lu un article récemment à propos de la pollution et de l’urgence climatique. Réellement, il s’agit d’un article à propos de la préservation de la planète et de la tendance flygskam.

À mon avis, nous devrons faire plus attention à la pollution. Ce n’est pas seulement l’avion qui pollue mais aussi les usines, les voitures, etc. Par exemple, je préfère prendre le train pour aller travailler à Mérida au lieu d’aller avec ma propre voiture. Je pense que le transport en commun est très nécessaire et très important pour faire baisser la pollution de la planète. C’est vrai que l’avion pollue trop l’environnement mais je crois que nous ne sommes pas en train de prendre l’avion tous les jours. Alors, nous devrions commencer par les petites choses comme le recyclage, le transport en commun, etc.

Je peux faire beaucoup de propositions pour améliorer la planète mais je pense que les politiciens sont les personnes qui doivent travailler pour faire des lois anti-pollution. Si il n’y a pas de lois pour baisser la pollution, la plupart des personnes ne feront rien pour améliorer notre planète. La solution doit partir de nos politiciens.

Alors, ni flygskan ni rien. Si nous voulons conserver notre planète pendant beaucoup des siècles, nous devrons demander à nos politiciens ce qu’ils pensent à l’avenir.

Salut

31 May 2021

Apocalypse ou pas

Je suis un homme très positif. Donc, je pense que l’avenir sera radieux et libéré de la pauvreté grâce à l’impact des nouvelles technologies. C’est vrai qu’il y a davantage catastrophe écologique et la pollution est très élevée. Principalement, les usines et les voitures polluent la planète.

Cependant, il y a beaucoup de technologies aujourd’hui qui améliorent notre vie et aussi la vie de la planète. Par exemple, les voitures électriques sont déjà disponibles pour la plupart des personnes. Ils ne sont pas très chers. Aussi, il y a beaucoup de logiciels pour faire des appels vidéo. Alors, il n’est pas nécessaire de voyager très souvent.

À mon avis, grâce à l’impact des nouvelles technologies, la planète s’améliorera à l’avenir. Nous devrons faire attention à toutes les catastrophes écologiques mais je suis sûr que nous serons gentils avec lui.

24 May 2021

Quel type de voyageur êtes-vous ?

Pour moi, voyager c’est profiter de la culture. Je ne suis pas sûr si je suis un puriste de la culture ou un voyageur éthique étant donné que j’aime rouler ma bosse afin de connaître des cultures mais, je pense, que la meilleure façon de le faire est de participer à des projets de volontariat vu qu’il est nécessaire de parler et comprendre les personnes étrangère pour partager les tâches du projet.

Lorsque je pars en voyage, c’est pour changer d’air. Je déteste la concentration alors je suis tout à fait favorable à l’étalement des vacances. Dans les voyages, ce que je recherche c’est partir à l’aventure où il n’y a pas de touristes. Mes priorités sont les villages, la nature et les montagnes. J’aime aller dans une petite village pour faire de la randonée à la montagne ou travailler sur un projet local destiné à la reconstruction d’un bâtiment utile à la communauté.

Le plus beau voyage que j’ai fait a été celui que j’ai réalisé à Atabey en Turquie il y a six ans. C’était un projet local pour netoyer et reconstruir un école. Mon meilleur souvenir de ce voyage c’est un drapeau signé par tous les bénévoles. J’aimerais y retourner malheureusement ce n’est pas possible à cause de la pandémie. Par conséquent, mon prochaine voyage sera au nord de l’Espagne pour visiter les Pics d’Europe.

17 May 2021

Side channel AttackeD (SAD) DNS

DNS is a protocol unknown by most users but it’s very important for the Internet because domain names have to be resolved to IP addresses. It’s an essential service. The DNS service is a very important protocol which has to be managed, monitor and protected. I’ve already written about DNS Security, DNS performance testing tools, EDNS(0) - Extension Mechanisms for DNS as well as DNS over HTTPS (DoH) and DNS over TLS (DoT). I’ve even written about how to configure DoH & DoT to DNS Proxy with F5 LTM. I’m going to write today about the SAD DNS attack.

First of all, we have to understand what is a DNS Cache Poisoning Attack. It is an attack in which corrupt DNS data is introduced into the DNS resolver’s cache, causing the name server to return an incorrect result record. DNS uses the UDP protocol for queries and responses. There is no handshake with the UDP protocol. Therefore, DNS responses can be spoofed by an attacker and, thus, an attack can inject forged DNS entry. This is one way to execute a DNS Cache Poisoning Attack. There is another way, which is accessing the DNS resolver server to change DNS resources. Anyway, it’s difficult to execute this attack but if there is no DNS protection, it can be done. 

DNS Cache Poisoning Attack

The DNS protocol has already changed several times to protect users to the DNS Cache Poisoning attack. For instance, prior to 2008, recursive resolvers used port 53 to send and receive messages to authoritative nameservers. This made guessing the source port trivial and the only variable an attacker needed to guess to forge a response to a query was the 16-bit message ID. Therefore, the Kaminsky’s attack was simple to run. The DNS protocol was changed to run over randomized source ports for security reasons.

Recently, UC Riverside and Tsinghua Universities has announced a new attack called SAD DNS (Side channel AttackeD DNS). This is a new way to defeat the source port randomization. Thanks to ICMP error messages, the attacker could ask the server which port number is being used for a pending query, that would make the construction of a spoofed packet much easier. However, this attack scenario isn’t easy to perform, but becomes totally possible when all the planets are well aligned. For instance, it requires DNS servers answer ICMP messages under specific conditions.

SAD DNS

If you are a network engineer who manage DNS forwarder or recursive DNS resolver, you should cosider upgrading your Linux Kernel, which uses unpredictable rate limits, blocking the outgoing ICMP “port unreachable” messages with a firewall, and keeping your DNS software up to date. In addition, configuring DNSSEC is a best practice because it is designed to protect against this type of attack.

To sum up, SAD DNS attack is not easy to perform but we should know this kind of attack to harden DNS servers with security protections. This is the best way to avoid attacks like this one.

How are you protecting your DNS servers?

10 May 2021

Electronic Signatures and Infrastructures

I’ve written a lot about information security management. I’ve written about ISO 27001, ENS, PCI-DSS, ISA-95, etc. I’ve also written about cybersecurity strategies such as the EU Cybersecurity Strategy, the National Cybersecurity Strategy of Spain, the Revue Stratégique Cyberdéfense de France, the National Cyber Strategy of the U.S. of America, etc. However, I’m reading the Draft ETSI EN 319 401 - Electronic Signatures and Infrastructures (ESI) this week. Actually, I’m reading the General Policy Requirements for Trust Service Providers which is just released last february.

If we want to know what is this standard for, first of all, we'll have to know what is a Trust Service Provider (TSP). A TSP is an entity which provides one or more trust services, while a trust service is an electronic service for creation, verification and validation of digital signatures, time-stamps and certificates for website authentication. A trust service is also an electronic service for preservation of digital signatures. Therefore, a TSP is a very important entity for providing and preserving digital certificates.

Policy Requirements Document Structure

The ETSI 319 401 standard has requirements that all TSP should comply. One of them is a requirement where the TSP shall specify the set of policies and practices appropiate for the trust services it is providing. I think, this is the most important requirement. In fact, it is a common requirement for all security standards. It is really important because the security policy is going to define a set of “sub-policies” which have to be enforced.

Actually, there are 13 “sub-policies”. Most of them have requirements that refer to ISO/IEC 27002:2013. This is really useful because if you know ISO 27001, we’ll have lots of work done. However, there are also specific requirements to TSP such as they shall have the financial stability and resources required to operate in conformity with the policy, as well as, they shall maintain sufficient financial resources and/or obtain appropriate liability insurance, in accordance with applicable law, to cover liabilities arising from its operations and/or activities. These are two specific requirements from ETSI 319 401 in the organization reliability “sub-policy”.

It’s also interesting the network security “sub-policy” because there are requirements where the TSP shall undergo or perform a regular vulnerability scan on public and private IP addresses identified by the TSP, as well as, the TSP shall undergo or perform a penetration test on the TSP’s systems at set up and after infrastructure or application upgrades or modifications. I like these explicit requirements to perform vulnerability scan and penetration tests. It’s a best practice and they are written in this standard.

To sum up, this is another security standard with lots of requirements. Most of them similar to ISO 27001 but also some of them specific to provide trust and confidence in electronic transactions.

Did you know this standard?

3 May 2021

Trois jours et une vie

J’ai lu "Trois jours et une vie" de Pierre Lemaitre, dont le genre littéraire est un roman psychologique, qui a été publiée en 2016.

Pierre Lemaitre est psychologue de formation et autodidacte en littérature qui a reçu le prix de Goncourt pour son roman « Au revoir là-haut » en 2013. Il travaillait dans la formation professionnelle des adultes jusqu’en 2006, quand il a commencé à vivre de sa plume comme romancier et scénariste. 

« Trois jours et une vie » est un livre où un garçon tue un ami accidentellement. Il ne dit personne que s’est-il passé parce qu’il prend de panique, alors il se débarrasse du petit corps. Le garçon doit apprendre à grandir avec ce secret parce que les jours passent, les habitants du village se mobilisent pour retrouver l’enfant disparu et les policiers cherchent dans tous les recoins. Cependant, seulement le petit enfant connaît la vérité.

L’histoire est présentée à Beauval en France à la fin de décembre 1999 et le roman est divisé en chapitres sans titre. Le narration est faite dans la tête du petit garçon qui raconte sa vie avec angoisse et terreur permanent.

Le roman parle principalement d’un enfant qui s’appelle Antoine et qui habite seul avec sa mère divorcée Mme Courtin. Il a douze ans quand il tue l’un de ses amis - Rémi Desmedt, 6 ans. Les parents de Rémi sont voisins des Courtin et ils sont très inquiets pour retrouver son fils. Il y a aussi d'autres personnages principaux comme le docteur Dieulafoy qui est le médecin de famille, Valentine Desmedt qui est la sœur de Rémi, et Émilie Mouchotte qui est aussi la voisine d’Antonie.

À mon avis, «Trois jours et une vie» est un livre prenant, qu'on ne peut pas arrêter de lire. J’ai vraiment aimé la fin du roman. C’était inattendu.

À bientôt!

26 April 2021

F5 ASM - Using Qualys for a Security Policy

I’ve been working with vulnerability assessment tools and F5 ASM these days. In fact, I’ve been configuring F5 ASM with the Qualys Web Application Scanner (WAS). I think this kind of integration is really useful to resolve quickly vulnerabilities found by scanners such as Qualys and HP WebInspect. Actually, there are lots of vulnerabilities assessments tools and WAF appliances but I think the integration is very important to improve security policies and resolve vulnerabilities as soon as possible. You can watch in the next video how to integrate Qualys with F5 ASM!! 

Enjoy!

19 April 2021

F5 ASM – Disabling attack signatures checks

I’ve deployed a new WAF appliance with F5 ASM recently where I have to secure web applications which have lots of entities such as URLs, parameters and files. These web applications are already running in a production environment, as a result, I’ve deployed a Rapid Deployment Policy in transparent mode to see and know what’s going on. After a week, I can see lots of attacks in the learning process. Most of them are due to a web application used to store files. Employees can upload whatever they want, thus, they upload PDF files as well as .exe files and source code with javascripts. Therefore, the best to reduce potential false-positive alerts is disabling attack signatures checks for the URL where the application is hosted or the parameter used to upload files.

I’ve recorded a video where we can watch how to disable attack signatures checks for URL and parameters. It’s really easy!!

Drop me a line with the first thing you are thinking!

12 April 2021

EDNS(0) – Extension Mechanisms for DNS

I’m reading, working and studying about EDNS(0) because a customer wants something similar to a parental control service that restricts access to particular domains from particular devices, as a result, we need a device-specific identifier. We need a precise client identity information for this requirement. There will be lots of laptops on the Internet and it’s unlikely that we can configure a VPN tunnel for each laptop. Therefore, DNS servers and DNS requests will go through Internet. I’m thinking whether EDNS(0) fits this requirement.

The DNS protocol send messages by UDP and it was restricted to 512 bytes but, in 1999, there was a proposal to extend DNS to allow for new flags and response codes, and to provide support for longer responses. This extension mechanism is EDNS and it has increased the functionalities of the protocol. EDNS adds information to DNS messages in the form of pseudo-Resource Records (“pseudo-RR”). For instance, the OPT pseudo-record provides space for up to 16 flags. One of them is the DNSSEC flag but there are also flags for Client Subnet (ECS) and Device ID.

Review of OPT Option Codes

Firstly, I’ve been reading about DNSSEC which is a security extension to DNS for cryptographic authentication and data integrity, but not confidentiality, which means, all DNSSEC responses are authenticated but not encrypted. Therefore, it was designed to protect applications from using forged or manipulated DNS data, such as that created by DNS cache poisoning. This security extension doesn’t fit the requirement I’m looking for because there is no way to identify the user device.

DNSSEC - Authenticity of DNS records

Another extension I’ve been reading is Client Subnet (ECS). I was already reading about it two years ago when F5 BIG-IP DNS included this feature in v14.0. The BIG-IP places the client IP address into the EDNS0 field to determine the topology proximity of the client. This feature improves too much the use of DNS-based load balancing to select a service address near the client when the client computer is not necessarily near the recursive resolver. However, the ECS feature is not enough either to identify users’ computers.

With EDNS0 Client Subnet Support

Finally, I think I’ve found how to identify the user computer. There is already a DNS EDNS option to carry a client-specific identifier in DNS queries, but it’s still a draft. However, dnsmasq uses EDNS option code 65073 from the “Reserved for Local/Experimental Use” range to pass the client’s MAC address, or the Cisco Umbrella implementation which encodes the client’s MAC address with the option code 26946 from the “Unassigned” range. I can use F5 BIG-IP to authenticate users’ computers as DoH proxy farm and forward the DNS requests with the client identification in the EDNS field to the internal DNS server for analysis, filtering, cache control and recurses the request. What do you think?

Building a private DoH infrastructure

To sum up, EDNS has improved a lot the DNS protocol and it’s really useful for client identification, DNS-based load balancing and DNS Security.

Regards my friends! Have you ever configured EDNS?

5 April 2021

F5 LTM – DoH & DoT to DNS Proxy

I’ve come across an F5 class about DNS over HTTPS/DNS over TLS which is really interesting to learn how to configure these services with F5 BIG-IP. I’ve recorded a video where I show how to configure F5 BIG-IP as DoH and DoT to DNS Proxy, which means that BIG-IP translates DoH and DoT requests to DNS requests. You can watch DoH to DNS is a little bit more difficult to configure than DoT to DNS because the first one requires an iRuleLX while the second one only requires an SSL certificate. As a result, DoT to DNS configuration is easier than DoH to DNS. It’s much better you watch the video.

Have a nice day!! Are you configuring these kind of services?

29 March 2021

DNS over HTTPS (DoH) - DNS over TLS (DoT)

I wrote about DNS Security weeks ago because there are increasingly remote users working outside the protected walls and companies want to increase the security of their activities and resources. The DNS-layer security should be the first line of defense against threats because DNS resolution is the first step in Internet access. Some web browsers are already relying on DoH (DNS over HTTPS) for their own IP resolution. But using DoH with an untrusted public DNS service risks misuse of browsing data and reveals applications being utilized. In order to better protect remote workers, companies should therefore instead consider extending their private DNS recursive service and manage the DoH themselves.

Building a private DoH infrastructure

On the one hand, if you are going to install a DNS over HTTPS (DoH) infrastructure, you’ll need to configure a proxy farm to take HTTPS requests and sending it to traditional DNS servers. F5 BIG-IP can work as a proxy farm to transpose the data from HTTPS requests and translate into a traditional DNS request. Thanks to iRulesLX engine based on Node.js, BIG-IP can handle DoH translations. DoH requests either arrive at the BIG-IP in an HTTPS POST with a binary payload or a base64url-encoded GET request parameter. These requests are translated from HTTPS to DNS easily by F5 BIG-IP.

DoH to DNS Proxy

On the other hand, if you are going to deploy a DNS over TLS (DoT) infrastructure, you’ll also need to configure a proxy farm to take TLS requests and sending it to traditional DNS servers. BIG-IP can also work as a proxy farm to transpose the data from TLS requests and translate into a traditional DNS request. However, DoT-to-DNS configuration is easier than DoH-to-DNS configuration because proxying DoT queries to traditional DNS only require a classic BIG-IP high-performance SSL offloading profile and no iRule is needed.

DoT to DNS Proxy

These infrastructures are not difficult to configure but if you don’t know how to do it, iApps can help you. There is already a DNS over HTTP iApp which creates an iRule to perform resolution of DoH traffic. Firstly, you have to create a pool containing DNS resolvers. Secondly, install the iApp as a template. Thirdly, create the application service with the iApp. Fourthly, create a virtual server listening on port 443 with TCP, HTTP and Client SSL profile. Finally, test the deployment.

DNS over HTTP iApp

Testing the deployment is really simple because most browsers support DoH. For instance, Firefox can be used as a DoH client. It is configured in the about:config page. Firstly, we set network.trr.uri to our custom virtual server URL. Secondly, we should also enable network.trr.useGET as it’s a bit faster than using POST. Thirdly, we set network.trr.mode to 3, which means we want Firefox to only use DoH. Finally, the network.dns.skipTRR-when-parental-control-enabled disables Firefox’s feature that disables DoH when parental control via DNS is sensed on the network.

Test Driving DNS over TLS to Traditional DNS

To sum up, proxying DoH and DoT queries to traditional DNS is easy to configure and test with a BIG-IP proxy farm. It’s up to you if you want to protect your remote workers and extend your private DNS recursive service.

Have a nice day!! Would you like to deploy a DoH or DoT infrastructure?

22 March 2021

Data Access Governance

I remember once a customer asked me to audit a large file system with lots of folders and files. He wanted to know who had access to each file, when files were created and when they were changed for the last time, as well as, he wanted to know the categorization of each file, what kind of files (text, image, video, etc) were in NAS systems and how much space these files were using in the file system. We installed Data Access Governance (DAG) tools for that project and it was really successful. Today, DAG tools are increasingly deployed and it seems they will be quite useful for most companies in the near future.

Data Access Governance solutions help companies understand and secure their Structured and Unstructured Data. On the one hand, structured data is stored in databases and business applications and user access is usually provisioned to these systems by an Indentity and Access Management (IAM) platform. On the other hand, unstructured data are documents, spreadsheets, presentations and other files created by end users. These files are tipically contained in shared folders, network filers and cloud repositories such as DropBox and Amazon S3. As a result, Data Access Governance solutions help you to implement controls of your data.

Data Access Governance Solution

There are lots of use cases where Data Access Governance solutions are useful for organizations. One use case is to identify open access locations where permissions are granted to “Everyone” or “Authenticated Users” and close them down to put them under control. Another use case is to control privileged access to business applications and file systems as well as gaining visibility into what these users are doing with those permissions. One of the use case I really like is gaining visibility into Active Directory groups to know how these groups are used to grant the properly access to data. However, there are many other use cases.

Here the report you asked for boss

How this kind of solutions are deployed? Data Access Governance projects are mainly five steps. The first step is to discover where data lives to obtain a complete view of the data footprint. We have to know if data are stored in shared folders, network filers, such as NetApp or EMC, SharePoint or cloud repositories. The second step is to collect and analyze relevant data points to answer critical questions like sensitivity, access, ownership, age, etc, as well as, obtain categorization and statistics of data used.. The third step is to monitor activity to understand user interactions with data. The fourth step is to restructure access to achive least privilege principles and position for effective governance. We are going to improve security policies and modify permissions in this fourth step. Finally, the fifth and last step is to govern access ongoing to ensure security, compliance, and operational standards are met.

Securing data access begins with access to data

If you are interested in Data Access Governance, you may also be interested in Active Directory Security solutions to protect critical objects from unauthorized change or access, Data Privacy solutions to mitigate, prevent, detect and respond to advanced threats to credentials and sensitive data in real-time, and Privileged Access Management solutions to remove the user’s access completely and clean the system to match desired state.

A fresh perspective on your data

Have a nice day!! Do you govern your data?

Related Posts Plugin for WordPress, Blogger...

Entradas populares