
18 October 2021

Nokia Nuage SDN

When someone asks us what SDN is and what its benefits are, we often don't know what to answer. We know how to design a network architecture and which devices to buy for a customer's request, but sometimes we don't realise that what we are deploying is actually an SDN solution. For instance, when a customer with several Internet links wants all VoIP traffic to use one link, with a second link as backup, and the rest of the traffic to use another Internet link, we know they need an SD-WAN solution, which is in fact an SDN solution.

At the beginning of WAN networking, if you wanted a private network between an office and the datacenter, or between two offices, you had to buy a leased line, which was really expensive. Later on, Frame Relay allowed several customers to share the same physical network, so it was cheaper. Today, IP/MPLS networks play the same role as Frame Relay did, but they also give us better QoS for applications. However, I think SD-WANs are the networks of the future because they are transport independent and we can manage and control the whole network from a central point.

WAN networks evolution

Nokia Nuage is one of the SD-WAN solutions based on SDN. It has four main components. The Virtualized Services Directory (VSD) is the management console where network administrators design the architecture and define the network policies. The Virtualized Services Controller (VSC) holds the network control plane, and the configuration of every branch is stored there. The Network Services Gateway (NSG) is the edge router where the data plane runs. Finally, Elasticsearch (ES) is the database that the VSD uses to show network statistics.

Nuage Virtualized Network Services (VNS)

Nokia Nuage is an SDN solution where each component of an SDN architecture is easy to identify, because the data plane, the control plane and the management plane are each a separate component. The control plane (VSC) and the management plane (VSD) are usually deployed in high availability, so a load balancer is needed in front of them. In addition, we can install NSG-UBRs (Underlay Border Routers) to break out traffic to another network. For example, we can configure a backup private network over the Internet for when the main IP/MPLS network fails.

Nuage VNS standard deployment architecture

Finally, if you are going to configure and deploy a Nokia Nuage SD-WAN solution, you have to know how the network topology is modelled. First of all, we configure an Enterprise, which is a tenant or end customer; enterprises are isolated from each other. A Domain is a layer 3 instance, like a VPRN or VRF, and domains are also isolated from one another, although shared domains with route leaking are possible. A Subnet is a layer 2 instance, like a VPLS. A Zone is an administrative group of subnets that share the same policies. The last component is the vPort, which is a virtual interface of a VM (virtual machine) or a LAN-side port plus VLAN.

Service abstractions
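The following is an added example, not Nuage code and not the VSPK API: it encodes the hierarchy Enterprise > Domain > Zone > Subnet > vPort described above and the two isolation rules that matter when you design a topology. Subnets inside one Domain are routed in the same VRF, so they must not overlap; the same prefix may be reused in another Domain because Domains are isolated unless route leaking is configured. The names of the tenant, domains and vPorts are constructed for the example.

```python
"""Model of the Nuage VNS service abstractions (added example, not Nuage code).

Enterprise > Domain (L3 instance) > Zone (policy group) > Subnet (L2 instance)
> vPort. Class and method names are this example's own, not the VSPK's.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VPort:
    name: str                      # e.g. a VM interface or "port3.vlan100" (LAN port+VLAN)


@dataclass
class Subnet:
    name: str
    cidr: ipaddress.IPv4Network    # layer 2 instance, like a VPLS
    vports: list = field(default_factory=list)


@dataclass
class Zone:
    name: str                      # administrative group sharing the same policies
    subnets: dict = field(default_factory=dict)


@dataclass
class Domain:
    name: str                      # layer 3 instance, like a VPRN/VRF
    zones: dict = field(default_factory=dict)

    def add_subnet(self, zone_name: str, name: str, cidr: str) -> Subnet:
        net = ipaddress.ip_network(cidr, strict=True)
        # All subnets of a domain are routed in one VRF: overlaps are a design error.
        for zone in self.zones.values():
            for existing in zone.subnets.values():
                if existing.cidr.overlaps(net):
                    raise ValueError(f"{cidr} overlaps {existing.cidr} in domain {self.name}")
        zone = self.zones.setdefault(zone_name, Zone(zone_name))
        subnet = Subnet(name, net)
        zone.subnets[name] = subnet
        return subnet


@dataclass
class Enterprise:
    name: str                      # tenant; enterprises are isolated from each other
    domains: dict = field(default_factory=dict)

    def add_domain(self, name: str) -> Domain:
        return self.domains.setdefault(name, Domain(name))

    def find_vport(self, vport_name: str):
        """Return (domain, zone, subnet) names for a vPort, or None if absent."""
        for d in self.domains.values():
            for z in d.zones.values():
                for s in z.subnets.values():
                    if any(v.name == vport_name for v in s.vports):
                        return d.name, z.name, s.name
        return None


def same_l3_instance(ent: Enterprise, vport_a: str, vport_b: str) -> bool:
    """True when both vPorts sit in the same Domain, i.e. they can reach each
    other without route leaking (still subject to zone/subnet policies)."""
    a, b = ent.find_vport(vport_a), ent.find_vport(vport_b)
    return a is not None and b is not None and a[0] == b[0]


def overlap_is_rejected(ent: Enterprise, domain: str, zone: str, cidr: str) -> bool:
    """Probe whether adding `cidr` to a domain is refused as an overlap."""
    try:
        ent.domains[domain].add_subnet(zone, "probe", cidr)
    except ValueError:
        return True
    return False


def build_demo() -> Enterprise:
    """Constructed topology: one tenant, two isolated domains reusing 10.0.1.0/24."""
    acme = Enterprise("acme")
    prod = acme.add_domain("prod")
    prod.add_subnet("hq", "hq-users", "10.0.1.0/24").vports.append(VPort("port3.vlan100"))
    prod.add_subnet("hq", "hq-voip", "10.0.2.0/24").vports.append(VPort("port3.vlan200"))
    lab = acme.add_domain("lab")
    # Same prefix as prod/hq-users: allowed, because the two domains are separate VRFs.
    lab.add_subnet("lab-zone", "lab-users", "10.0.1.0/24").vports.append(VPort("vm-lab01"))
    return acme
```

The check a real deployment adds on top of this is the route-leaking case: once two domains are shared, the overlap test has to run across both of them, not per domain.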

Regards, my friends! Which SD-WAN solution do you like?

11 October 2021

Juniper 128T Session Smart SD-WAN

I've installed and configured SD-WAN networks just for redundant Internet links, where customers have more than one Internet link for high availability, so that if the primary link is down another one works as a backup link, or even as an active/active link. I've configured this kind of service mainly with FortiGate devices because customers wanted NGFW and SD-WAN in the same box, but today I would like to write about Juniper 128T, which is a revolutionary SD-WAN solution with Session Smart Routing.

First of all, I would like to tell you who 128T is. It is a U.S. company, acquired by Juniper last year, that has sold SD-WAN solutions mainly in the US. For instance, they have deployed SD-WAN in the U.S. DoD, where performance and security are really important. Juniper wants to bring this solution to the rest of the world as well as accelerate the industry's evolution from first-generation SD-WAN technology, which focuses on optimising connections from branch to cloud, to a modern AI-driven network that optimises user experience from client to cloud.

128 Session Smart

There are four business benefits I would like to highlight. The first is that the SD-WAN works without tunnels, which I think is really powerful and revolutionary because there is no encapsulation overhead, and that increases network performance. The second is the adaptive encryption technology, which is very interesting because we can encrypt all traffic or only the traffic that is not already encrypted. The third benefit is that it is software based, so we can install 128T wherever we want. Finally, the fourth benefit is session awareness: the router keeps per-session state, including the source addresses, so that all the packets of a client's session are routed consistently.

Business Benefits

There are many reasons why 128T is replacing Cisco, Silver Peak or Citrix solutions. Money is one of them: the tunnel-less architecture is claimed to reduce infrastructure costs by 75% and bandwidth costs by 30-50%, because we can install 128T on any server and there is no traffic overhead. In addition, 128T scales rapidly and easily to a large number of edges thanks to the tunnel-less architecture, while other vendors require hard work to deploy new branches and services. However, there are many other reasons we could comment on.

Session Smart Routing

Secure Vector Routing is revolutionary because the routers send the first packet of a session with metadata in which the original addresses are inserted; the following packets are sent without this metadata because it is no longer needed, as both routers already have a session table that knows how to translate the addresses back. Therefore, there is an important traffic saving, with no per-packet overhead.

Secure Vector Routing
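Below is an added example, not 128T or Juniper code and not the real SVR wire format: a message-level simulation of the mechanism the paragraph describes. Two session-aware routers rewrite each packet's addresses to their own "waypoint" addresses instead of encapsulating it, carry the original addresses as metadata on the first packet of a session only, and restore them on every later packet from a session table. The packet layout, the waypoint addresses, the peer port and the HMAC that authenticates the metadata are this example's own assumptions; the topology is constructed.

```python
"""Simplified Secure Vector Routing simulation (added example, not 128T code)."""
import hashlib
import hmac

# Constructed topology: a client behind R1 talks to a server behind R2 across
# any IP transport; on the wire only the public waypoint addresses appear.
CLIENT, SERVER = "192.168.10.20", "10.50.0.8"
R1_WAYPOINT, R2_WAYPOINT = "198.51.100.1", "203.0.113.1"
SVR_PORT = 16000                    # assumed port the far router listens on
SHARED_KEY = b"example-shared-key"  # assumed key shared between the two routers


def wire_key(pkt):
    """5-tuple as seen between the routers; this indexes the session table."""
    return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])


class SVRRouter:
    def __init__(self, waypoint, peer_waypoint, key):
        self.waypoint, self.peer, self.key = waypoint, peer_waypoint, key
        self.sessions = {}      # wire 5-tuple -> original (src, sport, dst, dport)
        self.by_orig = {}       # original 4-tuple -> wire 5-tuple (sending side)
        self.ports = iter(range(20000, 65000))
        self.metadata_sent = 0

    def _mac(self, orig):
        msg = "|".join(map(str, orig)).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def send(self, pkt):
        """Client-side router: rewrite addresses to waypoints; no encapsulation."""
        orig = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        wire = {k: v for k, v in pkt.items() if k != "metadata"}
        key = self.by_orig.get(orig)
        if key is None:
            # First packet of the session: allocate a source port and attach the
            # original addresses (authenticated) so the peer can build its entry.
            key = (self.waypoint, next(self.ports), self.peer, SVR_PORT, pkt["proto"])
            self.by_orig[orig] = key
            self.sessions[key] = orig
            wire["metadata"] = {"orig": orig, "mac": self._mac(orig)}
            self.metadata_sent += 1
        wire["src"], wire["sport"], wire["dst"], wire["dport"] = key[:4]
        return wire

    def receive(self, pkt):
        """Server-side router: restore the original addresses from the metadata
        (first packet) or from the session table (every later packet).
        Returns None when the packet must be dropped."""
        key = wire_key(pkt)
        meta = pkt.get("metadata")
        if meta is not None:
            orig = tuple(meta["orig"])
            if not hmac.compare_digest(meta["mac"], self._mac(orig)):
                return None                     # forged or corrupted metadata
            self.sessions[key] = orig
        orig = self.sessions.get(key)
        if orig is None:
            return None                         # no metadata and no state: drop
        out = {k: v for k, v in pkt.items() if k != "metadata"}
        out["src"], out["sport"], out["dst"], out["dport"] = orig
        return out


def run_session(n_packets):
    """Push n_packets of one TCP session from the client through R1 and R2.
    Returns (packets delivered unchanged, packets that carried metadata)."""
    r1 = SVRRouter(R1_WAYPOINT, R2_WAYPOINT, SHARED_KEY)
    r2 = SVRRouter(R2_WAYPOINT, R1_WAYPOINT, SHARED_KEY)
    delivered = 0
    for i in range(n_packets):
        pkt = {"src": CLIENT, "sport": 40001, "dst": SERVER, "dport": 443,
               "proto": "tcp", "payload": f"segment-{i}"}
        on_wire = r1.send(pkt)
        if on_wire["src"] != R1_WAYPOINT or on_wire["dst"] != R2_WAYPOINT:
            raise RuntimeError("private addresses leaked onto the wire")
        if r2.receive(on_wire) == pkt:
            delivered += 1
    return delivered, r1.metadata_sent


def stray_packet_dropped():
    """A mid-session packet that matches no session entry is dropped."""
    r2 = SVRRouter(R2_WAYPOINT, R1_WAYPOINT, SHARED_KEY)
    stray = {"src": R1_WAYPOINT, "sport": 20000, "dst": R2_WAYPOINT,
             "dport": SVR_PORT, "proto": "tcp", "payload": "x"}
    return r2.receive(stray) is None


def forged_metadata_dropped():
    """A first packet whose metadata was altered in transit fails the MAC check."""
    r1 = SVRRouter(R1_WAYPOINT, R2_WAYPOINT, SHARED_KEY)
    r2 = SVRRouter(R2_WAYPOINT, R1_WAYPOINT, SHARED_KEY)
    first = r1.send({"src": CLIENT, "sport": 40002, "dst": SERVER, "dport": 22,
                     "proto": "tcp", "payload": "SSH-2.0"})
    first["metadata"]["orig"] = (CLIENT, 40002, "10.50.0.99", 22)  # redirect attempt
    return r2.receive(first) is None
```

The two drop cases are the part worth keeping in mind when evaluating a tunnel-less design: because the session state replaces the tunnel, the far router must authenticate the first packet's metadata and must refuse packets for which it holds no state, otherwise anyone who can reach the waypoint address can inject into or redirect a session.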

To sum up, Juniper 128T is revolutionary in SD-WAN networks because it is a tunnel-less architecture and an alternative to encapsulation with IPsec and/or IPsec + VXLAN, GRE or MPLS. As a result, there is an important saving in traffic and money.

Regards, my friends! Which SD-WAN solution are you deploying?

4 October 2021

Best Cybersecurity Practices

I knew almost nothing about cybersecurity when I finished university twelve years ago. However, I started working at Ariadnex, where I've been working on lots of projects since then. I've been installing lots of security systems such as firewalls, IPS, antivirus, vulnerability scanners, antispam, etc. In addition, Ariadnex was certified in ISO 27001 and ISO 20000, and I worked on that. Therefore, I've been working these last days on a speech for the FAROTIC project, where a training session about best cybersecurity practices has been carried out.

When I have to speak about best cybersecurity practices, I always like to speak about ISO 27001, because this international standard has 114 security controls, which are really interesting. The first group is about information security policies. It's really important; however, most companies don't have any security policy. Organisation of information security is another group that should be taken into account. For instance, companies should enforce segregation of duties to reduce the opportunities for unauthorised modification.

When we speak about best cybersecurity practices, human resource security is also a best practice, because companies should ensure that all employees are qualified for the job and that they understand their roles and responsibilities. Asset management and access control are two more best practices, but I think both are increasingly well known by most companies. Most of us have an asset inventory, and users have the minimum privileges.

Encryption is well known by most employees. They know it is a requirement for sending and receiving information on the net, but they forget to save their passwords in a secure way with a password manager. Physical and environmental security is also well known by most companies. We are used to seeing guards at the doors and rooms locked. However, operations security is very important, and there are still companies that forget to schedule backups.

I don't understand how there are companies that don't have a single VLAN on the network. There is no communications security. There are also lots of companies without a policy for system acquisition, development and maintenance. However, this is usual for companies that have almost no security controls. What's more, supplier relationships is another group of security controls that few companies take into account.

All of these are some of the groups of security controls, to which we should also add incident management, business continuity and compliance, that companies should take into account for establishing, implementing, maintaining and continually improving an information security management system (ISMS). Maybe 114 security controls seem too many, but it's important to start small and, most of all, to start.

Regards, my friends! What kind of best cybersecurity practices are you applying?

27 September 2021

OWASP MSTG UnCrackable Level 1

I'm working lately with mobile devices to learn about security vulnerabilities and best practices. I've been reading about the MSTG and the MASVS. The first, the MSTG or Mobile Security Testing Guide, is like a penetration testing guide for mobile devices, while the second, the MASVS or Mobile Application Security Verification Standard, is a standard for mobile app security where developers have lots of information to learn how to develop apps securely. In addition, I've been testing apps to learn how to break them!

If you would like to learn how to break apps, I recommend installing the Android-x86 emulator and the IntroToAndroidSecurity virtual machine. AndroL4b is another Android security virtual machine that you can use for learning about mobile security. For instance, you can watch in the next video how to bypass the root detection and how to get the passcode. It's the first level, where you will learn reverse engineering using JADX and dynamic analysis with Frida. I think UnCrackable Level 1 from the MSTG is the first step for beginners.

Regards, my friends! Would you like to learn about mobile security?

20 September 2021

OWASP Mobile Top 10 Vulnerabilities

I think OWASP is a great project, and IT students should learn about OWASP at university because this project has a lot of interesting resources that IT engineers should take into account at work. OWASP is really interesting for developers, but it's also interesting for systems and security engineers, because we can learn how to develop software securely and we can also learn what the main vulnerabilities are in order to protect the systems. I've already written about the OWASP Top 10, and I would also like to write about the OWASP Top 10 for Mobile Apps.

The first and leading mobile security risk is M1 – Improper Platform Usage, which refers to the misuse of a platform feature or the failure to use the platform's security controls. Next on the OWASP Mobile Top 10 list is M2 - Insecure Data Storage, because it is crucial to store data securely in a place that is not accessible to another app or to an individual. Therefore, we should never assume attackers won't have access to the filesystem.

M3 - Insecure Communication is third on the list. If the data is sent unencrypted, in cleartext, attackers monitoring the network can capture and read all the information being sent. To avoid data being stolen, we should rely on industry-standard encryption protocols. M4 – Insecure Authentication comes next on the list, where we should verify the identity of the user securely before granting access.

The fifth security risk is M5 – Insufficient Cryptography, because there are mobile apps using weak algorithms for encryption and decryption, or the cryptographic process itself has implementation flaws. Like M4 - Insecure Authentication, M6 – Insecure Authorization leads to data theft, where attackers log in as legitimate users and perform privilege escalation attacks. It's highly recommended to ensure that, for each request, the mobile app verifies the identity of the user and that the user is authorised for the requested action.
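The following is an added example, not code from OWASP or from the post: the M5 pattern (an unsalted, fast hash protecting a user's passcode) next to the hardened version a mobile backend or local credential store should use. The iteration count is an assumption to be tuned to the target device; the password values are constructed.

```python
"""Insufficient cryptography (M5) beside a fixed version (added example)."""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000   # assumption: current OWASP guidance for PBKDF2-HMAC-SHA256


def weak_hash(password: str) -> str:
    """Unsalted MD5: identical passwords collide and precomputed tables apply."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_hash(password: str, salt=None) -> str:
    """Per-user random salt + slow KDF. Returns 'pbkdf2_sha256$iters$salt$digest'."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute with the parameters stored next to the digest, compare in
    constant time, and treat any malformed record as a failed login."""
    try:
        alg, iters, salt_hex, digest_hex = stored.split("$")
        if alg != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
    except ValueError:
        return False
```

The salt is what makes two users with the same passcode produce different records, so a dump of the store cannot be attacked with one table; the iteration count is what makes each guess expensive; `compare_digest` keeps the comparison time independent of how many leading bytes match.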

Another risk relating to faulty code is M7 – Client Code Quality. Nobody is perfect, so there may be code-level mistakes in mobile apps, with issues such as buffer overflows that can end in remote code execution. Therefore, we should test and review the source code. We should also pay attention to tampered versions of mobile apps, because this is the M8 – Code Tampering risk, where we should implement anti-tamper techniques such as checksums, digital signatures, code hardening and other validation methods.

M9 – Reverse Engineering is also a mobile security risk that we have to mitigate, because reverse engineering allows attackers to understand, inspect and modify the code to include harmful functionality. Finally, M10 – Extraneous Functionality is a security risk that allows attackers to use backdoors or additional functionality left in by developers unintentionally.

Regards, my friends! Do you know the OWASP Mobile Top 10?

13 September 2021

My language learning journey

Since some friends ask me why I am studying French, I am going to tell the story of my language learning journey. First of all, it is worth knowing that I did not like studying languages at secondary school. In fact, I did not always pass my exams. It's true, I failed my English exams from time to time. Nevertheless, in the end I can speak English and I am studying French.

When I finished university in Mérida, where I studied for three years, I went to England to learn English thanks to a scholarship. I have to say that I could not speak English. However, I realised that learning languages was very important. This is because my wallet, with my identity card in it, was stolen and I could not speak English to report the theft at the police station. So a friend had to help me talk with the police so that I could return to Spain.

After that day, I applied to enrol at the language school because I wanted to learn English. I was then learning English at the school for 7 years. In addition, I travelled to Malta, Ireland, Turkey, Russia and Czechia, where I improved my English a lot. I also use English a lot at work. So I now know English and I am very happy.

However, I did not want to stop studying languages, and I wanted more and more. At first I did not know which language to choose at the school. There were four languages at the school: German, French, Italian or Portuguese. In the end, I chose French because there are many European bodies in France and Belgium, not only the European Commission but also others such as Interpol. So I wanted to speak the same language as those who have the power to get things done in the European Union. Besides, I had already studied French at secondary school and I have friends who live in France. In short, French was the best language I could study, and I have been studying French for 5 years now.

So this is my journey of learning English and French. It is not easy because you have to study a lot. You have to speak, listen, write and read a lot to learn languages. Also, I have to use the languages from time to time so as not to forget what I have already learned.

Do you want to speak languages? Let's go!

6 September 2021


The month of rest is over and I have to take my French exams this week. I studied French all summer. I spoke and I wrote, but I also read this summer. I read « L'Anomalie » by Hervé Le Tellier, whose genre ranges from thriller to psychological novel and from literary fiction to introspective narrative. It is a novel that won the Prix Goncourt last year, the same year it was published.

Hervé Le Tellier is a mathematician by training, then a journalist. He also holds a doctorate in linguistics and is a specialist in constrained literature. Since 2019 he has been president of the Oulipo movement, where he has published several works.

« L'Anomalie » is a book with many stories and many characters, all about the same event, the "anomaly" of a Paris-New York flight in March 2021. It is a very strange flight, because there is another flight three months later, in June 2021, with the same passengers. So the police and the government want to know what happened on that flight, and they talk with all the passengers to learn about their lives.

The story is set mainly at JFK airport in the United States, where the plane lands with the same passengers as three months earlier. That is where the FBI questions all the passengers. However, the first part of the novel is about the lives of the main characters, while the second part is about the police investigation.

The novel is mainly about eleven characters, one of whom is a character who published the novel « L'Anomalie ». Most of the main characters have doubles. In fact, all the passengers have doubles. Some doubles took the March flight and others took the June flight. Nevertheless, all of them lived the same life up to the first flight in March; after that, the doubles had different lives.

In my opinion, « L'Anomalie » is a slightly difficult book to read for people who want to learn French, because it is a strange book with many stories and characters. However, I got a lot out of it.

See you soon!

26 July 2021

The last post

… before the holidays!! This is the last post because I need to rest. I need to do something else. I need to read. I need to study. I need to be ready in September because there will be lots of things to do. The end of the year will be amazing, I'm sure! I'll keep working with security appliances such as web application firewalls, network firewalls and VPN devices. I'll keep working with DDI devices, and I'll keep working with load balancer appliances. Routers, switches and wireless devices will also be among my daily tasks. What's more, I will be the teacher of a mobile security training course.

However, I have to study this summer because I did not pass my French exam in June. I have to write more often and I also have to speak in French. Perhaps I will talk to myself in French. I will talk in front of my computer. I will record myself and listen to myself. You know that I like writing, but this summer I will not write about technology; I will write about the economy, family and the kind of things that teachers want to read. So I hope to tell you after the summer that I finally passed my exam.

See you soon.

19 July 2021

F5 BIG-IP APM – SP Initiated for Office 365

I wrote about IdP-initiated SSO for Office 365 last week. However, some people don't yet know the difference between IdP-initiated and SP-initiated. When we configure an IdP-initiated architecture, users first access the IdP for authentication; secondly, the SAML IdP validates the credentials and collects data from the directory. Finally, after the user selects a SAML resource, the SAML IdP redirects the user back to the SAML SP with a SAML assertion.

IdP initiated SAML

On the other hand, SP-initiated is a little bit different. First, users access the SAML SP. Secondly, the SAML SP redirects the user to the SAML IdP, where the user authenticates. Thirdly, the SAML IdP validates the credentials and collects data from the directory. Finally, the SAML IdP redirects the user back to the SAML SP with a SAML assertion. As you can see, the main difference is that users access the SP first instead of the IdP, so the SP has issued an authentication request that the assertion can be matched against.

SP initiated SAML

In the next video we can watch how to configure SP-initiated SSO for Office 365 with the guided configuration of F5 APM.
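The following is an added example, not F5 or Microsoft code and not real SAML XML: a message-level simulation of the two flows described above (IdP-initiated here and in the previous post, SP-initiated in this one), reduced to the fields the SP must check. An HMAC stands in for the IdP's XML signature; the entity IDs, the signing key, the clock values and the RelayState handling are this example's assumptions, and the user directory is constructed. The point it makes explicit is that only an SP-initiated response carries an InResponseTo that the SP can tie to a request it issued; an IdP-initiated response is unsolicited, so the SP has to decide whether to accept such responses at all.

```python
"""IdP-initiated vs SP-initiated SAML as a message exchange (added example)."""
import hashlib
import hmac
import json
import secrets

IDP_ID = "https://idp.example.com/saml"      # assumed IdP entity ID
SP_ID = "urn:federation:MicrosoftOnline"     # assumed SP entity ID
IDP_KEY = b"idp-signing-key"                 # assumption: stands in for the IdP's signing key


def _sign(assertion):
    body = json.dumps(assertion, sort_keys=True).encode()
    return hmac.new(IDP_KEY, body, hashlib.sha256).hexdigest()


class SamlIdP:
    def __init__(self, users):
        self.users = users                    # user -> password, constructed directory

    def authenticate(self, user, password):
        return self.users.get(user) == password

    def issue(self, user, now, in_response_to=None):
        """Signed assertion; in_response_to is only set in the SP-initiated flow."""
        assertion = {
            "id": "_" + secrets.token_hex(8), "issuer": IDP_ID, "audience": SP_ID,
            "subject": user, "not_before": now - 60, "not_on_or_after": now + 300,
            "in_response_to": in_response_to,
        }
        return {"assertion": assertion, "sig": _sign(assertion)}


class SamlSP:
    def __init__(self, allow_unsolicited):
        self.allow_unsolicited = allow_unsolicited   # accept IdP-initiated responses?
        self.pending = {}                            # AuthnRequest id -> RelayState
        self.seen = set()                            # assertion ids, replay protection

    def start_login(self, target):
        """SP-initiated step 1: the SP emits an AuthnRequest and remembers it."""
        req_id = "_" + secrets.token_hex(8)
        self.pending[req_id] = target
        return {"id": req_id, "destination": IDP_ID, "relay_state": target}

    def consume(self, response, now):
        """Assertion consumer: returns (subject, redirect target) or (None, reason)."""
        a = response["assertion"]
        if not hmac.compare_digest(response["sig"], _sign(a)):
            return None, "bad signature"
        if a["issuer"] != IDP_ID or a["audience"] != SP_ID:
            return None, "wrong issuer/audience"
        if not (a["not_before"] <= now < a["not_on_or_after"]):
            return None, "expired"
        if a["id"] in self.seen:
            return None, "replay"
        self.seen.add(a["id"])
        rid = a["in_response_to"]
        if rid is None:                              # IdP-initiated: nothing to match
            if not self.allow_unsolicited:
                return None, "unsolicited response rejected"
            return a["subject"], "/"
        target = self.pending.pop(rid, None)         # SP-initiated: must match a request
        if target is None:
            return None, "unknown InResponseTo"
        return a["subject"], target


def idp_initiated(sp, idp, user, password, now):
    """User logs in at the IdP, picks the resource, is redirected to the SP."""
    if not idp.authenticate(user, password):
        return None, "auth failed"
    return sp.consume(idp.issue(user, now), now)


def sp_initiated(sp, idp, user, password, now, target="/owa"):
    """User hits the SP first; the SP redirects to the IdP and gets an answer."""
    req = sp.start_login(target)
    if not idp.authenticate(user, password):
        return None, "auth failed"
    return sp.consume(idp.issue(user, now, in_response_to=req["id"]), now)


USERS = {"alice@example.com": "correct horse"}      # constructed directory
```

In a real deployment the signature check is an XML-DSig check against the IdP's certificate from its metadata, and the SP-initiated request id is usually kept in a cookie or session so that a response to a request the user never made is refused; the unsolicited-response switch is the setting to review when enabling IdP-initiated SSO.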

Thank you! See you soon!

12 July 2021

F5 BIG-IP APM – IdP Initiated for Office 365

F5 BIG-IP APM is really useful for federation and Microsoft integration thanks to the AGC (Advanced Guided Configuration) in version 15 and the SGC (Simplified Guided Configuration) in version 16. It is very easy to configure application access with Azure AD or federation with Office 365. F5 APM federates user identity and enables single sign-on (SSO) to applications on-premises and in the cloud, including SaaS, because APM supports SAML, OAuth, Kerberos, header-based authentication and other SSO techniques.

I've been recording a new video today where you can watch how to configure F5 APM as the Identity Provider for Office 365. The configuration is really easy. On the one hand, some configuration is needed on the Windows side, such as installing Azure AD Connect on Active Directory for user synchronisation, as well as the AzureAD and MSOnline PowerShell modules for Windows federation. On the other hand, we can use the Guided Configuration on F5 APM to easily configure F5 as the Identity Provider for Office 365.

Have a nice day! Would you like to configure federation for Office 365?

5 July 2021

F5 ASM - Sending security logs to BIG-IQ

I've been working deeply with BIG-IQ devices since the end of last year. These devices are really useful when you have to manage lots of BIG-IP devices, because you can search objects easily and you can deploy configurations from a central management device. However, BIG-IQ is also increasingly used for monitoring applications and storing event logs, because the built-in dashboards are really powerful for application visibility. For instance, we can see application latencies or bot traffic from a single dashboard.

Bot Traffic Dashboard

I've been recording a new video where you can watch how to add a BIG-IP device to BIG-IQ and how to configure a security log profile to send events to BIG-IQ. The BIG-IQ DCD (Data Collection Device) has a listening service on port 8514, so we have to configure a log profile on the BIG-IP device that sends events to that port. Once it is configured, the security events will appear on the BIG-IQ Central Management (CM) device, so we can use these logs for troubleshooting and application visibility from BIG-IQ CM.

Have a nice day! Do you like BIG-IQ?

28 June 2021

What’s new in FortiOS 7.0

You already know I like writing about the new features and enhancements in FortiOS. I think it's important to know the new features because they will be requirements for new projects and they will be interesting for lots of customers. The new FortiOS 7.0 brings lots of new features and enhancements. I can't write about all of them in this article because there are more than 300 new features across the Fabric. Therefore, I will write about the most interesting features and improvements from my point of view.

The Fortinet Security Fabric has improved with new integrations for comprehensive protection. The Open Fabric Ecosystem already has more than 400 integrated solutions. There are Fabric Connectors and Fabric APIs for AWS, Aruba, Cisco and many more. We can also integrate FortiWeb, FortiDeceptor and FortiTester into the Security Fabric. What's more, we can even integrate VDOMs into the Security Fabric. In addition, there are improvements in the automation workflow, where we can even send notifications via Microsoft Teams.

Fortinet Security Fabric

Some customers want to block certain features of social networks. For instance, they want to allow users to access social networks but block social network chats. This could already be configured with application control in previous versions. However, FortiOS 7.0 also allows you to block channels on YouTube, Vimeo or Dailymotion through the new Video Filter. Therefore, we can configure security policies with a lot of granularity.

Video Filtering

There is another interesting feature I really like, which allows you to automatically generate a certificate for the device using ACME (Automated Certificate Management Environment). I like it because we can easily configure a Let's Encrypt certificate for SSL-VPN access. This new feature gives administrators a simple way to assign a certificate to the device without the complexity of managing certificates manually. Keep in mind that the certificate authority has to validate the domain, so the FortiGate must be reachable from the Internet on the interface used for ACME and the public DNS name must resolve to it.

Let's Encrypt

I always like to write about changes in the subscription services. The FortiGuard services have changed a little bit. The IPAM service is EoO (End of Order), so you can't buy this service anymore. The FortiGuard IoT Detection Service includes an IoT MAC database for device detection (visibility) on WiFi access. The new Video Filtering service has been included in the Unified Threat Protection bundle. In addition, FortiCloud SOCaaS is a new service where the Fortinet SOC team can help you to protect your systems.

FortiGuard Services

There are many more features and improvements. There are also interesting features for wireless networks, NAC and wired networks with FortiSwitches. However, FortiOS 7.0 should only be deployed in non-production environments for now, because we should wait three or four patch releases to have a version stable enough for production. Meanwhile, FortiOS 6.4 is the best version for your devices.

Have a nice day! Are you ready to test this new version?
