I’ve got 99 problems, but a switch ain’t one.

If you’re havin’ loop problems I feel bad for you son, I got 99 problems but a switch ain’t one.

The SoC used for the SG-1000 (also known as “uFW”) includes an on-die 3-port gigabit Ethernet switch. By leveraging VLANs, it’s possible to build a ‘router on a stick’ on one board: the CPU sees a single trunk port carrying tagged frames, and each physical jack is mapped to its own VLAN. To make this switch as functional as possible, we decided to leverage the FreeBSD etherswitch(4) framework. Support for the on-die switch on the SG-1000 was upstreamed directly to FreeBSD in revision 309113.
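Here is what that layout looks like in commands, as an added example that is not code from the Netgate post or from pfSense itself. It assumes a port numbering (CPU-facing port 0, jacks 1 and 2), a host interface name (cpsw0), the default control device /dev/etherswitch0, and that the switch supports etherswitchcfg(8)’s dot1q VLAN mode; the VLAN IDs and the LAN address are placeholders.

```shell
#!/bin/sh
# Added example, not code from the Netgate post or from pfSense: a "router on a
# stick" layout for a 3-port etherswitch(4) switch, built with etherswitchcfg(8)
# and vlan(4). Assumed (not stated in the post): the CPU-facing switch port is
# port 0, the two external jacks are ports 1 and 2, the host NIC behind the
# switch is cpsw0, the control device is /dev/etherswitch0, and the switch
# supports dot1q VLAN mode.

SWITCH=${SWITCH:-/dev/etherswitch0}
HOST_IF=${HOST_IF:-cpsw0}
CPU_PORT=0
WAN_PORT=1; WAN_VID=10
LAN_PORT=2; LAN_VID=20
LAN_ADDR=${LAN_ADDR:-192.168.20.1/24}

# run: execute a command, or only print it when DRY_RUN is set, so the plan can
# be reviewed (or tested) on a machine without the switch hardware.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# vlan_members: the etherswitchcfg member list for one VLAN: the CPU port
# tagged (suffix "t", so every VLAN shares one trunk to the host) and the
# given jack untagged.
vlan_members() {
    printf '%st,%s\n' "$CPU_PORT" "$1"
}

configure_switch() {
    run etherswitchcfg -f "$SWITCH" config vlan_mode dot1q
    # One VLAN group per jack. vlangroup0 stays the default VLAN but is
    # restricted to the CPU port, so untagged traffic can never bridge the
    # WAN and LAN jacks inside the switch, bypassing the firewall.
    run etherswitchcfg -f "$SWITCH" vlangroup0 vlan 1 members "$CPU_PORT"
    run etherswitchcfg -f "$SWITCH" vlangroup1 vlan "$WAN_VID" members "$(vlan_members "$WAN_PORT")"
    run etherswitchcfg -f "$SWITCH" vlangroup2 vlan "$LAN_VID" members "$(vlan_members "$LAN_PORT")"
    # PVID: untagged frames arriving at a jack are classified into its VLAN.
    run etherswitchcfg -f "$SWITCH" "port$WAN_PORT" pvid "$WAN_VID"
    run etherswitchcfg -f "$SWITCH" "port$LAN_PORT" pvid "$LAN_VID"
}

# The firewall itself only uses the tagged vlan(4) interfaces; the parent
# interface carries no address of its own.
configure_host() {
    run ifconfig "$HOST_IF" up
    run ifconfig "$HOST_IF.$WAN_VID" create vlan "$WAN_VID" vlandev "$HOST_IF" up
    run ifconfig "$HOST_IF.$LAN_VID" create vlan "$LAN_VID" vlandev "$HOST_IF" inet "$LAN_ADDR" up
}

# Usage: sh switch-rots.sh apply   (DRY_RUN=1 sh switch-rots.sh apply to preview)
if [ "${1:-}" = "apply" ]; then
    configure_switch
    configure_host
fi
```

Because the two jacks never share an untagged VLAN, any frame from WAN to LAN has to cross the tagged trunk and therefore the firewall’s rules; DRY_RUN=1 prints the plan instead of applying it.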

Support for this framework then needed to be added to pfSense. First, support was added to the PHP module that provides the glue layer between FreeBSD and PHP, via a series of commits. Here are two of them: 1 2. Once this was done, we could start designing the components of the web GUI. Switch_system.php shows which switches are attached to the system. It has no controls.

[Screenshot: Interfaces > Switch > System]

Switch_ports.php shows the ports available on the selected switch. Since the SG-1000 has only one switch, the selector that lets you choose which switch you are looking at is hidden.

[Screenshot: Interfaces > Switch > Ports]

Multiple switches attached to one firewall cause a selector to appear so you can choose which one to work on. Obviously there is only one switch on the SG-1000, but I’ve faked things here (“cd /dev; ln -s etherswitch0 etherswitch1”) to show the selector, and to show that we’re “thinking forward”.

[Screenshot: Interfaces > Switch > VLANs]

The VLANs page lists the configured VLANs and lets you view, create, or edit them.

[Screenshot: Interfaces > Switch > VLANs]

Switch_vlans_edit.php allows you to create or edit a VLAN. Clicking on any port in the “Available ports” column adds it to, or removes it from, the “Members” list. While the page accommodates up to 128 ports, this is an SG-1000, so there are only 3 ports to choose from. There is some pretty fancy jQuery in this page.

[Screenshot: Interfaces > Switch > VLANs > Edit]

The SG-1000 is not the only product we have coming that has built-in switches. Here is a sneak peek at another.

[Photo: the two systems described below]

The systems you see in this photo are Broadwell-DE based. The top unit (bcc-1) has 6 x 10G on SFP+; the bottom unit (bcc-0) has 16 x 1G on RJ45 (with 2 x 10Gbps uplinks) plus 4 x 10G on SFP+. Both systems additionally have 2 x 1Gbps Ethernet ports on SFP, redundant power, 2 x M.2, miniPCIe, 4 x SATA3 as 2.5″ drives, and a PCIe 3.0 x16 slot for expansion. Both have QuickAssist cards installed, enabling high-speed encryption and compression, but bypass NICs (for IDS/IPS) will likely prove popular as well.

Both also contain a “uBMC”, which is remarkably similar to the SG-1000, and runs pfSense with support for our coming (but unannounced) remote management product. In fact, the germination of the SG-1000 occurred because of uBMC. We noticed that a lot of people (including us) use pfSense to control access to the IPMI/BMC ports on their servers in colocation, so we thought, “Why not put pfSense in the BMC?”

Of course, since pfSense software is open source, this means that you’re no longer beholden to your IPMI vendor for security patches and updates.  More details on those systems, uBMC and the remote management product will be provided in future posts.


Multi-Factor Authentication in Exchange and Office 365

Multi-Factor Authentication (MFA), which includes two-factor authentication (2FA), is designed to protect Exchange Server and Office 365 against account and email compromise.

Microsoft has evaluated recent reports of a potential bypass of 2FA. We have determined that the technique described is not a vulnerability and the potential bypass does not exist on properly configured systems.

The reported technique does not pose a risk to Exchange Server or Office 365:

  • In Exchange Server, authentication configuration settings for client endpoints are not shared across protocols. Supported authentication mechanisms are configured independently for each protocol endpoint. Multi-Factor Authentication in Exchange Server can be enabled in multiple ways, including OAuth. Before implementing MFA with Exchange Server, it is important that all client protocol touchpoints are identified and configured correctly; otherwise an endpoint that still accepts password-only authentication remains reachable without the second factor.
  • In Office 365, when Azure MFA is enabled within a tenant, it is applied to all supported client protocol endpoints, including Exchange Web Services (EWS), Outlook on the Web (OWA), and Outlook client access. Office 365 users may experience a small delay before MFA is active on all protocols, due to propagation of configuration settings and credential cache expiration.
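The first bullet is the part a practitioner has to verify by hand: each endpoint carries its own authentication settings, so an MFA rollout is only as complete as the list of endpoints it covered. The following shell script is an added example, not code from the Exchange Team post; the endpoint paths are the usual Exchange virtual directory names, and the host name and the sample responses are constructed for this example. The samples show the kind of per-endpoint difference the bullet warns about (OWA redirecting to forms-based logon while EWS still answers with Basic/NTLM challenges), which is a configuration gap to find, not a product flaw.

```shell
#!/bin/sh
# Added example, not code from the Exchange Team post: list the HTTP
# authentication schemes each Exchange client protocol endpoint advertises, so
# an MFA rollout can be checked against every touchpoint rather than only OWA.
# The endpoint paths are the usual Exchange virtual directories; the host name
# and the sample responses below are constructed for this example.

ENDPOINTS='/owa /ecp /EWS/Exchange.asmx /Microsoft-Server-ActiveSync
/autodiscover/autodiscover.xml /mapi/emsmdb /rpc/rpcproxy.dll /OAB /PowerShell'

# parse_auth: read raw response headers on stdin and print the distinct
# WWW-Authenticate scheme names (header match is case-insensitive, CRLF
# tolerated) on one line, e.g. "Basic NTLM Negotiate".
parse_auth() {
    tr -d '\r' | awk 'tolower($1) == "www-authenticate:" { print $2 }' \
        | LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ *$//'
}

# classify: summarise what a scheme list means for MFA. Basic, NTLM, Negotiate
# and Digest authenticate with the account password (or Windows ticket) alone,
# so an endpoint offering them is only covered by MFA if something in front of
# it (ADFS, a claims-aware proxy) enforces the second factor; "Bearer" means
# the endpoint expects an OAuth token, which is where MFA is enforced in the
# OAuth flows the post refers to. Scheme names are case-insensitive.
classify() {
    legacy=""; token=""
    for s in $1; do
        case "$(printf '%s' "$s" | tr 'A-Z' 'a-z')" in
            basic|ntlm|negotiate|digest) legacy="$legacy $s" ;;
            bearer) token=yes ;;
        esac
    done
    if [ -n "$legacy" ]; then
        echo "password-schemes:${legacy# }"
    elif [ -n "$token" ]; then
        echo "token-only"
    else
        echo "no-challenge"    # e.g. a redirect to forms-based logon
    fi
}

# probe: one unauthenticated GET per endpoint; a 401 reply lists what the
# server accepts. Certificate verification stays on: a probe that ignored TLS
# errors would happily report an interposed host's configuration.
probe() {
    host=$1; path=$2
    schemes=$(curl -sS -D - -o /dev/null --max-time 10 "https://$host$path" | parse_auth)
    printf '%-32s %-24s %s\n' "$path" "${schemes:-none}" "$(classify "$schemes")"
}

audit() {
    for p in $ENDPOINTS; do probe "$1" "$p"; done
}

# Constructed sample responses (not captured from a real server).
SAMPLE_OWA='HTTP/1.1 302 Found
Location: /owa/auth/logon.aspx?url=https://mail.example.test/owa/
'
SAMPLE_EWS='HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="mail.example.test"
'
SAMPLE_EWS_OAUTH='HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-0000-c000-000000000000@example.test"
'

# Usage: sh exchange-auth-audit.sh audit mail.example.test
if [ "${1:-}" = "audit" ]; then
    audit "$2"
fi
```

Run it against the externally published name and, separately, against the internal one; the two can be configured differently, and a reverse proxy or load balancer in front may add or strip challenges, so the advertised schemes are a starting point for checking the virtual directory settings on the server, not a substitute for it.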

Additional information on enabling OAuth in Office 365 and Exchange Server can be found on Office.com and MSDN.

The Exchange Team

Certificate-Based Authentication (CBA) for Exchange Online is Generally Available

Many organizations have been using certificate-based authentication for Exchange Online while the feature was in preview. Today, we are excited to announce that the feature is generally available in Office 365 Enterprise, Business, Education, and Government plans. For more details, please reference our preview post, which has been modified to reflect this announcement. As always, we look forward to hearing your suggestions and feedback!

Tyler Lenig
Program Manager
Office 365