Inhaltsverzeichnis für March/April 2020 in ADMIN Network & Security

External drives are a great way to add extra storage quickly and conveniently, but they have drawbacks. For one, their data retrieval capabilities are restricted to the computer to which they are connected. Although this might work for individual users with single PCs, it isn’t a practical solution for most people who have a variety of data-consuming devices. The go-to option for adding more flexibility to your data storage and retrieval policy is a network-attached storage (NAS) solution. With NAS, you can essentially share the storage with everyone on the network. More often than not, a typical NAS setup comprises a specific combination of hardware and software designed to provide file sharing through services such as the Network File System (NFS) and Server Message Block (SMB) protocols. Although you can…

If commentators are to be believed, tech communities have warmly embraced another predictable and definable phase in the Internet's evolution following the steady creep of Internet of Things (IoT) technologies. Apparently, the human race suddenly deems it necessary to connect to the Internet 24 hours a day anything that boasts a thermistor. Reportedly, somewhere in the region of a staggering 50 to 70 billion IoT devices will be in action by the end of 2020. For example, according to one report [1], a water project in China includes a whopping 100,000 IoT sensors to monitor three separate 1,000km-long canals that will ultimately “divert 44.8 billion cubic metres of water annually from rivers in southern China and supply it to the arid north.” The sensors were apparently installed to monitor for…

Kubernetes is not necessarily the brightest star for people who operate networks, because it does not cover more complex network scenarios, such as those found in ISPs, telecommunications companies, and advanced enterprise networks. The Container Network Interface (CNI) only creates the network interfaces required for containers when creating the pods and nodes and removes them when the resources are deleted [1]. This comes as no surprise, because Kubernetes’ flexibility mainly relates to applications. Thanks to application service meshes like Istio, Open Systems Interconnection (OSI) Layers 4 (the level of TCP streams and UDP datagrams) and 7 (HTTP/application protocols) can be configured comprehensively, whereas the underlying Layer 2 and Layer 3 network (frames and IP packet layers) cannot. Who Needs It? The developers [2] of Network Service Mesh (NSM) [3] are…

DevOps Orchestration Platform [1] is a web-server-based software platform and framework that implements an abstraction layer above Terraform [2] and Ansible [3], including the utilization of Ansible EC2.py and GCE.py scripts (Figure 1). It employs other open source technologies such as GoTTY and various JavaScript libraries and allows you to control security at two levels from the GUI: cloud hypervisor level (AWS Security Groups and Google Cloud Platform Firewall) and operating system platform level (iptables). The platform currently supports a local VirtualBox network, Amazon Web Services (AWS), and Google Cloud Platform (GCP). The tool can run Ansible playbooks of various applications for installation on the deployed or imported infrastructure. Many sample Ansible playbooks have already been provided, forming a basis on which to extend the framework. A Docker module allows…

In 2018, Docker and Microsoft noticed the lack of a generic package standard for containers and set out to address the problem. The result was cloud-native application bundles (CNABs), which “… facilitate the bundling, installing, and managing of container-native apps and their coupled services” [1] (Figure 1). The “approved deliverable” version 1.0 was made publicly available under the terms of the Open Web Foundation 1.0 license in September 2019. I take a close look at the CNAB standard to see what it does and does not define and how administrators and developers can benefit. A New Ecosystem In the typical manner for new technology, a standard toolset can take a while to crystallize. Even containers are not immune to this effect. In the initial phase, Docker was the undisputed king…

The first time you roll out a Kubernetes test cluster with kubeadm, superuser certificate-based access is copied to ~/.kube/config on the host, with all options open. Unfortunately, it is not uncommon for clusters used in production to continue working this way. Security officers in more regulated industries would probably shut down such an installation immediately. In this article, I seek to shed some light on the issue and show alternatives. Three Steps Kubernetes has a highly granular authorization system that influences the rights of administrators and users, as well as the access options to the running services and components within the cluster. The cluster is usually controlled directly by means of an API and the kubectl command-line front end. Access to the kube-apiserver control component is kept as simple as…

Microsoft learned in previous versions of its software that it is difficult to create code integrity (CI) policies (application control policies) under Windows Defender Application Control (WDAC) [1]. As a result, the vendor is now shipping a set of preconfigured CI policies in Microsoft Windows Server 2019 and Windows 10 v1709 that allow the execution of operating system files and applications such as Microsoft SQL Server but block executable files known to bypass the configured CI policies. Additionally, Windows Server 2019 now allows multiple CI policies to be nested to create a whitelist containing all nested CI policies, all without the need to reboot the system. When a user runs a process, that process has the same access rights to data as the user, which means that confidential information is…

Amazon Web Services (AWS) Lambda functions [1] have grown immeasurably popular over the last year or two and will unquestionably have a place in the future when it comes to running repetitive tasks on cloud infrastructure while managing to avoid the costs and overhead of maintaining servers. Something that tripped me up initially when I began adopting Lambda functions, however, was the growth in favoritism for the Python programming language. It seems that Node.js and Python have become the de facto sweetheart languages (or run times) of choice when it comes to Lambda functions, with Ruby appearing at points, too. Although I can pick away and tweak Python scripts, it’s never been a priority for me to learn the language; as a result, creating a payload for Lambda functions was…

Transmitting confidential data over an insecure connection is not a good idea and should always be avoided, but what do you do if a service does not offer a secure communication channel, and no VPN is available? Everyone will be familiar with the following situation: You are sitting comfortably in a cafe or hotel, registered on the local WiFi network, and happily browsing the Internet. However, you might not want other users of the same wireless network to be able to track your Internet usage behavior. Worse still, you come across a service that requires you to enter sensitive data, such as login credentials, but does not provide data protection through a secure TLS connection. Unfortunately, such cases can still be found in 2020. So what now? Most Linux distributions…

If you want to use the security advantages of DNSSEC, you need a DNS resolver that can verify the DNS signatures. The easiest way to do this is with Pi-hole [3]. As the name suggests, a Raspberry Pi is all you need on the hardware side, although the software also runs on Debian, Ubuntu, Fedora, or CentOS. A Docker container is also available. Pi-hole was originally an ad blocker, but it is also very useful for filtering malware. Thanks to a good web interface, Pi-hole is easy to configure. If you check the software’s query log (Figure 3), you will immediately see which domains use DNSSEC (here, mozilla.org) and which do not (e.g., firefox.com). For the domains that use DNSSEC, manipulated entries would be detected and blocked. Alternatively, you can…

Often, older or slower hardware remains in place while the rest of the environment or world updates to the latest and greatest technologies; take, for example, Non-Volatile Memory Express (NVMe) solid state drives (SSDs) instead of spinning magnetic hard disk drives (HDDs). Even though NVMe drives deliver the performance desired, the capacities (and prices) are not comparable to those of traditional HDDs, so, what to do? Create a hybrid NVMe SSD and export it across an NVMe over Fabrics (NVMeoF) network to one or more hosts that use the drive as if it were a locally attached NVMe device (Figure 1). The implementation will leverage a large pool of HDDs at your disposal – or, at least, what is connected to your server – and place them into a fault-tolerant…

Besides internal corporate users, Azure Active Directory (AAD) is increasingly seeing access by suppliers, partners, and external developers. If your own identities and external partners are stored in one directory, collaboration across a diverse range of applications becomes easier but managing the various authorizations more complex. Azure identity governance comes in handy in these cases. Access management and processes that support the lifecycle are of interest even in companies that aim for little or no collaboration in the cloud. For example, employees often move between departments within a company, collecting different authorizations in the process, such as access to marketing repositories, insights into various training courses, or information on budget planning for previous years. Next, they might switch to a sales role, where they gain insights into customer relations information.…

In a PowerShell session, admins can configure settings for Exchange Online and on-premises Exchange servers in parallel. Therefore, hybrid environments also benefit from the scripting language’s possibilities. In this article, I introduce you to managing Exchange Online. To manage Exchange Online from a computer with PowerShell, the computer must have a cloud connection and the required PowerShell modules, unless you only want to administer Exchange Online without on-premises Exchange servers, in which case you would be working remotely across the board. If you want to work with onpremises Exchange servers in parallel, you need to install the latest version of the Exchange management tools on the appropriate computer. Configuring Local Settings with PowerShell To manage Exchange Online, the local execution policy for PowerShell must be set to RemoteSigned instead of…