Showing posts with label Alerts. Show all posts

SECURITY AND PERFORMANCE: INTEL CPU FLAW DISCOVERED– Updated!

Security and performance, Yin and Yang: we seem to always be doing the dance of trying to secure our systems and at the same time make sure that they perform well. This is one of the prime focuses of this blog, and in most cases this balance is one that can be made to work together in beautiful harmony. Unfortunately there are always those who seek to benefit by taking advantage of the weakness of others, and so we must be diligent and always keep our guards up.

This week several critical flaws were discovered that affect Intel processors from workstation to server class going back to 1995! The advisories for these flaws read like very typical ones and go something like this: “A vulnerability has been discovered which could allow an attacker to gain unauthorized…” The big difference with this one is that it affects microcode buried deep in the hardware which is inaccessible, so a regular patch is not possible. The only possible answer is to either go out and buy a new processor which is not affected by the flaw or come up with a software fix. Intel has scrambled and managed to work up a fix which is software based and will protect you, but it comes at a (performance) cost.

The ramifications of these vulnerabilities, being called Meltdown and Spectre, are going to be very disruptive. At the very least, applying any of the updates to correct the issue will require a reboot of the systems. Think about your own datacenter and how many servers this might affect; add in virtualization and how many servers are running on hosts, and the number of servers quickly adds up to hundreds, sometimes thousands, in many datacenters. Now think about cloud providers, e.g., Azure, AWS, Google, etc., with potentially millions of servers and your head quickly starts to spin. If this was not bad enough, early reports are showing that the software fix can impact performance of the processors by as much as 30%!

If you are thinking that this probably does not affect me and I can take a wait-and-see approach, please be aware that the Spectre flaw allows applications to extract information from other applications running on the system (think passwords, JavaScript, cookies, etc.), and again, this is across servers as well as desktops and laptops, really anything with an Intel chip.

If all of this is not enough to put you on edge, here is a final note: an administrative user on a guest VM could gain access to the host’s processor and read the kernel memory, thereby gaining access to all of the VM data running on that host. Intel has released a tool to check if your processor is affected by the bug and we encourage everyone to download the tool as soon as possible.

Here is a list of helpful links:

Intel check if your processor is affected: https://downloadcenter.intel.com/download/27150?v=t

VMware Updates: https://lists.vmware.com/pipermail/security-announce/2018/000397.html

Full information on the flaw: https://meltdownattack.com/


UPDATE: January 8th, 2018

Microsoft has released two articles that provide guidance on how to deal with this issue. One for Desktops and one for Servers. The links are provided here:

Server: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution


Client: https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in

Please contact Helient for more information and to put together a plan to protect your environment. We will continue to monitor this situation closely and update this blog posting with any relevant information as it becomes available.

Stay safe!

Aaron

TLS PADDING ORACLE VULNERABILITY IN MULTIPLE NETSCALER PRODUCTS

A vulnerability has been discovered in some editions of the NetScaler ADC as well as the NetScaler Gateway product line that could allow an attacker to decrypt TLS traffic. This issue is similar to an issue with SSL discovered a few months ago, but this time the attack targets TLS.

The following NetScaler versions are affected:

  • Citrix NetScaler ADC and NetScaler Gateway version 12.0 earlier than build 53.22
  • Citrix NetScaler ADC and NetScaler Gateway version 11.1 earlier than build 56.19
  • Citrix NetScaler ADC and NetScaler Gateway version 11.0 earlier than build 71.22
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 earlier than build 67.13

Please see the Citrix article https://support.citrix.com/article/CTX230238 for more information. If you need any assistance with this or any other NetScaler work, please feel free to contact me or visit Helient, who have deep knowledge of the NetScaler platform.
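
To triage a fleet against the build list above, the following added example (not part of the original post and not Citrix code) classifies each appliance from its version banner. It assumes the banner format printed by `show version` on the appliance; the hostnames, builds and dates in the sample inventory are constructed.

```python
import re

# First fixed build per release branch, taken from the affected-version list above.
FIXED_BUILDS = {
    (12, 0): (53, 22),
    (11, 1): (56, 19),
    (11, 0): (71, 22),
    (10, 5): (67, 13),
}

# Assumed input format: "NetScaler NS11.1: Build 55.13.nc, Date: ..."
BANNER_RE = re.compile(r"NS(\d+)\.(\d+):\s*Build\s+(\d+)\.(\d+)")


def classify(banner):
    """Return 'affected', 'fixed', 'not-listed' or 'unparsed' for one banner."""
    m = BANNER_RE.search(banner)
    if not m:
        return "unparsed"
    major, minor, build_major, build_minor = map(int, m.groups())
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        return "not-listed"  # branch is not in the list above; consult CTX230238
    # Compare as integer tuples: a string compare would rank "56.9" above "56.19".
    return "affected" if (build_major, build_minor) < fixed else "fixed"


def triage(inventory):
    """Map hostname -> classification for a {hostname: banner} inventory."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory (hostnames, builds and dates are made up).
SAMPLE = {
    "ns-dmz-01": "NetScaler NS12.0: Build 53.13.nc, Date: Sep 13 2017",
    "ns-dmz-02": "NetScaler NS12.0: Build 53.22.nc, Date: Nov 10 2017",
    "ns-int-01": "NetScaler NS11.1: Build 56.9.nc, Date: Nov 1 2017",
    "ns-int-02": "NetScaler NS10.5: Build 67.13.nc, Date: Nov 1 2017",
    "ns-lab-01": "NetScaler NS10.1: Build 135.8.nc, Date: Jan 1 2016",
    "ns-lab-02": "version unknown",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host:10} {status}")
```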

DIRECTOR ALERTS! CONFIGURING FOR OFFICE 365

Figured this would be an appropriate time to send this email, with all of the snow out there in the North East, many administrators may be working remotely. Having a process looking in on the health of your Citrix environment and reporting if any issues arise would be just wonderful! Well fear not, Citrix has thought of this already and with the latest version of Director, v7.7, they have added in the capability to create triggers to alert you to any potential issues as they come up. Of course our systems don’t have much use for alerts as they don’t have any issues! :)
After you install (or upgrade) your Director and log in, you will notice a new option in the title bar called Alerts:
Clicking on this new option will take you to the Alerts area where you can set up all sorts of triggers, I will leave this to you to sort out. What I wanted to discuss is how to get those alerts to be emailed out in an Office 365 world as it might not be so evident.
Click on the Alerts option and then the Email Server Configuration tab.
This will bring you to the email relay configuration. From this screen you have several pieces of information that you will need to provide. If you are in an Office 365 environment, you might have already configured other devices to send email out. There are two main ways to accomplish this: 1) via an onsite relay and 2) via direct authentication. The second choice is the preferable one according to Microsoft. There are many articles out there already on how to set up an SMTP relay, so I will focus on the second option.
Back to the tab. Right off the bat, there is a mistake in the interface: for the first choice, Protocol, if you pull down the drop-down, you will see the following options:
Office 365 requires SMTP-TLS, but Director seems to only have an option for a *new* protocol called SMTP-TSL! Ok, maybe not a big deal, but it made me take a second look. Select this option even if it feels wrong; don’t worry, the option doesn’t stay wrong for long.
For Office 365 use the following choices:
  • Host: smtp.office365.com
  • Port: 587
  • Sender Email:
  • Does SMTP server require authentication: Yes
  • User Name:
  • Password:
You should have noticed that as soon as you selected the SMTP-TSL option, it immediately corrects itself and changes to SMTP-TLS. As for the other settings, namely the email address, most places have an email account that they use to send alerts for other things already, so this same account can be utilized here. You can use the same email address to be the sender as the one to do the sending. If you choose to have the alerts come from one email address and authenticate using a different one, make sure that you assign the correct send on behalf of permissions to allow the account to send properly.
That’s it, once this is completed, click on Save and feel free to send a test message. As soon as you click the Send Test Message button it will immediately ask you to enter in an address to send the message to. If all is ok, you should get something that looks similar to this:
If you don’t get the email, you might want to make sure that you don’t have a firewall blocking the port. Once you receive the email, you are good to go and can click through the other tabs to set up all of the alerts you are interested in being made aware of!

Aaron
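
If the test message never arrives, the following added example (not part of the original post and not Citrix or Microsoft code) separates a blocked port from a TLS or authentication problem by probing the same host and port used in the settings above, without sending mail or credentials. It assumes Python 3 is available on the Director server or on a host in the same network segment.

```python
import smtplib
import ssl

HOST, PORT = "smtp.office365.com", 587  # values from the Director settings above


def check_submission(host=HOST, port=PORT, timeout=10):
    """Probe an SMTP submission endpoint without sending mail or credentials.

    Returns a dict so a failure can be pinned on the network path
    (reachable), the TLS upgrade (starttls) or the server's
    authentication offer (auth).
    """
    result = {"reachable": False, "starttls": False, "auth": False, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            result["reachable"] = True
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                result["error"] = "server does not offer STARTTLS"
                return result
            # The default context verifies the certificate chain and host name.
            smtp.starttls(context=ssl.create_default_context())
            result["starttls"] = True
            smtp.ehlo()  # capabilities must be re-read after the TLS upgrade
            result["auth"] = smtp.has_extn("auth")
    except (OSError, smtplib.SMTPException) as exc:
        # Refused or timed-out connections land here: the firewall case.
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    print(check_submission())
```

A result with `reachable` set to False points at the firewall or routing; `reachable` True with `starttls` False points at something on the path stripping or failing the TLS upgrade.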

CUSTOM OUTLOOK RULES FOR RETAINING AND ARCHIVING EMAIL

Hello All,

Quick note on a retention policy I just created in Outlook. I have a particular folder that I have email going into using a rule, it contains random items that I put into the “I’ll read if I get around to it” category. These emails come in so fast and furious and if a couple of weeks go by and I haven’t had a chance to read something, I don’t bother as there are probably a hundred other items that I’ll read before ever getting back to that one.

Anyway, I found myself going in from time to time to clear out the folder (at one point there were over 12,000 items in this one folder alone) and wanted to see if I could come up with a more automated way to have the system clear out the folder based on some criteria. What I came up with was: anything over a month old will probably not ever get read and is not something that I would want to even keep around, as with the speed of the industry, the information is probably out of date anyway. Office 365 (and Exchange for that matter) has a very powerful retention policy engine, so I created a new policy to start keeping my mailbox tidy. This probably falls into the features everyone knows about but never actually uses.

How do you do it? Glad you asked! Simply right click on a folder and select the Properties option:


Next, click on the Policy tab and then click the drop down, you should see a few choices:


Click the policy you wish to apply to the folder, and click Ok.

Now that you have activated the Policy, you will see that an expiration shows up on each mail item:


That’s it! There are all sorts of options that we can enable; in most cases, you will likely want to archive the emails (not delete them) and there are a whole bunch of default policies to choose from. Oh yeah, one more thing, you can set a policy on a particular email as well, so if you chose the policy above on a folder and are having all items get deleted after a month, but then come across an item that you want to keep (or Archive) you can override the policy on a per email basis:
