Heartbleed....and why yours should, too
- Karen Hardy
- 8 years ago
1 Heartbleed... and why yours should, too (OSDC)

2 You are in the right session
- This is an emergency service announcement
- Due to events that transpired on Tuesday, I thought it'd be good to have some info
3 About me
- Dr. Christopher Kunz
- Studied CompSci in Hannover, PhD in 2012
- Has worked as a hoster for 15 years
- Some admin experience
- Used to do a lot of PHP
- Author of "PHP-Sicherheit", ed. 1-3
- And don't get me started about swords!
4 About filoo
- Quickly-growing hosting company
- Data center in Frankfurt, Germany
- Developed its own IaaS middleware on QEMU/KVM, OVS, Ceph
- Offers hosting, co-location and cloud services
- 100% subsidiary of Thomas-Krenn.AG; visit their booth!
5 Heartbleed in a nutshell
- A bug with a cute name... and not so cute effects
- CVE-2014-0160: a pre-auth, pre-logging bug in OpenSSL's TLS/DTLS heartbeat handling, independent of whatever application sits on top
- Introduced in OpenSSL 1.0.1 (March 2012); present in 1.0.1 through 1.0.1f, fixed in 1.0.1g
- Lets a peer read up to 64 KB of the other side's process memory per heartbeat, in either direction: a client talking to a malicious server is just as exposed as a server
6 Wait. What?
- Yes, remote memory dumps
- Due to an unchecked length field, a TLS-enabled server copies memory lying beyond the heartbeat it received into its reply and sends that to the client
- Limit of 64 KB per reply
- Multiple replies possible, so the per-reply limit hardly matters
- The memdump may contain:
  - URLs and GET/POST variables
  - Random excerpts from whatever
  - Source code of scripts/whatever else
  - SSL certificate private keys
7 About DTLS heartbeats
- RFC 6520, "Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension"
- Provides a heartbeat for TLS (TCP) and DTLS (mostly UDP) sessions
- Intended to add stability to unstable connections and prevent renegotiations
- Implemented in OpenSSL as part of a PhD thesis
- Patch committed in December 2011; first shipped in OpenSSL 1.0.1 (March 2012)
8 What this bug is not
- This is not a crypto bug, at least not in its primary function
- This is not a fully arbitrary memory disclosure: only memory belonging to the attacked daemon can be dumped (bad enough, since that is where its private key lives)
- This is not a remote root hole
- Hence the relatively low CVSS score
9 Anatomy of the bug 1
From RFC 6520:

    struct {
       HeartbeatMessageType type;
       uint16 payload_length;
       opaque payload[HeartbeatMessage.payload_length];
       opaque padding[padding_length];
    } HeartbeatMessage;

- payload_length: The length of the payload.
- payload: The payload consists of arbitrary content.
- The RFC also says that a HeartbeatMessage whose payload_length is too large MUST be discarded silently; OpenSSL never checked
10 Anatomy of the bug 2
ssl/d1_both.c, line 1474+ (dtls1_process_heartbeat in OpenSSL 1.0.1f; the TLS twin lives in ssl/t1_lib.c):

    /* payload: the uint16 length field taken from the peer's message (n2s(p, payload));
     * pl: pointer to the peer's payload bytes; padding: 16 */
    buffer = OPENSSL_malloc(1 + 2 + payload + padding);
    bp = buffer;
    [..]
    memcpy(bp, pl, payload);   /* copies payload bytes from pl, never compared to the record actually received */

From commit d069b4c...b02a22116ad75f822b (hash incomplete in the transcription)
11 Anatomy of the bug 3
- The heartbeat handler allocates payload+19 bytes of memory (1 type byte + 2 length bytes + payload + 16 bytes padding)
- It then copies `payload` bytes starting at `pl` via memcpy() to construct the response; `payload` is the client's payload_length field, taken on trust
- The client sets payload_length to 65535 (0xFFFF)...
- ...but sends only 1 byte of data in the payload
- The response contains that 1 byte of client-supplied payload...
- ...followed by up to 64 KB of whatever sat in memory after the received record
- Analysis in: http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
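The over-read above, replayed in Python as an added example (this is my byte-level model of dtls1_process_heartbeat, not OpenSSL's code and not from the talk): a heartbeat record sits at the start of a constructed "heap" buffer, the vulnerable path copies as many bytes as the peer's length field demands, and the fixed path applies the check OpenSSL 1.0.1g added. The helper names, the fake heap contents and the secret are assumptions for the demo.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # OpenSSL appends exactly 16 bytes of padding to its reply


def build_heartbeat(claimed_len: int, payload: bytes) -> bytes:
    """Heartbeat request as the peer sends it: type, payload_length, payload, padding.
    An honest client passes claimed_len == len(payload); a Heartbleed probe does not."""
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * PADDING


def process_heartbeat(memory: bytes, record_len: int, fixed: bool):
    """Model of dtls1_process_heartbeat. `memory` is a constructed heap region whose
    first `record_len` bytes are the received record (s->s3->rrec.length); the rest
    is unrelated data the process happens to hold. Returns the response bytes, or
    None if the message is discarded."""
    hbtype, payload = struct.unpack_from("!BH", memory, 0)  # n2s(p, payload)
    pl = 3                                                  # offset of the peer's payload
    if fixed:
        # The 1.0.1g check: header + claimed payload + padding must fit inside
        # the record that actually arrived.
        if 1 + 2 + payload + PADDING > record_len:
            return None
    if hbtype != HB_REQUEST:
        return None
    # buffer = OPENSSL_malloc(1 + 2 + payload + padding); memcpy(bp, pl, payload);
    # nothing stops the copy from running past record_len into neighbouring memory.
    return struct.pack("!BH", HB_RESPONSE, payload) + memory[pl:pl + payload] + b"\x00" * PADDING


def leaked_bytes(response: bytes, request: bytes) -> bytes:
    """The part of a response body that was never in the request (payload or padding)."""
    claimed = struct.unpack_from("!BH", response, 0)[1]
    return response[3:3 + claimed][len(request) - 3:]


def demo() -> dict:
    # Constructed "heap": 64 filler bytes, then something worth stealing (an assumption).
    secret = b"Cookie: session=0123abcd; -----BEGIN RSA PRIVATE KEY-----"
    heap = b"\x90" * 64 + secret + b"\x00" * 128
    honest = build_heartbeat(1, b"A")
    evil = build_heartbeat(0xFFFF, b"A")  # claims 65535 bytes, sends one
    vuln_reply = process_heartbeat(evil + heap, len(evil), fixed=False)
    return {
        "honest_echoed": process_heartbeat(honest + heap, len(honest), fixed=True)[3:4] == b"A",
        "vulnerable_leaks_secret": secret in leaked_bytes(vuln_reply, evil),
        "fixed_discards_probe": process_heartbeat(evil + heap, len(evil), fixed=True) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The model keeps the real code's shape on purpose: the allocation is sized from the attacker's number, the copy length is the attacker's number, and the only thing the fix changes is that both are compared to the record length before anything else happens.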
12 Test vulnerability
- Python script at: https://gist.github.com/takeshixx/
- Can test any SSL/TLS-enabled TCP service
- Has support for StartTLS (-s option)
- Conveniently dumps 64 KB of memory for you
- Sample output on the slide (hex dump of leaked memory); the readable fragments are URL-encoded JSON request parameters: ...%22_mode%22%3A%22json%22%2C%22_id%22%3A%22p_...%22container%22%3A0%2C%22_action%22%3A%22view%22%2C...
13 Memdump (screenshot on the slide)
- From: https://twitter.com/markloman/status/
14 Memdump
- Memory contents are non-deterministic
- Sometimes exciting, mostly boring
- So just keep pulling:

    while true; do python hb-test.py yahoo.com | grep -C 2 login >> /tmp/out; sleep 1; done

- Profit!
15 Detect exploitation
- No logging on the machine
- All exploitation is pre-logging, pre-application: the heartbeat is answered inside libssl before the application ever sees a request
- IDS vendors are pushing out signatures already; the tell-tale is a heartbeat record whose payload_length claims more than the record carries
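Since the host itself logs nothing, the wire is the only place to look. The following is an added example (mine, not the talk's and not any vendor's signature) of the check an IDS rule for this bug boils down to: walk the TLS record layer, and flag heartbeat records (content type 24) whose payload_length exceeds what the record can hold. The sample byte strings are constructed, not captured traffic.

```python
import struct

CT_HEARTBEAT = 24   # TLS content type of a heartbeat record
PADDING = 16        # RFC 6520: at least 16 bytes of padding follow the payload


def tls_records(stream: bytes):
    """Yield (content_type, version, body) for each complete TLS record in a byte stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack_from("!BHH", stream, off)
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:
            break  # truncated record, nothing more to parse
        yield ctype, version, body
        off += 5 + length


def heartbeat_verdict(body: bytes) -> str:
    """Classify one cleartext heartbeat record body."""
    if len(body) < 3:
        return "malformed"
    _hbtype, claimed = struct.unpack_from("!BH", body, 0)
    available = len(body) - 3 - PADDING  # payload bytes the record can actually hold
    return "heartbleed-probe" if claimed > available else "ok"


def scan(stream: bytes):
    """Return (record index, verdict) for every heartbeat record that is not clean."""
    alerts = []
    for i, (ctype, _version, body) in enumerate(tls_records(stream)):
        if ctype == CT_HEARTBEAT:
            verdict = heartbeat_verdict(body)
            if verdict != "ok":
                alerts.append((i, verdict))
    return alerts


def record(ctype: int, body: bytes, version: int = 0x0302) -> bytes:
    """Wrap a body in a TLS record header (TLS 1.1 version bytes by default)."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


# Constructed sample stream: an application-data record, an honest 4-byte heartbeat
# and a probe claiming 65535 payload bytes while carrying one.
SAMPLE_STREAM = (
    record(23, b"GET / HTTP/1.1\r\n")
    + record(CT_HEARTBEAT, struct.pack("!BH", 1, 4) + b"ping" + b"\x00" * PADDING)
    + record(CT_HEARTBEAT, struct.pack("!BH", 1, 0xFFFF) + b"A" + b"\x00" * PADDING)
)

if __name__ == "__main__":
    print(scan(SAMPLE_STREAM))
```

This only works while heartbeats are in the clear, which is exactly how the public test script probes: it sends the heartbeat right after the ServerHello, before the handshake finishes. Once the session is encrypted, all a sensor can see is an unusually large heartbeat response record, so the same sensor should also alert on heartbeat records far above the few dozen bytes a real keepalive needs.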
16 Affected services
- Above all, SSL-enabled web servers; any that uses OpenSSL, anyway
- Mail servers: IMAP over SSL, POP over SSL, SMTP over SSL, StartTLS
- VPN tunnels: OpenVPN when linked against a vulnerable OpenSSL (a tls-auth key keeps unauthenticated peers from getting a heartbeat through at all)
- Potentially others: IRC servers, XMPP, FTP over TLS
- Android is vulnerable (4.1.1 ships the affected OpenSSL with heartbeats enabled)
- OpenSSH is not vulnerable (it uses libcrypto, not the TLS code in libssl)
17 Linux versions affected
- OpenSSL 1.0.1 through 1.0.1f (1.0.0 and 0.9.8 never had the heartbeat code)
- Debian Wheezy, Jessie, Sid; fixed for Wheezy & Sid
- Ubuntu 12.04, 12.10, 13.10; fixed packages exist (10.04 LTS ships OpenSSL 0.9.8 and is not affected)
- RHEL 6; patch exists
- And all others that ship OpenSSL 1.0.1
- Clients are also vulnerable!
18 Other affected stuff
- Cisco devices: "We use Cisco SSL which is not OpenSSL"; SSL VPN products potentially affected
- Juniper has released fixes for their SSL VPN, none for J-Web etc. yet
- Big-IP? Kemp? Fritz!Box? Your home NAS?
- More info (hopefully) in CERT/CC's vendor list for VU#720951: http://.../vuls/byvendor?searchview&query=field+Reference=720951&SearchOrder=
19 Mitigation & cleanup
- First, upgrade to a fixed OpenSSL: apt-get update && apt-get install openssl libssl1.0.0
- Next, restart every service that still has the old library mapped: use checkrestart (from debian-goodies) or lsof -n | grep DEL | grep ssl
- If you use static binaries, recompile everything: the package upgrade does not touch them
- If you use Google's mod_spdy on Apache 2.2, don't: it has its own statically linked mod_ssl which is shamefully out of date
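The "which daemons still run the old code" step is where upgrades usually go wrong, so here is the lsof/checkrestart check done directly from /proc as an added example (mine, not the talk's): a mapping whose backing file was replaced on disk shows up in /proc/<pid>/maps with a "(deleted)" suffix, and any process still mapping a deleted libssl or libcrypto is still running the vulnerable code. The maps excerpts below are constructed; the live variant reads every readable /proc/<pid>/maps.

```python
import os
import re
from typing import Dict, List

# A maps line ends in "(deleted)" once the file backing the mapping was replaced
# on disk, which is exactly what the package upgrade of libssl/libcrypto does.
DELETED_SSL = re.compile(r"\s(\S*/lib(?:ssl|crypto)\.so\S*)\s+\(deleted\)\s*$")


def stale_ssl_libs(maps_text: str) -> List[str]:
    """Deleted libssl/libcrypto objects a process still has mapped, from its /proc/<pid>/maps."""
    found = {m.group(1) for m in map(DELETED_SSL.search, maps_text.splitlines()) if m}
    return sorted(found)


def processes_needing_restart(maps_by_pid: Dict[int, str]) -> Dict[int, List[str]]:
    """pid -> stale libraries, for every process that still executes the old code."""
    result = {}
    for pid, text in maps_by_pid.items():
        libs = stale_ssl_libs(text)
        if libs:
            result[pid] = libs
    return result


def read_live_maps() -> Dict[int, str]:
    """Collect /proc/<pid>/maps for every process we may read (run as root to see them all)."""
    out = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/maps") as fh:
                out[int(name)] = fh.read()
        except OSError:
            continue  # process vanished or is not ours
    return out


# Constructed sample: pid 1234 still maps the replaced libraries, pid 5678 has a
# deleted temp file but a current libssl, pid 42 does not use SSL at all.
SAMPLE_MAPS = {
    1234: "\n".join([
        "7f1e3c000000-7f1e3c1b5000 r-xp 00000000 08:01 393292 /lib/x86_64-linux-gnu/libc-2.13.so",
        "7f1e3c600000-7f1e3c65a000 r-xp 00000000 08:01 402411 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)",
        "7f1e3c85a000-7f1e3ca00000 r-xp 00000000 08:01 402409 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)",
    ]),
    5678: "\n".join([
        "7f9a10000000-7f9a1005a000 r-xp 00000000 08:01 402430 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0",
        "7f9a10200000-7f9a10201000 rw-s 00000000 08:01 11 /tmp/sess_1a2b3c (deleted)",
    ]),
    42: "7f0000000000-7f00001b5000 r-xp 00000000 08:01 393292 /lib/x86_64-linux-gnu/libc-2.13.so",
}

if __name__ == "__main__":
    for pid, libs in sorted(processes_needing_restart(read_live_maps()).items()):
        print(pid, " ".join(libs))
```

Two limits a practitioner should keep in mind: statically linked binaries (the mod_spdy case above) never show up here because they map no libssl at all, and a process that has no deleted mapping yet was started before the upgrade and dlopen'd nothing is fine, so an empty result after a reboot-free upgrade is the state you want, not a sign the check is broken.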
20 What about certs?
- It is possible that private keys have leaked
- If so, you need to revoke & reissue certs; some CAs offer free reissue
- If you don't have PFS, you have a problem: attackers who sniffed your traffic in the past can decrypt it with the leaked key
- The same goes for everything else that passed through the process: passwords, session cookies and tokens seen in GET/POST data have to be treated as compromised, too
21 Thank you
- Do not despair, there is hope! http://xkcd.com/1353/
- ...and now, back to our regularly scheduled programme!
22 Software-defined Networking In an open-source cloud
23 Agenda
- High-level overview: What is this about?
- The use case: virtualized networks for IaaS
- Intro to Open vSwitch
- How-to: deploy Open vSwitch
- Frontnet, backnet, public net
- Firewalling
- Tying it all together
24 So what's the hype?
- Software-Defined Networking is the hype
- I'm not good with hype
- Networking is decoupled from bare metal; essentially you virtualize parts of your network
- Control and data plane are decoupled
- Many vendors jumped on the train: HP, Cisco, VMware, you name it
25 OpenFlow
- Imperative control
- Switches are dumb: they only forward according to rules
- OpenFlow controllers make the rules
- In reactive mode, the first packet of each new flow is sent to the OpenFlow controller, which installs a rule; subsequent packets go directly through the switch
26 OpFlex
- Cisco's answer to OpenFlow
- Other vendors on board: Citrix, Microsoft, Red Hat, Canonical
- Not on board: Juniper, HP, Huawei, VMware
- Balances intelligence between switch and controller
- Declarative control: just declare how you want it and the switch interprets that policy
- Published as an IETF Internet-Draft (draft-smith-opflex), not a standard
- Open APIs
- Altruistic goal: eliminate the SPOF (the controller)
- Egoistic goal: sell smarter (= $++) switches
27 The OSS contender
- Open vSwitch, openvswitch.org
- Open source: user space under the Apache 2.0 license (non-viral), kernel module under GPLv2
- Multilayer (L2, L3) virtual switch
- Supports lots of interesting features: VLANs, NetFlow, sFlow, LACP, filtering, ...
28 OVS overview (figure shamelessly lifted from [1])
- Off-box: the control cluster
- User space: ovsdb-server, reached over the management protocol (6632/TCP), and ovs-vswitchd, reached over OpenFlow (6633/TCP)
- Kernel: the OVS kernel module, driven by ovs-vswitchd over Netlink
29 OVSDB
- The database holds configuration items: definitions for bridges, tunnels, interfaces; controller addresses
- Configuration is reboot-safe
- Custom database system, not MySQLiteMongoDB
- Speaks a custom JSON-RPC protocol (OVSDB, later documented as RFC 7047)
- Log based: ovsdb-tool show-log shows all changes
- Nifty for debugging / change management!
30 How OVS works
- Imperative control: all intelligence is in the controller (or in the flows you push with ovs-ofctl); the data path only carries out instructions
- Data path: kernel module, licensed under GPLv2
- Controller and switch daemon: live in userland, licensed under Apache 2.0
31 Flow, flow
- Everything is a flow
- A flow is a combination of input port, VLAN, MAC, IP, TCP/UDP port
32 OVS management
- Command-line tools
- ovs-vsctl for switch management
- ovs-ofctl for flow management
- ovsdb-tool for database management
33 What's our angle here?
- filoo is a hoster.
- We host VMs.
- VMs need networking.
- See where this goes?
34 What we wanted
- Internet-facing front-net interface
- Private LAN for VMs
- VM isolation
- Firewalling
- Traffic shaping
- Fine-grained accounting
- Live migration
35 Overview - physical (diagram: front-end switch, back-end switch)

36 Overview - virtual (diagram: three firewall instances)

37 Overview - OVS stack (diagram: three OVS instances)
38 Let's get started
- We usually compile OVS ourselves; there are also packages in apt, those might work or not
- Download & compile OVS (latest stable: 2.1.0):

    ./boot.sh && ./configure && make && make install

- Kernel module: in mainline since 3.3; enable it under Networking -> Networking options -> Open vSwitch, then modprobe openvswitch
39 Let's get started 2
- Set up the OVS database:

    ovsdb-tool create conf.db vswitch.ovsschema

- conf.db lives in /usr/local/etc/openvswitch; the schema ships with the source at /usr/src/openvswitch-<version>/vswitchd/vswitch.ovsschema
- Make sure ovsdb-server and ovs-vswitchd start before networking: add startup entries to rc.local, remove networking from rc.d, start networking from rc.local
40 Initial bridges
- Front-net VLAN: 199; same procedure for the back-net VLAN
- Add the bridge and an internal port that will carry the host's own address on that VLAN:

    ovs-vsctl add-br vmbr1
    ovs-vsctl add-port vmbr1 vlan199 tag=199 -- set interface vlan199 type=internal

- Log in via IPMI, then hand the physical NIC to the bridge:

    ovs-vsctl add-port vmbr1 eth1

- The machine is offline now: eth1 no longer carries the host IP, so move that address to vlan199 and modify the physical switching (the switch port now has to carry VLAN 199)
41 VM networking
- We use KVM/QEMU
- Add the TAP interface and hand it to QEMU (use script=no on the netdev, otherwise QEMU's default ifup script tries to attach the TAP to a Linux bridge):

    /sbin/ip tuntap add dev tap1i0d0 mode tap user fcms
    qemu-system-x86_64 ... -device rtl8139,mac=00:f1:70:00:00:10,netdev=vlan0d0 -netdev type=tap,id=vlan0d0,ifname=tap1i0d0

- Bring up the port on the bridge, tagged with the customer VLAN:

    /usr/local/bin/ovs-vsctl add-port vmbr0 tap1i0d0 tag=199 -- set port tap1i0d0 other_config:stp-enable=false
42 From TAP to port to flow
- We have a TAP interface, tap1i0d0
- Find the corresponding bridge port:

    ovs-ofctl show vmbr0 | grep tap1i0d0
    1820(tap1i0d0): addr:fa:7a:67:e3:5d:..

- Now we have a port number, 1820; we use this port for flow management
43 Multiple interfaces
- Add more TAP interfaces
- Assign one VLAN per customer
- Internal network across VMs on the same node
- Make the VLAN known on the inter-node switches, via whatever switch automation you have
- Cross-node internal networking
- VLAN limits apply: hard cut at ~4090 VLANs
- Overlay networks to the rescue
44 Prevent MAC spoofing
- We know the VM's MAC and IP address because we control the hypervisor!
- Send all ARP from the VM's port to table 2; there, allow only ARP whose sender hardware address and sender IP are the ones we assigned, and drop the rest:

    PORT=1820
    ovs-ofctl add-flow vmbr0 "in_port=${PORT},arp,idle_timeout=0,priority=39500,actions=resubmit(${PORT},2)"
    ovs-ofctl add-flow vmbr0 "table=2,in_port=${PORT},arp,priority=200,idle_timeout=0,arp_sha=00:f1:70:00:00:10,nw_src=<the VM's IP>,actions=normal"
    ovs-ofctl add-flow vmbr0 "table=2,in_port=${PORT},priority=100,idle_timeout=0,actions=drop"
45 Caveats for MAC/ARP
- Sometimes you want customers to spoof: HA solutions that switch cluster IP addresses
- You can cater for this if you know the corresponding MACs: assign sequential MACs and wildcard them, or set specific rules
- Optional HA feature for VMs
- Never allow customers to wildcard here!
46 Firewalling with flows

    ovs-ofctl add-flow vmbr0 "in_port=${PORT},table=1,tcp,idle_timeout=0,nw_dst=<to>/32,nw_src=<from>/32,tp_dst=80,priority=38000,actions=drop"

- From <from>, to <to>, port 80: drop
47 Port ranges

    ovs-ofctl add-flow vmbr0 "in_port=${PORT},table=1,tcp,idle_timeout=0,nw_src=<from>/32,nw_dst=<net>/24,tp_src=0x05e8/0xfffc,priority=37960,actions=drop"

- Source <from>, destination <net>/24
- Source port = 0x05E8/0xFFFC, i.e. 1512/65532: the mask clears the two low bits, so this one rule matches ports 1512 through 1515; a range that is not an aligned power-of-two block needs several such rules
- OVS 1.11 supports megaflows, i.e. universal wildcarding
48 Default accept

    ovs-ofctl add-flow vmbr0 "in_port=${PORT},table=1,priority=100,actions=normal"

- Fallthrough rule: matches everything else from this port, at the lowest priority in table 1
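The per-VM rules from slides 42 through 48 are the kind of thing you generate rather than type, so here is a small generator as an added example (mine, not filoo's tooling): it pulls the port number out of `ovs-ofctl show` output, builds the anti-spoofing and firewall flows, and splits an arbitrary source-port range into the aligned value/mask pairs a `tp_src=value/mask` match can express (the slide's 0x05e8/0xfffc is one such pair). Bridge, table numbers and priorities follow the slides; `arp_spa` is the explicit name of what the slides match as `nw_src` on ARP. The table-0 rules that check IP traffic against the assigned MAC/IP and hand it to table 1, their priorities, and the `ovs-ofctl show` excerpt are my assumptions, since the slides never show how table 1 is reached.

```python
import re
from typing import List, Set, Tuple


def port_from_ofctl_show(output: str, ifname: str) -> int:
    """OpenFlow port number of an interface, parsed from `ovs-ofctl show <bridge>` output."""
    m = re.search(r"^\s*(\d+)\(%s\):" % re.escape(ifname), output, re.M)
    if not m:
        raise LookupError(f"{ifname} is not a port on this bridge")
    return int(m.group(1))


def port_range_to_masks(lo: int, hi: int) -> List[Tuple[int, int]]:
    """Minimal list of (value, mask) pairs whose union is exactly the ports lo..hi.
    Each pair is an aligned power-of-two block, which is all a bitmask can express."""
    if not 0 <= lo <= hi <= 0xFFFF:
        raise ValueError("ports must satisfy 0 <= lo <= hi <= 65535")
    pairs = []
    while lo <= hi:
        size = 1
        # grow the block while it stays aligned to its size and inside [lo, hi]
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        pairs.append((lo, 0xFFFF & ~(size - 1)))
        lo += size
    return pairs


def covered_ports(pairs: List[Tuple[int, int]]) -> Set[int]:
    """Brute-force the ports a list of value/mask pairs matches (to verify a decomposition)."""
    return {p for p in range(0x10000) for v, m in pairs if p & m == v & m}


def antispoof_flows(port: int, mac: str, ip: str) -> List[str]:
    """Slide 44's ARP filter, plus (assumed) the same check on IP packets and the
    hand-off into the firewall table; everything else from the port is dropped."""
    return [
        f"table=0,priority=39500,in_port={port},arp,actions=resubmit({port},2)",
        f"table=2,priority=200,in_port={port},arp,arp_sha={mac},arp_spa={ip},actions=normal",
        f"table=2,priority=100,in_port={port},actions=drop",
        # assumed: IP traffic must carry the assigned MAC and IP, then goes to table 1
        f"table=0,priority=39000,in_port={port},ip,dl_src={mac},nw_src={ip},actions=resubmit({port},1)",
        f"table=0,priority=38000,in_port={port},actions=drop",
    ]


def drop_flows(port: int, src: str, dst: str, dst_port: int = None,
               src_range: Tuple[int, int] = None, priority: int = 38000) -> List[str]:
    """Table-1 drop rules like slides 46/47; a source-port range expands to one rule per mask."""
    base = f"table=1,priority={priority},in_port={port},tcp,idle_timeout=0,nw_src={src},nw_dst={dst}"
    if dst_port is not None:
        base += f",tp_dst={dst_port}"
    if src_range is None:
        return [base + ",actions=drop"]
    return [f"{base},tp_src=0x{v:04x}/0x{m:04x},actions=drop" for v, m in port_range_to_masks(*src_range)]


def default_accept(port: int) -> str:
    """Slide 48's fallthrough rule for table 1."""
    return f"table=1,priority=100,in_port={port},actions=normal"


# Constructed `ovs-ofctl show vmbr0` excerpt; a real one lists every port on the bridge.
SAMPLE_OFCTL_SHOW = """OFPT_FEATURES_REPLY (xid=0x2): dpid:0000001b21aabbcc
n_tables:254, n_buffers:256
 1820(tap1i0d0): addr:fa:7a:67:e3:5d:01
     config:     0
     state:      0
 LOCAL(vmbr0): addr:00:1b:21:aa:bb:cc
"""

if __name__ == "__main__":
    port = port_from_ofctl_show(SAMPLE_OFCTL_SHOW, "tap1i0d0")
    flows = (antispoof_flows(port, "00:f1:70:00:00:10", "10.0.0.10")
             + drop_flows(port, "10.0.0.1/32", "10.0.1.0/24", src_range=(1512, 1515), priority=37960)
             + [default_accept(port)])
    print("\n".join(flows))   # pipe into: ovs-ofctl add-flows vmbr0 -
```

Feeding the output to `ovs-ofctl add-flows vmbr0 -` installs all rules in one go. The decomposition deliberately errs on the side of exactness: a range such as 1000-2000 becomes a handful of rules rather than one sloppy mask that would also let neighbouring ports through, and `covered_ports` lets you prove that before the rules go live.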
49 Accounting
- We grab interface counters from the TAP interfaces
- You can also use NetFlow/sFlow or IPFIX
- We didn't go there yet, experiences welcome
50 Shaping
- Simple shaping (ingress policing; the rate is in kbit/s, the burst in kbit):

    ovs-vsctl set Interface tap0 ingress_policing_rate=<kbit/s>
    ovs-vsctl set Interface tap0 ingress_policing_burst=1000

- QoS policies (HTB with per-queue limits):

    ovs-vsctl set port eth1 qos=@newqos -- \
      --id=@newqos create qos type=linux-htb \
        other-config:max-rate=<bit/s> queues=0=@q0,1=@q1 -- \
      ...

- We don't do QoS policies; shaping works mostly as intended
51 Live migration
- We don't actually do OVS's own live migration
- Start the VM on the target host in suspend-to-RAM mode
- Stop the VM on the losing host; down its interface
- Resume the VM on the target host
- There are live migration mechanisms in OVS: L2 based, inter-OVS GRE tunnel
- Honestly, I have no clue
52 Thank you
- I hope you learned something
- If not, I hope you had a laugh at my expense
- If neither, I'm really sorry. Beer?
- Questions?
53 Literature
- [1] http://openvswitch.org/slides/OpenStack-...pdf, "OVS Deep Dive"
- OVS introduction: http://horms.net/projects/openvswitch/.../openvswitch.en.pdf
More information6.0. Getting Started Guide
6.0 Getting Started Guide Netmon Getting Started Guide 2 Contents Contents... 2 Appliance Installation... 3 IP Address Assignment (Optional)... 3 Logging In For the First Time... 5 Initial Setup... 6 License
More informationSSL VPN Server Guide. Access Manager 3.2 SP2. June 2013
SSL VPN Server Guide Access Manager 3.2 SP2 June 2013 Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A
More informationAutomating Network Security
Automating Network Security Ivan Pepelnjak (ip@ipspace.net) Network Architect ipspace.net AG Who is Ivan Pepelnjak (@ioshints) Past Kernel programmer, network OS and web developer Sysadmin, database admin,
More informationVM-Series Firewall Deployment Tech Note PAN-OS 5.0
VM-Series Firewall Deployment Tech Note PAN-OS 5.0 Revision A 2012, Palo Alto Networks, Inc. www.paloaltonetworks.com Contents Overview... 3 Supported Topologies... 3 Prerequisites... 4 Licensing... 5
More informationExtending Networking to Fit the Cloud
VXLAN Extending Networking to Fit the Cloud Kamau WangŨ H Ũ Kamau Wangũhgũ is a Consulting Architect at VMware and a member of the Global Technical Service, Center of Excellence group. Kamau s focus at
More informationYealink Technical White Paper. Contents. About VPN... 3. Types of VPN Access... 3. VPN Technology... 3 Example Use of a VPN Tunnel...
1 Contents About... 3 Types of Access... 3 Technology... 3 Example Use of a Tunnel... 4 Yealink IP Phones Compatible with... 5 Installing the Open Server... 5 Installing the Open Server on the Linux Platform...
More information1 Scope of Assessment
CIT 380 Project Network Security Assessment Due: April 30, 2014 This project is a security assessment of a small group of systems. In this assessment, students will apply security tools and resources learned
More informationProtecting and controlling Virtual LANs by Linux router-firewall
Protecting and controlling Virtual LANs by Linux router-firewall Tihomir Katić Mile Šikić Krešimir Šikić Faculty of Electrical Engineering and Computing University of Zagreb Unska 3, HR 10000 Zagreb, Croatia
More informationSDN CONTROLLER. Emil Gągała. PLNOG, 30.09.2013, Kraków
SDN CONTROLLER IN VIRTUAL DATA CENTER Emil Gągała PLNOG, 30.09.2013, Kraków INSTEAD OF AGENDA 2 Copyright 2013 Juniper Networks, Inc. www.juniper.net ACKLOWLEDGEMENTS Many thanks to Bruno Rijsman for his
More informationPenetration Testing LAB Setup Guide
Penetration Testing LAB Setup Guide (External Attacker - Intermediate) By: magikh0e - magikh0e@ihtb.org Last Edit: July 06 2012 This guide assumes a few things... 1. You have read the basic guide of this
More informationIceWarp to IceWarp Server Migration
IceWarp to IceWarp Server Migration Registered Trademarks iphone, ipad, Mac, OS X are trademarks of Apple Inc., registered in the U.S. and other countries. Microsoft, Windows, Outlook and Windows Phone
More informationVirtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN
Virtual private network Network security protocols COMP347 2006 Len Hamey Instead of a dedicated data link Packets securely sent over a shared network Internet VPN Public internet Security protocol encrypts
More informationMuL SDN Controller HOWTO for pre-packaged VM
MuL SDN Controller HOWTO for pre-packaged VM 1 P a g e Table of Contents 1 Starting the VM... 3 2 Using MuL controller... 3 2.1 Mul component overview... 3 2.2 Running MUL... 5 2.2.1 Running MuL s forwarding
More informationMicrosoft Azure Configuration
Microsoft Azure Configuration Azure Setup for VNS3 2015 copyright 2015 1 Table of Contents Introduction 3 Create Azure Private VLAN 10 Launch VNS3 Image from Azure Marketplace 15 VNS3 Configuration Document
More informationDecember 2015 702P00860. Xerox App Studio 3.0 Information Assurance Disclosure
December 2015 702P00860 Xerox App Studio 3.0 Information Assurance Disclosure 2014 Xerox Corporation. All rights reserved. Xerox and Xerox and Design and ConnectKey are trademarks of Xerox Corporation
More informationFirewall Troubleshooting
Firewall Troubleshooting (Checkpoint Specific) For typical connectivity issues where a firewall is in question follow these steps to eliminate any issues relating to the firewall. Firewall 1. From the
More informationOVN: Open Virtual Network for Open vswitch. Russell Bryant (@russellbryant) Kyle Mestery (@mestery) Justin Pettit (@Justin_D_Pettit)
OVN: Open Virtual Network for Open vswitch Russell Bryant (@russellbryant) Kyle Mestery (@mestery) Justin Pettit (@Justin_D_Pettit) Virtual Networking Overview Provides a logical network abstraction on
More informationWhite Paper. SDN 101: An Introduction to Software Defined Networking. citrix.com
SDN 101: An Introduction to Software Defined Networking citrix.com Over the last year, the hottest topics in networking have been software defined networking (SDN) and Network ization (NV). There is, however,
More informationQuick Startup Installation Instructions. Overview. Important Information
Overview The Cisco AnyConnect VPN Client is the next-generation VPN client, providing remote users with secure VPN connections to Washington Regional Medical System s software applications and services.
More informationTECHNICAL NOTE. Technical Note P/N 300-999-649 REV 03. EMC NetWorker Simplifying firewall port requirements with NSR tunnel Release 8.
TECHNICAL NOTE EMC NetWorker Simplifying firewall port requirements with NSR tunnel Release 8.0 and later Technical Note P/N 300-999-649 REV 03 February 6, 2014 This technical note describes how to configure
More informationCenturyLink Cloud Configuration
CenturyLink Cloud Configuration CenturyLink Setup for VNS3:vpn, VNS3:net and VNS3:turret 2015 copyright 2015 1 Table of Contents Introduction 3 CenturyLink Cloud Deployment Setup 9 VNS3 Configuration Document
More informationEnabling Technologies for Distributed and Cloud Computing
Enabling Technologies for Distributed and Cloud Computing Dr. Sanjay P. Ahuja, Ph.D. 2010-14 FIS Distinguished Professor of Computer Science School of Computing, UNF Multi-core CPUs and Multithreading
More informationOpenFlow and Software Defined Networking presented by Greg Ferro. OpenFlow Functions and Flow Tables
OpenFlow and Software Defined Networking presented by Greg Ferro OpenFlow Functions and Flow Tables would like to thank Greg Ferro and Ivan Pepelnjak for giving us the opportunity to sponsor to this educational
More informationSoftware Defined Networking (SDN) - Open Flow
Software Defined Networking (SDN) - Open Flow Introduction Current Internet: egalitarian routing/delivery based on destination address, best effort. Future Internet: criteria based traffic management,
More informationwww.novell.com/documentation SSL VPN Server Guide Access Manager 3.1 SP5 January 2013
www.novell.com/documentation SSL VPN Server Guide Access Manager 3.1 SP5 January 2013 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation,
More information