Interview with John Kindervag, the Godfather of Zero Trust Networking

Last month, I had the pleasure of spending a few minutes with John Kindervag, the industry-described “Godfather” and thought leader behind Zero Trust Networking. John developed these concepts during his tenure as Vice President and Principal Analyst at Forrester Research.

Zero Trust, rooted in the principle of “never trust, always verify,” is primarily designed to address the threat of lateral movement within the network by using micro-segmentation and by redefining the perimeter around user, data and location rather than network topology.

We are at an inflection point in the industry where Zero Trust principles are starting to take hold, and many organizations are adopting them to achieve a stronger security posture. John eloquently describes these principles in this interview.

John’s Twitter – https://twitter.com/Kindervag

John’s LinkedIn – https://www.linkedin.com/in/john-kindervag-40572b1/

More background on Zero Trust architecture – https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture

Palo Alto Traps: The End for AV and EDR?

The world of malware and exploits has a long history, and anyone involved in this industry knows that we are at a tipping point. Threats continue to evolve, from the first viruses seen in the wild back in 1982 to the malware of today, which is capable of spreading laterally in the blink of an eye.

We are in an arms race, and the traditional, legacy ways of dealing with these types of problems just don’t cut it anymore. For the last few months I’ve been learning and playing with Palo Alto’s Endpoint Protection solution, aptly named Traps. As someone who has worked in the network and cybersecurity industries over the last 20 years, I can tell you it’s a revolutionary approach to the problem of dealing with these types of attacks. While the industry as a whole has focused on Antivirus (AV) mechanisms and, more recently, Endpoint Detection and Response (EDR), Palo Alto is taking an altogether different approach, one that in my opinion will ultimately leave these legacy approaches in the dust.


Carrier Grade NAT and the DoS Consequences

Republished from Corero DDoS Blog:

The Internet has a very long history of employing mechanisms that breathe new life into older technologies, stretching them out so that newer technologies may be delayed or obviated altogether. IPv4 addressing, with its well-known address depletion, is one such area that has seen a plethora of mechanisms employed to give it more shelf life.


Is DDoS Mitigation as-a-Service Becoming a Defacto Offering for Providers?

Republished from Corero DDoS Blog:

It’s well known in the industry that DDoS attacks are becoming more frequent and increasingly debilitating, turning DDoS mitigation into a mission-critical initiative. From the largest carriers to small and mid-sized enterprises, more and more Internet-connected businesses are becoming targets of DDoS attacks. What was once a problem that only a select few dealt with is now a regularly occurring burden faced by network operators.


Black Hat OSPF Vulnerabilities: Much Ado About Nothing

Imagine a group of researchers planning to speak at a conference about a previously undiscovered vulnerability present in most homes that would allow a thief to rob your home of its valuables with complete ease. You would probably be interested in hearing what they had to say so you could take the necessary precautions to protect your home.

Now imagine that when they presented their findings, they went on to state that it was incredibly easy to do, so long as you left your front door open and also provided them with the security code for any alarm systems. You would probably find this implausible and simply the proliferation of fear, uncertainty, and doubt.

That’s precisely what happened last week at the well-respected Black Hat security conference in Las Vegas, when researchers from the Israel Institute of Technology and Advanced Defense Systems, Ltd. presented their findings of a serious vulnerability present in OSPF. So serious, in fact, that the researchers stated the only way to properly mitigate the threat, short of fixing the protocol, is to switch to another routing protocol such as RIP or IS-IS.

Juniper SRX Tips :: Altering Default-Deny Behavior

In our previous article, we looked at using apply-groups to alter all the security policies uniformly on an SRX device so that they would all carry an implicit logging statement. While this works for all existing policies, it doesn’t log traffic that doesn’t match any explicitly defined security policy.

The reason is that in Junos, traffic which doesn’t match an explicitly defined security policy is handled by the default-deny policy. Because the default-deny policy is implicitly defined, apply-group configurations are of little benefit here, as apply-groups can only be inherited by elements that have been explicitly defined.