government

Ensuring Secure Data Interoperability in Government Agencies: Challenges and Solutions
Secure data interoperability is not just a technical requirement but a strategic necessity for government agencies. As security professionals, your role in defending against increasingly sophisticated attackers and ensuring seamless and secure data exchange cannot be overstated. Organizations can enhance their capabilities by adhering to a structured framework, implementing robust data management pipelines, and leveraging advanced technologies.

How is SDN disrupting the way businesses develop technology?
You must have read so much about software-defined networking (SDN) by now that you probably think you know it inside and out. However, such a nascent industry is constantly evolving and there are always new aspects to discover and learn about. While much of the focus on SDN has been on the technological benefits it brings, potential challenges are beginning to trouble some SDN watchers.

While many businesses acknowledge that the benefits of SDN are too big to ignore, there are challenges to overcome, particularly with the cultural changes that it brings. In fact, according to attendees at the recent Open Networking Summit (ONS), the cultural changes required to embrace SDN outweigh the technological challenges. One example, outlined in this TechTarget piece, is that the (metaphorical) wall separating network operators and software developers needs to be torn down; network operators need coding skills and software developers will need to be able to program networking services into their applications.

That's because SDN represents a huge disruption to how organisations develop technology. With SDN, the speed of service provisioning is dramatically increased; provisioning networks becomes like setting up a VM... a few clicks of the button and you're done. This centralised network provision means the networking element of development is no longer a bottleneck; it's ready and available right when it's needed.

There's another element to consider when it comes to SDN, tech development and its culture. Much of what drives software-defined networking is open source, and dealing with that is something many businesses may not have a lot of experience with. Using open source SDN technologies means a company will have to contribute something back to the community - that's how open source works.
But for some that may prove to be a bit of an issue: some SDN users such as banks or telecoms companies may feel protective of their technology and not want its source code to be released to the world. But that is the reality of the open source SDN market, so it is something companies will have to think carefully about. Are the benefits of SDN for tech development worth going down the open source route? That's a question only the companies themselves can answer.

Software-defined networking represents a huge disruption to the way businesses develop technology. It makes things faster, easier and more convenient during the process, and from a management and scalability point of view going forward. There will be challenges - there always are when disruption is on the agenda - but if they can be overcome, SDN could well usher in a new era of technological development.

Getting Around the Logon/Legal Banner Issues when using APM PCoIP Proxy and Horizon
If you're using APM's PCoIP Proxy and require a logon banner, you've probably figured out that the PCoIP Proxy integration stops working when you turn on the integrated logon banner from within the Horizon Administrator. Adding to the pain, internal users can't get any logon banner since you had to turn it off in order for your external access to work! Well, the wait is over! With the use of a nifty iRule that you can attach to your internal Horizon Connection Servers virtual server, you can now present a banner to BOTH internal users and external users who access Horizon resources using APM PCoIP Proxy.

Here's how it works:

1. Disable the logon banner through Horizon Administrator - the BIG-IP will handle presenting the banners for internal users (through the iRule) and external users (through the View iApp) instead of Horizon.
2. Modify the text in the iRule with the text you want to show in the logon banner.
3. Apply the iRule to your LTM Virtual Server that services internal Horizon users (either manually to the LTM virtual server or through the View iApp).
4. You're done!

A couple of things to think about when you implement this:

- If you need to present a legal disclaimer to your external users using the PCoIP Proxy, you can still do that through the Horizon View iApp.
- Do not apply this to any virtual server running the APM PCoIP Proxy - it's only for providing the logon banner to internal Horizon users. The banner for PCoIP Proxy can be easily enabled through the iApp.
- It's important to ensure the PCoIP Proxy's Connection Server settings are pointing to the individual connection server(s) and NOT the LTM virtual server that has the Logon Banner iRule applied.

The iRule source is below.

# Attach iRule to iApp created virtual server named "<iapp_name>_internal_https"
# Replace the section "This is a XXX computer system that is FOR OFFICIAL USE ONLY. This
# system is subject to monitoring. Therefore, no expectation of privacy is to be assumed.
# Individuals found performing unauthorized activities are subject to disciplinary action
# including criminal prosecution." with your desired text.

when RULE_INIT {
    # Debug Level 0=off, 1=on, 2=verbose
    set static::internal_disclaimer_debug 0
}

when CLIENT_ACCEPTED {
    # Per-connection prefix used in every log line: client <-> virtual server
    set log_prefix_cs "[IP::remote_addr]:[TCP::remote_port clientside] <-> [IP::local_addr]:[TCP::local_port clientside]"
    if { $static::internal_disclaimer_debug > 1 } {
        log local0. "<$log_prefix_cs>: CLIENT_ACCEPTED"
    }
}

when HTTP_REQUEST {
    set bypass 0
    if { [HTTP::uri] starts_with "/portal/info.jsp" } {
        # Portal info requests never carry the broker XML, so leave them alone
        if { $static::internal_disclaimer_debug > 0 } {
            log local0. "<$log_prefix_cs>: Portal Info request, bypassing further processing"
        }
        set bypass 1
    } else {
        if { [HTTP::header exists "Content-Length"] } {
            set content_length [HTTP::header "Content-Length"]
        } else {
            # If the header is missing, use a sufficiently large number
            set content_length 5000
        }
        if { $static::internal_disclaimer_debug > 1 } {
            log local0. "<$log_prefix_cs>: Set content-length to $content_length"
        }
        # Collect the request body so HTTP_REQUEST_DATA can inspect the broker XML
        HTTP::collect $content_length
        if { [HTTP::path] == "/broker/xml" && [HTTP::header Expect] == "100-continue" } {
            SSL::respond "HTTP/1.0 100 Continue\r\n\r\n"
            if { $static::internal_disclaimer_debug > 1 } {
                log local0. "<$log_prefix_cs>: Application requested: client requires 100 continue response, sending 100-continue"
            }
        }
    }
}

when HTTP_REQUEST_DATA {
    # The client's first broker request contains "set-locale"; answer it with the disclaimer screen
    # instead of passing it to the Connection Server.
    if { [HTTP::payload] contains "set-locale" and ( not ($bypass) ) } {
        HTTP::respond 200 content {<?xml version="1.0"?><broker version="9.0"><configuration><result>ok</result><broker-guid>aaaaaaaa-bbbb-cccc-ddddddddddddddddd</broker-guid><authentication><screen><name>disclaimer</name><params><param><name>text</name><values><value>This is a XXX computer system that is FOR OFFICIAL USE ONLY. This system is subject to monitoring. Therefore, no expectation of privacy is to be assumed. Individuals found performing unauthorized activities are subject to disciplinary action including criminal prosecution.</value></values></param></params></screen></authentication></configuration><set-locale><result>ok</result></set-locale></broker>} noserver "Connection" "close" "Content-Type" "text/xml;charset=UTF-8"
        if { $static::internal_disclaimer_debug > 1 } {
            log local0. "<$log_prefix_cs>: Sending Disclaimer Message"
        }
    }
    # Once the client acknowledges the disclaimer, the next request carries "disclaimer";
    # it is passed through unchanged so the Connection Server can prompt for credentials.
    if { [HTTP::payload] contains "disclaimer" } {
        if { $static::internal_disclaimer_debug > 1 } {
            log local0. "<$log_prefix_cs>: Disclaimer Message Accepted - waiting for credentials."
        }
    }
}

This solution has been tested using Horizon 6.0 (and later) as well as the Horizon 3.0 (and later) Client. Earlier versions of the client and/or Horizon Connection Server could produce unexpected results. Big shout-out to Greg Crosby for his work on the iRule!

Load Balancing VMware's Workspace Portal/Identity Manager with F5 BIG-IP Local Traffic Manager (LTM)
What is VMware Identity Manager (formerly known as VMware Workspace Portal)?

VMware Identity Manager is a service that extends your on-premises directory infrastructure to provide a seamless Single Sign-On (SSO) experience to Web, Mobile, SaaS, and legacy applications. Simply put, it's a service aggregator and identity provider for your IT resources. One single login to Identity Manager gains you access to Citrix XenApp, Horizon, Web, SaaS, and ThinApp resources. You can find more about Identity Manager at https://www.vmware.com/products/identity-manager/.

BIG-IP can provide intelligent traffic management, high availability and monitoring through the use of BIG-IP Local Traffic Manager (LTM) and BIG-IP DNS (Global Traffic Management). BIG-IP's Access Policy Manager (APM) can also provide secure access to the apps and resources accessible through the Identity Manager portal, as well as the Identity Manager portal itself. In this article, we'll focus on building a highly available Identity Manager implementation using BIG-IP LTM. You can download the updated step-by-step load-balancing guide for VMware Workspace Portal/Identity Manager here.

What's also cool is that you can do a walk-through of this very setup in the VMware Hands-On Lab at VMworld 2015 (look for HOL-MBL-1659) or by clicking the following link - http://labs.hol.vmware.com/HOL/catalogs/lab/2078.

Special thanks to Bryan Salek, Matt Mabis, and Mosa Emamjomeh for helping put this together! Stay tuned for a future post on how to securely access Workspace Portal/Identity Manager using BIG-IP Access Policy Manager (APM), which includes proxying Citrix XenApp, Horizon, and Web Application resources.

WorkspaceOne/Identity Manager 2.6 Update: When changing the FQDN of VMware Identity Manager there is an additional (and new) step that needs to be done. After changing the FQDN, log back into the Workspace One Admin UI using a local account and click Catalog --> Settings. Next, select New End User Portal UI and click Enable New Portal UI. Once completed, log out and you should now be able to log in using a domain account.

US FEDERAL: DISA UCCO APL Certification
Great news! We have finally been posted to the Defense Information Systems Agency (DISA) Unified Capability (UC) Approved Product List (APL), as an IA Tool. The certification covers all F5 BIG-IP platforms (VE through Viprion) running a minimum of TMOS 11.6. The certification Memo can be found at the following link: DISA UC APL F5 Approval Memo

Anyone that has been through the now defunct DoD Information Assurance Certification and Accreditation Process (DIACAP) or DoD Information Technology Security Certification and Accreditation Process (DITSCAP) in the past (1) knows it's a party, and (2) may know that F5 BIG-IP used to be classified as a "Content Switch / Load Balancer with an OS of Other Network OS." With the new APL certification, F5 is now classified as an IA tool. While the Certification and Accreditation process will look pretty much the same, things concerning the F5 are starting to change quite a bit.

Change 1. F5 Military Unique Deployment Guide. This document helps identify and configure the BIG-IP base configuration required to pass IA scans.
Change 2. There is much better clarification on which STIGs apply to F5 BIG-IP, and stronger guidance on how to configure your platform in adherence to STIG and Security Requirements Guidelines (SRG).
Change 3. There is also the new National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) process (DoD Instruction 8501.01). We didn't have anything to do with this, but it's new, and it's important to know that we are in line with this process.

Getting Started

To start preparing the F5 BIG-IPs on your network, you should reach out to your account team to acquire a copy of the Military Unique Deployment Guide (MUDG), which details the proper base configuration. The MUDG can be acquired from any member of the F5 Federal team. However, due to sensitive information, a copy of the Information Assurance Assessment Package (IAAP) must be acquired directly from the Unified Capability Certification Office (UCCO); details are located within the DISA UC APL Certification Memo.

Next, apply STIG/SRG. These are currently in process, but the MUDG is sufficient to lock the appliance down to pass initial IA scans.

Draft STIG Release Guidance - Update: Final F5 STIG / SRG released, see below.

There have been a lot of questions lately on the release of the Draft STIGs for BIG-IP. The important things to note are as follows: First and foremost, do not apply draft STIGs. These are drafts and not yet final. Do not start applying draft STIGs in production environments. Draft STIGs are subject to change. Finally, do not apply draft STIGs. To access and review the Draft STIGs, you can find them at the following location: http://iase.disa.mil/stigs/net_perimeter/network-infrastructure/Pages/network-overview.aspx

Final STIG/SRG Release Guidance

There have been a lot of questions lately on the release of the Final STIGs / SRGs for BIG-IP. The important things to note are as follows: It is important to first follow and apply the guidance provided in the Military Unique Deployment Guide v1.2 (MUDGv1.2). If you have any questions or concerns regarding the guidance or text in the F5 Final STIGs, do not hesitate to reach out to your account team. To access the Final F5 STIGs, you can find them at the following location: http://iase.disa.mil/stigs/net_perimeter/network-infrastructure/Pages/other.aspx

Need Help? Contact Federal [at] F5.com.

The Mounting Case for Cloud Access Brokers
#infosec #cloud #iam

Addressing the need for flexible control of access to off-premise applications

Unifying identity and access management has been a stretch goal for IT for nearly a decade. At first it was merely the need to have a single, authoritative source of corporate identity so that risks like orphaned or unauthorized accounts could be addressed within the enterprise. But with a growing number of applications - business applications - being deployed "in the cloud", it's practically a foregone conclusion that organizations are going to need similar capabilities for those applications as well.

It's not easy. There are myriad reasons why unifying identity and access control is a stretch goal and not something easily addressed by simply deploying a solution. Federation of identity and access control requires integration. It may require modification of applications. It may require architectural changes. All of these are disruptive and, ultimately, costly. But the costs of not addressing the issue are likely higher.

Security a Rising Concern for Cloud-Based Application Usage

With access to these applications taking place from a variety of locations including smartphones (80 percent), tablets (71 percent) and non-company computers (80 percent) and with a large percentage of organizations (73 percent) needing to grant temporary access to cloud apps, respondents cited concerns around identity management, governance and complexity. ... Nearly three-quarters (72 percent) of the respondents said they have the need to provide external users, such as consultants, with temporary access to the company's cloud applications, while just under half (48 percent) of respondents said they are still not able to sign in to cloud applications with a single set of credentials.

[emphasis mine]

There is a significant loss of control - in terms of governance - that's occurring, where the organization no longer has the means by which it can control who has access to applications, from what device or location, and when. That's the downside of cloud, of distributed systems that are not architected with security in mind. Make no mistake, it's not just IT making a power grab for power's sake. This is a real, significant issue for the business side of the house, because it is their applications - and ultimately data - that are at risk by failing to properly address issues of access.

THE CASE FOR CLOUD ACCESS BROKERS

The least disruptive - and most efficient - means of addressing this disconnect is to insert into the data center architecture an access broker tier, a layer of dynamic access and identity management services designed to provide federation and unification of credentials across cloud and data center resources based on the organization's authoritative source of identity. The advantages of such a tier are that it is less disruptive, it respects the authoritative source of identity, and it is highly flexible. The same cloud access broker that provides authentication and authorization to internal resources can do so for cloud-based resources.

The downside is integration with a growing variety of SaaS and custom cloud-deployed applications used by the enterprise. A standards-based way of integrating off-premise applications with a cloud access broker is needed, and we find such a standard in SAML 2.0, an increasingly popular means of integrating identity and access management services across the cloudosphere.

In addition to providing access control through such integration, a cloud access broker also provides the means for IT to address the issue of password security noted in "Security a Rising Concern for Cloud-Based Application Usage":

The survey indicated unsafe password management continues to be a challenge, with 43 percent of respondents admitting that employees manage passwords in spreadsheets or on sticky notes and 34 percent share passwords with their co-workers for applications like FedEx, Twitter, Staples and LinkedIn. Twenty percent of respondents said they experienced an employee still being able to log in after leaving the company.

By enabling federation and single sign-on capabilities, organizations can mitigate this problem by ensuring users have fewer passwords to recall and that they do not share them with off-premise applications like FedEx. Because IT controls the authoritative source of identity, it also governs policies for those credentials, such as password length, history, interval of change, and composition.

FEDERATION MEANS HEIGHTENED (AND ENFORCEABLE) SECURITY

Federation of identity and access management through a cloud access broker can alleviate the loss of control - and thus the expanding security threats. By maintaining the authoritative source of identity on-premise, organizations can enforce security policies regarding password strength and length while improving the overall experience for end-users by reducing the number of credentials they must manage to conduct daily business operations. Issues such as orphaned or rogue accounts having access to critical business applications and data can be more easily - and quickly - addressed, and by using a flexible cloud access broker capable of transitioning security protocols, device incompatibility becomes a non-issue.

As more and more organizations recognize the ramifications of unfettered use of cloud services, it is inevitable that cloud access brokers will become a critical component in the data center.

A New Twist on DNS NXDOMAIN DDoS
DDoS attacks are increasing in scale and complexity, threatening to overwhelm the internal resources of businesses around the world. The F5 Silverline Security Operations Center (SOC) recently saw a new distributed denial-of-service (DDoS) attack vector targeting a customer's DNS servers with malicious traffic averaging between 8 and 12 Mbps and bursts of malicious traffic peaking at over 100 Mbps. This attack began in mid-August and continued through November 2015. It was not a typical reflection attack where DNS servers are used to attack a web site, but an attack against the actual DNS servers. Through additional investigation, the SOC analysts identified the vector and crafted a targeted mitigation for this new "_dmarc" attack.

In their investigation, Edgar Ojeda and his colleagues found that the F5 Silverline customer's DNS servers were receiving hundreds of thousands of randomized queries for "_dmarc" DNS records, even though from a volumetric standpoint this amount of traffic seems trivial. Then, they noticed that the _dmarc DNS queries were for non-existent subdomains and that the customer's DNS infrastructure was becoming unstable. As the attack continued and after further investigation, the F5 SOC created a finely tuned signature that successfully scrubbed all malicious traffic, and the customer's service became operational again.

To read the full report describing the attack, click here. If you are under attack, just click this link and we can get you back online! Click here to learn more about how F5 Silverline mitigates DDoS attacks.

The transition to HTTP/2: considering it, preparing for it, carrying it out

HTTP/2 is now a standard, with support built into modern browsers. Web servers also offer compatibility with this evolution in their latest versions. The key point is that HTTP/2 speeds up the transport of Web content while maintaining confidentiality through SSL. One of the benefits for developers and content providers is the ability to see what this protocol brings without calling their entire infrastructure into question. Demonstrations clearly show the gains through a browser on a laptop, and they are even more noticeable on mobile platforms. TMOS version 12.0 makes it possible to act as an HTTP/2 server towards clients while continuing to request content over HTTP/1.0 and HTTP/1.1 from the servers. To find reasons to take an interest in this protocol, several sources of information can help: Making the journey to HTTP/2; HTTP/2 home

Billionaires, Icons and Movie Stars – Why Geek Is Now Chic
Over the past few years we've seen the unstoppable rise of the geek. From popular culture to big business, the geeks have inherited the earth. They're the billionaires, the modern day rock stars, and their many achievements have resulted in a significant change to their status in popular society. They are now often championed, given the limelight or even imitated - geek is now chic! So let's take some time out to look at how the geek - and our perception of the geek - has evolved...

The Geek Revolution

Before the dawn of the information age, being an IT expert was associated with social ineptitude, a stereotype amplified by films such as 'Revenge of the Nerds.' Although this negative stigma has not quite been completely reversed, the rise of the geek has been prolific, driven by the mainstream rise of tech and the acute relevance of previously niche skills. Whether consumers or enterprises, society relies heavily on certain technologies, making IT experts and their knowledge indispensable. The employment of 'Genius' assistants in Apple stores shows the change in status and the dependence of society on the geek, as customers compete for the attention of those who can fix their gadgets. The behaviour of geek idols such as Mark Zuckerberg and Bill Gates also helped make geeks cool, by having the audacity to drop out of (a Harvard) education to follow their dreams.

The relevance of geek knowledge to businesses has been demonstrated by the scramble to fill the tech skills gap, but it spreads beyond classic computing know-how. Political forecaster Nate Silver received attention after mathematically predicting an Obama victory in 2012, resulting in a call to 'hire geeks not pundits' if you want to win a presidential election. The government introduction of compulsory IT-based aspects to school curriculums also shows the value attributed to IT know-how.

The Omni-Present Geek

Popular culture too is now exploring the techie as an unorthodox hero. This is perhaps most evident on the screen, demonstrated recently through television shows such as 'The Big Bang Theory' and 'The IT Crowd,' which explicitly focus their stories around stereotypical geeks. 'The Social Network' saw an entire film made about the rise of the IT genius. Characters are by no means portrayed with model good looks and bulging muscles, but the idea that the geek can 'win' is becoming more prevalent. In fashion, thick-rimmed, non-prescription glasses have become popular as an optional accessory rather than an optical necessity and have been embraced by stars and school children alike. T-shirts sold by 'Topshop' emblazoned with the word 'NERD' or 'GEEK' were hugely successful when launched in 2013; it seems the implication of intellect, whether genuine or ironic, is now considered fashionable.

Geek Power

If society has progressed through the Iron Age and the Industrial Age, we are undoubtedly in the Tech Age. IT geeks have done amazing things with their inventions and innovations: Sir Tim Berners-Lee revolutionised global society by giving life to the World Wide Web; the inventions of Steve Jobs and Apple are omnipresent and envelop popular society and business; Mark Zuckerberg has helped shape a generation through social media - just try to escape social networks today!

Despite geeks hitting the headlines for all the right reasons, there remains a significant gap between the level of demand for staff with specialist knowledge and the number of prospective employees who possess it. A number of recent high-profile hacking scandals show that IT experts have the potential to mould the business landscape in a variety of ways and have catapulted the cyber-security skills shortage up the national agenda. These achievements have not gone unnoticed by businesses or the government, who have increased IT spending budgets and launched recruitment drives. The success of tech companies and individuals has seen expert knowledge come to be associated with entrepreneurial flair, with the stories of innovators like Zuckerberg carrying the geek into the uncharted realms of, dare we say it, coolness.

Now that geek is chic, how about meeting some of the F5 geeks keeping businesses current in the age of tech? Why not join us at F5 Agility in Scotland in May? There will be F5 experts on hand to discuss your ideas and answer questions, as well as a host of sessions from a range of executives, from our CTO to our field engineers.

How the cloud can improve your security solutions?
The advantage of being in this industry for a while is that you get to see first-hand how things change. Mostly for the better, and usually quite quickly, too. Some of these changes have a knock-on effect on other parts of the industry. One recent example of this is security.

In days gone by, security was very much focused within a company's network; all the necessary data and applications sat behind the firewall, so that's where defences were concentrated. These days, that's simply not the case. Thanks to a raft of industry developments, primarily mobile devices and cloud computing, network perimeters are no longer contained within a company's (metaphorical) four walls. That's made security a slightly more difficult task - how can you be expected to use on-premises security solutions to protect apps, data, devices and so on, when they themselves are far beyond the traditional network perimeter?

That's why security solutions delivered via the cloud could help protect today's businesses. It means workers - and all that important, sensitive data - are protected, no matter where they are, what device they're using or what service/application they're connecting to. It simply isn't feasible for a company to protect each endpoint, inside and outside the perimeter.

Using cloud-based security solutions can help with a variety of different threats. Take DDoS attacks, for example. DDoS attacks are getting bigger in scale, and when you're talking about attacks around 300 Gbps in size (and up), the only way to stop these is with cloud-based technologies, as local network appliances won't be able to cope with the bandwidth required. Delivering DDoS protection from the cloud also means (depending on the service provided) companies can call on a globally-distributed DDoS mitigation network operated by experts. On-premises DDoS protection is unlikely to be able to say the same.

When you think about it, if you need to protect cloud-based devices, applications, data and so on, it makes sense to do that in the cloud, right? Cloud-based security can stop many attacks before they reach a corporate network and can use intelligence from its entire network to spot anomalies and new threats as they emerge. That real-time defence is something that on-premises software can struggle with, as databases have to be updated and new versions rolled out before the corporate network is secure.

It's worth noting that many of the benefits of cloud computing - cost reduction, better scaling, automation and so on - apply when it comes to using cloud-based security services. As we trust more and more of our critical applications, services and systems to the cloud, there is no reason why security should not be on that list.