Cyber Security

DNS: Back to Basics for Network Engineers

Speaking with quite a few network engineers in the last few months, I was shocked by the lack of real understanding of the Domain Naming System (DNS).  It shocked me because it is the singular application functionality that is entirely network-based.  Meaning that DNS is the foundation of the Internet, and from their perspective, should […]


Yubikey and Windows Domain 2-Factor Authentication

Picking up where we left off last, I was showing you the awesome usefulness, security and affordability of Yubikey (Yubico’s 2-Factor authentication token) and using it for 2-factor authentication on network devices.  Well, I’d like to go another step forward: 2-Factor authentication for Windows computers to a Windows Active Directory environment.  If your enterprise deployment


Secure and Affordable 2-factor authentication: Yubikey

In the DoD there is a strong requirement for 2-factor authentication in the network.  For systems and workstations they use a successful implementation with Public Key Infrastructure (PKI) and a DoD common access card (CAC) which has a client certificate.  The user has a PIN; therefore, 2-factor.   Nothing like this exists for network devices (routers,


FIPS 140-3 is Coming: Time to Plan

FIPS 140-1 and FIPS 140-2 had quite a bit of longevity.  However, FIPS 140-3 is almost here.  Based on previous NIST standards development processes, the 140-3 standard will most likely have a publication date of a year from now.  So sometime in February/March 2014, FIPS 140-3 will be the dominant federal crypto module certification.  Not


Cisco IPv6 IOS Hardening – DoD Style

***Updated on 14 May 2014 – regarding NET-IPv6-022, See below*** Thousands of network engineers in the DoD out there looking at implementing IPv6 now have to address a few Security and Technical Implementation Guidance (STIG) items that they used to just annotate as “Not Applicable – NA.”  Now, IPv6 security is important.  If you are


Why 802.1x is Not Enough: How to Implement SeND – Part 2

Last month I presented the case as to why 802.1x authentication is not enough for local network (wired or wireless) security (go back here to read).  In this post I will present an alternative: IPv6 Secure Neighbor Discovery (SeND).  If you have an IPv6 enterprise, small IPv6 deployment, or a little IPv6 lab then pay


Why 802.1x is Not Enough: Use IPv6 SeND – Part 1

There’s been much debate in the IPv6 community regarding the abysmal support for IPv6 Secure Neighbour Discovery (SeND).  To get you up to speed on what IPv6 Secure Neighbour Discovery is, think IPv6 + 802.1x-like + ARP security + PKI environment.  Later in this blog I’ll show you how to set up an IPv6 SeND


The Importance of DoD UC APL Certification Testing

We just posted a white paper on our website that discusses the various reasons why getting commercial IT products tested at the Joint Interoperability Test Command (JITC) for DoD Unified Capabilities Requirements (UC) Approved Products List (APL) certification is very important. We also illustrate the advantages it gives product vendors selling in the U.S. Federal IT


IPv6 RA Guard Implementation Advice

Bravo to Fernando Gont for getting out a great Internet Draft (soon-to-be RFC) on the Implementation Advice on IPv6 Router Advertisement (RA) Guard.  This has been one of the open, gaping wounds in the side of IPv6 enterprise deployment for years.  In fact, many of us in the IPv6 and IPv6 security fields love to

