Image via Wikipedia

Related articles

• Book Review – How’s That Underling Thing Working Out for You? by Scott Adams (duffbert.com)
• Scott Adams on IP theft: “It feels like a compliment” (RexBlog.com)
• I can’t do that, Dilbert (languagelog.ldc.upenn.edu)
• November 12, 2011: My Top 5 Favorite Comic Strips! (josephmallozzi.wordpress.com)
• Comics Crossover – Barney & Clyde (the-unmutual.blogspot.com)
• Strip where Dilbert confronts boss; looses chair (ask.metafilter.com)
• User Interface for Reality (dilbert.com)
• ArcaMax Launches Dilbert and Four Other Famous Comic Strips (prweb.com)

Rest in Peace Steve.

Thanks

It is now a quite very long time we talk about new architectures for our environment.
What is leading the way, nowadays, is talking about SOA and Cloud, but what do really means for us implementing those architecture in our networks?
One of the problem I’ve noticed when talking with customers and partners is that they usually try to use the same techniques they used for the old network deployment to the new ones. this is a mistake for several reasons, but for a mere philosophical point of view make a little, if not at all, sense to apply old rules to new ideas.
So what has really changed in those approach (cloud and SOA) that will require us to shift our way to project ad deploy networks?
Let’s say there are some evident changes, first of all the topology of connection has been dramatically modified. when once we could simply think of an identity between user or service, and relative IP address this is not more possible.
The reason behind this are easily found in both client and server side of this equation.
No more physical servers location
virtualization simply change the rules of the game, braking the identity between the physical location of a server and the service provided. this is a huge change in the way we should plan and deliver our service.
The classic structure was something like that:

The service used to be provider by one or more servers with a physical defined location and IP.
The client usually shared the same configuration with a well defined physical location and a fixed IP (or an address taken form a well defined pool).
With this situation was relatively simple to define rules of access and security.
User where defined by the  membership to a specific directory group (Active Directory or LDAP or …who really cares?) as well as client computer was identified and identified by it’s IP range.
From a service delivery and security perspective this was translated in two completely separated set of activities:
The owner of the network used to set delivery and security rules based on IP and MAC address, creating table to allow or block access to physical locations defined by it’s IP range. Tis way there was a sort of identity between IP structure and topology that was then copied at upper layer by software services.
The owner of the service was, at the same time, able to ignore the network structure and limit the relative security and delivery to the authentication of the requester, providing a set of different access to the different layer or services provided by the software.
This approach lead information technology for decades, ten something happened: the disruptive introduction of virtualization.
Virtualization has been a successful technology because of the promise of lower the TCO of our networks.
The original idea was to abstract the physical server from OS and application, making the physical server able to run multiple different instances.
The advantage was a standard physical layer interface seen by OS (no more drivers nightmares, bios upgrade pain and stuffs like this) and the possibility to reduce the overall number of physical devices running more instance on one Hardware.
The increasing power of hardware platforms made this approach approach successful, but at the beginning the virtualization technique was just used to hide the physical server and nothing more.

Nothing were really changed here, beside the fact that more services were running on the same physical platform.
But changing technology create new needs and so the virtual infrastructures evolved to something completely new.
Basically the abstraction layer provided by the virtual environment has been expanded in order to offer a complete abstraction from the physical layer topology. Nowadays virtual environment allow to have virtual environment running  as an unique environment on different HW and different locations, at the same time the services running inside this environment are able to move from an hardware structure to another one just according the required computational needs, for the same reason instances can be created on the fly by the service layer or the virtual environment layer.
This is a radical change in the design of applications, security and networks. While before a simple IP was a good token to recognize a physical layer, a virtual one and a service one, now everything is more complex.
From a logical point of view it is clear that the problem in design is that we have multiple required connection inside the virtual environment, the entities inside the virtual environment can create complex relationship between them (think of a classic SOA implementation) as well they need to instance the physical layer.
There are obvious problems related to authentication, identity flaw control, network control and monitoring inside the virtual environment as well as the interaction with the physical environment. In a single Datacenter the physical backplane and the communication between the physical servers is usually a problem solved with datacenter specific technologies as Unified computing by cisco.
Actually the situation is a way more complex if we consider a geographical implementation as it is used to build SaaS or cloud architectures.
Different environment can be located in different datacenter able to offer a single virtual environment.
Application living in the virtual severs can be located anywhere and change location upon request or load requirement.

In this situation we add another complexity to the structure, since the virtual layer needs physical geographical connections that emulate the single virtual environment, and at the same times applications need to communicate outside and inside their virtual environment.
The physical network layer need to manage several different kinds of traffic: the communication between the virtual layer units, the communication between different services that can be in need to communicate outside the virtual environment (typical SOA requirement) and the communication with client requiring service (we’ll explode this further in a few).
 
This kind of situation is typical in cloud implementation where the physical location of the provided service should not influence the client experience no matter where it is.
In a typical SOA implementation we add a new level of complexity since the service provided can be generated by different unit that can be stored generated and delivered in different fashion.

This kind of complexity is hard to manage with traditional techniques. the first thing that we have to realize is that we need to extend the control inside the virtual environment and its units form a network , authentication and identity point of view.
Since the post is not strictly on SOA architecture I would not go deeper on the modules authentication and security needs and I will talk generally of some network requirements.
Any service that need to communicate with another inside or outside the the virtual environment trough a network protocol (TCP\IP v4 or TCP\IP v6) usually need to be provided with some sort of connection link. this can be provided by a physical switch or a virtual one running in the virtual environment. using a physical switch can be, apparently, a great solution, in terms of performances and security. this is actually a misconception for several reasons:
First of all the communication outside the virtual environment require an overload to both the service and the virtual environment, if we widen the structure in a geographical scale this overload can be barley manageable.
Second aspect to keep in mind is that some network attack in this situation are easier since the real communicator is hided by the virtual shield. impersonating a service and access data is so not a remote threat.
If the physical cannot scale well, the virtual one has, on the other side, another set of  problems: resource consumptions (cpu and network latency for instance) the need to interface with the physical environment, a non matching vlan system and so on.
The problem is to overcome those limitation and keep the good from the two solutions
The solution the market is presenting nowadays is the integration between a virtual switch layer with a physical one datacenter scalable.
The idea is to have a single switch with two faces, one in the virtual world and one on the physical world. Cisco Nexus is a good example of this kind of approach.
As well as the switching similar requirement are related to firewalling. Since what happen inside a virtual environment is in a sort of black box from the outside world, keeping a security eye to check if the correct communication are in place an nothing strange happen is mandatory. Again we  have a dichotomy between the physical and virtual world, the solution nowadays is to adopt a virtual firewall able to deal with internal virtual environment communications. A good example can be found again in Cisco with VSG and Virtual ASA.
Cisco VSG Security in a Dynamic VM Environment, Including VM Live Migration


Basically this kind of solutions address two needs: manage and secure virtual internal traffic, and give an interface from the physical world to the virtual one and vice versa.
Alas this is only one part of the equation, since if from one side we have the problem to control manage and deploy the services we want to provide, on the pother end we have the problem to deliver those service to someone who can use it.
Here the problem again is evolving due to several factors: the vanishing of the physical borders of our networks, the consumerization of browser capable devices, the shift in use from simple data to rich context aware multimedia contents, just to name a few.
Users try to access resources from anywhere with different devices and we are barely able to know from where they will connect to the resources.
the initial situation was relatively easy to manage, as for the server also the client were easily locable. an IP address was more than enough to build a trust relationship between client and server.

With the Datacenter consolidation the number of servers and devices growth, but again with a limited presence of remote users the location of both side were quite easy understandable. The introduction of vlan technologies, stateful inspection firewall, the use of L3\L4 switches, the pervasive use of access lists were addressing (at least apparently) most of the issues.

The virtualization opened a break into this structure introducing a first layer of indetermination, virtual servers and services where not physically defined by the IP, since the could share the same physical location.

while adding complexity from “server” side, also the client side were expanding with an higher presence of remote users and the introduction of new services on the network (who does not have an IP phone nowadays?)

more devices means more network requirements, and so datacenter complexity, thanks to the virtual technology, expanded beyond the physical constrain of a single physical location. as we discussed before this lead to a series of problems that were paired with the expansion form the client side of remote and local  users using different devices.

And then comes the cloud, and the final vanishing of any physical predetermined location for our client and our services.

Client and server side so evolved in an interconnect way, but network components and design were not always following this thread.
Using old fashion access lists, IP based network policies, Static VLan Assignment to manage this situation create a level of complexity that makes things unmanageable. nowadays firewalls require thousands of rules to accomplish every dingle special need, alas we have all a lot of special needs.
It’s clear to me in this situation that we need to shift from a static design to a dynamic one, able to accomplish the different needs of this evolving environment. A technology like Cisco Trustsec address those kind of requests, using SGT (Secure Group Tagging) basically dynamically assign vlan membership upon user identity, regardless IP or location, driving the packets to destination accordingly to the needs, and encrypting the network communication. To drive correctly the traffic regardless the IP is a mandatory requirement in a dynamic Cloud or SOA environment.
As important as driving correctly the network traffic there is also the need to determine witch kind of access we want to assign, we have plenty of devices like tablets, smartphones, laptop, ip phones, printers, scanners, physical security devices, medical equipment that need to access somehow our services and need to be authorized on the network. Using a Network Access service is mandatory as well to be able to correctly filter the devices, both on wireless and wired networks (think of what happened recently in Seattle to understand this kind of need). Again we can think of a cisco product like ISE to accomplish this.

http://feeds.feedburner.com/portadiferro

Image via Wikipedia

But the last Anonymous attack make me wonder what is really anonymous, and similar group like lulzsec or web-ninja and so on.

Are those a real groups? And what are the reasons behind their moves? Do they really have a defined  agenda? and a boss or a hierarchy?

Usually press and police try to consider those groups as organized crime or terrorist.  so we can read news on a new hacking group leader arrested, and even if this could sound a good info the truth is that those act does not stop, “ou contraire”, they rise up.

Like the Hydra once you cut a head other two grown up? Or this is a highly structured and efficient organization, able to act and replace the troops with military precision?

Alas I do not think they’re right. Considering the way they act and the target they choose it looks more like social networking environment.

It looks like more as an unstructured group, leader does not means boss, and links and groups does not identify a hierarchy. If we do not put this in mind we will have a few chance to understand this phenomena. With this in mind it’s easier to understand the aggregation model of those groups, underground culture, acktivism, emulation are all drivers. Of course in such environment is quite easy to have criminal infiltration and manipulation but those are not the main drivers.

A diffuse sense of eager for justice is the main vector, also a sense of revenge against official institutions. If we analyze the first targets, big corporations, police enforcement agencies, governments who are fighting civil rights looks like we have a sort of new “68″.

But why now and why internet? There are several good reason that are joining all together.

I will talk about this next time

http://feeds.feedburner.com/portadiferro

Cisco Context-aware Security Webcast on August 9, 2011

Free Webcast August 9, 2011 1 p.m. Eastern Time, 12 p.m. Central Time, 10 a.m. Pacific Time Attend from wherever you are. Free White Paper Dynamic, Flexible Security Architecture By Andreas M. Antonopoulos, SVP and Founding Partner, Nemertes Research Free White Paper Cisco Cloud Security Accelerates Cloud Adoption Gartner 2011 CIO Survey revealed that almost half of all CIOs expect to operate their applications and infrastructures via cloud technologies within the next five years. Read this white paper to learn more about how Cisco cloud security solutions help remove cloud adoption barriers. Find Out More About Cisco SecureX The Cisco SecureX Architecture delivers policy-driven security in a scalable and consistent manner, to increase business growth and measurably reduce risk. Visit the Cisco SecureX Architecture and Identity Services Engine websites or contact your Cisco account representative to learn more. Are you challenged with protecting your workplace as more and more users bring their tablets and smart phones to your network? You are not alone. Even as workforces become more mobile and new technologies like data center consolidation and virtualization transform the IT industry, security remains static, location-based and inflexible. To meet the needs of the new, dynamic work environment, businesses must approach security with new thinking. A context-aware security approach permits flexible, policy-based security that travels with the user, no matter where and how the network is accessed. Cisco and Nemertes Research invite you to a live webcast about improving security in today’s dynamic work environment. During this webcast, Andreas Antonopoulos, Senior Vice President of Nemertes, will discuss: Why much of today’s security can barely keep up in a fast-changing environment Why the focus of security must shift from where the user is to who the user is How an identity-centric security architecture can permit secure, always-on business Additionally, Fred Kost, Director of Security Solutions of Cisco, will provide a deep-dive technical review of the newly launched Cisco Identity Services Engine and share with you: The latest information about the new Cisco SecureX Architecture How you can implement context-aware and policy-driven security in a scalable and consistent manner for business growth while measurably reducing risk “Companies need to transform their security infrastructure, to remove location-specific controls and introduce an identity-centric architecture that offers dynamic, flexible, mobile, policy-based security.” – Andreas M. Antonopoulos, Nemertes Research

© 2011 Cisco Systems, Inc. and/or its affiliated entities Share | Refer a colleague

Antonio Ierano EUROPEAN CONSULTING SYSTEMS ENGINEER Borderless Network: Security anierano@cisco.com Phone: +39 039 629 5092 Mobile: +39 331 628 9653 Follow me on Twitter @Antonioierano Follow my tech Blogs: PostOffice and PostOffice2 Check my profile on LinkedIn	Cisco Security Intelligence Operations Senderbase

http://feeds.feedburner.com/portadiferro

First of all we should try to define which process we want to consider. I opted for the Email systems because this is, generally speaking, a strongly neglected and misunderstood  area of IT process.

While mail is widely used and accepted as a communication media worldwide there are a few implementations that consider email security as a whole process involving users, data, and business value. the usual consideration we find around email is:

• why our mailbox is so little
• spam is annoying
• it is not a big issue if we stay without email for a while
• ….

well we should try to understand what email system really is.

I will use a top down approach trying to highlight all the issues and references that could have an impact in business and in the security space.

Then we will try to understand what security approach and technologies would be more useful and we could discover some unexpected relationships.

Sending and E-mail

What means allowing someone to use email?
What is email impact to our business?
What is the value of this service?
And the value of the data processed?

Those are questions that we all should be able to answer when dealing with a mail systems. The choice we do will impact our business widely in terms of productivity and customer satisfaction so we should not underestimate this.

So first of all let’s try to define what we’re talking about.

Basically sending an e-mail is a process that allow a User A to send information to a User B.

From a user perspective this require to give some info to the email client in order to be able to allow the message to be correctly delivered.

the User A experience is based on 4 basic steps:

access to email client
bein able to put the destination address and the recipient address
add the info to the email
send the message

Accordingly the User B should be able to recieve the message, open it and read it. At the end B should also be able to eventually answer to the message.

Right at this level we can start doing some consideration around the email system:

Who can access this service?
Who should provide this service?
Could we allow multiple services?
Do we neeed to control the information sent\recieved?
Do we need to control sender and recipients?
Do we need to define devices allowed to send messages?
Do we need to define a perimeter to send\recieve messages?
Do we need to define SLA related to this service?
…

of course answering those questions could open new subquestions, for example:

“Who can access this service?” should imply at least:

• can we recognize the users?
• what is the general knowledge of those users? do they need training?
• can we force an identification?
• can we log them?
• do we have to store the data sent?
• is there any legal implication?
• how we control unwanted access? is this a problem?
• ….

and for the other questions:

• can we provide it internally?
• Could we externalize the service?
• do we need to hold locally some data?
• are there any legal implication?
• ….

• Do we offer just one service (internal mail)?
• Do we allow the use also of personal email systems (Like Google, yahoo, Live…)?
• Can we implement control policy on any system?
• …

• Do we manage sensitive information?
• Is there any kind of communication that would be dangerous to be sent out by employee?
• Do we receive sensitive information with this media?
• how we control the trustworthiness of information received?
• is any legal implication?
• …

• do we need to impose limit to access the mail systems?
• do we need to prove our sender identity o the recipient?
• do we need to check if someone is sending message on behalf of someone else?
• …

• can we expose mail through a web-mail interface?
• can we allow mail being read on mobile devices?
• do those devices have to be company owned or could be of any kind?
• do we force a VPN connection to access email?
• …

• can anyone send\recieve email?
• are any limitation for role or location?
• can we define subset of needs that require special care (ie. legal dept, HR, contracts…)?
• ….

• what are expected SLA expectation?
• can we define sla for the several aspects of the service as delivery time, storage, access, uptime…..?
• ….

http://feeds.feedburner.com/portadiferro

Non sarà una vigilia tranquilla per l’Agcom: sarà, piuttosto, “La Notte della Rete”. Il 5 luglio, a 24 ore dall’approvazione della Delibera definita “ammazza-Internet” dai blogger italiani, artisti, esponenti della rete, leader politici, cittadini e utenti del web si troveranno a Roma per una no-stop contro il provvedimento.
Per maggiori informazioni sul provvedimento dell’Agcom vai alla pagina: www.agoradigitale.org/nocensura

Fra i presenti già confermati:
Olivero Beha, Rita Bernardini, Emma Bonino, Pippo Civati, Nicola D’Angelo, Juan Carlos de Martin, Tana de Zulueta, Antonio Di Pietro, Dario Fo, Giovanbattista Frontera, Alessandro Gilioli, Peter Gomez, Beppe Giulietti, Fabio Granata, Margherita Hack, Carlo Infante, Giulia Innocenzi, Ignazio Marino, Gianfranco Mascia, Gennario Migliore, Roberto Natale, Luca Nicotra, Leoluca Orlando, Flavia Perina, Marco Perduca, Marco Pierani, il Piotta, Donatella Poretti, Enzo Raisi, Franca Rame, Fulvio Sarzana, Marco Scialdone, Guido Scorza, Mauro Vergari, Carlo Verna, Vincenzo Vita, Vittorio Zambardino.

• Fai girare la notizia, condividila con i tuoi contatti [QUI IMMAGINE FACEBOOK + LINK ALLA POSSIBILITÀ DI FARE SHARE]
• Conferma la tua adesione alla mobilitazione tramite la pagina www.agoradigitale.org/lanottedellarete e tramite il corrispondente evento facebook http://www.facebook.com/event.php?eid=186527864733678
• Pubblica la notizia dell’evento de LA NOTTE DELLA RETE sul tuo blog e manda in onda la diretta in streaming dal sito de Il Fatto Quotidiano. Compilando il form che trovi all’indirizzo  www.agoradigitale.org/lanottedellarete riceverai nelle prossime ore il codice per l’embed della trasmissione sul tuo sito web.
• Firma la petizione all’Agcom all’indirizzo www.sitononraggiungibile.it e manda un messaggio ai membri dell’Agcom qui: http://www.avaaz.org/it/it_internet_bavaglio ;
• Informati sugli ultimi sviluppi della mobilitazione e sugli altri modi per entrare in azione dal sito http://www.agoradigitale.org/nocensura.

http://feeds.feedburner.com/portadiferro