(Photo Credit: Gizmodo)

You lose some. You win some: Of course as NBC’s online partner, Microsoft gets a least a cut of the $100 million dollars in online advertising spent around the Olympics. And the millions of downloads of Silverlight aren’t too shabby either.

The Internet is Falling! Arbor Networks, a security and network management company, partnered with ninety network services and content providers from around the world to publish an extensive study of IPv6 traffic on the Internet. Craig Labovitiz, Arbor Networks chief scientist, stated that only 900 days were left until the end of the Internet, or at least the exhaustion of IPv4 registry allocations. For the past year, the study shows very little IPv6 traffic – something like 1/100^th of 1% of Internet traffic. Craig credits this to money issues. “The department of commerce estimates it will cost $25 billion for ISPs to upgrade to native IPv6.”

Blogger James Urquhart created a bill of rights for cloud computing. The purpose of the bill is to “help guide would-be cloud customers to those clouds best able to guarantee their freedom.” The blogosphere is a great place to get some open debate going, and I applaud James for trying to make something yet so “cloudy” a bit more clear and concrete. But what’s up with the creating a PAC for this?? (Check out the comments.)

Trying to get by on limited resources? Need more money, staff and the freedom to focus on long-term projects? Sound familiar? Then you just might be in IT at a midsize company. (or in marketing at a young but rapidly growing IT company ) Arrow Enterprise Computing Solutions conducted a survey of 200 tech leaders at midsize companies (500 to 3000 employees). The upside: 61% of those surveyed think they’ll be spending more on IT next year – is this bullish thinking about the economy or how much their own business (rev) will be growing?

Bill Snyder calls Dell “Bozo of the Month” for trying to trademark “cloud computing”. Yikes. Maybe not a “bozo” move but certainly inadvisable given how ubiquitous the term is. Here’s our take on it.

I’ll take your 6 centers of excellence and uh, raise you 2 data centers. Following up on the HP announcement that they’ve partnered with Yahoo and Intel to create cloud computing Centers of Excellence this week, IBM said they were building out 2 data centers to accommodate the coming cloud computing resources need. I should say that IBM had already announced their “partnership” with Google to provide services for the cloud back in May. Who’s left to partner with on cloud computing? Microsoft and Amazon?

Packet Trap Networks recently conducted a survey of network engineers and IT professionals who perform network management duties inside companies with more than 100 employees. Out of the 800 engineers surveyed, 49 percent stated that they did not have a comprehensive network management system in place – showing a need for solutions focused on the mid-market – i.e., the right features at reasonable prices. If you remember, Sevcik and Wetzel (not a vendor!) conducted their own survey on application performance management and had similar findings but a rather different answer… (hint – starts with “E” and ends in “7”)

Is open-source software more secure? After all thousands of eyes are better than a handful, right? Well, according to a report sponsored by Fortify Software, that’s just not the case. Roger Thornton, founder and CTO of Fortify Software, adds that the underlying problem is “a lack of understanding and collaboration between developers and security experts – today each are talking past each other when it comes to security.”

For all you aspiring CIOs out there, WSJ has provided a must-read list. Uh oh– the first on the list is “How to Read a Book”. Please, any negative comments directly on the Journal site…and any “good” ones here!

ShareThis

Just what I was waiting for, open source takes on cloud computing.

We had a very interesting call this week with analyst firm, The 451 Group, about the cloud and who is really doing what in this space now. Trying to separate the hype from reality, just like everyone else.

After a disappointing (to analysts and the street) financial analyst call on Tuesday, VMware’s stock reached an all time low, almost back to the IPO stage. In a follow-up interview, Forbes asked the new CEO what he thinks about the stock price, the analysts saying VMware doesn’t have a solid or innovative growth plan for the future, and whether VMware should be part of EMC or not (their backhand way of bringing up the whole Diane Greene thing…he didn’t fall for it). 

Wait for it…wait for it…we have been waiting for it. VMware announced plans to launch a free version of its ESXI hypervisor starting July 28. I have to question the timing on this one. Why didn’t they do this before Hyper-v came out and try to at least undercut the Microsoft announcement? VMware is and should be the leader in this space but they act like they’re playing from behind. And to Wall Street, perception counts for a lot.

Surprisingly, there hasn’t been a lot of coverage after the June 2008 OMB mandate on IPv6 readiness. But one interesting follow-up, a feature is set to be added to IPv6 which the upgrade was supposed to eliminate. One of the design goals for IPv6 was that it would rid the Internet of network address translation (NAT), gateways that match increasingly scarce public IPv4 addresses with private IPv4 addresses used inside corporations, government agencies and other organizations.  NAT adds complexity and cost, but due to the length of time it’s taken to migrate from IPv4 to IPv6, engineers may create special NAT devices to translate between IPv4-only and IPv6-only hosts and hopefully nudge along the transition to IPv6. IEEE is all set to meet on this topic later this month.

ShareThis

At TechEd this year, I gave a presentation called "21st century networking: time to throw away your medieval gateways." (Actually, I've given this same talk before, at events in Amsterdam, Brussels, Oslo, and numerous on-campus customer meetings. It's time to bring the knowledge to the masses.)

I described an idea of using IPv6, IPsec, NAP, and group policy to build a pretty slick replacement for clunky VPN gateways. Turns out we've been piloting this very idea on our internal corpnet. Like a good little bunny I got myself enrolled in the thing and -- pardon the unattractive gushing -- this thing rawks! Here's a brief rundown of the parts you'd configure on managed clients:

• Windows Vista Business (with Software Assurance), Enterprise, or Ultimate editions
• That are domain-joined
• Users run as non-admin
• Group policy applies numerous settings
• UAC is enabled
• BitLocker is configured to protect confidential information stored offline
• The Windows Firewall is enabled
• NAP is used for checking health
• Forefront Client Security for keeping malware off the box
• Smart cards for strong authentication of users
• IPsec is required for connection authentication and traffic encryption
• IPv6 is required for worldwide Internet connectivity
• A DNS suffix search list represents the data center name space
• Static IPv6 DNS servers provide name resolution for hosts in the data center

What does this give you? True anywhere access, anywhere in the world, directly to corpnet resources from managed and secure client PCs. The Internet has replaced private WAN links for good reason: enormous cost benefits. The only thing holding us back from fully utilizing this development has been a lack of way to enforce and monitor the security of clients not physically located within the corpnet. Well, those days are over. Now you can build PCs that are trusted just as if they were on the corpnet, without knowing or caring anything about the underlying network connections. And let me tell you, it's as addictive as a few other substances I could mention, but will refrain, since this is (I hope) a family blog :)

Maybe you've heard of the notion of "deperimeterization." Taken to its extreme, I think it's a bit silly. To put a SQL Server directly on the Internet is just plain stupid -- not because I don't think I could keep it protected, but simply because that's unnecessary risk. Only my web server -- and no one else -- should be talking to my SQL Server. But that web server will be in the same subnet as the SQL Server, and IPsec policies used also here will govern who can connect to the SQL Server. Warning to any and all network DMZs: your days are numbered!

Shrink your perimeter to that which really matters -- your data center. All your clients live (as we would say in the olden days) "on the outside of the firewall." Now then, there are two kinds of clients. Managed clients, as I described above, establish IPsec-authenticated/encrypted, group-policy-configured, NAP-enforced IPv6 connections directly to corpnet resources without going through any kind of access gateway. The router connecting you to your ISP is fully sufficient for blocking denial of service attempts. Be sure to follow my advice in "Configure your router to block DOS attempts," and then add two more rules to permit incoming port udp/500 and IP protocol 50 over IPv6. That's it. No NATing or other unnatural network acts are required (finally, you can stop lying to your significant other about why you squirrel yourself away in the computer room all those weekend nights).

Unmanaged clients will continue to use IPv4 to access published Web and Win32 applications through a gateway like IAG. Since you can't trust these clients nor can you trust the data they're throwing at you, you have to inspect and validate at the perimeter. You can take advantage of IAG's application-modifying capabilities to "wrap" security around poorly-written web apps; you can even download an ActiveX control to unmanaged clients to perform some basic health checking, policy enforcement, and cache clearing. None of these eliminates the final requirement to continue inspecting and removing malware from servers where users store data: Exchange, SharePoint, Office Communications Server, and file servers.

Machines are mobile, data is mobile. The mainframes and large desktop PCs of the past posses an effective security attribute: the heaviness of the machines. You couldn't easily saunter out the front door with a PC-AT in your pocket! These days, we all line our pockets with tiny little mobile phones stuffed with 16GB of storage. It's now a fact: data moves. And like water, data moves wherever it can, as rapidly as it can, often beyond your control if you don't prepare for that. With properly-configured and managed clients we can enjoy a single access and authentication experience no matter where the computer is physically located. For example: I can sit in my house and enter '"http://internal-web-site-name" in my browser. The DNS suffix search list adds the appropriate suffix, my browser's resolver performs an IPv6 name lookup, and my computer makes an authenticated and encrypted connection, after it meets the NAP policy, directly to that internal server. Very nice. As far as I'm concerned, there's no difference between the Internet and my corpnet. It's all just there.

For a while now many of you know I've been speaking and writing, mostly at the conceptual level, about the day when such a way of remote computing will arise. Well, my friends, that day is now. You can indeed build it now, with the products you have. I won't admit it's all peaches and cream: there's a fair number of moving parts here, it's true. But most of these moving parts are parts you're already familiar with: I'm simply encouraging you to move them in a specific way. You'll need to do some custom scripting for client-side connection diagnostics, but that's about it.

My next step is to create a more detailed guide, which I plan to publish through TechNet Magazine. I'm targeting (but not promising) the October issue. The article will include greater details about configuring your infrastructure to support the managed clients I describe.

I've lost track of the swelling number of individual conference attendees and the plethora of email writers who've expressed a desire to build this in their own environments. The one common thread from everyone is "I want to do it now!" Folks, it's really pretty exciting for me to see so many of you ready to cross the chasm from the perdition of paleo-networking (layer upon endless, complex layer of DMZs) into the paradise of flat, simple, cheap, and secure access to information. If you haven't yet, please take the time to read through some of our information (especially Scott Charney's paper) on end-to-end trust. Friends, the idea I describe above is the plumbing for realizing the end-to-end trust vision.

Synopsis:  Blue Box #78: Cisco IP phone vulnerabilties, WiFi handset insecurity, IETF security-related news, VoIP security news, listener comments and more

Welcome to Blue Box: The VoIP Security Podcast #78, a 40-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 17MB) or subscribe to the RSS feed to download the show automatically. 

NOTE: This show was originally recorded on February 25, 2008. Yes, that was two months ago... we know!

You may also listen to this podcast right now:

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long! 
• new comment line +1-415-830-5439
• Special Edition #23 with Sonus Networks
• Squawk Box podcast about voice phishing ??? also this article Vishing: The Latest, and Greatest, Security Concern
• Cisco: Cisco Unified IP Phone Overflow and DoS Vulnerabilities and Dustin Trammell???s coverage
• ZDNet: Design flaw in wireless VoIP handsets endanger the enterprise followed by Cisco confirms vulnerability in 7921 WiFi IP phone
• Voice of VOIPSA: Slides about P2PSIP security new available
• Voice of VOIPSA: RUCUS mailing list & BOF
• Voice of VOIPSA: End-to-end VoIP security using DTLS-SRTP
• Also a whole bunch on SIP Identity
• SIP Torture Tests for IPv6 now out in RFC 5118
• SIP Usage Scenarios Similar to SPIT
• SPEERMINT Security BCPs
• SIP Identity Baiting Attack
• Concerns around Applicability of RFC 4474
• VoIP Hopper 0.9.9 released (site ) ??? Thanks to Frank Leonhardt for the info.
• VoIP News: Is Someone Listening to Your VoIP Calls? (linked to from ZDNet )
• ZDNet: Cracking GSM
• TMCnet- Practicing Safe OCS
• TMCnet- Security Attack of the Day (Tom Cross starts blogging for TMCnet)
• Speaking of Tom, Techtionary.com Releases SIP Security Checklist
• Voice of VOIPSA: SIPTap Author forms VoIP Security Company (by Craig Bowser!)
• Voice of VOIPSA: Underpowered Hardware
• Project Spider ??? about SPIT
• CBC: Bell recovers stolen data on 3.4 million customers
• Comment (email) from Larry Farmer
• Comment (email) from Shlomo Dubrowin
• Comment (email) about SE #23
• Review of the last week's traffic on the VOIPSEC public mailing list 
• Wrap-up of the show
• 40:01 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

Synopsis:  Blue Box #78: Cisco IP phone vulnerabilties, WiFi handset insecurity, IETF security-related news, VoIP security news, listener comments and more

Welcome to Blue Box: The VoIP Security Podcast #78, a 40-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 17MB) or subscribe to the RSS feed to download the show automatically. 

NOTE: This show was originally recorded on February 25, 2008. Yes, that was two months ago... we know!

You may also listen to this podcast right now:

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long! 
• new comment line +1-415-830-5439
• Special Edition #23 with Sonus Networks
• Squawk Box podcast about voice phishing – also this article Vishing: The Latest, and Greatest, Security Concern
• Cisco: Cisco Unified IP Phone Overflow and DoS Vulnerabilities and Dustin Trammell’s coverage
• ZDNet: Design flaw in wireless VoIP handsets endanger the enterprise followed by Cisco confirms vulnerability in 7921 WiFi IP phone
• Voice of VOIPSA: Slides about P2PSIP security new available
• Voice of VOIPSA: RUCUS mailing list & BOF
• Voice of VOIPSA: End-to-end VoIP security using DTLS-SRTP
• Also a whole bunch on SIP Identity
• SIP Torture Tests for IPv6 now out in RFC 5118
• SIP Usage Scenarios Similar to SPIT
• SPEERMINT Security BCPs
• SIP Identity Baiting Attack
• Concerns around Applicability of RFC 4474
• VoIP Hopper 0.9.9 released (site ) – Thanks to Frank Leonhardt for the info.
• VoIP News: Is Someone Listening to Your VoIP Calls? (linked to from ZDNet )
• ZDNet: Cracking GSM
• TMCnet- Practicing Safe OCS
• TMCnet- Security Attack of the Day (Tom Cross starts blogging for TMCnet)
• Speaking of Tom, Techtionary.com Releases SIP Security Checklist
• Voice of VOIPSA: SIPTap Author forms VoIP Security Company (by Craig Bowser!)
• Voice of VOIPSA: Underpowered Hardware
• Project Spider – about SPIT
• CBC: Bell recovers stolen data on 3.4 million customers
• Comment (email) from Larry Farmer
• Comment (email) from Shlomo Dubrowin
• Comment (email) about SE #23
• Review of the last week's traffic on the VOIPSEC public mailing list 
• Wrap-up of the show
• 40:01 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.