Secure Network, How? – Security Blog #7

--Originally published at That Class Blog

This entry is not addressed to regular computer users, but more specifically to engineering students or people interested in network’s security, as the concepts are not that regular. This entry’s topic is the security of the network’s enterprise.

Virtual Private Network

This first category isn’t that much complex, as Virtual Private Networks (VPNs), are more and more widely used by the general users. So I won’t be talking a lot about this. VPNs are a method used by enterprises to connect and access an internal network from the outside, using a more secure network and an encrypted one.

Secure Network, How? – Security Blog #7
“network” by Rosmarie Voegtli (CC Taken from

Intrusion Detection Systems

Intrusion Detection Systems (IDS) main function is to aid the administrator in the detection of the type of attack that is being carried to the system. Usually, the IDS also help the administrator find and execute a solution to the problem as well as a plan of action on future detections. These systems trace and record logs, signature and triggered events. Usually, the IDS is attached to the firewall (Which I’m speaking down below) and the network router.

The most popular IDS tools I found are Snort and Cisco Network-Based IDS. Both successfully notify the user real-time, the signatures of attacks made to the network. The main advantage of Cisco IDS is the results obtained in the aftermath of the events (Reassembly of IPs and TCP sessions) and Cisco continuous support to the client. Meanwhile, Snort is open-source, cheaper to implement (Hardware wise), and flexible (Only requires Linux) and has multiple modalities where it can be implemented.


Firewalls, also called Intrusion Detection Devices, are software or applications that work directly in the network layer. As most of us already know, the firewalls protect the internal network users from the rest of the world, and vice versa. The rules set in the firewall can block specific functionalities and applications if the port is marked as prohibited. They also can redirect incoming requests from one port to another. When a block or a forwarding is made, a log it generated so the administrator can oversee the data that it’s being affected by the rules. usually, the firewall is located after the incoming data is processed by the router.

As I found out, the most common firewalls are Cisco ASA and Sophos. Overall I found people prefer Sophos firewalls. Basically, because Cisco ASA only works for people who can’t get out of the traditional enterprise comfort zone. This means that if you want to implement a not that usual functionality, ASA won’t be enough.


Miguel Montoya
Esperanto enthusiast

Further reading:

Cisco IDS vs SNORT discussion thread at CISCO support: Cisco IDS vs SNORT.

Firewalls discussion thread at Spiceworks: Sophos vs SonicWall vs Cisco ASA vs Fortinet.

Late and FINAL Report – Week 14

--Originally published at That Class Blog

I don’t know what to say about my new habit of making very late publication of our weekly reports (And any report in general).

This week the rest of the team primary focus was to film and deliver the final project video, and myself, I worked in the design of the project poster. The one that we needed to present at “The Engineering Expo”. I’m very proud of that poster, I think it ended up real nice Late and FINAL Report – Week 14

Late and FINAL Report – Week 14
“After the rain” of Susanne Nilsoon (CC Taken from

I’m proud of our project. I think we worked very well and accomplished the delivery of a nicely done (And well tested) product. I’m still amazed at how bad I’m at playing it. But the doubts about myself got at ease when I saw at the expo how most of the people who played were having difficulties playing, because it is indeed, a difficult project. I guess my teammates just practiced a whole lot more when designing the levels and testing them.

See you the next time!

Miguel Montoya
Esperanto enthusiast

I leave you my poster down below.
Please, only share.

Late and FINAL Report – Week 14
“It’s not raining” by Miguel Montoya (CC BY-NC-ND



--Originally published at Ce qui est chouette

In this topic I’ll cover Virtual Private Clouds, such are offered by Google Cloud Platform and Amazon Virtual Private Cloud.

A virtual private cloud is a cloud service that offers an infrastructure in which various services (VPC users), of the platform offering it, share resources available in this cloud while isolated from each other. This isolation is usually achieved through having a private local network and subnetting it (could be through VLANs), assigning a subnet to each user, or group of users that need to be directly connected, for other connections a local DNS server can be used.

Clouds by Eric Summers on Flickr under a CC License.

VPC services usually also encrypt  and mask the communication between its users and the shared resources through a VPN, adding as well a layer of authentication. A VPC implements layered security and provides it As-A-Service at the cost that it is highly complicated to set up, but using it correctly can yield a system with powerful defense.

This is a technology that I’ve yet to learn, but will do so, hopefully, this summer. If there are some project ideas that you, the reader, have that may help in my learning of this technology, I’ll appreciate it if you shared them in the comments.

– Virtual Private Guy.


--Originally published at Ce qui est chouette

In this post I’ll talk about containers, how they are used, and talk a little about their implication with security.

First, what is a container? A container is a lightweight packaging of a piece of software, including everything needed to execute it: code, runtime, system tools, system libraries, settings, etc.. A container is isolated, it will run the same every time, anywhere it’s executed. When run in a single machine, they share its operating system kernel, start instantly, and use less computing power and RAM.

Isn’t that a virtual machine?





Container by Photo Your Space on Flickr under a CC License.

A virtual machine consists of the following:

  • Abstraction of physical hardware.
  • Each VM consists of a full copy of the Guest OS, some apps and necessary binaries and libraries.
  • The hypervisor allows several VM’s to run on a single machine, turning one computer into many.
  • Usually in the GBs.

While a container is:

  • Abstraction of the application layer.
  • Contains code and its dependencies.
  • Multiple containers run on the same machine sharing the Host OS kernel with other containers.
  • Usually in the MBs.

So yeah, it’s virtual-machine-esque but not quite. By using a container, things like environment variables, that may contain sensible data, are not exposed to the main machine, instead they are cozily packaged along with the software and running inside the container, you can couple this with a reverse proxy like NGINX, setup SSL, and you’re all set for a slightly more secure application.

A technology that’s currently leading the market is Docker, providing a hub on which to upload your own images for the world to see and download common images from which to extend your own.

– FROM fornesarturo/dude:latest

Onions were right all along

--Originally published at Ce qui est chouette

This post will deal with the topic or security practice of security by layers, and a little suggestion of a technology that may serve for this purpose in a not so deep-in-configuration manner.

Onions were right all along
Onion by John Vetterli on Flickr under a CC License.

In Information Security, security by layers refers to the practice of combining various security control points across the pipeline of an application. That is multiple mitigating security controls to protect the application’s resources and data. There are various ways of going about this layers, there is no silver bullet in security by layers, as every system is different, but some examples may be:

Consumer Layered Security Strategy

  • Extended validation (EV) SSL certificates.
  • Multifactor authentication.
  • Single sign-on (SSO).
  • Fraud detection and risk-based authentication.
  • Transaction signing and encryption.
  • Secure Web and e-mail.
  • Open fraud intelligence network.

Enterprise Layered Security Strategy

  • Workstation application whitelisting.
  • Workstation system restore solution.
  • Workstation and network authentication.
  • File, disk and removable media encryption.
  • Remote access authentication.
  • Network folder encryption.
  • Secure boundary and end-to-end messaging.
  • Content control and policy-based encryption.

These are the common can-be-found-in-any-page-you-check strategies, in the next blog I’ll cover another topic related, in some way, to security by layers, that is using containers to deploy code.

– An ogre.

Late TODO week 14

--Originally published at That Class Blog

Okay, so this week is movie production week! Yay, I guess. It means we are mostly done.

I still owe a level. I’m getting into it. But the most important thing this week is to develop our promotional video. Decide what to include and what to tell. And yeah…


Miguel Montoya
Esperanto enthusiast

OMG I did it!

--Originally published at That Class Blog

Okay, so I’ve been so proud this last 2 weeks because I finally got a -more than- decent score in LastPass Security Challenge. The first time I took the quiz I had more than 40 sites (There were more of them, but I already had the duplicate/same domain configuration working), and I obtained a well deserved 12%, in the lowest 7%, but at least my Master Password was excellent (At least something wasn’t horribly wrong).

OMG I did it!
“pw_xato-net_02-06” by Mark Burnett (CC Taken from

Now, I can truly be proud to say that after some heavy work I got, after inserting 5 new sites, a 96%. This puts my account in the top 1% of Last Pass users. YAY!

So,  it was really a heavy task to change the passwords of almost 50 sites. It was really horrible and exhausting (Maybe because I tried to all of the necessary changes in one sitting). But I can share some stuff I’ve learned to the rest of the world:

  • Last Pass offers a method that automatically changes your password in the supported sites (Usually it only works with the big ones). I found that method extremely ineffective. It takes what feels like years, to let the program found the adequate buttons, text fields and then generate the password. I don’t know why did this happen. Maybe because I have some pages in Spanish and Esperanto, and the program failed to find the buttons (if the method is made using the value of the button and not the ID, or something like that).
    I mean. My problem was with the time it took to accomplish those tasks. Not that it didn’t work. I don’t have any problem leaving Last Pass to change your password in the background while you do something else. Then there isn’t any con for you. (Remember that you will need to manually select each site that you wish to auto-change).
  • Manually changing your passwords was a pain in the butt… sometimes. Why? Because of three reasons.
    1. Sometimes, Last Pass doesn’t detect the new password fields. So how can I take advantage of the password generator, if it doesn’t appear where I need it to be. I then need to use the generate password feature in the extension button of the explorer.  Which is, in fact, the second reason.
    2. If you have the necessity of using the “generate password” inside the extension button, and if you want to write edit the password (Which is a feature you supposedly have), you will suffer. Why? Because the dumb system stores the texts that you have managed to type in. I was going to post a GIF where I showed this ugly implementation, but then I realized that the stored list has passwords that you actually use on some sites! I mean, if supposedly Last Pass is trying to make me use different passwords for each account, then don’t show me my used passwords. But specifically, don’t store them in a list that impedes the insertion of a new password to test or the generation and tweaking of a different one. So I encourage you to try this by yourself so you can actually understand.
      The problem is that instead of letting the user write a new password to test, it will change the value of the field to the stored text in the list (I sincerely don’t know how I managed to get those in) that starts with the key you just typed, like a form.
      And if you manage to actually make Last Pass stop changing your text, you can only add more characters to the end of the string. You can’t move the text cursor somewhere else because, bad luck, it will change the entire string that it’s being displayed.
      And after that, if you think that that password you have would fit your needs, then, good luck copying that into the reset password field (Remeber that you only got here because, from the start, Last Pass didn’t detect that you were actually trying to change the password). Because when you release the ctrl+c keys, Last Pass will change the text to the string that starts with c in the list. And your clipboard will still remain empty, and your perfect password lost.
    3. Okay, so let’s say that Last Pass actually detected you are changing your password. And let’s say that you manage to generate a new one, either automatically (Without even touching a thing), or semi-automatically (Giving the generator some parameters). Sometimes, after you click the update password button in the site, Last Pass will prompt you to update also the entry in your vault. But, this is only sometimes! And how am I to know that if you can detect that new password field for a particular site, doesn’t mean that you will be able to tell if I actually updated the password?!
      If this feature didn’t exist, then I wouldn’t care. But the problem is that sometimes it does work. And it’s beautiful. But when it doesn’t, how am I to update myself the Last Pass vault entry, if I don’t have any clue of the new password! It only leaves me with the option to click on the “I forgot my password” on the site. Generate another password and remember to copy it. Then, and this is just ridiculous, if Last Pass doesn’t automatically detect the new password this time, I manually updated it in the vault.

And those are my complaints of Last Pass. I still have one HUGE complain. During this process of changing the passwords, I found out that there are sites that handle this request easely, and others that makes it impossible to the user to reach its goal. Some of them let you change the password only if you click on the “I forgot my password”. But there is one site that is thw worst of all. – I mean… they don’t event let you change your password. So I clicked on the forgotten password button, to then realize that they just sent me my password via email. OMG. That is so badly implemented. In fact I made a public complaint in Twitter. But they account is mostly offline.

And I guess that its everything I have to share about my experience. If you feel like asking something, please do.


Miguel Montoya
Esperanto enthusiast