ADMIN Network & Security的January/February 2021目录

Containers have become an almost omnipresent component in modern IT. The associated ecosystem is growing and making both application and integration ever easier. For some, containers are the next evolutionary step in virtual machines: They launch faster, are more flexible, and make better use of available resources. One question remains unanswered: Are containers as secure as virtual machines? In this article, I first briefly describe the current status quo. Afterward, I provide insight into different approaches of eliminating security concerns. The considerations are limited to Linux as the underlying operating system, but this is not a real restriction, because the container ecosystem on Linux is more diverse than on its competitors. How Secure? Only the specifics of container security are investigated here. Exploiting an SQL vulnerability in a database or…

One of the major innovations in PHP is intended to give the scripting language a boost, but it does require some prior knowledge. As of version 5.5, the code to be executed has been stored in a cache provided by the OPcache extension [1]. Thanks to this cache, the interpreter does not have to reread the scripts for every request. PHP 8 sees OPcache expanded to include a just-in-time (JIT) compiler. This converts parts of the PHP code into native program code, which the processor then executes directly and far faster as a consequence. As a further speed tweak, the generated binary code is also cached. When the PHP code is restarted, PHP 8 simply accesses the precompiled binary code from the cache. As the first benchmarks by PHP developer…

The idea of populating all clouds with the same templates has remained a pipe dream until now. Although some services offer a compatibility interface for templates from Amazon Web Services (AWS), it being the industry leader, my experience suggests you should not rely on it. Admins are faced with the major dilemma of theoretically having to learn how to use the orchestration tools for various clouds and maintain their own templates (see “The Nebulous Cloud” box). Tools like Terraform (Figure 1) promise to avoid exactly that. One relatively new player in the field of these tools is Pulumi. It differs significantly from other tools in that it uses known programming languages instead of its own declarative syntax. So, how does it work, and what does the admin get out of…

Moving away from passwords to improve account security is a recurring theme for administrators and security researchers. On the Internet, the password as a knowledge-based factor of authentication still dominates the login methods of online services. Password managers are increasingly relieving the burden on users as a weak point in password selection. However, despite all technical support, many users still use passwords that are easy to remember and therefore easy to crack. Projects like Have I Been Pwned [1] or the researchers of the University of Bonn in their EIDI (effective information after a digital identity theft) project [2] follow a reactive approach to account security; web development needs to focus more strongly on alternative authentication methods. Back in December 2014, the FIDO Alliance published the FIDO Universal Authentication Framework…

A perennial problem for any system operator is sifting through mountains of logfiles that contain entries of importance. However, when you’re presented with half a million lines in a single logfile full of differing content, you have little hope of spotting attack data that may be of concern or, in fact, partially or completely successful. Numerous tools can help you sort the wheat from the chaff in logfiles, such as the daily reporting provided by the excellent Logwatch [1]. Although these tools are ideal for a small number of entries, few offer analysis in real time with the sophistication of Teler, a “real-time HTTP intrusion detection” tool [2]. Judging by the age of the commits on its GitHub page, it’s a relatively new project, but I found its uncomplicated ingenuity…

In this article, I look into the options Microsoft provides for effective management of Internet Information Services (IIS). You can easily manage web servers on Windows Server 2019 with multiple tools in parallel (e.g., the IISAdministration module in PowerShell). The command line on Windows servers also offers a way to manage the web server with the appcmd and iisreset tools, not only for servers with graphical user interfaces, but also for core servers and containers. In this article, I assume you have IIS configured on Windows Server 2019 (Figure 1), but most settings also apply to Windows Server 2012 R2 and 2016. Managing the Web Server and Sites Once IIS is up and running, it can be managed with the IIS Manager. The fastest way to launch this tool is…

The Amazon Simple Storage Service (S3) protocol has had astonishing development in recent years. Originally, Amazon regarded the tool merely as a means to store arbitrary files online with a standardized protocol, but today, S3 plays an important role in the Amazon tool world as a central service. Little wonder that many look-alikes have cropped up. Ceph, the free object store, for example, has offered a free alternative for years by way of the Ceph Object Gateway, which can handle both the OpenStack Swift protocol and Amazon S3. MinIO is now following suit: It promises a local S3 instance that is largely compatible with the Amazon S3 implementation. MinIO even claims to offer functions that are not found in the original. The provider, MinIO Inc. [1], is not sparing when…

A number of methods can stop attackers from exhausting your server resources, such as filtering inbound traffic with a variety of security appliances locally or by utilizing commercial, online traffic-scrubbing services to catch upstream traffic for mitigating denial-of-service attacks. Equally, honeypots can be used to draw attackers in, so you get a flavor of the attacks that your production servers might be subjected to in the future. In this article, I look at a relatively unusual technique for slowing attackers down. First, Endlessh, a natty piece of open source software, can consume an attacker’s resources by keeping their connections open (so that they have less ability themselves to attack your online services), leaving them in a “tarpit.” Second, to achieve similar results a more traditional rate-limiting approach, courtesy of advanced…

Although machine learning (ML) applications always put a great deal of effort into preprocessing data, the algorithms can also automatically detect structures. Deep learning in particular has led to further progress in the field of feature extraction, which makes ML algorithms even more interesting, especially for cybersecurity tasks. In IT security, data volumes are often huge, and interpreting them involves massive effort, either because of the sheer bulk or the complexity. Not surprisingly, then, cybersecurity product vendors often offer special ML toolkits such as Splunk [1] or Darktrace [2], which apparently relies almost entirely on machine learning. Although machine learning has not suddenly turned the cybersecurity world completely on its head (even if some product vendors believe it has), you need to answer the following questions – if only to…

Whether you need to log into an online store, read your email in the browser, check your account balance, or upload photos to the cloud, most services require an individual account with authentication when accessing the service. This raises various problems. Using the same passwords on multiple accounts has long been considered a bad idea. However, if you use a separate password for each service, you can quickly lose track of which password goes with which account. At the same time, passwords need to meet certain security requirements to resist brute force attacks. It is important to use uppercase and lowercase letters, numbers, and special characters in a way that prevents algorithms from cracking the password, leading to complex passwords. Last, but not least, users soon forget their passwords for…

Usually the task of a performance engineer involves running a workload, finding its first bottleneck with a profiling tool, eliminating it (or at least minimizing it), and then repeating this cycle – up until a desired performance level is attained. However, sometimes the question is posed from the reverse angle: Given existing code that requires a certain amount of time to execute (e.g., 10 minutes), what would it take to run it 10 times faster? Can it be done? Answering these questions is easier than you would think. Parallel Processing The typical parallel computing workload breaks down a problem in discrete chunks to be run simultaneously on different CPU cores. A classic example is approximating the value of pi. Many algorithms that numerically approximate pi are known, variously attributed to…

With the latest release of Red Hat Enterprise Linux (RHEL) and OpenShift, it has become even easier for businesses to add edge deployment to existing infrastructure. With this release, Red Hat has attempted to refine the definitions of Edge computing. To this, Nicolas Barcet, Red Hat Senior Directory Technology Strategy, says “Edge is not just one thing, it’s multiple things, multiple layers.” Barcet continues, “A single customer use case may have up to five layers of edge-related infrastructure, going from the IoT device all the way to the aggregation data centers.” Barcet concludes with, “What we need to offer as a software infrastructure provider is all the components to build according to the topology that the customer wants for that use case.” To address those components, Red Hat identified three…

Managing user identities decentrally and manually directly within applications is not only error-prone, it also takes up valuable time and involves administrative overhead. Storing users and their access authorizations for certain systems and applications in a central location makes sense, especially in hybrid environments, where applications exist both on-premises and in various clouds. Identity and access management (IAM) tools typically provide a number of functions to facilitate this work. Not only does the software provide user lifecycle and access management, it needs to offer other features, such as a self-service portal for resetting user passwords or for additional authorization requests. A single sign-on based on modern protocols such as OpenID Connect or Security Assertion Markup Language 2.0 (SAML2) should also be part of the standard scope. Flexible auditing is necessary…

Event streaming is a modern concept that aims at continuously processing large volumes of data. The open source Apache Kafka [1] has established itself as a leader in the field. Kafka was originally developed by the career platform LinkedIn to process massive volumes of data in real time. Today, Kafka is used by more than 80 percent of the Fortune 100 companies, according to the project’s own information. Apache Kafka captures, processes, stores, and integrates data on a large scale. The software supports numerous applications, including distributed logging, stream processing, data integration, and pub/sub messaging. Kafka continuously processes the data almost in real time, without first writing to a database. Kafka can connect to virtually any other data source in traditional enterprise information systems, modern databases, or the cloud. Together…

Among other things, my job involves developing applications in the field of network automation on the basis of the Spring Boot framework, which requires a running Java environment. At the same time, some infrastructure applications are required, such as DNS servers. Before containers existed, infrastructure services ran in minimal change root environments, containing only the necessary binaries (e.g., chroot/named), configuration files, and libraries. This setup reduced the number of potential attack vectors for exposed services. For example, an attempt by the attacker to call /bin/sh would fail because the environment would not have a shell. Classical Docker build files, which use FROM ubuntu to include a complete Ubuntu environment, are the exact opposite of the approach just described. The resulting container is easier to debug because, for example, a shell…

Single sign-on (SSO) offers many advantages, and SSO providers can provide valuable services in terms of user account security. Although each user only needs to remember one password to access different services (which is not to be confused with a user simply using the same password for different services), the providers themselves do not have any knowledge of the password used. If a data leak occurs in one of the services, passwords will not fall easily into the hands of criminals. The service exclusively relies on the SSO provider to verify the user’s identity securely. For some providers, the identity itself is not important, the only important thing is to identify the same person beyond any doubt. To use SSO, you are not dependent on the three major players, Google,…

You just bought a new system with lots and lots of cores (e.g., a desktop with 64 cores or a server with 128 cores). Now that you have all of these cores, why not take advantage of them by parallelizing your code? Depending on your code and your skills, you have a number of paths to parallelization, but after some hard work profiling and lots of testing, your application is successfully parallelized – and it gives you the correct answers! Now comes the real proof: You start checking your application’s performance as you add processors. Suppose that running on a single core takes about three minutes (180 seconds) of wall clock time. Cautiously, but with lots of optimism, you run it on two cores. The wall clock time is just…