Architecting for Security on AWS

My latest course Architecting for Security on AWS is now available on Pluralsight!

You’ll learn how to secure your data and AWS services using a defense-in-depth approach, including:

  • Protecting your AWS credentials using identity and access management
  • Capturing and analyzing logs using CloudTrail, CloudWatch, and Athena
  • Implementing network and instance security
  • Encrypting data at rest and in-transit
  • Setting up data backup, replication, and recovery

Go check it out!

AWS Networking Deep Dive Courses

Puzzled by networking on AWS? Check out my AWS networking deep dive series!

AWS Networking Deep Dive: Route 53 DNS

Configure Route 53 for any domain name, and configure health checks and routing policies.


AWS Networking Deep Dive: Virtual Private Cloud (VPC)

Create secure and scalable VPCs. Implement multi-VPC topologies, build peering connections, network address translation, and more.


AWS Networking Deep Dive: Elastic Load Balancing (ELB)

Securely configure load balancing for any public or private application. Implement HTTPS, path-based routing, and idle timeouts.

AWS Networking Deep Dive: Route 53 DNS

Many of you have been asking for months when my Route 53 course would release. Well, it’s finally here! AWS Networking Deep Dive: Route 53 DNS is now available on Pluralsight.

Topics covered include:

  • Configuring Route 53 to work with any domain name, even one registered with a different registrar
  • DNS concepts and how Route 53 fits in with the internet’s domain name system
  • Creating public hosted zones, health checks, and routing policies
  • Using private hosted zones with multiple VPCs


101 Public DNS Servers Sorted by Speed

You probably know the popular Google DNS server IP addresses by heart: 8.8.8.8 and 8.8.4.4. Before those were around, you might have even used Level3’s 4.2.2.1 and 4.2.2.2. Of course, everyone else uses these too, which means these popular servers are under a pretty heavy load.

Fortunately, there are faster public DNS servers out there. Much faster.

101 DNS Servers

I’ve compiled a list of 101 public DNS servers (PDF), sorted in order of fastest to slowest (for me).

A few things to keep in mind

This is not an exhaustive list of all public name servers, nor are these necessarily the fastest servers that exist. But if you’re using one of the more popular public name servers, you can easily see how other servers rank against those in terms of speed.

Not all DNS servers behave the same way. Some will return intentionally incorrect responses, usually if the query is for a malicious domain. Others will return inconsistent results, which can be problematic if you’re testing for recently changed records.

One name server in particular seemed to rate-limit my queries, and this behavior seemed to change based on the query type. For instance, queries for * (all) would time out, while queries for SOA records would work. After waiting a little while and trying again, the server answered all my queries quickly.

The lesson here is test the server thoroughly and get familiar with its quirks before using it everywhere.
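As a hands-on companion to that advice, here is an added example of my own (it is not code from the original post, and it is not how the PDF list was produced) that measures and sanity-checks resolvers the way the post describes. It sends raw A queries over UDP using only .NET classes that ship with PowerShell Core, so it runs on Linux and Windows without the Windows-only DnsClient module; it times each answer, counts timeouts, checks whether repeated answers from one server agree with each other, and flags resolvers that answer with addresses for a name that cannot exist (NXDOMAIN rewriting). The server addresses are the ones named in the post; the test name, the constructed bogus name under the reserved .example TLD, and all function names are my own assumptions.

```powershell
# Added example: time and sanity-check public resolvers with raw DNS queries from PowerShell Core.
# Sends real queries over the network to the servers you pass in.

function Skip-DnsName {
    # Return the offset just past a DNS name: either a label sequence ending in a zero byte
    # or a two-byte compression pointer (top two bits set).
    param([byte[]] $Buffer, [int] $Offset)
    while ($true) {
        $len = $Buffer[$Offset]
        if ($len -eq 0) { return $Offset + 1 }
        if (($len -band 0xC0) -eq 0xC0) { return $Offset + 2 }
        $Offset += $len + 1
    }
}

function Invoke-RawDnsQuery {
    # Send one A query to $Server and return latency, RCODE and any A records in the answer.
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $Name,
        [int] $TimeoutMs = 2000
    )
    $id = Get-Random -Minimum 0 -Maximum 65536
    $header = [byte[]]@(
        ($id -shr 8), ($id -band 0xFF),                  # transaction ID
        0x01, 0x00,                                      # flags: standard query, recursion desired
        0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00   # QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    )
    $qname = [System.Collections.Generic.List[byte]]::new()
    foreach ($label in $Name.TrimEnd('.').Split('.')) {
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($label)
        $qname.Add([byte]($bytes.Length))
        $qname.AddRange($bytes)
    }
    $qname.Add(0)                                        # root label terminates the name
    $packet = [byte[]]($header + $qname.ToArray() + [byte[]]@(0, 1, 0, 1))   # QTYPE=A, QCLASS=IN

    $result = [ordered]@{ Server = $Server; Name = $Name; Ms = $null; Rcode = $null; Addresses = @(); Status = 'ok' }
    $udp = [System.Net.Sockets.UdpClient]::new()
    $udp.Client.ReceiveTimeout = $TimeoutMs              # Receive() throws when this expires
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $target = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Parse($Server), 53)
        [void]$udp.Send($packet, $packet.Length, $target)
        $remote = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
        $resp = $udp.Receive([ref]$remote)
    } catch {
        $result.Status = 'timeout'                       # no answer within $TimeoutMs (or socket error)
        return [pscustomobject]$result
    } finally {
        $sw.Stop()
        $udp.Dispose()
    }
    $result.Ms = [math]::Round($sw.Elapsed.TotalMilliseconds, 1)
    if ((($resp[0] -shl 8) -bor $resp[1]) -ne $id) { $result.Status = 'id-mismatch'; return [pscustomobject]$result }
    $result.Rcode = $resp[3] -band 0x0F                  # 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN, 5 REFUSED
    $ancount = ($resp[6] -shl 8) -bor $resp[7]
    $offset = (Skip-DnsName $resp 12) + 4                # skip question name, QTYPE and QCLASS
    for ($i = 0; $i -lt $ancount; $i++) {
        $offset = Skip-DnsName $resp $offset
        $type  = ($resp[$offset] -shl 8) -bor $resp[$offset + 1]
        $rdlen = ($resp[$offset + 8] -shl 8) -bor $resp[$offset + 9]
        $rdata = $offset + 10                            # past TYPE(2) CLASS(2) TTL(4) RDLENGTH(2)
        if ($type -eq 1 -and $rdlen -eq 4) { $result.Addresses += ($resp[$rdata..($rdata + 3)] -join '.') }
        $offset = $rdata + $rdlen
    }
    return [pscustomobject]$result
}

function Test-DnsServers {
    # For each server: query a real name several times (speed, timeouts, answer consistency)
    # and one name that must not exist (a NOERROR answer with addresses means NXDOMAIN rewriting).
    param([string[]] $Servers, [string] $Name = 'benpiper.com', [int] $Samples = 3)
    $bogus = 'nxdomain-test-' + (Get-Random) + '.example'   # constructed; .example is a reserved TLD
    foreach ($s in $Servers) {
        $runs = 1..$Samples | ForEach-Object { Invoke-RawDnsQuery -Server $s -Name $Name }
        $ok = @($runs | Where-Object Status -eq 'ok')
        $median = $null
        if ($ok.Count -gt 0) { $median = @($ok.Ms | Sort-Object)[[int][math]::Floor($ok.Count / 2)] }
        $nx = Invoke-RawDnsQuery -Server $s -Name $bogus
        [pscustomobject]@{
            Server     = $s
            MedianMs   = $median
            Timeouts   = $Samples - $ok.Count
            AnswerSets = @($ok | ForEach-Object { ($_.Addresses | Sort-Object) -join ',' } | Sort-Object -Unique).Count
            RewritesNx = ($nx.Status -eq 'ok' -and $nx.Rcode -eq 0 -and $nx.Addresses.Count -gt 0)
        }
    }
}

# The four addresses are the ones mentioned in the post; output is sorted fastest first like the PDF list.
Test-DnsServers -Servers '8.8.8.8', '8.8.4.4', '4.2.2.1', '4.2.2.2' | Sort-Object MedianMs | Format-Table -AutoSize
```

An AnswerSets value above 1 just means the server returned differently ordered or differently sized record sets across samples, which is normal for round-robin names; a server whose Timeouts climbs on repeated runs is showing the kind of rate limiting the post describes, and RewritesNx being true is the "intentionally incorrect response" behaviour to watch for before you put a resolver in front of anything that relies on NXDOMAIN meaning what it says.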

Installing PowerShell Core on Amazon Linux

In preparation for my latest course in the AWS Networking Deep Dive series, I wanted to install PowerShell Core on an Amazon Linux instance to test out cross-platform compatibility for some scripts.

Specifically, I wanted to see if I could use methods in the System.Net.Dns class to perform name resolution. The dnsclient PowerShell module provides some cmdlets for this very purpose, but that module is Windows-only, and I needed something that would work across different platforms.

To my surprise, it wasn’t as easy as just running sudo yum -y install powershell. Fortunately, it wasn’t as difficult as building from source. Here’s what I did:

Install the dependencies

sudo yum install -y curl libunwind libicu libcurl openssl libuuid.x86_64

Download the installation script

This script just fetches the tarball and extracts it to /opt/microsoft/powershell.

wget https://raw.githubusercontent.com/PowerShell/PowerShell/master/docker/InstallTarballPackage.sh

Set the script to be executable

chmod +x InstallTarballPackage.sh

Run the script, specifying the PowerShell version (6.0.1) and package tarball as the arguments:

sudo ./InstallTarballPackage.sh 6.0.1 powershell-6.0.1-linux-x64.tar.gz

If you want to install a specific version (like the latest), then refer to the releases on the PowerShell repo.

Run PowerShell!

The command is pwsh, as in “Present Working SHell” (clever points). Be sure to use sudo, as it does require root privileges:

sudo pwsh

Get Your .NET On

The whole point of this exercise was to see if I could use .NET to perform DNS name resolution without any of the cmdlets in the Windows-only dnsclient module. Did it work? Let’s see.

PowerShell v6.0.1
Copyright (c) Microsoft Corporation. All rights reserved.
 
https://aka.ms/pscore6-docs
Type 'help' to get help.
PS /home/ec2-user> [System.Net.Dns]::GetHostAddresses("benpiper.com").IPAddressToString 
52.205.213.4

Yes indeed! Of course, I can still use the usual PowerShell tricks to extract just the data I want:

PS /home/ec2-user> [System.Net.Dns]::GetHostByName("pluralsight.com") | Select-Object AddressList

AddressList
-----------
{54.213.174.143, 35.164.44.204, 52.39.160.43}

I can also drill down to pick out just the first IP address in the list:

PS /home/ec2-user> ([System.Net.Dns]::GetHostByName("pluralsight.com")).AddressList[0].IpAddressToString
54.213.174.143

Run it again, and I get a different address:

PS /home/ec2-user> ([System.Net.Dns]::GetHostByName("pluralsight.com")).AddressList[0].IpAddressToString
52.39.160.43

Looks like round-robin DNS! But will this command work cross-platform? Let’s try it on my Windows 10 machine:

PS C:\Users\admin> ([System.Net.Dns]::GetHostByName("pluralsight.com")).AddressList[0].IpAddressToString
35.164.44.204

Yes! This is exactly why I chose PowerShell. The same command that works on Linux also works on Windows, which makes it perfect for an OS-agnostic course.
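Building on that result, here is an added example of my own (not code from the original post) that wraps the same System.Net.Dns call in a function usable from scripts on either OS. It uses GetHostEntry, the non-obsolete replacement for GetHostByName in .NET Core, lets you filter by address family, and turns a failed lookup into a result object instead of an unhandled exception. Because round-robin DNS reorders AddressList on every call, as the post shows, the second function compares the whole address set against what you expect rather than trusting AddressList[0]. The function names, the -Family parameter and the constructed test name under the reserved .invalid TLD are my own assumptions; the expected addresses are the ones shown in the post.

```powershell
# Added example: cross-platform name resolution with System.Net.Dns in PowerShell Core or Windows PowerShell.

function Resolve-HostCrossPlatform {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string[]] $Name,
        [ValidateSet('IPv4', 'IPv6', 'Any')] [string] $Family = 'Any'   # assumed parameter, not a .NET one
    )
    process {
        # Map the friendly family name to the .NET enum; $null means "no filter".
        $wanted = switch ($Family) {
            'IPv4'  { [System.Net.Sockets.AddressFamily]::InterNetwork }
            'IPv6'  { [System.Net.Sockets.AddressFamily]::InterNetworkV6 }
            default { $null }
        }
        foreach ($n in $Name) {
            try {
                $entry = [System.Net.Dns]::GetHostEntry($n)       # replacement for the obsolete GetHostByName
                $addrs = $entry.AddressList | Where-Object { $null -eq $wanted -or $_.AddressFamily -eq $wanted }
                [pscustomobject]@{
                    Name      = $n
                    Resolved  = $true
                    HostName  = $entry.HostName
                    Addresses = @($addrs | ForEach-Object IPAddressToString)
                    Error     = $null
                }
            } catch {
                # A SocketException such as "No such host is known" lands here on both Linux and Windows.
                [pscustomobject]@{
                    Name      = $n
                    Resolved  = $false
                    HostName  = $null
                    Addresses = @()
                    Error     = $_.Exception.GetBaseException().Message
                }
            }
        }
    }
}

function Test-HostResolvesTo {
    # Round-robin DNS changes the order of AddressList on each call, so check the set, not element [0].
    param([string] $Name, [string[]] $ExpectedAddresses)
    $got = (Resolve-HostCrossPlatform -Name $Name -Family IPv4).Addresses
    $unexpected = @($got | Where-Object { $_ -notin $ExpectedAddresses })
    [pscustomobject]@{
        Name       = $Name
        Addresses  = $got
        Unexpected = $unexpected
        Pass       = ($got.Count -gt 0 -and $unexpected.Count -eq 0)
    }
}

# Usage: the last name is constructed and cannot resolve (.invalid is reserved), so it exercises the error path.
'pluralsight.com', 'benpiper.com', 'does-not-exist.invalid' | Resolve-HostCrossPlatform -Family IPv4 | Format-List
Test-HostResolvesTo -Name 'pluralsight.com' -ExpectedAddresses '54.213.174.143', '35.164.44.204', '52.39.160.43'
```

Resolve-HostCrossPlatform goes through the operating system's resolver, exactly like the one-liners in the post, so it honours /etc/hosts, the hosts file, and whatever DNS servers the OS is configured with; if you need to ask a specific server, you have to build the query yourself rather than use System.Net.Dns.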

Ready to learn more PowerShell? Sign up for a free trial with Pluralsight and get unlimited access to every course in their humongous library!

Is Social Media Bad?

Most of us have tossed around the idea of restricting our social media consumption, or even giving it up altogether. It’s not that we don’t like it. We love it, sometimes too much. But inherently, something about social media just seems wrong. But what is it?

Social is Not a Neutral Tool

People often say that social media is just a tool, and like any other tool, it can be abused, but it can also be used for good. After mulling on this for several months, I have to disagree. Social media is not a tool. It’s not neutral. And that has nothing to do with the platform. Social can’t be neutral because it’s comprised of people, and people are not neutral.

Think of it this way. Imagine you’re at your favorite hangout. Maybe it’s a coffee shop, restaurant, the library, zoo, whatever. You’re having a good time, when suddenly, a large group of people appears. They all start talking to each other, LOUDLY, and what they’re saying is seriously ticking you off. They’re spewing some of the most unpleasant, irritating, obnoxious garbage you’ve ever heard.

What do you do? Most likely you’d put on your headphones, if you have any, or you’d leave. Yeah, you might engage some of the people for a while, if that’s your personality. But would you purposely subject yourself to that noxious experience day after day? Probably not.

And yet, when it comes to social media, many continually subject themselves to that kind of toxic social interaction multiple times a day.

Technical Solutions Don’t Work

Even before social media was big, people were trying to come up with a technical solution to this problem. Banning, shadowbanning, muting, blocking, throttling, etc. have all been tried.

But none of it has worked, or even helped much. If anything, social media interaction has gotten worse, not better. These solutions are predicated on the notion that social media is just a neutral platform, and if we enforce the right rules, we can maintain that neutrality. But that’s a false notion. Again, social media can’t be neutral because people are not neutral.

The only way for social media to work is for people to properly police their own behavior. This is exactly what happens in real-life social situations. Nobody dares to walk into a noisy restaurant and launch into a profanity-laced tirade against a perfect stranger. But much of the time, that inhibition is driven by self-preservation rather than a moral imperative. Remove the risk of getting physically assaulted, and many won’t hesitate to say the vilest, ugliest stuff. That’s what social media does.

Bad Behavior is Contagious

Is social media bad? Not inherently. But it’s not inherently good either. People choose to behave in morally good or bad ways. When immoral speech spills over into social media, it spreads like a cancer. We love to think of ourselves as being in control of our own thoughts and choosing our own influences. But that’s just not true. Bad company corrupts good morals, as the Apostle Paul said, and being exposed to trash on social media day after day does affect you, even if you don’t consciously realize it.

How often have you gotten viscerally angry at something you read on Twitter or Facebook? Sure, you can get mad reading something on any website or even in a book. But those occurrences are few and far between. On social, they’re the norm. When you saw something that made you really mad, how long did you stew about it? Did your mood affect your interactions with other people?

This domino effect isn’t unique to social, of course, but it is amplified. Our use of social media is 180 degrees out of phase. For our own sanity, it should comprise seconds, maybe minutes of our day. Our one-on-one and in-person interactions should be the bulk. That tweet that made you burning mad should be a once-a-week event. Most of your disagreements with another person should be hashed out one-on-one, privately, not in a public forum with spectators.

Is Social Media Worth It?

Should you stop using social media? I think that’s the wrong question. A better question is why should you use it? What value does it hold for you? And is it worth the price you pay in terms of time, sanity, and relationships with others?

It’s not unusual to see someone take a break from social, usually for a week or two, but sometimes a month or more. This is common and doesn’t usually raise any eyebrows. But if you heard someone say, “I’m taking a break from all social interaction for a month!” you’d immediately think something was amiss. This is evidence that instinctively, we know something is off about social. You only take long breaks from something when you detect that it’s not healthy to continue at your current pace.

As ironic as it seems, cutting back on social media would probably make everyone more social.

Get a Free Hardcopy of “Learn Cisco Network Administration”

For the rest of this month, I’m giving away 10 free hardcopies of my book Learn Cisco Network Administration in a Month of Lunches. Even if you already own the book, you can pick up a free extra copy to give to a friend, coworker, or just to leave around the office.

There are two ways you can get your copy:

If you’ve already read the book:

  1. Click here to leave a review on Amazon.
  2. Once your review goes live, send me an email and let me know. Remember to include where you want me to ship the book.

If you haven’t read it:

  1. Click here to sign up for my newsletter. If you’re already signed up, proceed to step 2.
  2. Send me an email and let me know you’ve already signed up. Remember to include your name and mailing address so I know where to send the book.

Looking for something more advanced?

If you’re already a Cisco CCNA-level professional and are ready to go to the next level, check out the CCNP Routing & Switching Learning Path.

Understanding the Meltdown Attack

This month, security researchers released a whitepaper describing the Meltdown attack, which allows anyone to read the full physical memory of a system by exploiting a vulnerability in Intel processors. If that sounds bad, that’s because it is. It means that if you’re running workloads on a public cloud provider, and you don’t have a dedicated server, an attacker can read what your workloads are putting into memory. This includes passwords, private keys, credit card numbers, your cat’s middle name, etc.

How Meltdown works

As a way of eking out every ounce of speed, modern processors perform out-of-order execution. Rather than executing a program one instruction at a time, the processor fetches multiple instructions at once and places them in an instruction queue. It then executes each instruction as soon as possible (and usually out-of-order) and stores each instruction’s output (if there is any) in a cache.

Now here’s the kicker. An instruction can do nasty things. Out-of-order execution runs instructions that the program isn’t allowed to run. Take the following assembly instruction:

; rcx = kernel address
mov al, byte [rcx]

This copies one byte of data from the kernel memory and places it in a temporary portion of CPU memory, called a register. With in-order processing, the CPU would not allow this instruction to execute.

But with out-of-order execution, the CPU does execute the instruction, and it stores the resulting byte value in a temporary cache. The CPU then raises an exception and terminates the program.

But the byte value is still stored in the cache. This is where the flaw in Intel’s microcode lies. The CPU should clear the cache as soon as the exception is raised. But it doesn’t. It leaves it there, vulnerable to another type of side-channel attack called a cache attack.

Cache attacks have been around for years, and there are several different types which a hacker can use in conjunction with Meltdown to figure out the data stored in cache. For a great explanation of how these attacks work, check out Bert Hubert’s article on Spectre and Meltdown. It’s trivial for an attacker to pull one off, quickly.

Only Intel Processors were Shown to be Vulnerable

The researchers were not able to duplicate the results on AMD or ARM processors, which also use out-of-order execution. They speculate that they theoretically could, but they were not able to at the time they released the paper. You certainly shouldn’t assume that all non-Intel processors are immune to Meltdown.

Disabling out-of-order execution isn’t the answer

In order to be effective, the Meltdown attack depends on out-of-order execution as a necessary but not sufficient condition. Thus, simply having out-of-order execution enabled is not enough to make Meltdown possible. Disabling out-of-order execution does prevent Meltdown, but the performance impact is substantial.

What about Spectre?

Spectre is not the same as Meltdown. Although Spectre works against all CPUs, including Intel, AMD, and ARM, pulling off a Spectre attack is trickier. But both are equally bad and rely on out-of-order execution, which is why you usually see them lumped together.

You don’t need to replace your hardware

You don’t need to replace your hardware, and anyone who says you do is either trying to tell you something. Now for the obvious part. To mitigate Meltdown and Spectre, install the latest security patches for your operating system, BIOS, and CPU firmware — after sufficient testing, of course.
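Patching is only half the job; you also want to confirm the patches took. Here is an added example of my own (not from the original post) that reports the platform's own view of Meltdown and Spectre mitigation status, in PowerShell so it runs on the same Amazon Linux instance and Windows machine used earlier on this page. On Linux, newer kernels publish one file per issue under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2, and more on later kernels); on Windows, Microsoft's SpeculationControl module provides Get-SpeculationControlSettings. The function name and the "Mitigated" interpretation of the status strings are my own; the sysfs path and the Microsoft cmdlet are real.

```powershell
# Added example: verify Meltdown/Spectre mitigation status after patching the OS, BIOS and microcode.

function Get-SpeculativeExecutionMitigationStatus {
    if ($IsLinux) {
        $dir = '/sys/devices/system/cpu/vulnerabilities'
        if (-not (Test-Path $dir)) {
            # Older kernels predate this interface; an absent directory does not mean "mitigated".
            return [pscustomobject]@{ Issue = '(kernel does not report)'; Status = 'unknown'; Mitigated = $null }
        }
        foreach ($f in Get-ChildItem -Path $dir -File) {
            $status = (Get-Content -Path $f.FullName -Raw).Trim()
            [pscustomobject]@{
                Issue     = $f.Name                         # e.g. meltdown, spectre_v1, spectre_v2
                Status    = $status                         # e.g. "Mitigation: PTI", "Vulnerable", "Not affected"
                Mitigated = ($status -like 'Mitigation:*' -or $status -eq 'Not affected')
            }
        }
    } elseif ($IsWindows -or $PSVersionTable.PSEdition -eq 'Desktop') {
        # $IsWindows does not exist in Windows PowerShell 5.1, hence the PSEdition fallback.
        if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
            Get-SpeculationControlSettings
        } else {
            Write-Warning 'Run "Install-Module SpeculationControl" (PowerShell Gallery) to get Get-SpeculationControlSettings.'
        }
    } else {
        Write-Warning 'No mitigation report is available for this platform.'
    }
}

Get-SpeculativeExecutionMitigationStatus | Format-Table -AutoSize
```

On a cloud instance, "Mitigation: PTI" for meltdown tells you the guest kernel has page-table isolation enabled, which is the guest-side half of the fix; the hypervisor side is the provider's patch, which you cannot observe from inside the guest and should confirm through the provider's own advisories.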


3 Ways to Increase Your IT Earnings in 2018

As 2018 draws near, companies go into hiring mode, and people come and go, which often leaves a lot of open positions. If you qualify to fill one of the more in-demand positions, you can often negotiate a higher salary.

My biggest salary jumps have always come in the first quarter of the year. To increase your chances of getting that salary boost, here are three tips that you should start implementing right now.


Tip #1 – Shun the Snake Oil Tech Fads

These are technologies that sound interesting, seem promising, but either have no real-world use case or are actually impossible. Some current examples include blockchain and quantum computing. If you’re interested in these from a theoretical perspective, by all means, indulge yourself. But don’t expect that a real company is going to hire you as a blockchain or quantum computing expert. These are fads, and like all fads, they’ll die. Don’t let your career die with them.

An easy way to spot nonsense tech fads is to ask yourself, “Is this new technology an improvement over what we have now? If so, is it even possible?” Clearly, blockchain isn’t an improvement over any other database, distributed or otherwise. Quantum computing could theoretically blow classical computing out of the water, but quantum computers require temperatures close to absolute zero, making them practically impossible.

Another tech fad that’s captured the attention of the media is artificial intelligence (AI). Not to be confused with machine learning, the AI hype claims that computers will somehow begin working as good as or better than the human brain, perhaps even to the point of developing consciousness and understanding. Machine learning, on the other hand, deals with statistical analysis and making predictions based on large data sets. It has nothing to do with mimicking the human brain or consciousness.


Tip #2 – Get Certified

Rid your mind of the tripe that “certifications are just paper” and “they don’t prove that you know anything.” The fact is that more certifications = more money. But you have to get certified. Just taking courses isn’t enough. I’ve interviewed people whose resumes listed what courses they took, but they didn’t have the corresponding cert. Don’t do this. It’s a huge strike against you. Take all the courses you need to attain the cert, but then go and get it.

Here are some of the most lucrative and in-demand certification categories going into 2018:

Cloud and networking

Three of the most popular certifications are the AWS Certified Solutions Architect – Associate, and the Cisco Certified Network Associate (CCNA) and Cisco Certified Network Professional (CCNP). There’s no reason you can’t get two of these within the next 3 months.

Hybrid cloud and on-prem virtualization

The Citrix Certified Associate – Virtualization (CCA-V) and Citrix Certified Professional (CCP-V) are evergreen certifications that pertain to both cloud and on-prem virtualization and networking skills. Just having the word “Citrix” on your resume is huge. Having one of the certs is even better. With the right training, you should be able to study for and achieve one of these during the first part of the year.

Security

Information security (infosec) is hot, and it gets hotter with every Equifax hack. The Certified Information Systems Security Professional (CISSP) is a very lucrative certification that’s difficult to achieve. You won’t get it in 3 months. But if you’re dedicated and put in the time to attain it, you can write your own ticket.

How to study

Pluralsight has dozens of courses covering all of these certifications, and you can get unlimited access with a free trial. The courses also have practice exams integrated into the learning experience.


Tip #3 – Update your resume

Update your resume at least once a year. Remove references to obsolete technologies. People may chuckle at your references to Banyan Vines and Windows NT, but those won’t get you an interview. Needless to say, add any new technologies you’ve had a hand in implementing.

Put your certifications front and center on your resume. Put them on your LinkedIn, Twitter, Backchat, Kindler, McSpace, and whatever other job boards you use. Make sure people know you have them. It might seem a little braggy, but it will sharpen the distinction between you and everyone else who doesn’t have them.

Resumes might seem old school, but they’re still important because recruiters literally just Ctrl+F through them searching for various keywords. And guess what keywords they’re looking for. Terms like AWS, Citrix, CCNP, CCNA, Cisco, security, networking, TCP/IP, cloud, etc. Many recruiters don’t know what any of that stuff is, nor do they care. They just want to find someone who has those certs and skills!

Let it be you.