Sunday, April 25, 2021

Building Data Centers

Have you ever built a data center?

In my 40+ year career, I've probably been involved in building around 10 data centers.

Then this article was mentioned in Windows Weekly episode 721.


Microsoft currently operates more than 200 data centers. Think of the logistics of building 50-100 data centers each year! I'd guess there would have to be 10-20 people dedicated to each project not to mention the expenditures.

After each data center is up and running, then you've to facilitate the network connectivity, the power, the operations, etc.

In this article was a link to a virtual tour.

PS. The article mentions that few people ever get to tour Microsoft's physical data centers. I was fortunate enough to tour Microsoft's Redmond facility in the mid-2000s. The thing that made the longest lasting impression on me was a single server they had over in a nook in front of a glass window. They described that as a "generic" server. The idea was that any manufacturer could build a server to those specifications and the hardware would be interchangeable. In hindsight, no manufacturer wanted that as it would be too easy to displace them but the idea eventually manifested as virtual machines that aren't tied to a hardware specification.

Sunday, April 18, 2021

Application Layer Gateways - Part II

In Part I, I discussed Network Address Translation (NAT).
That seems like a good idea and it is.


What if the response doesn't come back on the same PORT as it originated on? Then NAT Port Address Translation (PAT) won't let it through.

How does NAT PAT know what to do?

That's when Application Layer Gateways (ALGs) come into play.

[ALG] allows customized NAT traversal filters to be plugged into the gateway to support address and port translation for certain application layer ... protocols ...

In Security Now Episode 792, Steve Gibson explains:

The problem is that Application Layer Gateways attempt to be completely transparent to the application protocols they’re proxying for. They’re sitting there in our routers, enabled by default, hidden, powerful, and automatic.

So you say that YOU don't have any of these? Think again.

Here's what my router has:

Even deep in the bowels of a really good router, this is described only as "Enable NAT Passthrough to allow a Virtual Private Network (VPN) connection to pass through the router to the network clients."

Fooled you, didn't it?

Look at that list of applications that are allowed to "tweak" the router so that traffic to different incoming ports is allowed.

Back to Security Now Episode 792, Steve Gibson related that he had gone through and judiciously turned these to "Disable." But then his Verizon femtocell wouldn't work. It needed IPSec.

More in Part III.

Sunday, April 11, 2021

Application Layer Gateways - Part I

This is the first in a series of posts about Application Layer Gateways. But first you have to understand Network Address Translation (NAT).

NAT is what makes your router such a good firewall.

Basically it makes all of your Internet requests look as if they originated from the router, hiding your various devices. But more than that, it only allows incoming packets that are responsive to outgoing packets.

Here's how wikipedia explains it:

[T]he port numbers are changed so that the combination of IP address (within the IP header) and port number (within the Transport Layer header) on the returned packet can be unambiguously mapped to the corresponding private network destination.

By Yangliy at English Wikibooks - Transferred from en.wikibooks to Commons., Public Domain,

In plain English, every time something is sent out from your network, the router keeps a record of it and will only allow incoming traffic that is responsive to that.

This has 2 benefits. First, the Internet can't see your internal network. All traffic looks like it originated from your router. Second, any non-responsive traffic, e.g. from hackers, is simply disregarded.

Part II will dig another layer deeper.

Sunday, April 04, 2021

Risks of Remote Work

I follow KnowBe4's blog. Recently they covered a white paper by Cybersecurity Insiders.

It raised several issues that I've been worried about since the pandemic hit and everybody went home.

KnowBe4 called out the following key findings:
  • Almost three-quarters of organizations are concerned about the security risks introduced by users working from home; despite these challenges, 86% are likely to continue supporting remote work in the future.
  • Key security challenges cited include user awareness and training (57%), home/public WiFi network security (52%), and sensitive data leaving the perimeter (46%).
  • The applications that organizations are most concerned with securing include, file sharing (68%), the web (47%), video conferencing (45%), and messaging (35%).
  • More than half of organizations see remote work environments having an impact on their compliance posture (70%). GDPR tops the list of compliance mandates (51%).
  • Organizations prioritize human-centric visibility into remote employee activity (34%), followed by next-generation anti-virus and endpoint detection and response (23%), improved network analysis and next-gen firewalls (22%), and Zero Trust Network Access (19%).
How is your organization going to mitigate concerns about continuing remote work?

How is your organization going to mitigate WiFi network security and data exfiltration?

How is your organization going to mitigate file sharing, video conferencing, and messaging?

Keep me posted.