
The ever-evolving Cyber Security Architecture

There have been a lot of changes around the world in 2020 with the pandemic, and walking into the year 2021 is not going to change a lot in terms of the new working style. A lot of industries have suffered a great deal and have learnt new ways to adapt and do business.

In my opinion, only a small percentage of companies took advantage of remote working and implemented such a solution before the pandemic, compared with the proportion working remotely now. Companies and government departments were on the fence about remote working and did not implement such solutions, especially at scale, until they were forced to do so in a short span of time. This is where rapid technology deployment was vigorously tested: a working environment had to be delivered to people while maintaining the same level of collaboration and effectiveness as a centralized office.

Azure CDN HTTP to HTTPS Redirection

There are a few settings which need to be checked while configuring Azure CDN. The one which usually gets overlooked is the HTTP to HTTPS redirect. Even when the CDN endpoint is deployed to be accessed via HTTPS, requests that arrive over plain HTTP are not redirected automatically. When this happens, the endpoint usually responds with the error “The account being accessed does not support http.”

This can be achieved using the Endpoint Rules engine to redirect the requests from HTTP to HTTPS.

Building Hugo CICD pipeline on Microsoft Azure

In my previous post, I outlined how to host a Hugo-generated website on Amazon S3 and serve it with the CloudFront CDN. Even though it works flawlessly, it is still not possible to get CloudFront to support Simple URLs without the use of Lambda@Edge.

Therefore, I have decided to enable Simple URLs, move to Microsoft Azure Blob storage and serve the site with Azure CDN.

I have decided against implementing Lambda@Edge because I feel…

  1. Introducing Lambda@Edge is an unnecessary hurdle.
  2. I am open to using Microsoft Azure or other cloud providers and am not tied to AWS.

Hosting Hugo on Amazon S3 and CloudFront

I have been hosting my static Hugo-generated website on Amazon S3 and serving it using Amazon's CDN, CloudFront. It works flawlessly except for one aspect of CloudFront, which causes a problem if you restrict access to the S3 bucket.

CloudFront only allows you to specify a default root object (index.html), and it only applies to the root of the website, such as nish.com -> nish.com/index.html. It does not apply to any subdirectory such as nish.com/about/. If you were to request this URL through CloudFront, it would make an S3 GetObject API call against a key that does not exist.

Moving away from WordPress to Hugo

This website was initially created with WordPress a long time ago. There have been several template changes over the years and finally, I was able to get everything working when I installed Thesis Theme around 2010.

Even though WordPress was working for me, it was taking a toll on my time because I had to make sure the security of the website was constantly maintained.

Over the past few years, static web hosting has become popular since the introduction of Amazon S3 and Azure Blob storage hosting. This has addressed one of the main issues I had with WordPress, which is security. Even though the WordPress code base is very old, it is, in my opinion, a great solution for the right problem. However, it is not the right solution for a small blog like this one. I had to constantly make sure that the core code and plugins were up to date and that the website was fully secured against attacks.

My take on Amazon Network Switches

There has been a rumour floating around lately that Amazon is going to introduce Ethernet switches. A move like this by Amazon would eventually challenge manufacturers like Cisco Systems. I came across a video from Packet Pushers where Greg Ferro talks about the possibilities and avenues Amazon could take to venture into the switching, or even the wider networking, arena.

As Greg stated, Amazon, in this case AWS, already runs its own network on its own hardware and software. This is because it cannot maintain a profit margin by relying on another vendor. In the long run it is cheaper to run on hardware and software that you manage and manufacture yourself. Furthermore, it would be near impossible to run the biggest cloud architecture in the world on another vendor's network equipment. They would most likely run their underlying network as a fabric, controlled by Software-Defined Networking (SDN) such as OpenFlow, and run the rest of the architecture virtualized and controlled by the AWS console.

Set up Two-Factor Authentication on Debian

It is always best to have two-factor authentication (2FA) on any method of access control. The following post will guide you through enabling 2FA in a Debian Linux environment.

It is assumed that we will be using password authentication in conjunction with 2FA.

Install Google Authenticator

apt-get install libpam-google-authenticator

Edit /etc/pam.d/sshd and add the following. The nullok option lets accounts that have not yet run google-authenticator log in without a code; remove it once every account is enrolled.

auth required pam_google_authenticator.so nullok

Edit the file /etc/ssh/sshd_config and make sure you have the following enabled.

UsePAM yes
ChallengeResponseAuthentication yes

Run google-authenticator from the user account that will log in.

google-authenticator

Add the account to your Google Authenticator app and save the emergency codes.
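A quick audit of the three settings above, as an added example that is not part of the original post. The function takes the paths of the sshd_config and pam.d/sshd files as parameters (defaults are the real files) so it can be run against copies, and it flags nullok so it is not forgotten after enrolment:

```shell
#!/bin/sh
# Added example (not from the original post): verify that sshd_config and
# pam.d/sshd contain the settings required for Google Authenticator 2FA.

# check_2fa_config SSHD_CONFIG PAM_SSHD
# Returns 0 when all three settings are present, 1 when any is missing.
check_2fa_config() {
  sshd_cfg="${1:-/etc/ssh/sshd_config}"
  pam_cfg="${2:-/etc/pam.d/sshd}"
  rc=0
  # Anchor at line start so commented-out directives (#UsePAM yes) do not count.
  if ! grep -Ei '^[[:space:]]*UsePAM[[:space:]]+yes' "$sshd_cfg" >/dev/null; then
    echo "missing: UsePAM yes in $sshd_cfg"; rc=1
  fi
  if ! grep -Ei '^[[:space:]]*ChallengeResponseAuthentication[[:space:]]+yes' "$sshd_cfg" >/dev/null; then
    echo "missing: ChallengeResponseAuthentication yes in $sshd_cfg"; rc=1
  fi
  if ! grep -E '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$pam_cfg" >/dev/null; then
    echo "missing: auth required pam_google_authenticator.so in $pam_cfg"; rc=1
  fi
  # nullok lets un-enrolled accounts skip the second factor; report it so it
  # is removed once every account has run google-authenticator.
  if grep -E '^[[:space:]]*auth.*pam_google_authenticator\.so.*nullok' "$pam_cfg" >/dev/null; then
    echo "note: nullok present in $pam_cfg (un-enrolled accounts bypass 2FA)"
  fi
  return "$rc"
}
```

Run it without arguments on the server after editing the files; a non-zero exit code means at least one setting is missing.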

Assigning /31 prefix addresses to interfaces

When it comes to subnetting, most people usually stop at /30. This gives a netmask of 255.255.255.252, resulting in two usable IP addresses along with one network and one broadcast address.

The /31 prefix was introduced in RFC 3021, which allows it to be used on a point-to-point link. A point-to-point link does not need a broadcast address, so a /30 prefix is not really required. On a /31 segment, both addresses are interpreted as host addresses.

The main advantage of using a /31 prefix is that it limits the number of addresses consumed by a segment. Therefore, if a company runs multiple point-to-point links on public IP addresses, it will be able to save half of the address space those links would otherwise require.

Ubiquiti EdgeRouter Tunnelbroker IPv6 Configuration

This post will cover the IPv6 configuration on a Ubiquiti EdgeRouter ERPoE-5 running version 1.9.1. I will go through the whole process of setting up IPv6 connectivity using a Hurricane Electric 6in4 tunnel.

I will not be using the real IP addresses; however, the reader should be able to follow along and substitute their own configuration.

This is a home network, therefore a lot of aspects are not considered in the design.

Overview

  • There are three VLANs: Main (1), Guest (2) and Automation (3).
  • Since there is no native IPv6 support from my ISP, I am using a 6in4 tunnel to get IPv6 working.
  • The EdgeRouter is the public-facing device, connected to a VDSL modem via eth0.
  • The Ethernet interfaces eth1, eth2, eth3 and eth4 are bridged via the bridge interface br0.
  • The bridge interface br0 has the RFC 1918 address 192.168.1.1/24 assigned to VLAN 1, which is also used as the management IP.

Part 1

In this part, I will cover the tunnel creation. You need to head to Hurricane Electric and get yourself an IPv6 tunnel. I have used a /48 routed prefix for my configuration, which you can see below.

Route Distinguisher vs Route Target

The Route Distinguisher (RD) and the Route Target (RT) can be somewhat confusing to someone who is trying to learn the concepts of MPLS. In this post, I will try to explain what RD and RT are in relation to MPLS.

To answer this question, we will use the following diagram.
