WebVeta - Advanced, unified, consistent search for your website(s), from content of your website(s), blogs(s). First 50 customers, who sign-up prior to 15/05/2024 get unlimited access to existing features, newer features for at least 1 year. Sign up now! https://webveta.alightservices.com/
In my own startups – ALight Technology And Services Limited (U.K) ALight Technologies USA Inc (U.S.A) I do everything from end-to-end i.e coming up with ideas, analysing value proposition, deciding on features, feature prioritization, cloud architecture, technical architecture, actual development, some sanity checks, deployment with the help of some CI/CD tools based in the cloud and blog articles in the open internet. I have been evaluating and experimenting with various methods of securely accessing cloud workloads.
I have tried few more things after writing the above mentioned blog post:
MagicDNS and Serve: Definitely useful feature for quick demos or prototypes.
SSH: SSH via Tailscale, did not trigger my alerts. I have configured and developed my own monitoring and alerting system based on NIST CyberSecurity Framework. When I SSH’ed via Tailscale by advertising node by passing –ssh these did not get triggered. The reason could be because Tailscale SSH does not use port 22 and that’s why port does not need to be opened. This option did not even require the .pem or password because SSH is being done directly inside of Tailscale rather than normal port 22.
I have not tried SSH without –ssh option i.e normal ssh while connected to VPN overlay yet.
I have uninstalled Tailscale and I might make further trials later or tomorrow.
BTW in my own startups – ALight Technology And Services Limited (U.K) ALight Technologies USA Inc (U.S.A) I do everything from end-to-end i.e coming up with ideas, analysing value proposition, deciding on features, feature prioritization, cloud architecture, technical architecture, actual development, some sanity checks, deployment with the help of some CI/CD tools based in the cloud and blog articles in the open internet.
I don’t have any fake aliases, nor any virtual aliases like some of the the psycho spy R&AW traitors of India. NOT associated – “ass”, eass, female “es”, “eka”, “ok”, “okay”, “is”, “erra”, yerra, karan, kamalakar, diwakar, kareem, karan, sowmya, zinnabathuni, bojja srinivas (was a friend and batchmate 1998 – 2002), mukesh golla (was a friend and classmate 1998 – 2002), thota veera, uttam’s, bandhavi’s, bhattaru’s, thota’s, bojja’s, bhattaru’s or Arumilli srinivas or Arumilli uttam (may be they are part of a different Arumilli family – not my family).
Tailscale is a SaaS product offering, enabling easy VPN networks of scale on top of WireGuard. I have been using Tailscale for 2 – 3 months now and I plan to use more Tailscale features soon. This article is not a hands on guide, but more of a discussion on the features.
Someday I might upgrade to the paid plans.
Simple and straightforward installation, setup and thorough documentation.
Tailscale machines can be registered in the network, removed from the console. By default machines need to be registered every 24 hours, but if needed key expiry can be disabled.
By registering machines, the machines are registered in an overlay network and can communicate. The communications, user-access can be configured via policies. I think it’s very important to use –shields-up argument with tailscale up on client machines where we don’t want inbound connections. Considering the anonymous mafia equipment, I think there is a small loophole where a hacker might temporarily gain control a server in some scenarios – I have reported and suggested an alternative way: https://github.com/tailscale/tailscale/issues/8823
tailscale up --shields-up
VPN via exit node:
Although not the primary use-case, one of the Tailscale nodes can be configured as exit-nodes and can be used as VPN with very minimal configuration. This is one of the features, I have been using. I have a exit node in AWS in London region and I use the exit node like a VPN. The reason, I liked this feature is because, I don’t need to open any ports to the public internet or even for my own IP.
SSH:
Another useful feature, for semi-secure environments such as Development / QA could be SSH. Without opening the ports SSH can be done through Tailscale portal. I have used this feature few times.
WebHook Alerts: Webhook alerts can be used for getting notifications. I have configured Slack for alerts.
Some features, I haven’t tried yet but plan to:
Lock: Locks allow key signing from trusted internal nodes.
MagicDNS: MagicDNS allows an internal DNS. Should be useful for Dev / QA environments, internal applications etc…
Cert: Allows generating certificates based on MagicDNS i.e internal applications can be accessed securely using SSL.
Serve: Spin up a web-server. This can be done from command-line for some quick tests / validations without worrying about web server configurations in Dev / QA environments. For longer-term, I think configuring NGinx / Apache / IIS would be more useful.
SSH Session Recording: This is a paid feature but definitely useful i.e SSH sessions via Tailscale can be recorded.
Tailscale has extensive documentation and should be straightforward for most users.
I don’t have any fake aliases, nor any virtual aliases like some of the the psycho spy R&AW traitors of India. NOT associated – “ass”, eass, female “es”, “eka”, “ok”, “okay”, “is”, “erra”, yerra, karan, kamalakar, diwakar, kareem, karan, sowmya, zinnabathuni, bojja srinivas (was a friend and batchmate 1998 – 2002), mukesh golla (was a friend and classmate 1998 – 2002), thota veera, uttam’s, bandhavi’s, bhattaru’s, thota’s, bojja’s, bhattaru’s or Arumilli srinivas or Arumilli uttam (may be they are part of a different Arumilli family – not my family).
In a previous blog post – Custom Layout Renderer for NLog using C#, I have mentioned about how to create a class inheriting LayoutRenderer and writing custom Layout Renderer.
This blog post talks about inheriting from WrapperLayoutRendererBase class.
The WrapperLayoutRendererBase class has a method with the signature:
protected override string Transform(string text)
This method needs to be overridden. The nice thing about using this class is other layout renderers can be used in combination.
Here is a GitHub repo implementing hash functions that can be used as LayoutRenderers.
The hash implementation is about 10 – 11 times faster but uses Murmur3 non cryptographic hash.
I might consider a nuget package at a later point, but not now, because the code is very minimal and like a small helper class.
I don’t have any fake aliases, nor any virtual aliases like some of the the psycho spy R&AW traitors of India. NOT associated – “ass”, eass, female “es”, “eka”, “ok”, “okay”, “is”, “erra”, yerra, karan, kamalakar, diwakar, kareem, karan, sowmya, zinnabathuni, bojja srinivas (was a friend and batchmate 1998 – 2002), mukesh golla (was a friend and classmate 1998 – 2002), thota veera, uttam’s, bandhavi’s, bhattaru’s, thota’s, bojja’s, bhattaru’s or Arumilli srinivas or Arumilli uttam (may be they are part of a different Arumilli family – not my family).
In the above scenarion, we can use ${name} when defining a layout, of course instead of returning static string we can do something useful based on the use-case.
Class:
Define a new class inherited from NLog.LayoutRenderers.LayoutRenderer. Use class attribute LayoutRenderer(“name”). LayoutRenderer is an abstract class, implement the class by overriding Append(StringBuilder builder, LogEventInfo logEvent) method i.e Append the value that needs to be added to the log by appending to the StringBuilder parameter.
[LayoutRenderer("Example")]
public class ExampleLayoutRenderer : NLog.LayoutRenderers.LayoutRenderer
{
public string Value { get; set; }
protected override void Append(StringBuilder builder, LogEventInfo logEvent)
{
builder.Append("Value");
}
}
Extra parameters can be passed and assigned as properties of the custom class.
[LayoutRenderer("example")]
public class ExampleLayoutRenderer : NLog.LayoutRenderers.LayoutRenderer
{
public string Value { get; set; }
protected override void Append(StringBuilder builder, LogEventInfo logEvent)
{
// Your custom code
builder.Append(Value);
}
}
In the config file the custom layout renderer with params can be used like follows:
{example}
{example:value=abc}
Sometimes, in logs we write some data that might be needed for identifying but not necessarily the real value and for various reasons we might just need a hash. For example: SessionId / Some Cookie Value / IP address etc… Having a custom renderer for hashing such a value could be used.
Very few lines of code, i.e hashing and appending to a stringbuilder would solve the need i.e 2 – 3 lines of code. But, I think the 2 – 3 lines of code could be helpful for other people. I am considering creating an opensource version. I might or might not release nuget package. If I release nuget package, I would definitely make an anouncement. Anyway, not a big open-source project, but just few lines of code.
I don’t have any fake aliases, nor any virtual aliases like some of the the psycho spy R&AW traitors of India. NOT associated – “ass”, eass, female “es”, “eka”, “ok”, “okay”, “is”, “erra”, yerra, karan, kamalakar, diwakar, kareem, karan, sowmya, zinnabathuni, bojja srinivas (was a friend and batchmate 1998 – 2002), mukesh golla (was a friend and classmate 1998 – 2002), thota veera, uttam’s, bandhavi’s, bhattaru’s, thota’s, bojja’s, bhattaru’s or Arumilli srinivas or Arumilli uttam (may be they are part of a different Arumilli family – not my family).
This blog post discusses some multi-layered security approach with several MFA based authentications.
In the current world, cyber-security has become the biggest threat! With the rise of hackers, powerful hacking equipment / techniques, even people with bare minimum knowledge of computing can become hackers.
This blog post in a certain way shows techniques to reduce the attack area. In the past, I have written few blog posts regarding cyber-security, this is in continuation of the overall concepts. Here are the blog posts:
The over-all concept is about using one-time use VPN profiles with time limits on the validity of the connection. i.e Once I create and connect to a VPN server, if anyone ever gets hold of the VPN profile and attempts to connect, the connection should not be allowed and based on organizations policy, breach alert should be sent / any other mitigation action should be performed.
As of now, ALight Technology And Services Limited does not have any other employees but, based on employee permissions and categories, the VPN’s outbound IP address should be segregated i.e x.x.x.x for accessing accessing production environments, y.y.y.y for different set of resources etc…
By doing this type of segregation, it becomes easy to segregate cloud workloads on top of IAM policies in AWS / RBAC in Azure. Moreover the policies can be restricted.
This being the over-all policy, I am going to implement such a implementation soon. In the anouncements blog – ALight Technology And Services Limited: Internal maintenance, server migration (alightservices.com), I have mentioned about moving most AWS cloud workloads into Azure for easier management reasons, because the biggest workload of ALight Technology And Services Limited – WebVeta is going to be hosted on Azure. Because I am attempting Azure Certified Developer Associate certification on September 15th (Thanks Microsoft for the free exam voucher, gratitude). I am planning to get the Server migration completed by September 20th. The planned one-time use VPN profiles implementation + moving developer workload into the cloud by September 25th – i.e After this implementation, the source code, development, visual studio would be in the cloud. My laptop would not have anything critical. I am considering doing a webcast soon and would cover the following topics:
Using YubiKey for logging into laptop – not too useful, because this step can be bypassed and any other laptop can be used.
Setting up one-time use OpenVPN profile secured by a random password with pre-configured validity – One of the critical step.
Biometric Authentication MFA for accessing AWS for getting the OpenVPN profile.
Accessing internal servers i.e RDP for Windows / SSH for Linux and requiring YubiKey – Another critical step – TODO i.e I still need to implement this step. / Alternatively, having a different kind of MFA requirement prior to accessing RDP for Windows or SSH for Linux.
By doing the above set of activities, the following multi-layered security can be implemented:
MFA for accessing VPN profile.
One-time use VPN profile with pre-configured validity.
Random and different password for each profile.
Alerts / Mitigations for any breach / second attempts – sometimes could be false alarm i.e network reasons.
Requiring another layer of MFA for accessing the VPN profile.
Another layer of MFA for accessing servers.
Now, here are some No-No’s:
Don’t use the same type of MFA for all the stages, use different form of MFA or different MFA device for each stage i.e lost phone / stolen one-time codes / keys would not affect. If for example, if you are using same totp generator / normal yubikey / mobile phone for SMS, losing the key or phone can cause a breach. But having different MFA at each stage would minimise the problem.
Irrespective of how many layers of security or how much cyber security measures, implement logging, monitoring, metrics, alerting and do review the logs, monitor metrics for abnormalities. Have a plan of action i.e what to monitor, what are considered normal, what are considered abnormal, how to detect and attack, what needs to be done during an attack for mitigation, what needs to be done for reversing the damage, how to identify the damage, root-cause analysis, future mitigation, communication plan based on what has happened.
I am hoping this blog post and some of my previous blog posts, can help small SME’s and small startups like mine.
I don’t have any fake aliases, nor any virtual aliases like some of the the psycho spy R&AW traitors of India. NOT associated – “ass”, eass, female “es”, “eka”, “ok”, “okay”, “is”, “erra”, yerra, karan, kamalakar, diwakar, kareem, karan, sowmya, zinnabathuni, bojja srinivas (was a friend and batchmate 1998 – 2002), mukesh golla (was a friend and classmate 1998 – 2002), thota veera, uttam’s, bandhavi’s, bhattaru’s, thota’s, bojja’s, bhattaru’s or Arumilli srinivas or Arumilli uttam (may be they are part of a different Arumilli family – not my family).
Create a class and use the attributes [GlobalSetup] for any initialization, use the [Benchmark] attribute for the methods. Use [MemoryDiagnoser] for memory related information.
In the Program.cs use:
BenchmarkRunner.Run<BENCHMARK_CLASS>();
The code in the github repo clearly demonstrates the usage.
In the previous blog post I have mentioned about non-cryptographic hashes for general purposes.
Here are the results:
32 bytes data:
I commented some code and evaluated with more data sizes:
25 KB:
5 MB:
25 MB:
Conclusion:
For non-cryptographic 128 bit hashes use Murmur3.
I don’t have any fake aliases, nor any virtual aliases like some of the the psycho spy R&AW traitors of India. NOT associated – “ass”, eass, female “es”, “eka”, “ok”, “okay”, “is”, “erra”, yerra, karan, kamalakar, diwakar, kareem, karan, sowmya, zinnabathuni, bojja srinivas (was a friend and batchmate 1998 – 2002), mukesh golla (was a friend and classmate 1998 – 2002), thota veera, uttam’s, bandhavi’s, bhattaru’s, thota’s, bojja’s, bhattaru’s or Arumilli srinivas or Arumilli uttam (may be they are part of a different Arumilli family – not my family).
var sometext = "SOME TEXT";
ReadOnlySpan<byte> data = new ReadOnlySpan<byte>(Encoding.UTF8.GetBytes(sometext));
var retVal = FastHash.HashGenerator.GenerateHash128(data);
var guid = retVal.AsGuid().ToString();
OR
Convert.ToBase64String(retVal.AsSpan());
MurmurHash3 – Generates 128 bit hash and faster than FastHash’s 128 bit implementation.
var sometext = "SOME TEXT";
var data = Encoding.UTF8.GetBytes(sometext);
var retVal = murmurHasher.ComputeHash(data);
var guid = Convert.ToBase64String(retVal);
var sometext = "SOME TEXT";
var bytes2 = Blake2Fast.Blake2b.ComputeHash(new ReadOnlySpan<byte>(Encoding.UTF8.GetBytes(sometext)));
var guid = Convert.ToBase64String(bytes2);
For specifying the hash-size in bytes use the overload for ComputeHash.
var bytes2 = Blake2Fast.Blake2b.ComputeHash(new ReadOnlySpan<byte>(<bytes>, Encoding.UTF8.GetBytes(sometext)));
The value of <bytes> can be between 1 and 64.
I don’t have any fake aliases, nor any virtual aliases like some of the the psycho spy R&AW traitors of India. NOT associated – “ass”, eass, female “es”, “eka”, “ok”, “okay”, “is”, “erra”, yerra, karan, kamalakar, diwakar, kareem, karan, sowmya, zinnabathuni, bojja srinivas (was a friend and batchmate 1998 – 2002), mukesh golla (was a friend and classmate 1998 – 2002), thota veera, uttam’s, bandhavi’s, bhattaru’s, thota’s, bojja’s, bhattaru’s or Arumilli srinivas or Arumilli uttam (may be they are part of a different Arumilli family – not my family).
The above command looks for xml files under TestResults/* folder and generates HTML reports under report folder.
The HTML report looks like this. If there is any code that was not covered under unit test, those can be seen easily. The following screenshots have 100% code coverage, but if there is any code not covered, the code would be shown in red.
I don’t have any fake aliases, nor any virtual aliases like some of the the psycho spy R&AW traitors of India. NOT associated – “ass”, eass, female “es”, “eka”, “ok”, “okay”, “is”, “erra”, yerra, karan, kamalakar, diwakar, kareem, karan, sowmya, zinnabathuni, bojja srinivas (was a friend and batchmate 1998 – 2002), mukesh golla (was a friend and classmate 1998 – 2002), thota veera, uttam’s, bandhavi’s, bhattaru’s, thota’s, bojja’s, bhattaru’s or Arumilli srinivas or Arumilli uttam (may be they are part of a different Arumilli family – not my family).
If there is an existing database and if you need to use Entity Framework, use Database First approach. Have Entity Framework generate the DBContext and the classes.
dotnet ef dbcontext scaffold "Server=<SERVER>;User=<USERNAME>;Password=<PASSWORD>;Database=<DATABASE>;" "Pomelo.EntityFrameworkCore.MySql"
The EF classes and DBContext gets scaffolded.
I don’t have any fake aliases, nor any virtual aliases like some of the the psycho spy R&AW traitors of India. NOT associated – “ass”, eass, female “es”, “eka”, “ok”, “okay”, “is”, “erra”, yerra, karan, kamalakar, diwakar, kareem, karan, sowmya, zinnabathuni, bojja srinivas (was a friend and batchmate 1998 – 2002), mukesh golla (was a friend and classmate 1998 – 2002), thota veera, uttam’s, bandhavi’s, bhattaru’s, thota’s, bojja’s, bhattaru’s or Arumilli srinivas or Arumilli uttam (may be they are part of a different Arumilli family – not my family).
Symmetric encryption is an encryption technique where the same set of keys are used for encryption and decryption. Whereas, Asymmetric encryption uses different keys i.e public key for encryption and associated private key for decryption.
TripleDES is an algorithm for implementing symmetric encryption.
TripleDES uses Key and IV.
public string EncryptTripleDES(string plainText, byte[] Key, byte[] IV)
{
byte[] encrypted;
using (TripleDESCryptoServiceProvider tdes = new TripleDESCryptoServiceProvider())
{
ICryptoTransform encryptor = tdes.CreateEncryptor(Key, IV);
using (MemoryStream ms = new MemoryStream())
{
using (CryptoStream cs = new CryptoStream(ms, encryptor, CryptoStreamMode.Write))
{
using (StreamWriter sw = new StreamWriter(cs))
sw.Write(plainText);
encrypted = ms.ToArray();
}
}
}
return Convert.ToBase64String(encrypted);
}
The above code snippet is for encryption.
public string DecryptTripleDES(string cipherText, byte[] Key, byte[] IV)
{
string plaintext = null;
var cipherBytes = Convert.FromBase64String(cipherText);
using (TripleDESCryptoServiceProvider tdes = new TripleDESCryptoServiceProvider())
{
ICryptoTransform decryptor = tdes.CreateDecryptor(Key, IV);
using (MemoryStream ms = new MemoryStream(cipherBytes))
{
using (CryptoStream cs = new CryptoStream(ms, decryptor, CryptoStreamMode.Read))
{
using (StreamReader reader = new StreamReader(cs))
plaintext = reader.ReadToEnd();
}
}
}
return plaintext;
}
The above code snippet is for Decryption.
My open-source tool LightKeysTransfer uses TripleDES and the accompanying source code can be found at:
I don’t have any fake aliases, nor any virtual aliases like some of the the psycho spy R&AW traitors of India. NOT associated – “ass”, eass, female “es”, “eka”, “ok”, “okay”, “is”, “erra”, yerra, karan, kamalakar, diwakar, kareem, karan, sowmya, zinnabathuni, bojja srinivas (was a friend and batchmate 1998 – 2002), mukesh golla (was a friend and classmate 1998 – 2002), thota veera, uttam’s, bandhavi’s, bhattaru’s, thota’s, bojja’s, bhattaru’s or Arumilli srinivas or Arumilli uttam (may be they are part of a different Arumilli family – not my family).
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
Cookie
Duration
Description
cookielawinfo-checkbox-advertisement
1 year
Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional
11 months
The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy
11 months
The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
