Archive for cloud computing

Lightboard Lessons: SSO to Legacy Web Applications

IT organizations have a simple goal: make it easy for workers to access all their work applications from any device. But that simple goal becomes complicated when new apps and old, legacy applications do not authenticate in the same way.

In this Lightboard Lesson, I draw out how VMware and F5 help remove these complexities and enable productive, any-device app access. By enabling secure SSO to Kerberos constrained delegation (KCD) and header-based authentication apps, VMware Workspace ONE and F5 BIG-IP APM help workers securely access all the apps they need—mobile, cloud and legacy—on any device anywhere.

 

 




Managing Your Vulnerabilities

Posted in f5, big-ip, application security, cloud computing, compliance, 0day by psilva on December 9th, 2016


I recently recovered from ACDF surgery, where they remove a herniated or degenerative disc in the neck and fuse the cervical bones above and below the disc. My body had a huge vulnerability where one good shove or fender bender could have ruptured my spinal cord. I had some items removed and some hardware added, and now my risk of injury is greatly reduced.

Breaches are occurring at a record pace, botnets are consuming IoT devices and bandwidth, and the cloud is becoming a de-facto standard for many companies. Vulnerabilities are often found at the intersection of all three of these trends, so vulnerability and risk management has never been a greater or more critical challenge for organizations.

Vulnerabilities come in all shapes and sizes, but one thing that stays constant – at least in computer security – is that a vulnerability is a weakness which allows an attacker to reduce a system’s information assurance. It is the intersection of three things: whether a system is susceptible to a flaw, whether an attacker can access that flaw, and whether an attacker can exploit that flaw within the system. For F5, it means an issue that results in a confidentiality, integrity, or availability impact on an F5 device by an unauthorized source; something that affects critical F5 system functions, like passing traffic.

You may be familiar with CVE, or Common Vulnerabilities and Exposures. This is a dictionary of publicly known information security vulnerabilities and exposures. Each vulnerability or exposure gets a name, or CVE ID, which allows organizations to reference it in a public way. It enables data exchange between security products and provides a baseline index point for evaluating coverage of tools and services. MITRE is the organization that assigns CVEs. There are also CVE Numbering Authorities (CNAs). Instead of sending a vulnerability to MITRE for numbering, a CNA gets a block of numbers and can assign IDs as needed. The total number of CVE IDs is around 79,398.

Most organizations are concerned about CVEs and the potential risk if one is present in their environment. This is obviously growing with the daily barrage of hacks, breaches and information leaks. Organizations can uncover vulnerabilities from scanner results; from media coverage like Heartbleed, Shellshock, Poodle and others; or from the various security related standards, compliance or internal processes. The key is that scanning results need to be verified for false positives, that hyped vulnerabilities might not be as critical as the headline claims, and that you need to understand what the CVE might mean for your compliance or internal management.

For F5, we keep a close eye on any 3rd party code that might be used in our systems; OpenSSL, BIND and MySQL are examples. For any software, there may be bugs, researchers’ reports or even non-CVE vulnerabilities that could compromise the system. Organizations need to understand the applicability, the impact and the mitigation available.

Simply put: Am I affected? How bad is it? What can I do?


With Applicability, research typically determines if an organization should care about the vulnerability at all: is the affected version of the software noted, and are you running it? Are you running the vulnerable function within the software? Sometimes older or non-supported versions might be vulnerable but you’ve upgraded to the latest supported code, or you are simply not using the vulnerable function at all. The context is also important. Is it being used in default, standard or recommended mode? For instance, many people don’t change the default password of their Wi-Fi device and certain functionality is vulnerable. It gets compromised and becomes part of a botnet. But if the password was changed, as recommended, and it becomes compromised some other way, then that is a different situation to address.


For Impact, there are a couple of ways to decide how bad it is. First, you can look at the severity of the vulnerability: is it low, medium, high or critical? You can also see if there is a Common Vulnerability Scoring System (CVSS) score tied to the vulnerability. The CVSS score can give you a gauge of the overall risk. To go a bit deeper, you can look at the CVSS Vector.

There are 3 sections to the CVSS. There are the constant base metrics covering the exploitability of the issue, the impact that it may have and the scope that it is in. There are the temporal metrics, which may change over time, giving the color commentary of the issue. And there are the environmental metrics, which look at the specific, individual environment and how that is impacted. Areas explored here include things like the attack vector and complexity; whether elevated privileges or any user interaction are required; the scope; and how it affects the confidentiality, integrity and availability of the system. One can use the CVSS calculator to help determine a vector score. With a few selections you can get a base, temporal and environmental score for an overall view of the severity. With this, you can get an understanding of how to handle the vulnerability. Every organization has different levels of risk based on its unique situation. The vulnerability base score may have a critical listing, yet based on your environmental score, the severity and risk may be nil.

Lastly, the Mitigation taken is not an exact science and truly depends on the issue and the organization’s situation. Mitigation is not necessarily prevention. For example, compensating controls, such as restricting root level access might mean that a vulnerability simply isn’t exploitable without a privileged account.

Vulnerability management and information security is about managing risk. Risk analysis, risk management, risk mitigation and what that risk means to the business. Patching a vulnerability can introduce other risks, so the old refrain of “patch your $#!+” is not the panacea we’re often led to believe. Risk is not limited to the severity of the vulnerability alone, but also to the required vector for exploiting that vulnerability where it exists within a specific organization’s infrastructure.

It’s important to understand your risk and focus on the important pieces.

ps




Q/A with Rackspace Network Architect Vijay Emarose - DevCentral’s Featured Member for November

Posted in f5, big-ip, cloud computing, devcentral by psilva on December 9th, 2016


Koman Vijay Emarose works as a Network Architect with the Strategic Accounts team at Rackspace. He has been a “Racker” (Rackspace employee) for 7+ years and is currently adapting to a networking world that is pivoting towards automation.

In Odaah's free time, he likes to identify DevCentral site bugs and incessantly torment Chase Abbott to fix them (particularly the badges), and he is DevCentral’s Featured Member for November!

Vijay's other hobbies include traveling; he has been to more than eleven countries and is looking to increase that number in the future. Personal finance blogs and binge watching documentaries are his guilty pleasures.

DevCentral got an opportunity to talk with Vijay about his work, life and blog.

DevCentral: You’ve been an active contributor to the DevCentral community, and we wondered what keeps you involved?

Vijay Emarose: I have been a passive DevCentral user for quite a while and relied heavily on DevCentral to improve my iRule skills. The continued support for DevCentral community among F5 employees and other BIG-IP administrators provided me with the motivation to start sharing the knowledge that I have gained over the years. Answering questions raised by other members helps me to reinforce my knowledge and opens me up to alternate solutions that I had not considered. Rest assured, I will strive to keep the momentum going.

DC: Tell us a little about the areas of BIG-IP expertise you have.

VE: I started working on F5 during the transition period from 9.x to 10.x code version in 2010. BIG-IP LTM & GTM are my strong points. I have some experience with AFM, APM and ASM but not as much as I would like. Working with clients of various sizes from small scale to large enterprises at Rackspace exposed me to a wide variety of F5 platforms from the 1600s to the VIPRION.

I am sporadically active in the LinkedIn Community for F5 Certified Professionals. I had taken the beta versions of the F5 Certification exams and I am currently an F5 Certified Technology Specialist in LTM & GTM. I am eagerly looking forward to the upcoming F5 402 Exam.

I have been fortunate enough to work with the F5 Certification Team (Ken Salchow, Heidi Schreifels, et al) in the Item Development Workshop (IDW) for F5’s 201 TMOS Administration Certification Exam and it was an eye-opener to understand the amount of thought and effort that goes into creating a certification exam.

The 2016 F5 Agility in Chicago was my very first F5 Agility conference and I enjoyed meeting with and learning from Jason Rahm, Chase Abbott and other DevCentral members. I look forward to participating in future F5 Agility Conferences.

DC: You are a Network Architect with Rackspace, the largest managed cloud provider. Where does BIG-IP fit in the services you offer or within your own infrastructure?

VE: Rackspace is a leader in the Gartner Magic Quadrant for Cloud Enabled Managed Hosting and participates in the F5 UNITY Managed Service Provider Partner Program at the Global Gold Level.

Various F5 platforms from the 1600s to the VIPRIONS are offered to customers requiring a dedicated ADC depending on their requirements. LTM & GTM are widely supported.

In the past, I have been a member of the RackConnect Product team within Rackspace. “RackConnect” is a product that allows automated hybrid connections between a customer’s dedicated environment and Rackspace’s public cloud. F5 platforms were utilized as the gateway devices in this product. There is a DevCentral article on RackConnect by Lori MacVittie.

I would like to take this opportunity to thank the F5 employees who support Rackspace that I have had the pleasure of working with - Richard Tocci, Scott Huddy and Kurt Lanthier. They have been of massive help to me whenever I required clarification or assistance with F5.

DC: Your blog, Network-Maven.com, documents your experiences in the field of Network Engineering, Application Delivery, Security and Cloud Computing. What are some of the highlights that the community might find interesting?

VE: This is a recent blog that I started to share my knowledge and experience working in the Networking field. Application Delivery Controllers are a niche area within Networking and I was fortunate enough to learn from some of the best at Rackspace. My idea is to share some of my experiences that could potentially help someone new to the field.

Working with thousands of customer environments running different code versions on various F5 platforms has provided me with a rich variety of experience that could be of help to fellow F5 aficionados who are executing an F5 maintenance or implementing a new feature/function in their F5 environments.

DC: Describe one of your biggest challenges and how DevCentral helped in that situation.

VE: DevCentral has been a great resource for me on multiple occasions and it is tough to pinpoint a single challenge. I rely on it to learn from other’s experiences and to develop my iRule and iControl REST skills.

I have benefited from the iRule: 20 Lines or Less series and I am an avid follower of the articles published by community members. For someone starting new with F5, I would certainly recommend following the articles and catching up on the iRules: 20 Lines or less series.

DC: Lastly, if you weren’t working in IT – what would be your dream job?

VE: I haven’t figured it out yet. Tech, finance & travel interest me. Maybe some combination of these interests would be the answer.

DC: Thanks Vijay and congratulations! You can find Vijay on LinkedIn, check out his DevCentral contributions and follow @Rackspace.





The Intruders of Things

Posted in f5, big-ip, cloud computing, silva, application delivery, privacy, devcentral, iot by psilva on August 23rd, 2016

Gartner predicts that by 2020, IoT security will make up 20 percent of annual security budgets.


2020 seems to be an important milestone for the Internet of Things. That’s the year that Cisco says there will be 50 billion connected devices and also the year Gartner notes that over 50% of major new business processes and systems will incorporate some element of the Internet of Things.

That’s the good news.

A recent Symantec Internet Security Threat Report says there are 25 connected devices per 100 inhabitants in the US. That is a minimum of 25 entry points to your personal information, not counting your front door, personal computers, compromised ATMs and other data sources. As your connected devices grow, so will your exposure. And with no clear methods of identifying and authenticating connected devices, enterprises will have a challenging time getting a handle on how many employee shirts, shoes, fitness trackers, and smartwatches are connected to the corporate network. And more importantly, what do they have access to?

The sneaky spreadsheet macro malware will soon be a spoofed critical alert requiring instant attention.

Healthcare is a prime target for IoT attacks and researchers have already compromised several devices, revealing personal info and, worse, causing the devices to malfunction. ‘Hey, why isn’t my heart beating any……

The chaos on the feature-first consumer side can be frustrating but nothing compared to industrial and manufacturing.

The Industrial Internet of Things (IIoT) focuses on industrial control systems, device to network access and all the other connective sensor capabilities. These attacks are less frequent, at least today, but the consequences can be huge – taking out industrial plants, buildings, tractors, and even entire cities.


If you think data protection and privacy are hot now, just wait until 2020. Like BYOD, security pros need to be ready for the inevitable, not just the potential, of a breach. While the gadgets get all the interest, it’ll be the back end data center infrastructure that will take the brunt of the traffic – good and bad.

Organizations need an infrastructure that can both withstand the traffic growth and defend against attacks. Over on F5’s Newsroom, Lori MacVittie talks about the 3 Things the Network Must Provide for IoT – delivery, security and visibility: things that can communicate securely with back-end apps, ADCs that can understand the languages of things (like MQTT) and the ability to see what is going on with the things.

According to TechTarget, ensuring high availability of the IoT services will rely on boosting traffic management and monitoring. This will both mitigate business continuity risks and prevent potential losses. From a project planning standpoint, organizations need to do capacity planning and watch the growth rate of the network so that the increased demand for the required bandwidth can be met.


If you already have BIG-IP in your back yard, you’re well on your way to being IoT ready. You’ve got the network security to protect against inbound attacks; you can offload SSL to improve the performance of the IoT application servers; you can extend your data centers to the cloud to support IoT deployments; you can scale IoT applications beyond the data center when required; and you can both encrypt and accelerate IoT connections to the cloud.

A pair of BIG-IPs in the DMZ terminates the connection. They, in turn, intelligently distribute the client request to a pool (multiple) of IoT application servers, which then query the database servers for the appropriate content. Each tier has redundant servers so in the event of a server outage, the others take the load and the system stays available.

The BIG-IP tuning may vary but it is still all about nodes, hosts, members, pools, virtual servers and the profiles and services applied. The BIG-IP platform is application and location agnostic, meaning the type of application or where the application lives does not matter. As long as you tell the BIG-IP where to find the IoT application, the BIG-IP platform will deliver it.

ps





DevCentral at F5 Agility 2016

Posted in f5, big-ip, cloud computing, silva, devcentral, 2017 by psilva on July 26th, 2016

Four outta Five DevCentral members will appear in person at #F5Agility 2016.

That’s right! Jason, John, Chase and yours truly will be in Chicago next week for F5’s annual gathering of customers and partners. The DevCentral area will be in the heart of the Solution Expo and we’ll be offering some short technical presentations throughout the event. We’ll also have some t-shirts to give away along with a few other goodies.

Here is where we’ll be:


And here is our presentation schedule* to lock in to your mobile app.


If you will be at Agility 2016, please stop by to see us. 

And here are your Top 10 reasons to visit DevCentral at F5 Agility 2016:

  1. This is your F5 community
  2. Learn some new technical tips
  3. Ask your technical questions
  4. Watch a few technical presentations
  5. Our presentations are only 20 minutes
  6. Meet the team
  7. Grab a T-shirt
  8. Hang with other DC community members
  9. Relax and take a break
  10. Chase Abbott’s Session

Hope to see you there!

ps

*Subject to change 




Is 2016 Half Empty or Half Full?

Updating passwords is a huge trend in 2016


With 2016 crossing the half way point, let's take a look at some technology trends thus far.

Breaches: Well, many databases are half empty due to the continued rash of intrusions while the crooks are half full with our personal information. According to the Identity Theft Resource Center (ITRC), there have been 522 breaches thus far in 2016 exposing almost 13,000,000 records. Many are health care providers as our medical information is becoming the gold mine of stolen info. Not really surprising since the health care wearable market is set to explode in the coming years. Many of those wearables will be transmitting our health data back to providers. There were also a bunch of very recognizable names getting blasted in the media: IRS, Snapchat, Wendy’s and LinkedIn. And the best advice we got? Don’t use the same password across multiple sites. Updating passwords is a huge trend in 2016.

Cloud Computing: According to IDC, public cloud IaaS revenues are on pace to more than triple by 2020, from $12.6 billion in 2015 to $43.6 billion in 2020. The public cloud IaaS market grew 51% in 2015 but will slightly slow after 2017 as enterprises get past the wonder and move more towards cloud optimization rather than simply testing the waters. IDC also noted that four out of five IT organizations will be committed to hybrid architectures by 2018. While hybrid is the new normal, remember: The Cloud is Still Just a Datacenter Somewhere. Cloud seems to be more than half full, and this comes at a time when ISO compliance in the cloud is becoming even more important.

DNS: I’ve said it before and I’ll say it again, DNS is one of the most important components of a functioning internet. With that, it presents unique challenges to organizations. Recently, Infoblox released its Q1 2016 Security Assessment Report and off the bat said, ‘In the first quarter of 2016, 519 files capturing DNS traffic were uploaded by 235 customers and prospects for security assessments by Infoblox. The results: 83% of all files uploaded showed evidence of suspicious activity (429 files).’ They list the specific threats from botnets to protocol anomalies to Zeus and DDoS. A 2014 vulnerability, Heartbleed, still appears around 11% of the time. DevOps is even in the DNS game. In half full news, VeriSign filed two patent applications describing the use of various DNS components to manage IoT devices. One is for systems and methods for establishing ownership and delegation of IoT devices using DNS services and the other is for systems and methods for registering, managing, and communicating with IoT devices using DNS processes. Find that half full smart mug...by name!

IoT: What can I say? The cup runneth over. Wearables are expected to close in on 215 million units shipped by 2020, with 102 million this year alone. I think that number is conservative with smart eyewear, watches and clothing grabbing consumers’ attention. Then there’s the whole realm of industrial solutions like smart tractors, HVAC systems and other sensors tied to smart offices, factories and cities. In fact, utilities are among the largest IoT spenders and will be the third-largest industry by expenditure in IoT products and services. Over $69 billion has already been spent worldwide, according to the IDC Energy Insights/Ericsson report. And we haven’t even touched on all the smart appliances, robots and media devices finding spots in our homes. Get ready for Big Data regulations as more of our personal (and bodily) data gets pushed to the cloud. And we’re talking a lot of data.

Mobile: We are mobile, our devices are mobile and the applications we access are mobile. Mobility, in all its iterations, is a huge enabler and concern for enterprises, and it’ll only get worse as we start wearing our connected clothing to the office. The Digital Dress Code has emerged. With 5G on the way, mobile is certainly half full and there is no emptying it now.


Of course, F5 has solutions to address many of these challenges whether you’re boiling over or bone dry. Our security solutions, including Silverline, can protect against malicious attacks; no matter the cloud – private, public or hybrid – our Cloud solutions can get you there and back; BIG-IP DNS, particularly DNS Express, can handle the incredible name request boom as more ‘things’ get connected; and speaking of things, your datacenter will need to be agile enough to handle all the nouns requesting access; and check out how TCP Fast Open can optimize your mobile communications.

That's what I got so far and I'm sure 2016's second half will bring more amazement, questions and wonders. We'll do our year-end reviews and predictions for 2017 as we all lament, where did the Year of the Monkey go?

There's that old notion that if you see a glass half full, you're an optimist and if you see it half empty you are a pessimist. I think you need to understand what state the glass itself was before the question. Was it empty and filled half way or was it full and poured out? There's your answer!

ps 




Orchestrate Your Infrastructure

Posted in security, f5, big-ip, cloud computing, silva, access, programmability by psilva on June 28th, 2016

The digital society has emerged.

Today’s always-connected world and the applications we interact with are changing the way we live. People are mobile, our devices are mobile, and by all accounts, everything that is a noun – a person, place or thing – will soon be connected and generating data... and all that traffic is destined for an application – that could also be portable - located somewhere in a data center.

But not all data traffic is created equally and critical information might need some action that requires automation of the deployment process. At the same time, organizations can’t afford to manually make policy adjustments every time something needs attention. Automated coordination between applications, data and infrastructure from provisioning to applying policies and services which are in-line with business needs must be in place.

This is Orchestration.


Humans have always differentiated ourselves from all other creatures by our ability to reason. Today, we’re building reason into systems to make some of these decisions for us: software that incorporates ‘What’s the purpose?’ and ‘What’s the reason why?’

Purpose-driven networking – programmability – means not just recognizing that this is Thing 1 or Thing 2 and routing requests to the appropriate service, but recognizing what Thing 1 or Thing 2 is trying to do and delivering in such a way as to meet expectations with respect to its performance.

The underlying infrastructure/architecture also needs to understand the purpose or reason for the data traffic adjustment and enable the scale and speed of deployments necessary for business success.

There is a ton of communication between us, our devices and the things around us, along with the applications that support us. It takes an agile and programmable infrastructure which is able to intercept, evaluate and interpret each request with an eye toward user, device, location and, now, purpose.

Orchestration is the glue that holds together all the quick networking decisions, ensures the provisioning of policies go where they need to go and provides the intelligence for the architecture to make automatic decisions and adjustments based on policy.

There could be many good reasons to automatically adjust the system and the F5 proxy architecture can augment application delivery functionality in tune with many other frameworks.

Because everyone has a unique environment, we’ve built custom integrations for a variety of 3rd party solutions including Cisco APIC, Amazon EC2, VMware NSX, and OpenStack. It begins when an administrator creates a custom integration based on Application Templates.


These templates can contain any configuration for a BIG-IP – from firewalls to local traffic management or anything else. Many configurations are seamless but with Cisco APIC, the configuration is then turned into a custom plug-in. The device package can then be uploaded directly to Cisco APIC, where application developers can deploy their targeted configuration correctly without using lots of knobs, but only the knobs they need to configure their application.


The application developer only has to specify a couple of parameters because when the administrator created the templates, they pre-configured everything the application developer needs in order to correctly deploy their application. This is different from other vendors’ integrations, which simply expose a large series of configuration clicks that users then have to get correct…and they’re easy to get wrong.


At this point, iWorkflow translates this small set of parameters into the complete configuration needed by the BIG-IP. And it deploys it on the BIG-IP. The BIG-IP is now completely configured for your application.


But we’re not done yet.

This is a dynamic integration since environments are always changing. When new application servers are added, or removed from your network, APIC will notice this, inform the BIG-IP, and BIG-IP’s configuration will update to reflect the new application servers and the associated application services. Now that the BIG-IP is aware of these application servers, it will immediately start directing traffic to those servers allowing your application to expand.

Likewise, when application servers are removed, the BIG-IP’s configuration will immediately be updated and will stop passing traffic to those application servers, allowing you to take a maintenance window or decrease the capacity provided to your application.

And while all this is happening, iWorkflow is collecting application level statistics to provide a complete view of your infrastructure and reporting them upstream, to the Cisco APIC in this example.

That’s it, we’re done right?!?!

WRONG!! What about security? What happens when you’re under attack?!?

As you know, it is critically important that the security services dynamically follow the application also, no matter where it lives or how it got there. And in some cases, an old application needs a new home.

The idea is that you start with the (figurative) castle protecting the queen's treasure – The Data – and we drop in the different service pieces to keep the application secure, available and resilient. The wall and moat around the castle represent BIG-IP AFM perimeter protection; there’s a satellite dish for signaling to the Silverline DDoS Service; and BIG-IP APM's drawbridge thwarts unauthorized access. The whole point is that F5 can add these services around all your 'castled' applications to protect them from threats. This is especially true for ‘older’ applications that may have issues adding security services. F5 can be deployed with the latest security services to protect your entire environment.

Orchestration gives organizations the automated provisioning processes of application policies in our hybrid, dynamic, mobile and risky world. And check out Nathan Pearce's great iWorkflow Series!

ps




Control It All with iControl

Posted in f5, big-ip, cloud computing, silva, application delivery, api, programmability, sddc by psilva on June 14th, 2016

The concept of Application programming interfaces (APIs) has been around for a while.

According to CSC Distinguished Engineer & Chief Product Architect (and bass player) Martin Bartlett,

‘The concept of an API pre-dates even the advent of personal computing, let alone the Web, by a very long time! The principle of a well-documented set of publicly addressable "entry points" that allow an application to interact with another system has been an essential part of software development since the earliest days of utility data processing. However, the advent of distributed systems, and then the web itself, has seen the importance and utility of these same basic concepts increase dramatically.’ (Courtesy: http://history.apievangelist.com/)

An API is a set of routine definitions, protocols, and tools for building software and applications. It is software written to function as a communication bridge between Web applications. That’s how iControl started according to Joe Pruitt – as a way for the early versions of BIG-IP LTM (BIG-IP) and BIG-IP DNS (3-DNS/GTM) to communicate with each other to ensure they were making the right traffic management decisions. And this was 16 years ago!

Today, APIs are all over the place, running behind the curtains without any direct user interaction. They are primarily used for computer consumption and typically absorbed by web applications. APIs make services available for developers to build those same services into their applications. eBay, Amazon & AWS, Facebook, Twitter and Google Maps are some examples you might be familiar with. For instance, Google Maps has an API so developers can use the backend services to create their own ‘maps.’ Maybe it is a map of restaurants in the vicinity of a hotel. The hotel website could use the Google Maps API to show different shopping, eating or recreational activities in the area. They wouldn’t need to develop the maps nor house the data themselves.

With the Internet of Things (IoT), APIs allow you to share, manage, access and interact with your previously unconnected items like cameras, bicycles and even medicine bottles. And there are many IoT APIs that are available.

And that’s really the point with iControl.


Whether you're looking to tweak a feature or spin up 500 new pool members, iControl can do it. Anything you can do via the command line or GUI, you can accomplish via iControl. And you can do it programmatically, so you don't have to enter every single command in the chain, or wake someone up at 3am during the change control window just to bleed the servers off a pool.

iControl is F5's open, web services-based API that allows complete, dynamic, and programmatic control over nearly every aspect of both execution and configuration on BIG-IP systems. With iControl you can work like a wizard—add, modify, or configure your F5 device in real time. It is the primary means through which BIG-IP is integrated into both commercial management offerings and cloud computing environments. In short, iControl is a simple, lightweight API that gives you programmatic access to what you would otherwise do with Traffic Management Shell (tmsh) commands.

And now you can say, 'I control my infrastructure with iControl.'

ps

The Dangerous Game of DNS


The Domain Name Service (DNS) is one of the most important components in networking infrastructure, enabling users and services to access applications by translating URLs (names) into IP addresses (numbers). Because every icon and URL and all embedded content on a website requires a DNS lookup, loading complex sites necessitates hundreds of DNS queries.

And because of that, DNS is a precious target and lags only behind HTTP as the most targeted protocol.

DDoS-ing DNS is an effective way to make the service unavailable. As the flood of malicious DNS requests hits the infrastructure, the service can become unresponsive if there is not enough capacity. Organizations can add more servers or turn to their cloud-based security provider for help. One of the strategies cloud-based security providers use to shield DNS is DNS redirection. Cloud providers divert incoming traffic to their own infrastructure, which is resilient enough to detect and absorb these attacks. The success of this strategy, however, depends on how well the website's original IP address can be shielded. If the bad guy can find that IP address, then they can get around the protection.

So is DNS redirection effective? Researchers decided to find out.

Scientists from KU Leuven in Belgium built a tool called CLOUDPIERCER, which automatically tries to retrieve websites' original IP addresses, including through the use of unprotected subdomains. Almost 18,000 websites, protected by five different providers, were part of the team's DNS redirection vulnerability tests. In more than 70% of the cases, CLOUDPIERCER was able to retrieve the website's original IP address - the precise info needed to launch a successful attack.

Researchers did share their findings with those cloud-based providers and have made CLOUDPIERCER freely available for organizations to test their own DNS infrastructure.

In another DNS scam, a new version of the NewPosThings PoS (point of sale, not…) malware is using DNS rather than HTTP/HTTPS/FTP to extract data from infected PoS terminals. This is an interesting twist, since most security solutions monitor HTTP/HTTPS traffic for suspicious activity. Anti-virus doesn't necessarily watch DNS, and admins cannot simply turn off DNS since they need it to resolve hostnames and domains. Seems like a clear shot.

The newest version of NewPosThings is nicknamed MULTIGRAIN, and it only targets (and infects) one specific type of PoS platform: the multi.exe process, specific to a popular electronic draft capture software package. If the multi.exe process is not found, the malware moves on. Once inside, the malware waits for Track 2 credit card data, and once it has the data, it encrypts and encodes it before sending it to the bad guy via a DNS query.

The use of DNS for data exfiltration on PoS devices is not new and shows not only how attackers can adjust to different environments but also, that organizations need to be more aware of their DNS traffic for potential anomalies.
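One way to act on that last point, as an added example that is not part of the original post: a small detector run over constructed resolver log lines (format `<time> <client_ip> <qtype> <qname>`, which is an assumption) that flags the two signs the MULTIGRAIN story highlights, a long near-random label carrying encoded data and one client churning through many distinct names under a single domain. The thresholds are assumptions to tune against your own baseline.

```python
"""Flag DNS queries that look like encoded data leaving the network.
Added example, not from the original post. Input is constructed query-log
lines '<time> <client_ip> <qtype> <qname>'; the thresholds are assumptions
to tune against your own resolver's baseline."""
import math
from collections import defaultdict
MAX_LABEL = 40         # longer labels are rare for human-named hosts (assumption)
MIN_ENTROPY = 3.5      # bits/char; encoded payloads look near-random (assumption)
MAX_UNIQUE_SUBS = 5    # distinct names per client+domain before flagging (assumption)

def shannon_entropy(s):
    """Bits of entropy per character of s."""
    n = len(s)
    counts = defaultdict(int)
    for c in s:
        counts[c] += 1
    return -sum(k / n * math.log2(k / n) for k in counts.values())

def base_domain(qname):
    """Registrable domain, approximated as the last two labels (no suffix list)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def suspicious_label(qname):
    """True when any label is both long and high-entropy."""
    return any(len(l) > MAX_LABEL and shannon_entropy(l) > MIN_ENTROPY
               for l in qname.rstrip(".").split("."))

def find_exfil(lines):
    """Return sorted (client, domain) pairs whose queries look like exfiltration:
    either an encoded-looking label, or many distinct names under one domain."""
    flagged, seen = set(), defaultdict(set)
    for line in lines:
        _, client, _, qname = line.split()
        key = (client, base_domain(qname))
        seen[key].add(qname.lower())
        if suspicious_label(qname) or len(seen[key]) > MAX_UNIQUE_SUBS:
            flagged.add(key)
    return sorted(flagged)

SAMPLE_LOG = [  # constructed lines, not real traffic
    "2016-04-20T03:14:01 10.1.2.3 A www.example.com",
    "2016-04-20T03:14:02 10.1.2.3 A mail.example.com",
    "2016-04-20T03:14:07 10.1.2.9 TXT q7hxk2m9p4vd83nzj5lwt0ybc6r1a8sfe4gu7ki2o9dm.updates.example.net",
    "2016-04-20T03:14:08 10.1.2.9 A cdn1.example.org",
] + [f"2016-04-20T03:15:{i:02d} 10.1.2.5 A s{i}.drip.example.org" for i in range(7)]

if __name__ == "__main__":
    for client, domain in find_exfil(SAMPLE_LOG):
        print(f"review DNS traffic from {client} to *.{domain}")
```

Expect CDNs and some analytics domains to trip the unique-name rule; an allowlist of known domains keeps the output reviewable.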

BIG-IP could also help in both instances.

For the redirection issue, BIG-IP or our Silverline Managed Service offers Proxy Mode with DNS redirection. With Routed Mode, we offer BGP to Silverline and then Generic Routing Encapsulation (GRE) tunnels or L2VPN back to the customer to mask the original IP address.

For the PoS malware, BIG-IP can utilize a DNS response policy zone (RPZ) as a firewall or outbound domain filtering mechanism. An RPZ is a zone that contains a list of known malicious Internet domains. The list includes a resource record set (RRset) for each malicious domain and each RRset includes the names of the malicious domain and any subdomains of the domain.

When the BIG-IP system receives a DNS query for a domain that is on the malicious domain list of the RPZ, the system responds in one of two ways based on your configuration. You can configure the system to return an NXDOMAIN response, indicating that the domain does not exist, or to return a response that directs the user to a walled garden.

[Figure: BIG-IP returns an NXDOMAIN response to a DNS query for a malicious domain]

[Figure: BIG-IP forwards a DNS query for a malicious domain to a walled garden]
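The two responses above, as an added example of the policy decision an RPZ makes (this is not BIG-IP's implementation; the zone contents and walled-garden address are constructed). RPZ stores each policy as a CNAME in the policy zone: a target of `.` means NXDOMAIN, `rpz-passthru.` means answer normally, and any other target is the walled-garden name; a wildcard entry is what covers "any subdomains of the domain".

```python
"""Minimal RPZ-style QNAME filter: the policy decision a resolver makes
before it answers. Added example, not BIG-IP's implementation. RPZ stores
each policy as a CNAME in the zone: '.' means NXDOMAIN, 'rpz-passthru.'
means answer normally, any other target is the walled-garden name.
Zone contents below are constructed."""

RPZ_ZONE = {  # constructed policy zone keyed by trigger name, no trailing dot
    "malware.example":   ".",                      # NXDOMAIN for the apex...
    "*.malware.example": ".",                      # ...and every subdomain
    "c2.example":        "walled.garden.example",  # redirect to walled garden
    "*.c2.example":      "walled.garden.example",
    "ok.c2.example":     "rpz-passthru.",          # explicit exception
}
WALLED_GARDEN = {"walled.garden.example": "192.0.2.10"}  # constructed A record

def rpz_match(qname, zone):
    """Rdata of the most specific trigger covering qname, or None.
    An exact name wins over wildcards; a closer wildcard wins over a farther one."""
    name = qname.rstrip(".").lower()
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):   # *.load.malware.example, *.malware.example, ...
        wild = "*." + ".".join(labels[i:])
        if wild in zone:
            return zone[wild]
    return None

def rpz_answer(qname, zone=RPZ_ZONE, garden=WALLED_GARDEN):
    """Return ('PASS', None), ('NXDOMAIN', None) or ('WALLED_GARDEN', ip)."""
    rdata = rpz_match(qname, zone)
    if rdata is None or rdata == "rpz-passthru.":
        return ("PASS", None)           # not listed (or excepted): resolve normally
    if rdata == ".":
        return ("NXDOMAIN", None)       # tell the client the name does not exist
    return ("WALLED_GARDEN", garden.get(rdata))

if __name__ == "__main__":
    for q in ("www.example.com", "pay.load.malware.example", "c2.example", "ok.c2.example"):
        print(q, "->", rpz_answer(q))
```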

DNS is one of those technologies that is so crucial to a functioning internet, especially for human interaction. Yet it is often overlooked, and seems to get attention only when things are broken. Maybe take a gander today to make sure your DNS infrastructure is secure, scalable and ready to answer each and every query. Ignoring DNS can have grave consequences.

ps

You’re Getting Under My (e)-Skin

Posted in f5, cloud computing, silva, application delivery, big-iq, iot, sensors, wearable by psilva on April 20th, 2016


Imagine if the temporary tattoos that come in a box of Cracker Jack (if you’re lucky) had an electronic display logo that lights up when you put it on. Or a fitness tracker that you tape to yourself rather than wearing it around your wrist. Or a watch so thin that it lights the time while blending into your skin. Or even, a sensor that can be applied directly to an organ to determine health.

This is the future for electronic skin. Yup, I said it: E-Skin.

Researchers in Japan have developed an ultra-thin and ultra-stretchy material that can mimic the flexibility of human skin. This ultraflexible organic photonic skin uses polymer light-emitting diodes (PLEDs), small sheets of energy-efficient lights, laminated right onto the skin. They are intended to equip the human body with electronic components for health monitoring and information technologies. The film is transparent, but when driven with electrical pulses it emits a colored light, number or letter depending on the implementation, and an arrangement of PLEDs can display more complex information. The researchers also report that this PLED film produced less heat and consumed less power than previous e-skin samples.

The interesting thing here is that they used organic materials and added an extra layer of film to protect the device from oxygen and water, so it lasted several days. Past organic efforts lasted less than a day due to air exposure. Today, non-organic materials used to make super-thin, tattoo-like monitoring devices can last weeks or longer.

These advancements will only fuel the health care wearable market which is growing exponentially.


Research firm Tractica released findings from its report ‘Wearable Devices for Healthcare Markets’ that show worldwide shipments of healthcare wearables will increase from 2.5 million in 2016 to 97.6 million in 2021…or $17.8 Billion in yearly revenue. The general wearable device market will increase from 85 million units in 2015 to 559.6 million units by 2021 - a compound annual growth rate of about 37%.

If you thought the influx of data center and cloud traffic from mobile was big, just wait until all our body vitals start hitting the wire. Add that to all the other IoT initiatives, like home and automotive, and big data suddenly turns into ginormous data.

While we may instantly think about the fitness trackers and smartwatches that adorn our bodies, the health care industry is also looking at the treatment of chronic diseases, wellness programs, remote patient monitoring and physician use. And there are other devices, like posture monitors, connected wearable patches and pain management wearables, that are gaining ground.

I can already hear the posture sensor barking, 'Stop Slouching!' and a pain patch that actually works instead of those menthol smelling globs – great idea!

ps
