"Shaped like a Blogg! or a Garden hose!"

It has been some time since I felt inspired enough to put fingers to keyboard and create a new post. That changed when a friend of mine, recently released his Architects Manifesto in which he summarises his 10 points for delivering good Architecture.

Architect Manifesto:

Whilst I pretty much agree with this call to action as it stands, I thought I’d delve into the points myself and add my own perspective, as there is a little repetition in there. Each one of these I could probably write enough material to fill a book, a wildly disjointed book that is. Instead I’ve put together my high level view on each point.

1 Provide true value-add to clients. Just adding value is no longer enough

We live in a day and age where marketing hype is designed to make us believe that because a product or service exists, we need it.

Value, as we all know, is a relative statement. In order to provide something of actual value you need to know your audience. As cliched as it sounds, what keeps them up at night, goes a long way to understanding what they care about. If you can address those cares you can show true value.

2 Commit yourself to being an architect and technologist, rather than acting like a ‘techie’

An Architect is someone that “works with stakeholders, both leadership and subject matter experts, to build a holistic view of the organization’s strategy, processes, information, and information technology assets.”  and a Technologist is someone that uses technology to solve practical problems. Being an Architect and a Technologist is taking that holistic view and applying technology, and services, to solve business challenges.

Contrast these to a “techie” who is looking at the shiny and the cool features and functions that exist, doing stuff with them because you can, not because you need to.

3 Solve client business challenges instead of simply fixing technical problems

As covered in the last point, in our role as Architects our job is to look at how to fix business challenges (or problems) with technology. But to fix the problem we need to know what the problem is. this too goes back to the first point, know your audience.

This is vastly different than looking at technical issues and working out how to make it better. It doesn’t require you to know much about your audience at all. This is also why this is the easy way out for most.

Most of the time what comes to us is a technical problem, or an abstracted view of what the real issue is. The trick is to ferret out the underlying business challenge that needs to be addressed.

4 Architect compelling and cost effective solutions that close business

Before you cry out “what has closing business got to do with it?” think about what happens when there are no more projects. Very soon there will be a whole lot of people without a job, including you!

If you are pulling together solutions that solve actual business challenges with technology or services that are of actual value, chances are you are 90% of the way there. When you look at delivering the solution in the most cost effective manner you are home and hosed.

Cost effective can me a lot of things, but put simply, how can you resolve the challenge in front of you in the cheapest way. Can the solution be only 85% of what people want? Can you deliver it a different way? Is there a smarter way to cut the financials to make it more viable? You won’t know until you look.

5 Ensure client satisfaction instead of focusing on increasing customer satisfaction scores

When you take in the full picture of what it is you are trying to address, looking at all the stakeholders for the specific business concern, the more you work an understanding your audience, or customer, the more focused and tailored your solutions will be. This in turn will ensure satisfaction.

6 Don’t just build solutions with cool technologies; focus on building profitable solutions

This goes back to point number 2. Often as ex-techies we Architects love us some cool tech. If you have been keeping the previous rules 1 through 5 you should be in good standing. For me where this comes into play is if, when building your solution, you don’t reach back into the standard kit-bag you possess as a business to deliver what is needed.

If you reach for that latest and greatest bit of tech BEFORE you have a look at what you already have access to that is good enough you are potentially going to have something that is more expensive to build and run. That said, sometimes the new thing is cheaper and does a better job.

I look at this with my outsourcing Enterprise Architect hat on and how I know that for the most part customers are looking for cost effective solutions. When you bring in the new and unknown, you introduce risk. Risk equates to money and whilst you can  estimate what this might be, there will be a lot you don’t know. At best you bake in a risk contingency to your cost, worst case you end up getting caught out doing a large amount or remediation work at your own expense. This kills profitability and the financial viability of the solution as a whole.

7 Maintain leverage and objectivity when working with vendors and partners.

The one thing to remember when working with vendors and partners is that they want to maximise their

components of the solution you are pulling together. If you are looking after rules 1 through 6, when you get here you won’t have much in the way of issue as you will have a clear view on what the business concern you are addressing is, what specific bits of technology you need to address it and the value of your solution to the business.

Remember, you are only bringing in a partner or a vendor because there is something specific you need.

8 Create intellectual property and sustainable competitive differentiation. Do it!

This is a hard one. Many times we as Architects reach into the kit and and find that there isn’t the tool or appropriate building block available, so we create something new to fill the gap.

My thoughts on this is that if you work on the other 9 points, and do it well, this will fall out the bottom quite nicely, however, the trick here is to understand what it is you have done. Rarely will you be immediately aware of this yourself and this is where I find having a team to support you comes into play.

Whilst your head is down developing solutions that meet points 1 – 7 and 9 – 10, you won’t necessarily know what gold you have produced. In the peer (critical) review of your work, this will come to light. It will be honed and the nugget you have at the end needs to be understood and passed on. So many times I see Architects re-inventing the wheel where there was work that could have, should have, been  built on top of.

9 Know the competition; understand their value proposition, and solution to win.

You spend months pulling together that perfect solution and writing up the value proposition, only to find you’ve been pipped at the post by someone else.

Now there is nothing wrong with having a component of a solution that is a “me too”  offering, but you need to understand why yours a) has value and b) has unique value to that of the competition.

If you don’t take time out to understand what else is out there, what is in their bag of tricks (solution building blocks) and how they position their unique value, you will be doomed to failure, because I can guarantee you that they are making sure that they know yours.

10 Deliver real innovation to clients. Simply being innovative doesn’t cut it anymore.

To me this is calling something “innovation” when it is not. Building something that is looking for a problem is not really innovation, neither is an incremental improvement on what went before.
Innovation is the development of new values through solutions that meet new needs, inarticulate needs, or old customer and market needs in value adding new ways. Nuff said!

Summary

There is a great post today by my friend Daniel Baird over at his site Outside the Asylum on Optimising Security.

It shows the relationship between the cost of security, risk and profitability of an organisation.

As I commented on his site, I can see a number of follow up posts on this and how you flesh out the data-points that support it. It is a juggling act that every one of us in the information security space plays.

Offline password by binaryCoco available at “http://www.flickr.com/photos/binarycoco/2704267877/”

As you may have noticed there have been a lot of website and business breaches in the last 3-4 months where usernames, passwords and occasionally some personal information has been taken. You can see a consolidated, and up to date list here at liquidmatrix.org. Given that passwords are so easily “lost” these days, are they doing much more than security theatre?

This has been an ongoing topic of discussion for several years inside the info-sec community and I thought I’d get my current thoughts out on the subject as it seems to be coming to a head again.

It is becoming generally accepted that users cannot be trusted/expected to look after their credentials and more and more businesses are looking at offering additional ways in which to secure user accounts beyond the humble password.

Background

A bit of Background, the issue is really comprised of 2 parts, the businesses supplying their services and the people that use these services.

Part of the problems is that the businesses breached don’t always take the appropriate care when managing credentials, these are stored in plain text (readable by anyone) or in a poorly encrypted form (that allows the passwords to be cracked or reversed).

This is not always something that is malicious and there can be any number of reasons why this happens. For example, the people building these websites are web developers and not security people, they don’t necessarily know that the standard library or function that they call when building a web application is 10 years old, calls a deprecated function/hashing algorithm and doesn’t do what is required in this day and age.

A more pessimistic take is that you can see, historically, businesses that have been caught out by these breaches in the past don’t always take a hit financially (unless it leads to privacy violations and they are fined or sued) and weigh up the cost of doing things right vs. the likelihood of something going wrong and having to pay compensation. This attitude is definitely changing, as be described. More and more businesses are beginning to offer alternatives.

The other factor in this is that users tend to reuse their passwords across multiple sites. Users tend to do this for any number of reasons, mostly because it is convenient to only have to remember a small set of credentials to get around work and social media sites.

Password Management

The first thing you can do is start using a password generation tool like LastPass or 1Password. Most of the tools out there have the ability to generate passwords given a number of different parameters like whether it is pronounceable, includes numbers, capitalisations, hyphens, etc (see the example below of 1Password browser plugin for password generation).

Couple this with a tool that remembers your passwords and you now have the ability to generate new and unique passwords for each and every application and website you can think of.

Most of these applications have browser plugins too that automate the entire process so there isn’t even the need to do more than follow the prompts.

Passwords – becoming too hard

Given that all of this is very complicated and relies heavily on you to do the work, more and more businesses are realising that trusting their user base to create unique passwords is not necessarily the best thing and offer a number of additional mechanisms to assist in the protection of themselves and the authentication of their users.

This second factor authentication mechanism is something that you should always take advantage of.

2-Factor authentication

What is 2-Factor authentication? Two factor authentication takes the something you know (your password) and then adds in either something you have (like a security token) or something you are (biometrics).

The “something you have” can be any number of things:

• Digital certificate;
• Smart card (generally stores a digital certificate);
• Physical Token (generates a one time password or pin on a screen of a device);
• Soft token (generates a one time password or pin via an application); or
• SMS (short message service) one time password or pin.

The something you are is exactly that, something that is uniquely you:

• Fingerprint;
• Retina scan;
• Palm print;
•  etc.

This second factor when coupled with your password makes it a lot harder for your account and personal information to be compromised should one or the other components be lost.

Most financial organisations offer a number of options for 2 factor authentication. The most common of these are SMS based one time passwords for transactions. Others opt to provide their customers with physical tokens that generate one time passwords.

Other organisations have started offering 2-factor authentication methods for their users -

Google offers both SMS and soft tokens for unauthenticated devices or services across their services like Reader, Gmail, etc.- http://googleblog.blogspot.com.au/2011/02/advanced-sign-in-security-for-your.htm

Dropbox have just added soft tokens for previously unauthenticated devices - https://blog.dropbox.com/index.php/another-layer-of-security-for-your-dropbox-account/

WordPress are now offering Vasco tokens - http://www.scmagazine.com.au/News/313736,wordpress-adds-vasco-one-time-password-technology.aspx and support for the Google Authenticator application –  http://wordpress.org/extend/plugins/google-authenticator

Facebook  now supporting SMS based tokens for unauthenticated devices- http://www.facebook.com/note.php?note_id=10150172618258920

The above list is certainly not exhaustive, but shows that there is now a move away from the old Username and Password as the way in which to authenticate a person.

What should I do?

The short answer to this is as follows:

• Never reuse passwords. Ever;
• Be aware of the risks in linking accounts to each other;
• Use a password manager; and
• Take advantage of 2-factor authentication.

Following these 4 simple things won’t guarantee that you and your accounts will not be compromised, but it will guarantee that the damage will be mitigated.

I realise that things have been a bit quiet here. As I do from time to time, I have my head down working on things; addressing the bits in life that are important. I read a post by Rich Mogul of Securosis on his priorities in life at the moment and have an almost identical one. Between flying around the country and doing my day job I’ve been silly enough to pick up some additional vocational education and this is taking up my spare time. My version of the priority list looks a little like:

1. Family
2. Fitness
3. Work
4. Study
5. Everything else in my life

During the rare moments of down time I have I’ve managed to get several bit posts put together and hope to start to flesh these out in the coming months.

Sometimes I wonder if I bite off more than I can chew to see if I’ll break.

Recently on the twittersphere there was a short exchange  as to why would  a security professional care about VXLAN when they don’t care about ASICs in a switch.

In stead of putting the conversation up (I’m lazy and can’t be bothered screen capturing it) I thought I’d share my $0.10 worth here.

In short, you always need to be concerned about the path of data. Just like Network Architects want to know packet paths for engineering purposes a Security Professional also is concerned with what systems or processes does it cross and where are the enforcement (choke) points. But most importantly, you need to know the data path so you can secure it.

I’ll start by briefly explaining what VXLAN is, its deficiencies and then a quick look as to why a Security professional needs to be concerned with the data paths, irrespective of whether or not they are virtual or physical.

What is VXLAN?

VXLAN (IETF REF: http://tools.ietf.org/html/draft-mahalingam-dutt-dcops-vxlan-00) is “A Framework for Overlaying Virtualised Layer 2 Networks over Layer 3 Networks“. This is a VMware and Cisco (amongst others) initiative. That’s the fluffy way of saying it is a tunneling protocol, more precisely a L4 tunneling protocol.

Why have VXLAN?

Personally I wouldn’t. It is a VMware kludge to a very specific problem. However, if you are a VMware proponent then you have your uses. For any one dealing with large virtualised environments, especially multi-tennant ones, you will find that you run into the limitations of your L2 network (even a well designed one) really quickly; 4000 VLANs doesn’t go far in multi-tennant environments .

• How do you migrate VMs across L3 boundaries?
• How do you move devices about without changing IP addresses?
• Do all application support the readdressing of VMs?

Let’s take a fairly simple example of vMotion; this is not the ideal example but sufficient to get the concept across. vMotion is the movement of one Virtual Machine (VM) from a physical server to another physical server. Figure 1, below, shows a fairly simple setup with servers connected to the same switch, which we will assume are in the same Layer 2 Domain.

Figure 1 – Servers with VMs in a single L2 Domain

I won’t go into the gratuitous detail on how vMotion works, you can look that up for yourself, but for the VM to move from one physical machine to another there needs to be Layer 2 (L2) adjacency. Figure 2 below shows how the machine is replicated. The path between the virtual Machine on the left (highlighted in Green); through the Hypervisor (in this instance I’ve used VMware) out the physical NIC into the switch; out the switch; into the first NIC of the second server; up through it’s Hypervisor and finally coming to rest.

Stay with me there is a point to all of this.. I hope.

Figure 2 – VMotion path through switch.

Now, throw a router in the middle (see figure 3) and the whole process breaks. Because there isn’t the ability for L2 adjacency, it crosses the L3 boundary, the machine cannot move, let alone retain its IP address, etc.

Figure 3 – VM Servers in two L2 domains, separated by router.

As mentioned previously VXLAN is essentially a tunneling protocol. It is taking a Layer 2 frames and wrapping it in a Layer 4 Datagram, Figure 4 depicts 2 VXLAN networks, green and pink. This, with some other wizardry gets over some of the aforementioned limitations, the virtual machines are tied to a VXLAN ID by the Hypervisor (they need to be the same) which is then passed to the VTEP (VXLAN Tunnel End Point) which then wraps everything in a UDP packet (OK that is slightly simplified).

Figure 4 – VXLAN allows pseudo L2 connectivity across L3.

Now there is an L2 adjacency between the two servers, they can now replicate VMs between each other whilst maintaining the same L2 and L3 addresses. See Figure 5.

Figure 5 – vMotion across L3 boundaries is now possible with VXLAN.

Security Issues:

This is where I hope the rant has some value – If you didn’t care how the protocol works (even in a rudimentary sense) or how the data flowed in the scenarios above you wouldn’t understand what the limitations, and therefore potential security flaws, are or understand what issues it solves. That said VXLAN doesn’t solve any of the existing security issues we find in Ethernet today. It still requires processes to lock down deficiencies in the technology.

1. Just like Ethernet you can spoofing ARPs;
2. Broadcast storms still possible (turned into multicast within VXLAN domain);
3. No security mechanisms built into VXLAN;
4. If you have access to the network you can spoof anything? If you are on the same network as a VXLAN segment; and
5. Through the very nature of the VXLAN function you are also now removed from the ability to provide hardware handoff for L2-L7 security measures (think ACLs, VACLs, Firewalls, NAT, Load-balancing, etc). You need to have this gated between VXLAN domains via a VM that spans both.

Even ignoring all these new issues (yes they are new issues, is this a new way of accessing an environment, of course it is!) what about policies, enforcement points, network taps, etc, that may be already in place, in-line/path with the new VXLAN tunnel that you are proposing?

These are all why a security engineer/architect/designer needs to care about the path.

Now to the comment “security guys don’t care about the path through a switch’s ASIC…”, generally speaking, most won’t care, but they should. Just because it is a switch doesn’t mean that nothing happens to a packet once it goes in and then goes out the other side. ASICs are customised, programmable chips that allow the device to perform a number of different functions; if you’ve ever looked into this you will know that no two platforms are the same (even from the same vendor).

In the diagram below (which is a fictitious switch construct) you can see that there are some capabilities built into the different components of the switch, specifically the ASICs.

Getting traffic from one port to another port isn’t necessarily a simple thing. Can I get straight from Eth1 to Eth2 directly, or do I have to go up through the switching fabric to the L2 switching engine? What happens when I have to route (below shows a path of a packet when going via the routing engine)? Does, or can, the packet be modified/duplicated inside the switch and if so what happens? At what point in the packet’s path through the switch is policy enforced, and in what order?

The list goes on and on.

Most enterprise switches, even basic ones, will allow you to mirror ports, I’m pretty sure that Security folk would care about what ports are set up as mirrors and more importantly, what’s at the other end of that port.

Conclusion:

The scenario’s above are fairly simple, more advanced switches allow far more sophisticated things to happen. You can rewrite packets, pass off packets to other processors (Routing, Load balancing, Packet inspection, policy enforcement, etc). Again you need to know the path through the switch and what touches a packet to understand the risk and potential impact to that application.

UPDATE:

Chris Neal sums up my rant nicely below: