Category: Security

One of my readers sent me this question:

Using SSL over the Internet is a must when dealing with sensitive data. What about SSL between data center components (frontend load-balancers and backend web servers for example)? Does it make sense to you? Can the question be summarized as "do I trust my Datacenter network team"? Or is there more at stake?

In the ideal world in which you’d have a totally reliable transport infrastructure the answer would be “There’s no need for SSL across that infrastructure”.

My friend Matthias Luft sent me an interesting tweet a while ago:

@ioshints What’s your take on firewall rule sets & IP addresses vs. hostnames?

— Matthias Luft (@uchi_mata) August 16, 2016

All I could say in 160 characters was “it depends”. Here’s a longer answer.

One of my subscribers considered attending the Virtual Firewalls workshop on September 1st and asked:

Would it make sense to attend the workshop? How is it different from the Virtual Firewalls webinar? Will it be recorded?

The last answer is easy: No. Now for the other two.

One of my readers sent me a link to SoftEther, a VPN solution that

[…] penetrates your network admin's troublesome firewall for overprotection. […] Any deep-packet inspection firewalls cannot detect SoftEther VPN's transport packets as a VPN tunnel, because SoftEther VPN uses Ethernet over HTTPS for camouflage.

What could possibly go wrong with such a great solution?

In one of my ExpertExpress engagements the customer expressed the desire to manage their firewall with OpenFlow (using OpenDaylight) and I said, “That doesn’t make much sense”. Here’s why:

Obviously if you can't imagine your life without OpenDaylight, or if your yearly objectives include "deploying OpenDaylight-based SDN solution", you can use it as a REST-to-NETCONF translator assuming your firewall supports NETCONF.

A while ago Big Switch Networks engineers realized there’s a cool use case for their tap aggregation application (Big Tap Monitoring Fabric) – an intelligent patch panel traffic steering solution used as security tool chaining infrastructure in DMZ… and thus the Big Chain was born.

Curious how their solution works? Listen to Episode 58 of Software Gone Wild with Andy Shaw and Sandip Shah.

Gabi Gerber is organizing a Software-Defined Security event in Zurich next week in which I’ll talk about real-life security solutions that could be called software defined for whatever reason, and my friend Christoph Jaggi sent me a few questions trying to explore this particular blob of hype.

For obvious reasons he started with “Isn’t it all just marketing?”

Gabi Gerber (with a bit of help from my side) is organizing another set of SDN events in Zurich (Switzerland) in early June.

In the morning of June 7th we’ll talk about software-defined security:

I’m presenting at two Data Center Interest Group Switzerland events organized by Gabi Gerber in Zurich in early June:

• In the morning of June 7th we’ll talk about software-defined security, data center automation and open networking;
• In the afternoon of the same day (so you can easily attend both events) we’ll talk about VMware NSX microsegmentation and real-life implementations.

I hope to see you in Zurich in a bit more than a month!

The organizers of Troopers 16 conference published the video of my Real-Life Software Defined Security talk. The slides are available on my web site.

Hope you’ll enjoy the talk; for more SDN use cases watch the SDN Use Cases webinar.