WServerNews: MACsec limitations

In this issue:

Editor’s Corner: More on layer 2 encryption. This Week in IT: chip problems, cybersec, more. Windows, Linux and Cloud news. Free tools to test your network. Go passwordless on Azure. IT Bookshelf – Mastering Modern Linux. Factoid: zzzzzzz…..Wakeup, you have mail! Fun videos from Flixxy (BACK BY POPULAR DEMAND!). And Finally: virtual meetings and cat videos. Plus lots more — read it all, read it here on WServerNews!

Encryption can be good if it’s done properly. It not always is. Photo by FLY:D on Unsplash

Got questions? Ask our readers!

WServerNews goes out each week to almost 200,000 IT pro subscribers worldwide! That’s a lot of expertise to tap into. Do you need help with some technical problem or are looking for expert advice on something IT-related? You can Ask Our Readers for help by emailing us your problem or question. Do it today!

Help spread the news!

Please tell all your colleagues and friends about WServerNews and let them know that they can subscribe to these and other TechGenix newsletters for free by going here. Thanks!!

Editor’s Corner

Welcome to another issue of WServerNews, the oldest and largest (and best!) IT-focused newsletter in the world! Last week I touched briefly on the topic of layer 2 encryption for networks and shared a link to a whitepaper by Christoph Jaggi that provides a market overview of technologies and solutions. In conversation with Christoph afterwards he was gracious enough to provide his personal take on the current market offers in this area together with some background information on MACsec, so we decided to make room for him in this issue to share his thoughts as a guest editorial.

Based in Switzerland, Christoph Jaggi’s fields of activity are digitalization, technologies and marketing. The combination of these core disciplines with an orientation towards people, markets and target groups forms the foundation for solving complex challenges in different areas. And it is the foundation for identifying and developing strategies. His international client base ranges from startups to SMEs to large corporations. His website (English version) can be found at https://www.uebermeister.com/en/. Let’s now here what he has to say on the subject…

Network security and network support

The objective of a network security solution is security and network support. Here, the requirements for internal networks differ significantly from the requirements for external networks. There is one standard for encryption for internal Ethernet networks: MACsec. There are several standards for external Ethernet networks. One can also get the standard for internal Ethernet networks to work on external Ethernet networks. In this case, however, security and compatibility are only guaranteed to a limited extent. The threat scenario and the network infrastructure are different. As an analogy: In an apartment, slippers are quite sufficient footwear. For a hike, on the other hand, proper footwear in the form of hiking boots is appropriate. Slippers are the wrong footwear for that. For external networks such as Metro and Carrier Ethernet, there are therefore established solutions that represent de facto standards.

At Layer 2, MPLS and IP networks can also be natively encrypted in bridge mode. There are now several vendors offering more secure alternatives to router-based GETVPN and GroupVPN for IP networks. Some vendors’ products can secure both Carrier Ethernet and IP in parallel on the same device. Both of them DoS-resistant. Other vendors use separate devices and products for this purpose.

The requirements list for multi-site network encryption

An up-to-date and future-proof solution for external multi-site networks should have the following features to ensure CIA (Confidentiality, Integrity, Availability):

• Zero Trust (don’t trust, verify)
• Quantum secure
• Equivalent protection of ALL data (data plane, control plane)
• Perfect firewall (only what is allowed in and verified is allowed in)
• Processing at line speed
• High Availability

For government, agencies, military and critical infrastructure, there is an additional element:

• High Assurance

There are solutions on the market that already meet all of these requirements. Therefore, it can be stated that the above features define state-of-the-art and the solutions that do not meet these features incur technical debt. Quantum security can be retrofitted using PQC (Post-Quantum Cryptography), and the same applies to Zero Trust if it has not yet been implemented. On the other hand, the other features require the necessary hardware together with the required functionality. This can usually only be done by replacing the existing solution.

Standards for Carrier Ethernet

There are different types of standards and for different applications. For Ethernet, there is only one hop-by-hop standard for LAN and MAN, MACsec. The current version is IEEE 802.1AE-2018 (https://standards.ieee.org/ieee/802.1AE/7154/). MACsec is limited to the protection of user data. Reasonable protection options for the control plane, on the other hand, are completely missing. For end-to-end encryption and WAN, de facto standards have existed for decades. These have evolved in different ways. The most relevant vendors are Atmedia, IDQuantique, Rohde & Schwarz, Secunet, Securosys, Senetas and Thales. Only the products based on the Atmedia and the Rohde & Schwarz platforms can be considered state-of-the-art. The Atmedia platform (also used by Secunet and Securosys) is currently the most sophisticated one. It is also the one with the largest number of deployments and it is the one with the largest network (900 plus sites, including all network segments) and the only which offers multi-tenancy on port-level. Not everybody needs all of the features offered by a single platform, so there is most of the time a choice of platforms.

Here’s the link to the 2022 market overview for layer 2 encryptors: https://www.uebermeister.com/en/news-and-articles/detail/2022-market-overview-layer-2-encryptors-for-carrier-ethernet-mpls-and-ip

The problem areas of MACsec

MACsec is inherently unable to meet the specifications of the requirements list. This is due to the fact that MACsec only encrypts one of the three EtherTypes that are transported over the network via the network interface. This does not matter for internal networks, but is relevant for external networks. With MACsec there is neither an equivalent protection of all data, nor a perfect firewall, nor line speed processing. Thus, MACsec can only provide Confidentiality and Integrity of user data, but not Availability of network encryption. This does not depend on the vendor, but is an inherent weakness of the MACsec standard admitted by the IEEE. If you have a policy that applications must be protected against denial-of-service (DoS) attacks over external networks, you must also implement a DoS solution for the control plane of MACsec. 

If MACsec is implemented on the network interface, the keys for encryption are also stored on the network interface. The network interface is the only component that can be accessed directly from the outside. Accordingly, the keys are stored on the only component that can be reached from the outside. 

MACsec is a hop-by-hop and not an end-to-end solution and therefore only works if the infrastructure used is MACsec-agnostic. There must be no MACsec device between the two endpoints of a MACsec-encrypted connection. This is achieved by tunneling the network traffic over another network, be it PBB, MPLS or IP. The basic nature as hop-by-hop encryption does not change. 

The IEEE only has MACsec and most vendors only have MACsec. Therefore, the only thing they have and can sell is MACsec. And that’s why the focus of the sales effort is on the fact that MACsec is the standard. The fact that it is the standard for LANs, not for WANs, is not mentioned.

It is not really understandable why the US government, the US military, the NSA etc. use MACsec up to top secret, as MACsec doesn’t meet basic CIA (Confidentiality, integrity, availability) requirements, whereas other solutions do. There are state-of-art solutions that are available as COTS (commercial off-the-shelf) and GOTS (government off-the-shelf) available that have FPGA-based network encryption for the data plane and the control plane, including the key exchange. There are even quantum-safe solutions out there (Atmedia, Secunet, Securosys) that are quantum-safe right out of the box and working perfectly over packet networks.

Security Certifications and Security

All state-of-the-art network encryption solutions for Carrier Ethernet are considered not secure by NIST as they don’t have a FIPS certification. They have EU, BSI and NATO certifications, though and are substantially more secure than NSA Type 1 encryption solutions. 

Security certifications such as FIPS and Common Criteria depend on what has actually been evaluated. Very often it is much less than what one would assume. See here for more info: https://www.uebermeister.com/en/news-and-articles/detail/why-the-most-prevalent-it-security-certifications-such-as-fips-common-criteria-and-niap-do-not-guarantee-security

Got comments about anything in this issue?

Email us! We love hearing from our readers!

This Week in IT

A compendium of recent IT industry news compiled by Your Editors. Feel free to email us if you find a news item you think our newsletter readers might be interested in.

More news recently about production and supply-chain problems in the chip industry and how it may affect businesses and consumers. Tom’s Hardware reports that high-end desktop CPUs have been disappearing from the market while Samsung Foundry is currently in talks with clients about hiking chip prices 15-20%. Chip shortages have gotten so bad in some sectors that silicon manufacturers are cannibalizing washing machines as TechSport reports. On the other hand comes news from Yahoo Finance that “A growing number of Chinese chip design firms have adopted open-source RISC-V in their chip designs as an alternative to Intel’s proprietary X86 and Arm’s architecture, in a bid to minimize potential damage from US sanctions and to save on licensing fees”. We wonder how many other countries and blocs will follow similar strategies going in the future, or simply launch their own chip fab industry initiatives such as Spain has announced they’re doing (Associated Press). What are your thoughts?

Good news perhaps for cybersecurity professionals styling themselves as ethical hackers or “what hats” is that the US Department of Justice says they won’t prosecute white hat security researchers (Motherboard). On the other hand comes this bad news about a potential new (and *serious*) attack vector as our TechGenix news editor Vuk Munjovic reports in this article. And returning to the topic of supply-chain problems, Stu Sjouwerman has some news about a new phishing campaign that impersonates the shipping giant MaerskMeanwhile, companies that use cyber insurance to offset their cybersecurity risk footprint will probably be seriously displeased to hear that cyber insurance rates rose last year by a whopping 92 percent! (KnowBe4).

A few more IT news tidbits:

Veeam Adding Intelligence to Microsoft 365 Backup Solution (Redmond Channel Partner)

Google unveils new Assured Open Source Software service (ITPro.)

Microsoft goes public with planned changes to undo restrictive cloud licensing policies in Europe (ZDNet)

And is Microsoft moving out of Redmond? See this article:

Microsoft moves forward with massive corporate campus project in Atlanta (Daily Commercial News)

Also this news item for web developers as it may be a trend taking hold of the industry:

GOV.UK drops jQuery from their front end (Gov.UK)

*WHAT’S AHEAD FROM REDMOND* – Check out The 2022 Microsoft Product Roadmap from Redmond Channel Partner!

Windows news

We’ll start with a reminder that Windows Server 20H2 reaches end of support in August 2022 (Born’s Tech and Windows World). Günter also has news concerning the Windows 10 profile issues that have been reported.

Meanwhile, Microsoft is probably embarrassed that Windows 11 and Microsoft Teams were hacked multiple times on the first day of the Pwn2Own event in Vancouver, Canada (Bleeping Computer). Doesn’t give you a heck of a lot of confidence in the way Microsoft develops its software at this present time.

Finally, here’s one for iPhone and iPad users: Microsoft Remote Desktop just got a massive app update on iOS (OnMSFT). It’s about time!

Linux news

Some miscellaneous Linux news that’s come to our attention recently:

Serious security vulnerability in Tails 5.0 (Tails)

Mark Shuttleworth: Expect Canonical to Go Public in 2023 (Foss Force)

Red Hat Enterprise Linux 9 aims to fuel innovation in the open hybrid cloud (ITPro.)

RHEL Clone and CentOS Replacement Releases Rocky Linux 8.6 (Foss Force)

Google Created ‘Open Source Maintenance Crew’ to Help Secure Critical Projects (The Hacker News)

Docker Desktop Comes to Linux (Admin Network & Security)

Redis Vulnerability Impacts Linux Servers (Admin Network & Security)

Will JavaScript containers overtake Linux containers? (InfoWorld)

Cloud news

Returning once again to the topic of supply chain comes news from Data Center Frontier that cloud players are scooping up data center space as supply chain worries escalate. In other bad news comes this report from BetaBews that enterprise cloud costs have risen by over 90 percent during the past year. And something that we all probably know already, or can at least guess, is that the big three public cloud providers still continue to dominate the cloud landscape, led of course by AWS (ITProToday).

And some Microsoft-cloud items:

New: Require reauthentication for Intune enrollment or risk (Azure Active Directory Identity Blog)

IPv6 Support in Microsoft Azure (Marius Sandbu)

Seamlessly shift between work and personal files (Microsoft OneDrive Blog)

As always we welcome news submissions for our newsletter. Email us.

Upcoming webcasts, events and conferences

Got an event, conference or webcast you want announced in our newsletter? Email us!

VMware Carbon Black invites you to join their panel of experts to discuss Zero Trust – June 6 – Register

DevSecCon24 – DSC24 is the only free, global conference dedicated to DevSecOp – Virtual event on June 14 – Register

SC Media eSummit – Email Emergency: Steering Clear of Phishing and BEC Scams – Live broadcast on June 14 – More info

Also be sure to check out the following event listings:

• Redmond Channel Partner’s calendar of upcoming Microsoft conferences for partners, IT pros and developers.
• TechRepublic’s 2022 tech conferences and events to add to your calendar.

Got comments about anything in this issue?

Email us! We love hearing from our readers!

Meet the Editors!

MITCH TULLOCH is Senior Editor of WServerNews and is a widely recognized expert on Windows Server and cloud technologies. He has written more than a thousand articles and has authored or been series editor for over 50 books for Microsoft Press and other publishers. Mitch has also been a twelve-time recipient of the Microsoft Most Valuable Professional (MVP) award in the technical category of Cloud and Datacenter Management. He currently runs an IT content development business in Winnipeg, Canada that produces books, ebooks, whitepapers, case studies, courseware, documentation, newsletters and articles for various companies.

INGRID TULLOCH is Associate Editor of WServerNews. She was co-author of the Microsoft Encyclopedia of Networking from Microsoft Press and collaborated on developing university-level courses in Information Security Management for a Masters of Business Administration (MBA) program. Ingrid also manages Research and Development for the IT content development business she runs together with Mitch.

Subscribe today to WServerNews!

Subscribe today and join almost 200,000 other IT professionals around the world who subscribe to our newsletter! Just go to this page and select WServerNews and you’ll receive it every Monday in your inbox.

IT Workshop – tools, whitepapers and more

Got a product or solution or some other resource you’d like to tell our readers about? Email us!

Our TOOL OF THE WEEK is ASG-Remote Desktop which provides administrative access to remote Systems and features integrated connection protocols to allow management of Windows, Citrix, Linux/UNIX, Macintosh and browser based systems – and from any computer, even via USB stick if necessary. Find out more.

Free network protocol wall posters from PacketLife!

Need to conduct an internal audit for your organization for ISO 27001 compliance? Learn how in this TechGenix article.

GFI solutions prevent common cybersecurity attacks while ensuring your organization complies with over 80 percent of controls mandated by the UK government-backed Cyber Essential initiative.

5 free tools from KnowBe4 you can use to test your network:

• Ransomware Simulator
• Domain Spoof Test
• Email Exposure Check Pro
• Weak Password Test
• Domain Doppelganger

Try the Simplest Thing First to Address Hybrid Network Performance Issues (NetworkComputing)

Recommended books about Azure security from Tobias Zimmergren,

Tips and Tutorials

Got tips or tutorials you’d like to recommend for our readers? Email us!

Want to go passwordless? Check out this tutorial from the Azure Developer Community Blog on how you can improve the security of your Azure environment:

• Getting rid of credentials in Azure – Part 1
• Getting rid of credentials in Azure – Part 2 (EasyAuth)

Windows 11 tips:

• How to rebuild Windows 11 BCD (Boot Configuration Data) completely from scratch (OnMSFT)
• Restoring Windows Terminal Link in Windows 11 (The Lonely Administrator)
• 10 secret Microsoft-specific keyboard shortcuts in Windows 11 (TechRepublic)
• How to turn off password-on-wake in Windows 10 or Windows 11 (OnMSFT)

Miscellaneous security tips:

• Top 5 tips for QR code safety (TechRepublic)
• 5 quick tips for better Android phone security now (yes, it’s this easy) (ZDNet)
• The top 10 password attacks and how to stop them (BleepingComputer)
• Email Security: Best Practices for SMBs and Top Email Security Providers (TechGenix)

Freebies!!

Got a freebie you want to offer our readers? You can reach almost 200,000 IT pros worldwide with our newsletter—email us!

Free ebook – Conversational Microsoft Teams Backup (Veeam)

Free cheat sheet! – Handy Keyboard Shortcuts for the Linux Bash Terminal  (The Hacker News)

Free ebook – A SysAdmin’s Guide to Azure IaaS, Second Edition (UseIT)

IT Bookshelf – Mastering Modern Linux

Mastering Modern Linux, Second Edition (CRC Press) is another book that I’ve been using to build my skills using the Linux platform as an IT professional. While the book is geared especially towards self-learning, the author’s website also provides lecture notes in PDF and PowerPoint format for instructors who adopt the book as a textbook for their classes.

After a brief overview of the history and features of Linux, the book begins with a primer for those new to the platform. Immediately it becomes clear that the best way to use the book is to have Linux installed on a computer so you can try out the actions illustrated by examples in the book. This inductive approach to learning will be superior for many learners than being presented with syntax and options for various Linux commands.

After the primer comes chapters on the GNOME desktop environment, Bash commands and scripting, navigating the file system, networking, system administration and the LAMP stack. Concluding chapters delve into deeper topics such as C programming on Linux, system calls and inter-process communication. Additional appendices online cover setting up your own Linux system, using SSH and SFTP for secure communications, and gnarly topics like learning how to use vi/vim, emacs and awk. In short, there’s something for everyone in this book which makes it suitable both for systematic learning and as a reference guide on various topics. Chapter 5 on writing Bash scripts for example is a very good and thorough introduction that starts by covering Bash scripting commands and then builds several examples of scripts that can perform useful actions such as removing unwanted files, performing a conditional file copy operation, resizing image files, and more.

Each chapter in the book includes one or more sets of exercises the reader (or student) can use to build upon what they’ve learned or engage in further research. Complete sample code packages can also be downloaded from the author’s website using the access code from your copy of the book. Mastering Modern Linux, Second Edition can be purchased from Amazon.

Factoid: zzzzzzz…..Wakeup, you have mail!

Our previous factoid was this:

Fact: Doritos Cuts Number of Chips in Each Bag, Blames Bidenflation (The Washington Free Beacon)

Source: https://freebeacon.com/latest-news/doritos-cuts-number-of-chips-in-each-bag-blames-bidenflation/

Question: How do our readers feel about shrinkflashion? And what’s the worst example you’ve seen recently?

Angelika from Malta responded with the following:

Hi Mitch, answering your Factoid Question from WSNews I hate ”shrinkflashion” as well as I feel cheated by the producer in many cases. In EU we have noticed this trend as well. Around 2,500 products have shrunk. And so a cube of butter now has 170 or 200 g – it used to be 250 g. Yogurt 330 g once weighed 500 g, and pasta 500 g (today it is 400 g) The bars and even … toilet paper are also smaller by about 12-15 percent than 5 years ago. You can also buy smaller chocolate instead of the standard 100 g have 90 g. And the marshmallow “decreased” from 450 g to 370 g. This is really unfair, especially that not only weight went down – prices increased anyway. I bought white cheese during yesterday’s shopping. I love it and buy it regularly. The weight remained the same, but the price of the 275g pack increased by 1.54 euros. This is real madness!

Now let’s move on to this week’s factoid:

Fact: Microsoft’s CEO Warns of the Impact of All Those Late-Night Emails (Bloomberg)

Source:https://www.bloomberg.com/news/articles/2022-04-07/microsoft-ceo-warns-of-the-impact-of-all-those-late-night-emails

Question: Does your IT job require that you deal with late-night emails? How often does it happen? And how do you cope with it? Email us your answer and we’ll include it in our next issue!

Fun videos from Flixxy (Back by popular demand!)

OK we give in. A number of readers have told us that Flixxy was their favorite part of our newsletter so we’re BRINGING IT BACK—enjoy!

Amazing Dancer – An amazing dancer entertaining the public at the main square of the old town of Kraków, Poland.

https://www.flixxy.com/amazing-dancer.htm

‘Walk of Life’ – Dire Straits – Sven Otten takes an already upbeat song and seriously augments it with dance moves.

https://www.flixxy.com/walk-of-life-dire-straits-sven-otten.htm

Boogie Woogie European Champions – Sondre and Tanya’s winning performace at the Boogie Woogie European Championship 2019 in Stuttgart, Germany.

https://www.flixxy.com/boogie-woogie-european-champions-sondre-and-tanya.htm

‘Dancing On The Ceiling’ – An energetic mash-up of the hit song ‘Dancing On The Ceiling’ by Lionel Richie with popular movie clips.

https://www.flixxy.com/dancing-on-the-ceiling-movie-mash-up.htm

And Finally

The odd, the stupid and the remarkable. Good for your mental health.

Highway death toll messages cause more crashes (ScienceDaily)

https://www.sciencedaily.com/releases/2022/04/220421141535.htm

[And maybe if there were fewer ads on websites people would buy more stuff. Riiight.]

AI for ANYONE with Azure Percept (Internet of Things Blog)

https://techcommunity.microsoft.com/t5/internet-of-things-blog/ai-for-anyone-with-azure-percept/ba-p/3293617

[What does the acronym ANYONE stand for?]

Twitter admits it overstated users for years ahead of Elon Musk takeover (Axios)

https://www.axios.com/2022/04/28/twitter-overstated-users-elon-musk-deal

[What else is new? *Every* business does that.]

Army of worm larvae hatch from man’s bum, visibly slither under his skin (Ars Technica)

https://arstechnica.com/science/2022/04/army-of-worm-larvae-hatch-from-mans-bum-visibly-slither-under-his-skin/

[Eeewww, I really didn’t need to read that!]

Virtual meeting study: 50% of participants arrive late, 22% don’t say anything (GeekWire)

https://www.geekwire.com/2022/virtual-meeting-study-50-of-participants-arrive-late-22-dont-say-anything/

[So virtual meetings are just like real meetings? “Hey, psst. Look at this cute cat video.”]

Hey reader! Got an amazing or weird or funny link you’d like to suggest for this section of our newsletter? Email us! But please make sure that it’s G-rated as in “Gee whiz”, “Golly!”, Good grief!”, “Gaaahh!!” and so on. Thanks!

Please tell others about WServerNews!

We hope you enjoyed this issue of WServerNews! Feel free to send us feedback on any of the topics we’ve covered—we love hearing from our readers! And please tell others about WServerNews! It’s free and always will be free—and they can subscribe to it here. Thanks!!!