How Badlock Was Discovered and Fixed

Severity analysis of vulnerabilities by experts from the information security industry is rarely based on real code review. In the ‘Badlock’ case, most read our CVE descriptions and built up a score representing a risk this CVE poses to a user. There is nothing wrong with this approach if it is done correctly.  CVEs are analyzed in isolation; as if no other issue exists. In the case of a ‘Badlock‘ there were eight CVEs. The difference is the fact that one of them was in a foundational component used by most of the code affected by the remaining seven CVEs. That very specific CVE was

Continue reading “How Badlock Was Discovered and Fixed”

Steps to Optimize Network Quality of Service in Your Data Center

Virtualization technologies have evolved such that support for multiple networks on a single host is a must-have feature. For example, Red Hat Enterprise Virtualization allows administrators to configure multiple NICs using bonding for several networks to allow high throughput or high availability. In this configuration, different networks can be used for connecting virtual machines (using layer 2 Linux bridges) or for other uses such as host storage access (iSCSI, NFS), migration, display (SPICE, VNC), or for virtual machine management.  While it is possible to consolidate all of these networks into a single network, separating them into multiple networks enables simplified management, improved security, and an easier way to track errors and/or downtime.

The aforementioned configuration works great but leaves us with a network bottleneck at the host level. All networks compete on the same queue in the NIC / in a bonded configuration and Linux will only enforce a trivial quality of service queuing algorithm, namely: pfifo_fast, which queues side by side, where packets can be enqueued based on their Type of Service bits or assigned priority. One can easily imagine a case where a single network is hogging the outgoing link (e.g. during a migration storm where many virtual machines are being migrated out from the host simultaneously or when there is an attacker VM). The consequences of such cases can include things like lost connectivity to the management engine or lost storage for the host.

A simple solution is to configure

Continue reading “Steps to Optimize Network Quality of Service in Your Data Center”

Red Hat at RSA Conference 2016

Red Hat will once again have a booth at this year’s RSA Conference. This time, however, we will have a bigger presence and more staff – featuring a number of Red Hat security experts with a variety of backgrounds.  We will be covering not only Identity Management (IdM) but the broader landscape of security related topics. Whether you’re interested in talking about high level security strategy, a vision for adopting IdM at your organization, or are simply seeking practical tips on how to solve specific problems related to risk assessment, governance, compliance, or

Continue reading “Red Hat at RSA Conference 2016”

Configuring and Applying SCAP Policies During Installation

Over the past few decades we have seen great advancements in the IT industry.  In fact, the industry itself seems to be growing at an increasingly faster pace.  However, as the industry grows so to does its evil twin – the figurative sum of all threats to IT security.

On the bright side, along with a steady stream of ever-evolving security issues and threats, there has also been a great effort to mitigate and, when possible, entirely eliminate such threats.  This is accomplished by either fixing the bugs that allowed these issues and threats to exist (in the first place) or by fixing the configurations and protectionary mechanisms of systems so as to prevent attackers from finding success.

As 2015 has been no stranger to news stories about data leakages, various security flaws, and new types of malware – one could easily conclude that “the dark side” is winning this seemingly eternal race.

However, taking the complexity of today’s IT solutions into account

Continue reading “Configuring and Applying SCAP Policies During Installation”

Identity Management or Red Hat Directory Server – Which One Should I Use?

In the identity management server space Red Hat has two offerings: Identity Management (IdM) in Red Hat Enterprise Linux and Red Hat Directory Server (RHDS). This article is dedicated to helping you understand why there are two solutions and how to chose the best one for your environment.

Before diving in too deep

Continue reading “Identity Management or Red Hat Directory Server – Which One Should I Use?”

Direct, or Indirect, that is the Question…

In my last post I reviewed some of my observations from the RSA Security Conference. As mentioned, I enjoyed the opportunity to speak with conference attendees about Red Hat’s Identity Management (IdM) offerings. That said, I was quick to note that whether I’m out-and-about staffing an event or “back home” answering e-mails – one of the most frequently asked questions I receive goes something like this: “…I’m roughly familiar with both direct and indirect integration options… and I’ve read some of the respective ‘pros’ and ‘cons’… but I’m still not sure which approach to use… what should I do?” If you’ve ever asked a similar question – I have some good news – today’s post will help you to determine which option aligns best with your current (and future) needs.

Continue reading “Direct, or Indirect, that is the Question…”

RSA Security Conference 2015 in Review: Three Observations

As many specialists in the security world know – the RSA Security Conference is one of the biggest security conferences in North America. This year it was once again held in San Francisco at the Moscone Center. Every year the conference gets bigger and bigger, bringing in more and more people and companies from all over the world.

If you attended – you may have noticed that Red Hat had a booth this year. Located in the corner of the main expo floor (not far from some of the “big guys” like: IBM, Microsoft, EMC, CA Technologies, and Oracle) we were in a great location – receiving no shortage of traffic.  In fact, despite staffing the booth with six Red Hatters we didn’t have any “down time” –  everyone seemed to be interested in what Red Hat has to offer in security.

Over the course of the conference I made a few interesting observations…

Continue reading “RSA Security Conference 2015 in Review: Three Observations”

rkt, appc, and Docker: A Take on the Linux Container Upstream

At this week’s CoreOS Fest in San Francisco, CoreOS is – unsurprisingly – pushing hard on the Application Container Spec (appc) and its first implementation, rkt, making it the topic of the first session after the keynote and a bold story about broad adoption.

When making technology decisions, Red Hat continuously evaluates all available options with the goal of selecting the best technologies that are supported by upstream communities. This is why Red Hat is engaging upstream in appc to actively contribute to the specification.

Red Hat engages in many upstream communities.  However, this engagement should not imply full support, or that we consider appc or rkt ready for

Continue reading “rkt, appc, and Docker: A Take on the Linux Container Upstream”

Understanding the Changes to ‘docker search’ and ‘docker pull’ in Red Hat Enterprise Linux 7.1

If you’re working with container images on Red Hat Enterprise Linux 7.1 or Red Hat Enterprise Linux Atomic Host, you might have noticed that the search and pull behavior of the included docker tool works slightly differently than it does if you’re working with that of the upstream project. This is intentional.

When we started the planning process for containers in RHEL 7.1, we had 3 goals in mind:

  1. Give control over the search path to the end-user administrator
  2. Enable a federated approach to search and discovery of docker-formatted container images
  3. Support the ability for Red Hat customers to consume container images and other content included as part of their Red Hat Subscription

The changes we implemented, which are documented on the Red Hat Customer Portal, affect three different areas of the tool:

Continue reading “Understanding the Changes to ‘docker search’ and ‘docker pull’ in Red Hat Enterprise Linux 7.1”

Forrester’s Dave Bartoletti Reports on Container Usage at Red Hat Partner Conference

20150408_110418Yesterday, at Red Hat’s annual North America Partner Conference (in Orlando, FL), Dave Bartoletti, principal analyst with Forrester Research, told hundreds of attendees about a recently completed market research program undertaken by Forrester and sponsored by Red Hat. In this study, 194 developers and IT decision-makers at mid- to large-size companies were surveyed as to their plans and expectations for container technologies.

What they shared, indicates that

Continue reading “Forrester’s Dave Bartoletti Reports on Container Usage at Red Hat Partner Conference”