
Firewalls, IPsec and Misc

posted Nov 9, 2013, 10:40 PM by Sami Lehtinen   [ updated Nov 9, 2013, 10:41 PM ]
  • Outbound firewall rules: well, that can also be considered a security problem if traffic is being tunneled over the 'wrong port' using encryption. That's why I often laugh when people talk about firewalling outgoing traffic. Blacklisting doesn't help; only very strict whitelisting helps. The same thing applies to many other security aspects. So if you have the HTTPS port open to any IP, your network's security is almost as good as with no outbound firewall at all. And don't forget tunneling over DNS etc.
  • Once again about IPsec: I think the biggest problem with VPNs and IPsec was incompatibility. I suggest that you go to a store, buy 20 random IPsec firewalls and try to create a mesh out of them where each IPsec firewall is connected to every other one. If you want a bit more of a challenge, add dynamic IPs for all devices and use DDNS, and see how it works out. I can tell you, it won't; even if you spent a year trying to get them connected, you'd most likely fail to get the manufacturers to deliver properly working firmware.
  • Read: Python 2 vs. Python 3, A retrospective, Guido van Rossum, Hackers 2013 (no link; it's on Dropbox, I assume you'll be able to find it if you're interested. I don't expect the original source to be long-lived.)
  • Checked out: Shortcutmedia and Aurasma, alternatives to QR codes, and augmented reality.
  • A really nice article on QR code error correction, with great examples!
  • Good reading: OpenPGP best practices. Nothing new for me, but if you aren't familiar with OpenPGP and the related security issues, this is just perfect for you.
  • More good reading: "Introducing SL4A: The Scripting Layer for Android" by Pieter Greyling and "Packaging and Distributing" by Paul Ferrill.
  • Studied and read about SSD file systems, this time DirectFS by FusionIO. Also read a study about write amplification.
  • Had a discussion with guys who claimed it makes sense to put the browser cache in RAM. I thought: what's the point of using a "file cache" on a RAM disk when there is the direct memory cache option? Usually it's much more efficient, with a lot less overhead. If the default RAM cache isn't large enough, you can make it larger, and you can also disable the disk cache completely.
    With Firefox see the setting: browser.cache.memory.capacity
  • One customer had summer workers added to the Domain Administrator group because they had issues with access rights. Just perfect. This is the usual state of "data security", nothing new. So after all, hacking and cracking some systems isn't hard at all if you already have full access to them due to bad access rights management.
  • Studied: Persona Beta 2 by Mozilla and polychart.js.
  • Witnessed classic default login/password usage with one customer. That's just great! Nobody can guess the default login and password, right?
  • Something completely different to refresh the mind: PAK DA and Next Generation Bomber
  • Google App Engine now allows: "European Data Location selectable now for billing enabled applications, premier account isn't required anymore." (This is from the backlog.)
  • Quickly checked out the distributed task queue Celery. Right now I don't have a use for it, so no reason to study it more deeply. In many cases I'm using SQL tables as a queue; we all know that it isn't a perfect solution, but if the task rate is reasonably low, it's a good old working solution.
  • It's interesting to see Intel pushing HTML5 dev tools forward. I thought HTML5 was a huge risk for Intel: ARM tablets/phones/smart TVs, ARM servers with Linux OS, open source dev tools. Doesn't sound too good for Wintel.
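On the outbound firewall point above (strict whitelisting rather than blacklisting, and the DNS tunneling caveat), here is an added example in Python. It is not code from the original post; the connection-log and resolver-log formats, the addresses in the allowlist and the heuristic thresholds are all assumptions constructed for illustration. It audits outbound connection records against an explicit (destination, port) allowlist, so that "HTTPS to anywhere" shows up as a finding, and then runs a simple tunneling heuristic over DNS query names: many queries to one zone whose leftmost label is long and high-entropy.

```python
"""Egress allowlist audit plus a DNS-tunneling heuristic.

Added example, not from the original post. The log formats, the
allowlist and the thresholds are assumptions chosen for illustration;
adapt them to whatever your firewall and resolver actually emit.
"""
import math
from collections import defaultdict

# Strict egress allowlist: (destination, port) pairs that are permitted.
# Anything not listed is a finding, including HTTPS to an unknown host.
# Addresses are assumed values for the example.
EGRESS_ALLOW = {
    ("198.51.100.10", 443),   # assumed corporate update proxy
    ("198.51.100.53", 53),    # assumed internal resolver
}

# Constructed sample of outbound connection records: src dst port proto.
CONN_LOG = """\
10.0.0.5 198.51.100.10 443 tcp
10.0.0.5 203.0.113.7 443 tcp
10.0.0.9 198.51.100.53 53 udp
10.0.0.9 203.0.113.9 22 tcp
"""


def audit_egress(log_text, allow=EGRESS_ALLOW):
    """Return every record whose (dst, port) is not on the allowlist."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, port, proto = line.split()
        if (dst, int(port)) not in allow:
            findings.append((src, dst, int(port), proto))
    return findings


def shannon_entropy(s):
    """Bits per character of the string s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Constructed resolver log: client qname qtype. The long labels are
# base64-looking junk made up for the example, as a tunnel would emit.
DNS_LOG = """\
10.0.0.9 www.example.com A
10.0.0.9 mail.example.com MX
10.0.0.9 aGVsbG8gd29ybGQgdGhpcyBpcyB0dW5uZWxlZA.t.example.org TXT
10.0.0.9 dGhlIHF1aWNrIGJyb3duIGZveCBqdW1wcyBvdmVy.t.example.org TXT
10.0.0.9 bGF6eSBkb2cgYW5kIGtlZXBzIG9uIHJ1bm5pbmc.t.example.org TXT
10.0.0.9 c2VuZGluZyBtb3JlIGJ5dGVzIG91dCBvZiB0aGU.t.example.org TXT
"""


def suspicious_dns(log_text, min_label_len=30, min_entropy=3.5, min_queries=3):
    """Map zone -> count of queries whose leftmost label is long and high-entropy.

    Only zones with at least min_queries such queries are returned. The
    thresholds are assumptions; tune them against your own baseline.
    """
    per_zone = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname, qtype = line.split()
        labels = qname.rstrip(".").split(".")
        leftmost = labels[0]
        zone = ".".join(labels[-3:])  # e.g. t.example.org
        if len(leftmost) >= min_label_len and shannon_entropy(leftmost) >= min_entropy:
            per_zone[zone] += 1
    return {zone: n for zone, n in per_zone.items() if n >= min_queries}


if __name__ == "__main__":
    for finding in audit_egress(CONN_LOG):
        print("not on allowlist:", finding)
    for zone, n in suspicious_dns(DNS_LOG).items():
        print("possible DNS tunnel:", zone, n, "queries")
```

The entropy/length heuristic is deliberately crude: it will also flag CDN and anti-spam lookups that use long hashed labels, so treat hits as something to baseline and investigate rather than block outright. The egress audit, on the other hand, is exactly the whitelisting argument made above: the only "allowed" traffic is what was explicitly listed.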
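On the "SQL table as a queue" note above: the usual way that pattern goes wrong is two workers both reading the same row as pending and both starting it. As an added example (not code from the original post), here is a small SQLite-backed queue in Python with an atomic claim step and a lease, so that a task whose worker dies is picked up again and the dead worker can no longer mark it done. The schema, column names, lease length and the two-worker demo are all assumptions constructed for illustration.

```python
"""A task queue on top of a plain SQL table, with an atomic claim step.

Added example, not from the original post. Uses SQLite via the standard
library; schema, column names and lease length are assumptions. On
PostgreSQL the same idea is SELECT ... FOR UPDATE SKIP LOCKED instead of
BEGIN IMMEDIATE.
"""
import os
import sqlite3
import tempfile
import time

SCHEMA = """
CREATE TABLE IF NOT EXISTS tasks (
    id          INTEGER PRIMARY KEY AUTOINCREMENT,
    payload     TEXT NOT NULL,
    status      TEXT NOT NULL DEFAULT 'pending',   -- pending | running | done
    worker      TEXT,
    lease_until REAL                               -- unix time; reclaim after this
);
CREATE INDEX IF NOT EXISTS tasks_status_idx ON tasks(status, id);
"""


def open_queue(path):
    # isolation_level=None: autocommit, we issue BEGIN/COMMIT ourselves.
    conn = sqlite3.connect(path, isolation_level=None)
    conn.execute("PRAGMA journal_mode=WAL")
    conn.executescript(SCHEMA)
    return conn


def enqueue(conn, payload):
    return conn.execute("INSERT INTO tasks (payload) VALUES (?)", (payload,)).lastrowid


def claim(conn, worker, lease_seconds=30, now=None):
    """Atomically take the oldest pending task, or a running one whose lease expired.

    BEGIN IMMEDIATE takes SQLite's write lock before the SELECT, so two
    workers cannot both see the same row as pending. Returns (id, payload)
    or None when nothing is available.
    """
    now = time.time() if now is None else now
    conn.execute("BEGIN IMMEDIATE")
    try:
        row = conn.execute(
            "SELECT id, payload FROM tasks "
            "WHERE status = 'pending' OR (status = 'running' AND lease_until < ?) "
            "ORDER BY id LIMIT 1",
            (now,),
        ).fetchone()
        if row is None:
            conn.execute("COMMIT")
            return None
        task_id, payload = row
        cur = conn.execute(
            "UPDATE tasks SET status = 'running', worker = ?, lease_until = ? "
            "WHERE id = ? AND (status = 'pending' OR lease_until < ?)",
            (worker, now + lease_seconds, task_id, now),
        )
        conn.execute("COMMIT")
        return (task_id, payload) if cur.rowcount == 1 else None
    except Exception:
        conn.execute("ROLLBACK")
        raise


def complete(conn, task_id, worker):
    """Mark done only if this worker still holds the task; a stale worker gets False."""
    cur = conn.execute(
        "UPDATE tasks SET status = 'done' WHERE id = ? AND worker = ? AND status = 'running'",
        (task_id, worker),
    )
    return cur.rowcount == 1


def demo():
    """Two workers sharing one queue file; returns the observed sequence of events."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        a, b = open_queue(path), open_queue(path)
        for p in ("job-1", "job-2"):
            enqueue(a, p)
        first = claim(a, "worker-a", now=1000.0)      # worker-a takes job-1
        second = claim(b, "worker-b", now=1000.0)     # job-1 is taken, so job-2
        third = claim(b, "worker-b", now=1000.0)      # nothing left
        # worker-a dies; after the 30 s lease expires worker-b reclaims job-1
        reclaimed = claim(b, "worker-b", now=1031.0)
        late = complete(a, first[0], "worker-a")      # stale worker is refused
        ok = complete(b, reclaimed[0], "worker-b")
        a.close()
        b.close()
        return {"first": first, "second": second, "third": third,
                "reclaimed": reclaimed, "late": late, "ok": ok}
    finally:
        for ext in ("", "-wal", "-shm"):
            try:
                os.remove(path + ext)
            except FileNotFoundError:
                pass


if __name__ == "__main__":
    print(demo())
```

The lease is what makes this usable unattended: without it a crashed worker leaves its row stuck in 'running' forever, and without the `worker = ?` check in `complete` a worker that was merely slow could mark a task done after someone else had already re-run it. It still polls, which is why the note above is right that this only makes sense at low task rates.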