Recent posts

#71
ZT is a very detailed architecture, which one needs to be extremely familiar with to identify applications, group the ports/protocols needed for those applications to work, and identify sources and destinations. One must be an extraordinary engineer to deploy it. The application owners must have clarity on exactly what group of ports/protocols is needed for those applications and what is talking to what, but one must be an extraordinary application owner to have this knowledge; most don't have a clue. Application users have no clue; they just want to click and have the application work as usual. This is usually left up to the network engineer to run packet captures and use Wireshark to identify, unless there is mega money dumped into a tool that can monitor the network and identify apps, which may take a huge investment to set up in the first place, even before a ZT pilot is deployed.

#72
Everything Else in the Data Center / Re: Zero Trust Networking (and...
Last post by config t - December 15, 2023, 12:22:01 AM
This is a good place to start:
https://www.nist.gov/publications/zero-trust-architecture

The number of acronyms in ZT is staggering. Granted, I'm somewhat new to doing cybersec for a living, but I feel as if I'm learning a new language.
#73
Security / Re: Negligible amount of clien...
Last post by deanwebb - December 06, 2023, 04:05:15 PM
Is the SSL error with an internal-facing webpage or an externally-facing one?

If the cert for the webpage depends upon reaching a particular CA server, then if a path between the CA server and the endpoint does not exist, the SSL operation will fail. If the cert for the webpage is from an internal CA server, then the root cert must be installed on the endpoint. If the cert is from a third-party commercial entity, then it is likely that the root cert is already installed on the endpoint, but if it is damaged, it will require re-installation.

What's the exact issue and errors observed?
#74
Security / Negligible amount of clients i...
Last post by networkloser - December 05, 2023, 05:46:44 AM
I've read these:
We've tried mobile data and different ISPs and the problem seems to persist.

https://maulwuff.de/research/ssl-debugging.html

https://serverfault.com/questions/872424/why-are-some-people-getting-a-connection-not-secure-page-when-accessing-my-serve

Would SSL pinning fix this issue of very few clients getting an SSL error?

https://developers.wultra.com/components/ssl-pinning-android/1.3.x/documentation/

There is an option to install the CA cert on Android, but is it worth the hassle, or is there something simpler and more efficient?
#75
Routing and Switching / Re: netstat -rn meaning in lin...
Last post by deanwebb - December 04, 2023, 09:51:28 AM
It will list interfaces that are active with their MAC addresses and then it lists current active routes and any persistent routes.
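As an added illustration (not code from the thread or its posters), here is a small Python parser for a constructed Linux `netstat -rn` sample that rebuilds the kernel IP routing table and performs the same longest-prefix-match lookup the kernel does when it picks the next hop for an outgoing packet; the addresses and interface names in the sample are made up.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of what `netstat -rn` prints on a Linux host (not a real capture).
SAMPLE_NETSTAT_RN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
10.0.0.0        192.168.1.254   255.0.0.0       UG        0 0          0 eth0
172.16.5.0      0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
"""

@dataclass
class Route:
    network: ipaddress.IPv4Network            # Destination + Genmask combined into one prefix
    gateway: Optional[ipaddress.IPv4Address]  # None when the route is on-link (no G flag)
    flags: str                                # U = up, G = via gateway, H = host route, ...
    iface: str                                # outgoing interface

def parse_netstat_rn(text: str) -> List[Route]:
    """Turn the text of `netstat -rn` into Route objects, skipping the two header lines."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 8 or cols[0] in ("Kernel", "Destination"):
            continue
        dest, gw, mask, flags, iface = cols[0], cols[1], cols[2], cols[3], cols[-1]
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        gateway = ipaddress.IPv4Address(gw) if "G" in flags else None
        routes.append(Route(network, gateway, flags, iface))
    return routes

def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins; 0.0.0.0/0 is the fallback."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.network.prefixlen)

def next_hop(routes: List[Route], dst: str) -> str:
    """Describe where a packet to dst would be sent, the way `ip route get` would."""
    r = lookup(routes, dst)
    if r is None:
        return "unreachable"
    via = str(r.gateway) if r.gateway else "on-link"
    return f"{r.network} via {via} dev {r.iface}"
```

A destination on a directly connected subnet is delivered on-link (ARP for the host itself), while anything else is handed to the gateway of the most specific matching route, which is exactly what the Destination/Genmask/Gateway columns are encoding.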
#76
Routing and Switching / netstat -rn meaning in linux?
Last post by networkloser - December 04, 2023, 02:02:17 AM
I read the UNIX and LINUX system admin handbook about this topic but I'm not yet clear about it.
I'm wondering what's the real answer to this? And what information is it really telling?
I mean some say it's a kernel routing table and it confuses me.
Can you truly make me understand this stuff?
#77
Everything Else in the Data Center / Zero Trust Networking (and eve...
Last post by deanwebb - December 01, 2023, 09:18:54 AM
The biggest difference between Zero Trust (ZT) thinking and earlier design concepts is that ZT means there is *no* trusted zone. There is *no* area of the network where we can safely assume that only the Good Guys are doing things in. Assume a breach can happen from any direction, starting in any location. Where you are not looking is where the attacker is preparing a base of operations.

Taking a step back from plunging into raving paranoia (which can be a good career choice, should you want to be deeper in security), ZT networking means the end of the flat network where everything can reach everything else. It's about determining what communications need to go where and permitting those and no more. The reason? Attackers, being unfamiliar with the network, will do probes and recon missions that go all over the place so they can plan their next moves. Blocking recon at the start makes things that much more difficult for attackers.

Which means they go the human route more and more - intimidation is on the rise as a component in cyberattacks, which means our own employees are more and more likely to use their access to permit attackers' entry and operations. Therefore, we have to keep an eye on those employee credentials, making Identity Management a critical pillar of ZT. No more assigning users to groups and giving groups rights on the network: assign users to groups, and group members can check out temporary credentials to perform tracked and monitored functions.

Is this a bit police state-y? Yes. Yes, it is. If you read histories of how the East German secret police, the Stasi, ran operations, you will see ZT shot through their thinking. I abhor everything the Stasi stood for - oppression, silencing voices, totalitarianism - but at the same time, I can learn from studying them. By no means do I ever want to go as far as keeping scent samples on people so I can track them down with dogs or develop planar discharge mines to kill only people (or animals, as it turned out) who tried to cross border fences. But do I see a need to track and record all admin actions? Yes, I do. Most won't be reviewed, but if a forensic investigation arises, we want those for the investigation, 100%.
#78
Routing and Switching / Re: Redundant interfaces keeps...
Last post by deanwebb - November 24, 2023, 09:52:43 AM
Can the MAC for the VIP be different from the MAC for a hardware interface? I would want to do that to see if that resolves the issue, change the address so it's not a duplicate.
#79
Routing and Switching / Re: Redundant interfaces keeps...
Last post by kurdam - November 23, 2023, 02:30:20 AM
The "load balancer" part is done from the end device; it's either the VDS on VMware, or the Linux bond on Proxmox, or the intelligence inside our dual-controller network storage, or the multiplexor card on our Windows server. That part is working correctly and is doing what it is supposed to do.

What I don't understand is why, when there is a change in the topology due to a failure, my switch keeps blocking the ports and preventing my hardware from failing over correctly...

My real question is: am I missing something? Is there a specific config that I don't know for this kind of hardware that I have to set up on the switch side? Or is it just an STP tuning problem?
#80
Routing and Switching / Re: Redundant interfaces keeps...
Last post by deanwebb - November 22, 2023, 08:42:37 AM
I'm wondering if the setup would be better served with a load balancer array that would handle the VIPs and then the server interfaces themselves could have separate IP, MAC addresses.

But, if your tuning works out, that's another workaround.