Happy to step aside and feature a community member's content as a guest
article for this post. Please welcome Leonardo Souza to the ranks of
If you have upgraded an F5 device (BIG-IP) before, you probably have faced
SSL/TLS compatibility issues. That is not exclusive to F5 devices, but a
general problem every time a new software version or functionality is
released. In theory things should be compatible with previous versions, but in
reality most of the time they are not. When talking about encryption we use the
term SSL, however when we start to discuss the technical details we need to
differentiate SSL and TLS.
I will not extend the SSL/TLS topic, as there is a good article in DevCentral
that explains how a F5 device uses SSL/TLS. Basically, TLS 1.0 is defined in
RFC 2246 in 1999, TLS 1.1 RFC 2246 in 2006, TLS 1.2 in RFC 4346 in 2008, a... (more)
Welcome back for another (long overdue) episode of the ABC's of NSM. What's
NSM you say? We'll go with Network and System Management, but you could
throw Security in there as well. We'll work our way through the alphabet
over the next several weeks looking at tools and concepts along the way
for all the administrators out there. By the way, you can thank
Joe for the format & Don for the title (I couldn't for the life of me
come up with one.)
Today's letter T is for TightVNC. TightVNC is a remote desktop option for
*nix/Windows systems that comes with both server and... (more)
Microsoft released advisory 2416728 on Friday after researchers Thai Duong
and Juliano Rizzo demonstrated the attack on ASP.NET with their Padding
Oracle Exploit Tool. The attack itself preys on a bug in ASP.NET’s AES
implementation, which you can read about over here at threatpost. So
what’s the reward for a successful attack? It’s not going to allow the
attacker to execute code or elevate rights, but it does allow the attacker to
read potentially sensitive data that could then be further used to compromise
The mitigation for this attack is to obfuscate the server ... (more)
The default logon page for the Access Policy Manager module is pretty basic,
particularly so if only the minimal username and password fields are configured.
However, APM is wildly flexible. In this tech tip, I’ll cover customizing
the logon page by adding a dropdown box of services to the standard username
and password fields.
Introduction Background Information
The goal here is to provide access to multiple web applications behind APM
through the use of an admin-defined dropdown menu and different LTM pools for
each web application. We will be generating the list dynamically through t... (more)
I got a request yesterday morning asking if there was a way to drop HTTP
requests if a certain number was referenced in the Accept-Language header.
The user referenced this post on Exploring Binary.
The number, 2.2250738585072012e-308, causes the Java runtime and compiler to
go into an infinite loop when converting it to double-precision binary
floating-point. Not good. Twitter is ablaze on the issue, and there is a
good discussion thread on Hacker News as well. So how do you stop it?
At first, this appeared to be a no-brainer, just copy that string and drop if
found in that... (more)