How can I secure the hypervisor with sVirt? - openstack

I'm working on a project that aims to secure OpenStack, and I want to secure virtualization. I've heard a lot about securing hypervisors, so much that I became afraid. What I understood is that SELinux does not require admin intervention, since sVirt generates automatic labels for instances and their disk images. So why is there so much debate about sVirt and hypervisor security, when putting SELinux in enforcing mode is enough??

Note that another option is to secure OpenStack applications using secure enclaves with a hardware root of trust, using technologies such as Intel SGX. That would provide hardware-grade security for the application, instead of rooting the trust in the hypervisor.
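A defender-side check for the labeling the question describes, added here as an example and not part of the original thread: each qemu process should run as the confined `svirt_t` type with an MCS category, and its disk image should carry `svirt_image_t` with the same category, so one instance cannot open another instance's image. The `ps -eZ` and `ls -Z` lines below are a constructed, simplified sample (context, pid, command / context, path); the instance names and paths are assumed.

```shell
#!/bin/sh
# Constructed sample of `ps -eZ` output, simplified to: context pid command
SAMPLE_PS='system_u:system_r:svirt_t:s0:c12,c345 2201 qemu-kvm -name instance-1
system_u:system_r:svirt_t:s0:c67,c890 2299 qemu-kvm -name instance-2
system_u:system_r:unconfined_t:s0 2310 qemu-kvm -name instance-3'

# Constructed sample of `ls -Z` output for the disk images: context path
SAMPLE_LS='system_u:object_r:svirt_image_t:s0:c12,c345 /var/lib/nova/instances/instance-1/disk
system_u:object_r:svirt_image_t:s0:c11,c999 /var/lib/nova/instances/instance-2/disk
system_u:object_r:virt_image_t:s0 /var/lib/nova/instances/instance-3/disk'

# mcs_of CONTEXT: print the MCS category part after "s0:", or nothing if absent
mcs_of() {
  case "$1" in
    *:s0:*) printf '%s\n' "${1##*:s0:}" ;;
    *) printf '\n' ;;
  esac
}

# check_instance NAME: succeed only if the instance's qemu process is svirt_t
# and its disk image is svirt_image_t with the identical MCS category.
check_instance() {
  name=$1
  ps_line=$(printf '%s\n' "$SAMPLE_PS" | grep -- "-name $name\$")
  ls_line=$(printf '%s\n' "$SAMPLE_LS" | grep -- "/$name/disk\$")
  pctx=${ps_line%% *}   # first field: process security context
  fctx=${ls_line%% *}   # first field: file security context
  case "$pctx" in
    *:svirt_t:*) ;;
    *) echo "$name: process not confined by sVirt ($pctx)"; return 1 ;;
  esac
  case "$fctx" in
    *:svirt_image_t:*) ;;
    *) echo "$name: image not labeled svirt_image_t ($fctx)"; return 1 ;;
  esac
  pm=$(mcs_of "$pctx")
  fm=$(mcs_of "$fctx")
  if [ -z "$pm" ] || [ "$pm" != "$fm" ]; then
    echo "$name: MCS category mismatch process=$pm image=$fm"; return 1
  fi
  echo "$name: OK ($pm)"
}

for i in instance-1 instance-2 instance-3; do check_instance "$i"; done
```

On a real host, replace the two samples with `ps -eZ | grep qemu` and `ls -Z /var/lib/nova/instances/*/disk`, and note that a mismatch only matters while `getenforce` reports Enforcing.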

Related

Network automation: Difference between Salt and ONOS

What is the difference between 'networking operating systems' like ONOS, ONAP, Opendaylight and 'configuration management' platforms like Salt, Ansible, Puppet? More specifically, when would I choose one over the other? I have done some research on all these, and as far as I can tell, the configuration management platforms are, as the name implies, for configuring the network, and the operating system platforms are an actual software defined network that can also configure networks/networking devices plus more.
You're really talking about 3 different things.
OpenDaylight and ONOS are network controller platforms. While ONOS is starting to reach feature parity with OpenDaylight, OpenDaylight is more widely deployed (over 1 billion people in production using it) and more supported.
ONAP is used to design, create, orchestrate, monitor, and perform life cycle management of open source and commercial VNFs and legacy networks. ONAP uses OpenDaylight MD-SAL at its core.
I don't have much experience with SALT but it, Ansible and Puppet are flexible DevOps configuration utilities for managing users, services and general automation.

What are the deployment differences between Hosted vs Internal PBX?

I'm trying to get a non-sales biased answer between deployment needs for hosted vs inhouse (FreePBX with SIP Trunking) PBX. We will only have about 20 handsets in the office, and probably a max of 5 concurrent calls (talkpaths/channels) so it seems like a hosted PBX is a viable option.
With a hosted solution, is it merely a matter of plugging the SIP phones into the network, configuring the phones and PBX, and it's ready to go? If not, does it require an edge device (SBC) as well? Or can an SMB router handle the NAT and security needed for SIP/RTP? I've been led to believe that if we run our own PBX then an SBC is necessary under all circumstances for security and quality, while others say it isn't for the small traffic volume we will have.
Aside from the ability to customize the PBX beyond what a hosted solution provides and the ability to scale to more traffic, is there any practical reason to operate our own PBX if we're looking for a quick deployment route? Is the call quality and reliability typically distinctly better using a SIP Trunk as opposed to a hosted solution?
We've read and been told conflicting things regarding what we need to do to deploy a hosted PBX vs our own, so we're hoping someone with experience can bring clarity to what the typical process to deploy a hosted PBX involves in terms of the hardware (handsets) and local network (router and/or SBC to handle the NAT).
You don't need an SBC, you are too small. NAT should be handled by the PBX, either hosted or your own.
So forget about all the fancy words like SBC etc., you don't need it for 20 extensions; all you need is a PBX.
If you choose hosted, then all you need is to plug in the phones and configure them, and they should work. Of course some network related issues might pop up, but generally everything should work without any issue.
If you have resources and knowledge (or willingness to learn) regarding FreePBX, then you might choose your own PBX; if not, use a hosted PBX, there are dozens of options. I don't think there is a big reason to have your own PBX instead of hosted. Personally I would prefer my own FreePBX running on DigitalOcean, and it would cost me $5-20 per month, but if you don't have the knowledge and willingness to deal with it, maybe a hosted PBX is the best option for you. Keep in mind that there are dozens of hosted PBXs and they differ a lot. Some providers might be better than others and some might not be reliable.
Of course you need to think about security. If you don't have any knowledge of what you are doing and you don't have any person who can help you with securing your PBX, then there is only one option: using a hosted PBX, but again it will not eliminate all risks. If you decide to go with a stupidly simple password, then there is nobody to blame but you.
If you decide to go with your own PBX then FreePBX is only one option I believe.
If you have no dedicated admin, go with the hosted version.
Only go with the local version if you have a bad internet connection and need multiple calls inside the company.

Which options are there for ip phone provisioning servers?

I want to know which options exist to provision (configure) multiple VoIP phones from multiple vendors for use with an Asterisk server. I'd like some kind of interface to manage extensions, configuration templates and so on.
Here's what I found so far:
FreePBX has a commercial module called Endpoint Manager which seems to do what I want. However, I don't like the idea of having to run a web server on the same machine (or container) that runs Asterisk. It seems like a bad idea which increases the attack surface of the Asterisk server. I would much rather have an endpoint manager on a separate server (or container) but I can't find any information about running or buying the Endpoint Manager outside of FreePBX.
Phonism advertises a "Cloud based IP phone provisioning and management system." Their service looks promising, but the number of supported phones is lower and I'm not completely sold on requiring an internet connection to configure the phone extensions in an office.
All the other solutions I found are tied to their complete proprietary VoIP solution (3CX, Kerio, etc.) or to a particular VoIP phone vendor.
Is anything else available? Or do people usually use a single VoIP phone vendor and use their own specific configuration method?
Since I can't find any phone provisioning solution which fits my needs, I'm questioning my understanding of Asterisk deployment best practices. Is using a plain Asterisk deployment a good idea or is it too bare in terms of related tooling?
You are thinking about this in a way that is too abstract and generic.
A voip equipment vendor will provide documentation which describes what provisioning protocols are used and how to use them. Then you can find a tool to use which meets that requirement and also suits your environment and skills.
Vendors usually provide proprietary tools to generate provisioning files too.
That said, you should be advised that TFTP (Trivial File Transfer Protocol) is a common provisioning method.
If you are using a bare-bones Asterisk install on Linux, then setting up your own TFTP server on Linux is, well, trivial in comparison.
Running a provisioning server and Asterisk server on different boxes is of course possible, but you'll need to find or build some integration tools to keep the provisioning config and Asterisk config in sync (if that's important to you). I can't think of a reason why using two boxes makes this work significantly more difficult, though.

Opensource lightweight HIDS for use on production servers

Requirement
I want to secure my production VMs on AWS. These VMs host critical web applications and can see around 500 Mbps of traffic during peak hours. I am already using the mod_security WAF but I am not very happy with it.
Here is what I am thinking:
What if I use Snort in a lightweight configuration to monitor only HTTP traffic (this would be behind SSL termination) and use open-source XSS and SQLi rules to add an additional layer of protection? The number of rules will be > 100.
By the time traffic hits my VMs it will be unencrypted. Moreover, as I am running Snort on the same host, there won't be much of a semantic gap (a WAF has an edge over an IPS since it builds richer application-layer context and can detect layer 7 attacks more accurately). Is this understanding correct?
I can spare around 200Mb of memory and can take 10% overhead on CPU performance.
Is Snort the best bet here? I looked at Suricata, which seems to be easier on CPU but hard on memory. Please let me know if this makes sense at all. I want to stick to open source solutions.

Browser based (free to use) SSH

I have a commercial product that allows users to connect to various SSH end-points. Currently these users are forced to download and use Putty... Seems pretty straightforward, except that my SSH end-points require RSA/Private Key authentication. So now connectivity to these end-points is becoming a pain, because I need to explain to my users how to: 1) Download and configure Putty. 2) Manage, configure and use their PEM private keys. I would like to make everything transparent by 'just working' through the browser. I own all information (both IP addresses and PEM connectivity keys), so is there such a thing as a browser based SSH that is both capable and can access RSA keys for connectivity?
MindTerm, from http://www.appgate.com/index/products/mindterm/mindterm_features.html , has a limited-use free license and supports the features you want.
JCTerm is completely free.
Have you tried SSHtools? I think GSI-SSHTerm is derived from it. GSI-SSHTerm is still actively supported as far as I'm aware. It supports the Grid Security Interface (GSI), so it may have more features than you need.
FireSSH is the best tool provided for the Google Chrome browser; install FireSSH from the URL:
https://chrome.google.com/webstore/detail/firessh/mcognlamjmofcihollilalojnckfiajm
