Lords of the DNS remind admins about Flag Day, Juniper likes Watson and more
PING, PING, PING … it's your networking roundup for the week
Roundup To cure some persistent security, implementation, and performance problems in the Domain Name System, the lords of the DNS have proclaimed older implementations as end of life.
It has been on the cards for a while, but it's worth reminding admins that websites on unready hosts, along with big resolvers and DNS software vendors, need to be ready for "Flag Day", around February 1 2019.
DNS servers need to comply with stricter EDNS (extension mechanisms for DNS). This has already been implemented in the Knot Resolver, it's in BIND 9.13.3 (development) and 9.14.0 (production), PowerDNS Recursor 4.2.0, as well as Unbound 1.9.0. Upgrade if you need to.
The Flag Day site also explained that server operators need to test their implementations for compliance (there are tools at the site).
Another change is that after Flag Day, firewalls must not drop DNS packets with EDNS extensions: "Firewalls which drop DNS packets with such extensions are making the situation worse for everyone, including worsening DoS attacks and inducing higher latency for DNS traffic."
Adobe open-sources net mapper
Adobe isn't so well-known for networking tools, but here's at least one: Marinus, designed to help users map the footprint they present to the Internet.
In its GitHub post, Adobe explained that Marinus information "can be used to create network maps, identify shadow IT or legacy infrastructure, and track TLS best practices across your entire company".
The collection of Python scripts starts with DNS records, and incorporates other public-facing records such as connection handshakes (SSH, SMTP, HTTP, and HTTPS), certificate transparency logs, and malware records from services like VirusTotal.
According to this blog post by Adobe's Peleus Uhley, "Marinus data can be used to identify risks such as sub-domain takeovers, internal services that are unintentionally exposed, VirusTotal detections, and much more. It can also provide a visual summary of the network”.
Germany and Huawei
Under-fire Huawei might have taken heart from last year's statement by the president of the German Federal Office for Information Security (BSI), Arne Schönbohm, that a ban on its kit had to be backed by evidence.
But if this report in Handelsblatt is correct, it should trouble the Chinese firm.
The German business daily claimed ministers were "awkwardly trying to work out how to exclude Huawei from the companies bidding to build Germany's 5G network" by "putting together tougher security prerequisites that Huawei couldn't comply with", or even revising telecommunications law.
As to the non-infosec accusations against the company, the accusation against Meng Wanzou over alleged sanction-busting, and of Wang Weijing in Poland over alleged spying, will hopefully soon have their evidence tested in court.
For a dose of paranoia that's a bit weird, take in this piece in the Financial Times, reporting that US politicians are now worried that Huawei's solar inverters and related kit are a threat to the USA.
It would seem to The Register that following ICS-CERT's recommended practices to secure industrial control systems should stop inverters being shut down remotely or hacked to send secrets home to China.
Watson coming to Juniper's aid
Juniper, whose future fortunes depend on its customers' cloud plans, is getting more cloudy itself, and will fork over $325m to get IBM's help.
IBM this week announced the deal, under which the IBM Services Platform with Watson will help manage data centres, help desks, and Juniper's data and voice networks.
The deal will run for seven years.
Cisco fixes broken AnyConnect signature management
Admins, if your environment uses Cisco's Identity Services Engine (ISE) with AnyConnect, you could be seeing failed connections.
That's because, as set out in this field notice, there was a bug in the products' EAP-FAST TLS 1.2 implementation.
As a result of the bug, ISE doesn't generate the correct keys when trying to authenticate AnyConnect Secure Mobility Client Release 4.7, if the system is set up for TLS 1.2 and EAP-FAST (extensible authentication protocol – fast authentication via secure tunnelling).
Switchzilla has issued patches for affected version.
SDN down under: nbn™ joins ONF, Telstra's submarine cable protection
The government-owned company building Australia's national broadband network, nbn™, has joined the Open Networking Foundation (ONF).
nbn™ explained the move in terms of open networking making its purchases more flexible than it can achieve working only with proprietary platforms.
CTO Ray Owen said: "By investigating open-source software and building on the work already done by the ONF, we can aim to drive programmable network architectures through disaggregation of control.
"This will help to enable us to achieve a faster time to market with our wholesale products and deeper systems integration with retail service providers." The usual reason, then.
ONF's Timon Sloane highlighted the organisation's SEBA project as relevant to nbn™: the broadband access virtualisation technology currently supports XGS-PON and G-PON, and the ONF hopes to extend it to other access architectures such as PON, DSL, and DOCSIS.
Meanwhile, Australia's incumbent carrier Telstra reckons SDN will help cut down the changeover time needed to switch traffic between cables in the event that one suffers an outage.
The carrier's current guarantee is that a downed route will be restored in eight hours, meaning that the only way a multinational could guarantee better uptime would be to buy its own cable diversity, something that's too expensive for most.
Telstra settled on Ciena's GeoMesh Extreme, delivered by Ericsson, as the technology behind the rapid restoration product. After trials in December 2018, head of Connectivity and Platforms Nadya Melic said the service is now available on three intra-Asian routes.
Melic said the service should offer re-routing to restore service within 30 minutes.
Google DNS now over TLS
Google has started securing DNS queries using the DNS-over-TLS protocol first published in 2016.
Back in 2017, the Chocolate Factory first started experimenting with RFC 7858 on Android, and it's the smartphone operating system that got first production access to the more secure DNS.
Google announced earlier this month that Android Pie could use the technology by enabling private DNS in their settings, and using dns.google as the DNS provider.