Cyber Security on Azure
An IT Professional’s Guide to Microsoft Azure Security

Second Edition

Marshall Copeland
Matthew Jacobs
Cyber Security on Azure: An IT Professional’s Guide to Microsoft Azure Security

Marshall Copeland, Austin, TX, USA
Matthew Jacobs, Nashville, TN, USA

ISBN-13 (pbk): 978-1-4842-6530-7
ISBN-13 (electronic): 978-1-4842-6531-4

https://doi.org/10.1007/978-1-4842-6531-4

Copyright © 2021 by Marshall Copeland and Matthew Jacobs


This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now
known or hereafter developed.
Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol with
every occurrence of a trademarked name, logo, or image we use the names, logos, and images only in an
editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the
trademark.
The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not
identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to
proprietary rights.
While the advice and information in this book are believed to be true and accurate at the date of publication,
neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or
omissions that may be made. The publisher makes no warranty, express or implied, with respect to the
material contained herein.
Managing Director, Apress Media LLC: Welmoed Spahr
Acquisitions Editor: Smriti Srivastava
Development Editor: Laura Berendson
Coordinating Editor: Shrikant Vishwakarma
Cover designed by eStudioCalamar
Cover image designed by Pexels
Distributed to the book trade worldwide by Springer Science+Business Media LLC, 1 New York Plaza, Suite
4600, New York, NY 10004. Phone 1-800-SPRINGER, fax (201) 348-4505, e-mail orders-ny@springer-sbm.com,
or visit www.springeronline.com. Apress Media, LLC is a California LLC and the sole member (owner)
is Springer Science + Business Media Finance Inc (SSBM Finance Inc). SSBM Finance Inc is a Delaware
corporation.
For information on translations, please e-mail [email protected]; for reprint, paperback,
or audio rights, please e-mail [email protected].
Apress titles may be purchased in bulk for academic, corporate, or promotional use. eBook versions and
licenses are also available for most titles. For more information, reference our Print and eBook Bulk Sales
web page at http://www.apress.com/bulk-sales.
Any source code or other supplementary material referenced by the author in this book is available to
readers on GitHub via the book’s product page, located at www.apress.com/978-1-4842-6530-7. For more
detailed information, please visit http://www.apress.com/source-code.
Printed on acid-free paper
Thank you Angela Copeland for your love and support on this “one
more book.” Thank you Mark Hilley for saving lives as a Firefighter
EMT First Responder. Thank you Matthew Jacobs for giving up
weekends and providing cloud security insight; you have a future as a
cyber security “blue team” leader. A very special thank you to life-long
friends and family, Tara Larson, Anthony Puca, Julian Soh, Keith
Olinger, Mark Ghazai, Eric Schwindt, and Jaime Segura.
—Marshall Copeland
For my wonderfully supportive wife Elizabeth Jacobs, who has always
pushed me to go further than I have ever imagined. I am forever
grateful. To my mother Anita Hale, thank you for all you have done to
make this possible. Thank you to my mentors and friends, Cayce
Borden, Brent Reynolds, Andy Bullington, Zach Hoover, Jay Sundberg,
Jeff Prouse, Sharon Asmus, Vern Hall, Rusty Martin, David Joseph,
Andrew Scott, Maher Aldineh, and Ben Moss.
—Matthew Jacobs
Table of Contents

About the Authors
About the Technical Reviewer
Acknowledgments
Introduction

Part I: Zero Trust Cloud Security

Chapter 1: Reduce Cyber Security Vulnerabilities: Identity Layer
Azure Cloud Relations: Tenant, Subscription, Resources
Azure Tenant Security
Azure Subscription Security
Azure API Security
Azure Resource Locks
Managing Azure Active Directory: Users and Groups
Azure Users
Azure Groups
Azure Active Directory: OAuth, SAML, AD Connect
OAuth
SAML
AD Connect
Security Measures
Azure Application Permission Scopes
Configure Multi-Factor Authentication
Conditional Access Policies
Azure AD Privileged Identity Management
Summary

Chapter 2: Azure Network Security Configuration
Virtual Network Overview
VNets
Network Security Group
VNet Security Best Practices
Network Peering
Application Security Groups
TCP/IP Port Vulnerability
Azure Front Door Service
Remote Access Management
Azure Bastion Host
Summary

Chapter 3: Reduce Cyber Security Vulnerabilities: IaaS and Data
Azure Security with IaC
ARM Development
Harden Azure VMs
Patching the VM Directly
VM Security and Endpoint Protection
Database Security
DB Best Practices
DB Authentication
Database Auditing
Storage Accounts
Shared Access Signatures
Key Management
Summary

Part II: Azure Cloud Security Operations

Chapter 4: Configure Azure Monitoring for Blue Team Hunting
Azure Data Platform
Azure Logs
Azure Metrics
Azure Monitor and Log Analytics Enablement
Log Analytics Workspace Security Strategy
Guest OS Metrics and Logs
Connecting Data Sources to Log Analytics Workspace
Summary

Chapter 5: Azure Security Center and Azure Sentinel
Cloud Security Challenges
Enable Security
Configuration Value
Standard Tier Advantages
Just-in-Time Access
Advanced Threat Detection
Anomaly Detection
Crash Analysis
Threat Intelligence
Behavioral Analysis
Configure Alerting
Using Security Center
Compute and Apps
Network
Data and Storage
Azure Sentinel
Connect to Data Streams
Using Azure Sentinel
Logs Pane
Analytics Pane
Hunting
Summary

Chapter 6: Azure Kubernetes Services: Container Security
Microservices
Containers, Docker, and Kubernetes
Azure Kubernetes Services and Security
Authentication
Container Security
AKS Security with Security Center and Sentinel
Kubernetes Security with Azure Policy
Summary

Chapter 7: Security Governance Operations
Azure Governance Architecture
Management Groups
Azure Policy
Compliance Reporting
Assignments
Blueprints
Role-Based Access Control
Azure Cost Management
Data Governance
Classification
Data Retention
Summary

Index

About the Authors
Marshall Copeland is a cloud security architect focused
on helping customers “shift left” with cloud security
defenses in Azure public cloud using cloud-native services
and third-party network security appliances. He uses
Infrastructure as Code (IaC) with ARM templates or
Terraform HCL to build cloud infrastructure and disaster
recovery solutions. Marshall’s Azure security design skills
include Azure Sentinel, Security Center, Policy, Firewall, and
ACL networking and a few open source solutions such as
ELK stack, Wireshark, and Snort. He partners with security
operations to guide cloud investigations to enhance “blue
team hunting” efficiencies.

Matthew Jacobs is a system engineer focused on cloud
architecture technologies needed to support identity
management, security, and collaboration toolsets for small
and medium businesses, including enterprise organizations.
His work has focused on digital transformation, including
on-premises only, hybrid cloud networks, and complete
public cloud-only deployment. Matthew brings a hands-on
cloud architecture approach for Identity and Access
Management (IAM) and enhanced engineering to enable
business agility that secures and supports a global remote workforce. His current
work in the Nashville, Tennessee, area includes Fortune 500 media, entertainment,
and hospitality companies, and his work history extends into public cloud federal
compliance requirements for the banking and healthcare industries.

About the Technical Reviewer
Vidya Vrat Agarwal is a software architect, author, blogger,
Microsoft MVP, C# Corner MVP, speaker, and a mentor. He
is a TOGAF Certified Architect and a Certified Scrum Master
(CSM). He is currently working as a Principal Architect at
T-Mobile Inc., USA. He started working on Microsoft .NET
with its first beta release. Vidya is passionate about people,
process, and technology and loves to contribute to the .NET
community. He lives in Redmond, WA, United States, with
his wife Rupali, two daughters Pearly and Arshika, and a
female puppy Angel.

Acknowledgments
Special acknowledgment to Shrikant Vishwakarma, Smriti Srivastava, and the Apress
team; we are so thankful for your guidance, support, and expert advice on this
publication. Thank you to Vidya Vrat Agarwal for his professional technical resources;
we are very fortunate to have your expert skills for this publication. The Apress team is a
fantastic company to help technical people share their knowledge at a global level.

Introduction
The first edition of this book in 2017 placed cyber security front and center to teams of
IT professionals who may not have focused on cyber security. This second edition is
completely rewritten and updated, with more than 70% of the book containing brand-new
Azure cloud security topics. Business relies more on subject matter experts (SME),
the professional resources, as they continue to secure applications and data in the
cloud. This second edition goes deeper on Azure security features that did not exist a
few years ago. This publication is an ambitious resource to provide readers a strong
foundation to learn and deploy Azure security best practices.
This book comes from several years of lessons learned and late nights of trying
to understand the what, how, and why. Having worked with several customers and
organizations moving to cloud-focused technologies, this book will aid in choosing the
right path for planning and moving forward with a cloud strategy. It will also empower
organizations to start taking their first steps toward cloud adoption, cloud migration, and
creating governance around an ever-changing technology and toolset.
This book was written for the following types of IT/cloud professionals:

• IT subject-matter experts (SMEs)
• IT professionals looking to expand their knowledge of cloud technologies
• Cyber security teams

This second edition does not repeat guidance to review current cyber security
reports; that should now be part of your security practice. You expand beyond Azure
Security Center and learn to use new and updated Azure native security services like
Azure Sentinel, Privileged Identity Management, Azure Firewalls, and SQL Advanced
Threat Protection and how best to protect Azure Kubernetes Services. Open this book
and begin the deep dive into Microsoft Azure Security.

PART I

Zero Trust Cloud Security


In Part 1, the focus is on the configuration of Azure cloud-native security solutions to
support a Zero Trust model. Let us first understand that cloud-native solutions are security
solutions created by Microsoft Azure for consumption in your Azure Tenant and
subscriptions. You need to consider what supports the Azure Tenant, which is more closely
tied to the identity layer, and what native solutions support the subscription layer.
The subscription layer has machines, which are tied directly to identity and customer
data. The data is what every “bad actor” is attempting to copy, augment, or damage.
The cyber security challenges are used to classify Azure cloud security needs to
better focus on improving your security posture in the cloud. Traditional on-premises
environments have been enabling security in different verticals: networks, identities,
users, systems, applications, and data.
In every chapter, security tools and techniques are introduced along with real-world
examples of how attacks were achieved, and each example trains the Azure security
operations teams using the cyber kill chain as their “north star.” Blue teams in the cloud
need to learn how to disrupt the kill chain at every link. The reader is introduced to the
most current command and control (C&C or C2) information framework to support
examples. The tool is used to identify hacker techniques based on their past attacks and
forensics. Examples will expand on different attack techniques with exercises to upskill
readers’ Azure cloud security knowledge from these community-supported tools
(https://attack.mitre.org/ and www.thec2matrix.com/matrix).
CHAPTER 1

Reduce Cyber Security Vulnerabilities: Identity Layer
Navigating the shifting landscape of security can be a daunting task, especially when
making the jump to cloud services or after reading about the latest breach that happened
to “Company Z.” It can be confusing learning a new technology as both the threats and
the platforms we use evolve every day. By understanding and implementing some of the
concepts and technologies outlined in this chapter, you will stay on the forefront of the
emerging trends in cyber security.
In this chapter, we will explain some of the mechanisms to create layers of protection
around your Azure Tenant; how to manage Azure users and groups, utilizing Azure
Active Directory (AAD) as your Identity Management solution with OAuth, SAML, or AD
Connect; and how to set up Privileged Identity Management.

Note The topics and guidelines in this chapter represent how to take your first
steps to managing your identity in Azure. We cover a baseline that can be tailored
to fit your specific organizational needs.

© Marshall Copeland and Matthew Jacobs 2021
M. Copeland and M. Jacobs, Cyber Security on Azure, https://doi.org/10.1007/978-1-4842-6531-4_1

Azure Cloud Relations: Tenant, Subscription, Resources
As organizations start their journey toward migrating fully to the cloud with Azure, or
expand their environment to include Azure in normal operations, we have to be aware
of a new attack vector in our security posture. Tenant security, which encompasses our
subscription, resources, and Azure AD, is now in play for potential exploitation.
In this section, we will outline where the responsibility falls for Tenant security based on
your service model and create some controls around your subscription, resources, and
APIs.

Azure Tenant Security


Tenant security can seem like one of the most daunting tasks to tackle. Since Microsoft
Azure is a public tenant, there is a certain level of responsibility that is shared between
Microsoft and the consumer. Your organization’s use of Azure for Infrastructure as a
Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS) will drive the
amount of effort needed to implement security controls.
We can break down the responsibility into three parts: Microsoft, shared, and
consumer. No matter which scenario, governance around the physical data centers
in which Azure resides is Microsoft’s responsibility. Microsoft will manage the availability,
security controls, and vulnerability for the base on which the Azure platform resides.
The consumer is always responsible for the users, data, and level of access within the
platform. The shared responsibilities are mixed between the three service models. IaaS
places more responsibility on the consumer side, PaaS is generally 50/50, and SaaS
puts more responsibility on Microsoft (Figure 1-1).


Figure 1-1. Microsoft’s shared responsibility model

Even with all of these different responsibilities and configurations, Microsoft
provides a basic toolset. Activity logs, alerting, and metrics are all configurable to your
custom criteria. Take advantage of the work Azure does behind the scenes populating
the toolset.

Azure Subscription Security


At first glance, it may seem inconsequential to talk about subscription security. You may
be asking, “What kind of data can be stolen from my subscriptions?” Some attackers are
not always out for financial gain or to harvest data, but to cause disruption of service.
There is also an internal threat from your daily administrators and end users. An end
user or administrator may accidentally navigate to a section of the Azure portal and
inadvertently cause harm. Because Azure is primarily an operational expenditure, the
quickest way to sour an organization’s experience with Azure is an extreme increase in
cost. The easiest control to put in place is an Azure Management Group.
Azure Management Groups are used for access control, policy, and compliance for
subscriptions across the tenant. You can deploy an Azure Management Group through
the Azure portal, PowerShell, or Azure CLI. Similar to NTFS permissions, where you
can apply different actionable items to a user or group, the same concept applies to
a management group. Owners have the ability to do everything, Contributors can do
everything but assign access, and Readers can read. For tighter controls, we can also
apply the roles of MG Reader or MG Contributor, which only allow for actions within the
management scope. Refer to Figure 1-2 for details of roles and actions.

Figure 1-2. Microsoft Azure Role-Based Access Control (RBAC) table
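
One way to script the management group controls described above with the Azure CLI, as an added example that is not from the book. The group ID, display name, subscription ID and user are constructed placeholders, "MG Reader" is taken to be the built-in Management Group Reader role, and the role allow-list and dry-run default are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the book. All names below are constructed placeholders.
# Dry run by default: commands are printed, not executed. Set APPLY=1 to call az.

MG_ID="${MG_ID:-contoso-prod}"                             # hypothetical group id
MG_DISPLAY="${MG_DISPLAY:-Contoso Production}"             # hypothetical display name
SUB_ID="${SUB_ID:-00000000-0000-0000-0000-000000000000}"   # placeholder subscription
AUDITOR="${AUDITOR:-auditor@contoso.example}"              # hypothetical user

# Resource ID of a management group; this string is the RBAC scope.
mg_scope() {
    printf '/providers/Microsoft.Management/managementGroups/%s' "$1"
}

# Allow-list of roles this script will hand out at management group scope.
# Owner and Contributor are left out on purpose (a choice of this example),
# so a typo or a copied command cannot grant broad rights across every
# subscription under the group.
check_role() {
    case "$1" in
        "Management Group Reader"|"Management Group Contributor"|"Reader")
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Print the command line; execute it only when APPLY=1.
run() {
    line='+'
    for a in "$@"; do
        case "$a" in
            *' '*) line="$line '$a'" ;;   # quote arguments containing spaces
            *)     line="$line $a" ;;
        esac
    done
    printf '%s\n' "$line"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

# assign_role <assignee> <role> <management-group-id>
assign_role() {
    if ! check_role "$2"; then
        echo "refusing to assign '$2' at management group scope" >&2
        return 1
    fi
    run az role assignment create --assignee "$1" --role "$2" \
        --scope "$(mg_scope "$3")"
}

main() {
    # 1. Create the management group.
    run az account management-group create --name "$MG_ID" \
        --display-name "$MG_DISPLAY"
    # 2. Move a subscription under it so it inherits the group's access and policy.
    run az account management-group subscription add --name "$MG_ID" \
        --subscription "$SUB_ID"
    # 3. Give the auditor read access limited to the management group itself.
    assign_role "$AUDITOR" "Management Group Reader" "$MG_ID"
    # 4. Audit: list every principal that holds Owner at this scope,
    #    including assignments inherited from parent scopes.
    run az role assignment list --scope "$(mg_scope "$MG_ID")" \
        --include-inherited \
        --query "[?roleDefinitionName=='Owner'].principalName" -o tsv
}

main
```

Review the printed commands first, then rerun with `APPLY=1` from a session already signed in with `az login`.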

Azure API Security


An application programming interface (API) is one of the mechanisms by which we can
deliver requests for information from a single service or multiple services at the same
time. In its simplest form, we use an API by sending a request containing the information we
would like to receive to a given service. The service will review our request, run through
a predefined process, and return information back for use. Azure allows organizations
to enable a centralized location for the management of APIs within your tenant. API
management is broken down into three main parts: API Gateways, the Azure portal,
and the developer portal. An API Gateway serves as the external-facing entry point for access.
The Azure portal is where you can administer your policies, create security metrics, and
manage access. The developer portal is where you can manage your API documentation
and give web developers access for integration with your APIs.
According to the Microsoft documentation
(https://docs.microsoft.com/en-us/azure/api-management/security-baseline): “Azure provides a solid foundation in
which to host and manage your organization’s APIs but there is a baseline of security
practices that should be followed to enhance the security within the platform. Some of

Chapter 1 Reduce Cyber Security Vulnerabilities: Identity Layer

Figure 1-7. This is a simple example of non-federation with Azure as the IdP

When setting up Azure AD Connect using a non-federation model, you
have two different options for how your accounts authenticate: Password Hash
Synchronization (PHS) and Pass-Through Authentication (PTA). PTA is similar to the
ADFS model, but instead of redirecting to an ADFS farm, Azure AD Connect will validate
the credentials directly against your on-premises domain controllers. While each method
has robust security around the transport and storage of credentials, an ideal scenario is
to set up PHS and enable password writeback. Enabling password writeback allows
users to change their password without the need to directly contact a domain controller.
When the user changes their password through the Azure tenant, the password will be
validated against the password requirements of the local domain. You will also need
to have password writeback enabled to perform Self-Service Password Reset (SSPR),
outlined in a later section.

Security Measures
Now that we have gone over the Identity Provider scenarios, mechanisms we use to
access our identity, and high-level management concepts, we need to look at how we
create security measures within our tenant. Security measures are the ways in which
we minimize the ability for bad actors to gain access to our resources. We will touch

than there is food for, thus ensuring that every portion of the food will
be rapidly consumed, after which the partially-grown larvae complete
their development by the aid of cannibalism. It is thus ensured that
the food will raise up as many individuals as possible.

Fam. 38. Muscidae.—Bristle of antennae feathered. This family
contains many of the most abundant flies, including the House-fly,
Blue-bottles or Blow-flies, Green-bottles, and other forms which,
though very common, are perhaps not discriminated from one
another by those who are not entomologists. The larvae live on
carrion and decaying or excrementitious matters. The common
House-fly, Musca domestica, runs through its life-history in a very
short time. It lays about 150 very small eggs on dung or any kind of
soft damp filth; the larvae hatch in a day or two and feed on the
refuse; they may be full-grown in five or six days, and, then pupating,
may in another week emerge as perfect flies. Hence it is no wonder
that they increase to enormous numbers in favourable climates.
They are thought to pass the winter chiefly in the pupal state. The
House-fly is now very widely distributed over the world; it sometimes
occurs in large numbers away from the dwellings of man. Of Blow-
flies there are two common species in this country, Calliphora
erythrocephala and C. vomitoria. The Green-bottle flies, of which
there are several species, belonging to the genus Lucilia, have the
same habits as Blow-flies, though they do not commonly enter
houses. The larvae are said to be indistinguishable from those of
Calliphora.

The larvae of Eumyiid Muscidae are, when first hatched,
metapneustic, but subsequently an anterior pair of stigmata appears,
so that the larva becomes amphipneustic. They usually go through
three stages, distinguished by the condition of the posterior stigmata.
In the early instar these have a single heart-shaped fissure, in the
second stage two fissures exist, while in the third instar there is a
greater diversity in the condition of the breathing apertures.
The various forms of Muscidae show considerable distinctions in the
details of their natural history, and these in certain species vary
according to the locality. This subject has been chiefly studied by
Portschinsky, a Russian naturalist, and a very interesting summary
of his results has been given by Osten Sacken,[435] to which the
student interested in the subject will do well to refer.

A few years ago a great deal of damage was caused in the
Netherlands by Lucilia sericata, a Green-bottle-fly, extremely similar
to our common L. caesar, which deposited its eggs in great
quantities on sheep amongst their wool. This epidemic was
attributed to the importation of sheep from England; but, according to
Karsch, there is reason to suppose that the fly was really introduced
from Southern Europe or Asia Minor.[436]

The larvae of species of the genus Lucilia sometimes attack man
and animals in South America, but fortunately not in this country. The
larva of Lucilia (Compsomyia) macellaria is called the screw-worm,
and is the best known of the forms that infest man, the larvae living
in the nasal fossae and frontal sinuses, and causing great suffering.
The fly is common in North America, but is said never to attack man
farther north than in Kansas. A little fly (Stomoxys calcitrans), very
like the common house-fly though rather more distinctly spotted with
grey and black, and with a fine, hard, exserted proboscis, frequently
enters our houses and inflicts a bite or prick on us. It is commonly
mistaken for an ill-natured house-fly that has taken to biting. It is
frequently a source of irritation to cattle. A closely allied fly,
Haematobia serrata, is very injurious to cattle in North America, but
the same species causes no serious annoyance in England. We may
mention that the various attacks of Dipterous larvae on man have
received the general name "myiasis."

The Tse-tse fly (Glossina morsitans), another ally of Stomoxys, is not
very dissimilar in size and shape to the blow-fly.[437] It bites man and
animals in South Africa, and if it have previously bitten an animal
whose blood was charged with the Haematozoa that really constitute
the disease called Nagana (fly-disease), it inoculates the healthy
animal with the disease; fortunately only some species are
susceptible, and man is not amongst them. It has recently been
shown by Surgeon Bruce[438] that this fly multiplies by producing,
one at a time, a full-grown larva, which immediately changes to a
pupa, as do the members of the series Pupipara. There are already
known other Muscid flies with peculiarities in their modes of
reproduction, so that it is far from impossible that the various
conditions between ordinary egg-laying and full-grown larva- or
pupa-production may be found to exist. Although it has been
supposed that the Tse-tse fly is a formidable obstacle to the
occupation of Africa by civilised men, there is reason to suppose that
this will not ultimately prove to be the case. It only produces disease
when this pre-exists in animals in the neighbourhood; only certain
species are liable to it; and there is some evidence to the effect that
even these may in the course of a succession of generations
become capable of resisting the disease inoculated by the fly. As
long ago as 1878 Dr. Drysdale suggested[439] that this fly only
produces disease by inoculating a blood-parasite, and all the
evidence that has since been received tends to show that his idea is
correct.

Fig. 244—The Tse-tse fly (Glossina morsitans). A, The fly with three
divisions of the proboscis projecting; B, adult larva; C, pupa.

Although the facts we have mentioned above would lead to the
supposition that Muscidae are unmitigated nuisances, yet it is
probable that such an idea is the reverse of the truth, and that on the
whole their operations are beneficial. It would be difficult to
overestimate their value as scavengers. And in addition to this they
destroy injurious creatures. Thus in Algeria Idia fasciata, a fly like the
House-fly, destroys the dreaded migratory Locust Schistocerca
peregrina in great quantities, by the larvae eating the eggs of the
Locust. The female of this fly, in order to reach the desired food,
penetrates from one to three inches below the surface of the ground.

Fam. 39. Oestridae (Bot-flies).—Rather large or very large flies, with
extremely short antennae, bearing a segmented arista, the front of
the head prominent, the posterior part of the wings frequently rough,
and with but few veins: the mouth usually atrophied, the trophi being
represented only by tubercles; larvae living in Vertebrates, usually
Mammals, though it is possible that a few occur in Birds and even in
Reptiles. This is a family of small extent, less than 100 species being
known from all the world, yet it is of much interest on account of the
habits of its members, which, though of large size, live entirely at the
expense of living Vertebrates, to the viscera or other structures of
which they have definite relations, varying according to the species.
Some (Gastrophilus, etc.) live in the alimentary canal; others
(Hypoderma, etc.) are encysted in or under the skin; while others
(Oestrus, etc.) occupy the respiratory passages. As many of them
attack the animals used by man, and some of them do not spare
man himself, they have attracted much attention, and there is an
extensive literature connected with them; nevertheless the life-
histories are still very incompletely known. Indeed, the group is from
all points of view a most difficult one, it being almost impossible to
define the family owing to the great differences that exist in important
points. Some think the family will ultimately be dismembered; and
Girschner has recently proposed to treat it as a division of
Tachinidae. The chief authority is Brauer, in whose writings the
student will find nearly all that is known about Oestridae.[440] Some
of them exist in considerable numbers (it is believed that they are
now not so common as formerly), and yet the flies are but rarely met
with, their habits being in many respects peculiar. Some of them, for
purposes of repose, frequent the summits of mountains, or towers,
or lofty trees. Some have great powers of humming; none of them
are known to bite their victims, indeed the atrophied mouth of most
of the Oestridae forbids such a proceeding.

Fig. 245—Cephalomyia maculata, a Bot-fly of the camel. Arabia. A,
The fly with extended wings; B, under aspect of the head: a,
antenna; b, the obsolete mouth-parts.

Some deposit their eggs on the hairs of the beasts from which the
larvae are to draw their nutriment, but others place their larvae,
already hatched, in the entrances of the nasal passages. They do
not feed on the blood or tissues of their victims, but on the
secretions, and these are generally altered or increased by the
irritation induced by the presence of the unwelcome guests. It would
appear, on the whole, that their presence is less injurious than would
be expected, and as they always quit the bodies of their hosts for the
purposes of pupation, a natural end is put to their attacks. We have
ten species in Britain, the animals attacked being the ox, the horse,
the ass, the sheep, and the red deer; others occasionally occur in
connexion with animals in menageries. The eggs of Gastrophilus
equi are placed by the fly, when on the wing, on the hair of horses
near the front parts of the body, frequently near the knee, and, after
hatching, the young larvae pass into the stomach of the horse either
by being licked off, or by their own locomotion; in the stomach they
become hooked to the walls, and after being full grown pass out with
the excreta: the Bots—as these larvae are called—are sometimes
very numerous in the stomach, for a fly will lay as many as four or
five hundred eggs on a single horse: in the case of weakly animals,
perforation of the stomach has been known to occur in consequence
of the habit of the Bot of burying itself to a greater or less extent in
the walls of the stomach. Hypoderma bovis and H. lineata attack the
ox, and the larvae cause tumours in the skin along the middle part of
the back. It was formerly inferred from this that the fly places its eggs
in this situation, and as the cattle are known to dread and flee from
the fly, it was supposed to be on account of the pain inflicted when
the egg was thrust through the skin. Recent observations have
shown that these views are erroneous, but much still remains to be
ascertained. The details of oviposition are not yet fully known, but it
appears that the eggs are laid on the lower parts of the body,
especially near the heels, and that they hatch very speedily.[441] As
the imago of Hypoderma appears for only a very short period in the
summer, the time of the oviposition is certain. The newly-disclosed
larva is considerably different from the more advanced instar found
in the skin of the back; moreover, a long period of many months
intervenes between the hatching of the larva and its appearance in
the part mentioned. Brauer has shown that when the grub is first
found in that situation it is entirely subcutaneous. Hence it would be
inferred that the newly-hatched larva penetrated the skin probably
near the spot it was deposited on, and passed a period in
subcutaneous wandering, on the whole going upwards till it arrived
at the uppermost part: that after moulting, and in consequence of
greater need for air, it then pierced the skin, and brought its
breathing organs into contact with the external air; that the irritation
caused by the admission of air induced a purulent secretion, and
caused the larva to be enclosed in a capsule. Dr. Cooper Curtice has
however found, in the oesophagus of cattle, larvae that he considers
to be quite the same as those known to be the young of Hypoderma;
and if this prove to be correct, his inference that the young larvae are
licked up by the cattle and taken into the mouth becomes probable.
The larva, according to this view, subsequently pierces the
oesophagus and becomes subcutaneous by passing through the
intervening tissues. The later history of the grub is briefly, that when
full grown it somewhat enlarges the external orifice of its cyst, and by
contractions and expansions of the body, passes to the surface, falls
to the ground, buries itself and becomes a pupa. If Dr. Curtice be
correct, there should, of course, be as many, if not more, larvae
found in the oesophagus as in the back of the animal; but, so far as
is known, this is not the case, and we shall not be surprised if the
normal course of development be found different from what Dr.
Curtice supposes it to be. His observations relate to Hypoderma
lineata. Our common British species is usually supposed to be H.
bovis; but from recent observations it seems probable that most of
the "Ox-warbles" of this country are really due to the larvae of H.
lineata.

The history of Oestrus ovis, which attacks the sheep, is also
incompletely known, but appears to be much simpler. This fly is
viviparous, and deposits its young larvae at the entrance of the nasal
passages of the sheep, thereby causing extreme annoyance to the
animal. The larvae penetrate to the frontal sinuses to complete their
growth. The duration of their lives is unknown, for it is commonly the
case that larvae of various sizes are found together. Cephenomyia
rufibarbis has recently been found in Scotland. It attacks the Red
deer, and its life-history is similar to that of Oestrus ovis, though the
larvae apparently prefer to attain their full growth in the pharynx of
the deer.

In reference to the Oestridae that attack man, we may merely
mention that the larva of the Hypoderma of the ox is occasionally
found in Europe infesting human beings, but only as an extremely
rare and exceptional event; and that only those engaged in attending
on cattle are attacked; from which it is inferred that the flies are
deceived by an odour emanating from the garments. In America
numerous cases are known of Oestrid larvae being taken from the
body of man, but information about them is very scanty. It appears,
however, that there are at least four species, one of which,
Dermatobia noxialis, is known as a fly as well as a larva. Whether
any of these are peculiar to man is uncertain.[442] There are several
larvae of Muscidae that have similar habits to the Oestridae; hence
the statements that exist as to larvae being found in birds and
reptiles cannot be considered to apply to members of the latter
family until the larvae have been studied by an expert.

The family Ctenostylidae has been established by Bigot for a South
American Insect, of which only a single individual exists in
collections. It is doubtful whether it can be referred to Oestridae.[443]

Series V. Pupipara

The four families included in this Series are, with the exception of the
Hippoboscidae, very little known. Most of them live by sucking blood
from Mammals and Birds, and sometimes they are wingless
parasites. The single member of the family Braulidae lives on bees.
The term Pupipara is erroneous, and it would be better to revert to
Réaumur's prior appellation Nymphipara. Müggenburg has
suggested that the division is not a natural one, the points of
resemblance that exist between its members being probably the
results of convergence. Recent discoveries as to the modes of
bringing forth of Muscidae give additional force to this suggestion. A
satisfactory definition of the group in its present extent seems
impossible.

Fam. 40. Hippoboscidae.—Wings very variable, sometimes present
and large, then with waved surface and thick nervures confined to
the anterior and basal part; sometimes mere strips, sometimes
entirely absent. Certain members of this family are well known, the
Forest-fly, or Horse-fly, and the Sheep-tick belonging to it. The
proboscis is of peculiar formation, and not like that of other flies.
Seen externally it consists of two elongate, closely adapted, hard
flaps; these are capable of diverging laterally to allow an inner tube
to be exserted from the head. The details and morphology of the
structure have recently been discussed by Müggenburg.[444]
Melophagus ovinus, commonly called the Sheep-tick, is formed for
creeping about on the skin of the sheep beneath the wool, and may
consequently be procured with ease at the period of sheep-shearing:
it has no resemblance to a fly, and it is difficult to persuade the
uninitiated that it is such. Hippobosca equina (called in this country
the Forest-fly, perhaps because it is better known in the New Forest
than elsewhere), looks like a fly, but will be readily recognised by the
two little cavities on the head, one close to each eye, in which the
antennae are concealed, only the fine bristle projecting. Very little
seems to be known as to the Natural History of this fly. Lipoptena
cervi lives on the Red deer; the perfect Insect has apparently a long
life, and both sexes may be found in a wingless state on the deer all
through the winter. When first disclosed in the summer they are
however provided with wings, but when they have found a suitable
host they bite off, or cast, the wings. The female, it appears, does
this more promptly than the male, so that it is difficult to get winged
individuals of the former sex.[445]

Fig. 246.—Diagrammatic section of the larva of Melophagus ovinus.
(After Pratt.) a, mouth; b, suctorial pouch; c, imaginal disc for adult
head; d, meso- and meta-notal discs; e, anterior tracheal
anastomosis; f, first muscular belt; g, transverse tracheal branch;
h, the dorsal tracheal tube; i, sex-organ; k, Malpighian tube; l,
terminal part of intestine; m, terminal chamber of tracheal tube; n,
stigmatic fossa; o, terminal part of intestine; p, anus; q, anal disc;
r, ventral tracheal tube; s, stomach; t, nervous system; u, discs for
the three pairs of legs of the imago; v, ventral pouch; w, pharynx;
x, suctorial lip.

Most of the known Hippoboscidae live on birds, and are apparently
specially fond of the Swallow tribe. They are all winged, though in
some species the wings are very small. The bird-infesting
Hippoboscidae have been very little studied, and will probably form a
distinct family; the antennae of Stenopteryx hirundinis are quite
different from those of Hippobosca. The development is remarkable,
and has been studied by Leuckart[446] and by Pratt[447] in the case
of Melophagus ovinus. The ovaries are peculiarly formed, and
produce one large egg at a time; this passes into the dilated oviduct,
and there goes through its full growth and a certain amount of
development; it is then extruded, and undergoing little or no change
of form becomes externally hardened by the excretion of chitin,
passing thus into the condition of the Eumyiid pupa. Dufour thought
that there is no larval stage in this Insect, but it is quite clear from
later researches that he was wrong, and that a larval stage of a
peculiar kind, but in some respects resembling that of the Eumyiid
Muscidae, occurs. The larva has no true head, but the anterior part
of the body is invaginated, and the most anterior part again
protrudes in the invagination, so that two little passages appear on
section (Fig. 246); the upper one leads to the stomach, which is of
very large size. The tracheal system is peculiar; it is metapneustic,
there being neither anterior nor lateral spiracles. Pratt says that there
is at first a single pair of terminal spiracles, and subsequently three
pairs, hence he considers that the terminal part of the body
corresponds to three segments. This is however probably a mistaken
view; it appears more probable that the so-called three pairs of
stigmata really correspond with the complex condition of the
stigmata in the later instars of certain other Dipterous larvae. The
Melophagus-larva is nourished by secretion from certain glands of
the mother-fly; this is swallowed and the stomach is greatly
distended by this milky fluid. Probably it was this condition that
induced Dufour to suppose the larva to be only an embryo.

Some of the Hippoboscidae that live on birds take to the wing with
great readiness, and it is probable that these bird-parasites will prove
more numerous than is at present suspected.

We may here notice an animal recently described by Dr. Adensamer
and called Ascodipteron.[448] He treats it as the female imago of a
Pupiparous Dipteron. It was found buried in the skin of the wing of a
bat of the genus Phyllorhina, in the Dutch East Indies, only one
individual being known. It is entirely unsegmented, and externally
without head. If Dr. Adensamer should prove to be correct in his
surmise the creature can scarcely be inferior in interest to the
Strepsiptera.

Fig. 247.—Braula coeca. × 18⁄1. (After Meinert.)

Fam. 41. Braulidae.—This consists only of a minute Insect that lives
on bees. The antennae are somewhat like those of the sheep-tick,
though they are not so completely concealed in the cavities in which
they are inserted. According to Müggenburg[449] a ptilinum exists,
and he is also of opinion that although the parts of the mouth differ
very much from those of Hippoboscidae they are essentially similar.
Lucas says that Braula specially affects the thorax of the bee:
Müggenburg, that it is fond of the queen-bee because of the
exposed membranes between the body-segments that exist in that
sex. Whether this Insect is truly Pupiparous is unknown, though
Boise states that a pupa is deposited in the cell of the bee by the
side of the young larva of the bee, and appears as the perfect Insect
in about twenty-one days. Müggenburg suggests that Braula may be
oviparous, as he has never found a larva in the abdomen. Packard
says that on the day the larva hatches from the egg it sheds its skin
and turns to an oval puparium of a dark brown colour. The Insect is
frequently though inappropriately called bee-louse; notwithstanding
its name it is not quite blind, though the eyes are very imperfect.

Fam. 42. Streblidae.—Winged; possessing halteres; the head
small, narrow and free. These very rare Diptera are altogether
problematic. According to Kolenati the larvae live in bats' excrement
and the perfect Insects on the bats.[450] If the former statement be
correct the Insects can scarcely prove to be Pupipara. The wing-
nervuration is, in the figures of the Russian author, quite different
from that of Hippoboscidae. The Streblidae have been associated by
some entomologists with Nycteribiidae, and by Williston with
Hippoboscidae.

Fig. 248.—Nycteribia sp., from Xantharpyia straminea. Aden. A, Upper
surface of female, with head in the position of repose; B, under
surface of male. × 12⁄1.

Family 43. Nycteribiidae.—The species of this family are found on
bats; they are apparently rare, and we have been able to examine
only one species. The form is very peculiar, the Insects looking as if
the upper were the under surface. They are wingless, with a narrow
head, which reposes on the back of the thorax. The prothorax
appears to be seated on the dorsum of the mesothorax. According to
Müggenburg there is no trace of a ptilinum. A brief note on the
metamorphosis[451] by Baron Osten Sacken indicates that the
mature larva differs from that of Melophagus in the arrangement of
the stigmata; they appear to be dorsal instead of terminal. There are
apparently no characters of sufficient importance to justify the
association of these Insects with the other divisions of Pupipara; the
sole ground for this connection being the supposed nature of the life-
history of the larva.

Fig. 249—Anterior part of the body of Nycteribia sp., found on
Xantharpyia straminea by Colonel Yerbury at Aden. A, Upper
surface of female, with head extended; B, under surface of male,
with head extended; C, claws of a foot.

Sub-Order Aphaniptera or Siphonaptera (Fleas)

Fam. Pulicidae.—Wingless, with the body laterally compressed, so
that the transverse diameter is small, the vertical one great. The
head indistinctly separated from the body, small, with short thick
antennae placed in depressions somewhat behind and above the
unfaceted eyes. These are always minute, and sometimes wanting.

Fig. 250—Hystrichopsylla talpae. Britain. (After Ritsema.)

Fig. 251.—Mouth-parts of a flea, Vermipsylla alakurt ♂. H. Unpaired
pricking organ; Lp. labial palp; Md. mandible; Mx. maxilla; Mxp.
maxillary palp. (After Wagner.)

We all know that the Flea is so flat, or compressed sideways, that it
does not mind the most severe squeeze. This condition is almost
peculiar to it; a great flattening of the body is common in Insects—as
is seen in another annoying Insect, the bed-bug—but the
compression, in the flea, is in the reverse direction. In other respects
the external anatomy of the flea shows several peculiarities, the
morphological import of which has not yet been elucidated. The head
is of very peculiar shape, small, with the antennae placed in an
unusual position; the clypeus is said to be entirely absent, the front
legs are articulated in such a manner that they have a large
additional basal piece—called by some anatomists the ischium—and
in consequence appear to be placed far forwards, looking as if they
were attached to the head; the meso- and meta-thorax have certain
flaps that have been considered to be homologues of wings; and the
maxillary palpi are attached to the head in such a way that they
appear to play the part of the antennae of other Insects (Fig. 250),
and were actually considered to be the antennae by Linnaeus, as
well as others; the mouth-parts themselves are differently
constructed from those of any other Insects.[452] The maxillae and
labium are considered to be not only present, but well developed, the
former possessing palpi moderately well developed, while the labial
palps are very large and of highly peculiar form, being imperfectly
transversely jointed and acting as sheaths; the mandibles are
present in the form of a pair of elongate, slender organs, with
serrated edges; and there is an unpaired, elongate pricking-organ,
thought by some to be a hypopharynx, and by others a labrum.

Fig. 252—Larva of Pulex serraticeps, the dog- and cat-flea. (After
Künckel.)

The antennae are of unusual form, consisting of two basal joints,
and, loosely connected therewith, a terminal mass of diverse form
and more or less distinctly, though irregularly, segmented. The full
number of ten stigmata exists, Wagner giving three thoracic, with
seven abdominal, placed on segments 2-8 of the abdomen; but
Packard thinks the supposed metathoracic stigma is really the first
abdominal. Fleas undergo a very complete metamorphosis; the
larvae are wormlike, resembling those of Mycetophilid Diptera (Fig.
252). The egg of the cat's flea is deposited among the fur of the
animal, but (unlike the eggs of other parasites) apparently is not
fastened to the hair, for the eggs fall freely to the ground from
infested animals; the young larva when hatched bears on the head a
curious structure for breaking the egg-shell. It has the mouth-parts of
a mandibulate Insect and is peripneustic, having ten pairs of
stigmata. It subsequently becomes of less elongate form. Flea-larvae
are able to nourish themselves on almost any kind of refuse animal
matter, Laboulbène having reared them on the sweepings of
apartments; they may perhaps sometimes feed on blood; at any rate
the contents of the alimentary canal appear red through the
transparent integuments. When full grown the larva makes a cocoon,
and frequently covers it with pieces of dust. The perfect flea appears
in a week or two thereafter; the pupa has the members free. The
food of the larvae of fleas has been much discussed and a variety of
statements made on the subject. It has been stated that the mother-
flea after being gorged with blood carries some of it to the young, but
Künckel has shown that there is very little foundation for this tale.
Enormous numbers of fleas are sometimes found in uninhabited
apartments to which animals have previously had access, and these
fleas will attack in numbers and with great eagerness any
unfortunate person who may enter the apartment. The cat-flea can
pass through its growth and metamorphosis with excessive rapidity,
the entire development of a generation in favourable conditions
extending but little beyond a fortnight.[453]

About a hundred kinds of fleas are known, all of which live on
mammals or birds. Hystrichopsylla talpae (Fig. 250) is one of the
largest, it occurs on the Mole. It was found by Ritsema in the nests of
Bombus subterraneus (and was described under the name of Pulex
obtusiceps). As these nests are known to be harried by Voles, and
as this flea has also been found on Field-mice, it is probable that the
parasites are carried to the nests by the Voles. The species that
chiefly infests man is Pulex irritans, an Insect that is nearly
cosmopolitan, though arid desert regions are apparently unsuitable
to it. Pulex avium occurs on a great variety of birds. P. serraticeps
infests the dog and the cat, as well as a variety of other Mammals. It
is a common opinion that each species of Mammal has its own
peculiar flea, but this is far from correct. Fleas pass readily from one
species of animal to another; the writer formerly possessed a cat that
was a most determined and successful hunter of rabbits, and she
frequently returned from her excursions swarming with fleas that she
had become infested with when in the rabbits' burrows; her ears
were on some occasions very sore from the flea-bites. Some of the
fleas of other animals undoubtedly bite man. There appears,
however, to be much difference in the liability of different individuals
of our own species to the bites of fleas. Sarcopsylla penetrans differs
in habits from other fleas, as the female buries the anterior parts of
her body in the flesh of man or other Vertebrates, and the abdomen
then becomes enormously enlarged and distended and undergoes a
series of changes that are of much interest.[454] While in this position
the Insect discharges a number of eggs. This species multiplies
sufficiently to become a serious pest in certain regions, the body of
one man having been known to be affording hospitality to 300 of
these fleas. Sarcopsylla penetrans is known as the Sand-flea, or
chigger, and by numerous other names. Originally a native of tropical
America it has been carried to other parts of the world. Another
Sarcopsylla, S. gallinacea, attaches itself to the eyelids of the
domestic fowl in Ceylon, and an allied form, Rhynchopsylla pulex,
fastens itself to the eyelids and other parts of the body of birds and
bats in South America. In Turkestan Vermipsylla alakurt attacks
cattle—ox, horse, camel, sheep—fastening itself to the body of the
animal after the fashion of a tick. Retaining this position all through
the winter, it becomes distended somewhat after the manner of the
Sand-flea, though it never forms a spherical body. The parts of the
mouth in this Insect (Fig. 251) are unusually long, correlative with the
thickness of the skins of the animals on which it lives. Grassi
considers that the dog's flea, Pulex serraticeps, acts as the
intermediate host of Taenia.

Great difference of opinion has for long prevailed as to whether fleas
should be treated as a Sub-Order of Diptera or as a separate Order
of Insects. Wagner and Künckel, who have recently discussed the
question, think they may pass as aberrant Diptera, while Packard,[455]
the last writer on the subject, prefers to consider them a
separate Order more closely allied to Diptera than to any other
Insects. Although widely known as Aphaniptera, several writers call
them Siphonaptera, because Latreille proposed that name for them
some years before Kirby called them Aphaniptera. Meinert considers
them a separate Order and calls it Suctoria, a most unfortunate
name.

Order VIII. Thysanoptera.

Small Insects, with a palpigerous mouth placed on the under
side of the head and apposed to the sternum so as to be
concealed. With four slender wings, fringed with long hairs on
one or both margins, or with rudiments of wings, or entirely
apterous. Tarsi of one or two joints, terminated by a vesicular
structure. The young resemble the adult in general form, but
there is a pupal stadium in which the Insect is quiescent and
takes no food.

The tiny Insects called Thrips are extremely abundant and may often
be found in profusion in flowers. Their size is only from 1⁄50 to ⅓ of
an inch in length; those of the latter magnitude are in fact giant
species, and so far as we know at present are found only in Australia
(Fig. 253). As regards the extent of the Order it would appear that
Thysanoptera are insignificant, as less than 150 species are known.
Thrips have been, however, very much neglected by entomologists,
so it will not be a matter for surprise if there should prove to be
several thousand species. These Insects present several points of
interest; their mouth-organs are unique in structure; besides this,
they exhibit so many points of dissimilarity from other Insects that it
is impossible to treat them as subdivisions of any other Order. They
have, however, been considered by some to be aberrant
Pseudoneuroptera (cf. Vol. V.), while others have associated them
with Hemiptera. Both Brauer and Packard have treated
Thysanoptera as a separate Order, and there can be no doubt that
this is correct. Thysanoptera have recently been monographed by
Uzel in a work that is, unfortunately for most of us, in the Bohemian
language.[456]

Fig. 253—Idolothrips spectrum. Australia.

The antennae are never very long, and are 6 to 9-jointed. The head
varies much, being sometimes elongate and tubular, but sometimes
short; it has, however, always the peculiarity that the antennae are
placed quite on its front part, and that the mouth appears to be
absent, owing to its parts being thrust against the under side of the
thorax and concealed. Their most remarkable peculiarity is that
some of them are asymmetrical: Uzel looks on the peculiar structure,
the "Mundstachel," m, m (Fig. 254) found on the left side of the body,
as probably an enormous development of the epipharynx. Previous
to the appearance of Uzel's work, Garman had, however, correctly
described the structure of the mouth;[457] he puts a different
interpretation on the parts; he points out that the mandibles (j), so-
called by Uzel, are attached to the maxillae, and he considers that
they are really jointed, and that they are lobes thereof; while the
Mundstachel or piercer is, he considers, the left mandible; the
corresponding structure of the other side being nearly entirely
absent. He points out that the labrum and endocranium are also
asymmetrical. We think Garman's view a reasonable one, and may
remark that dissimilarity of the mandibles of the two sides is usual in
Insects, and that the mandibles may be hollow for sucking, as is
shown by the larvae of Hemerobiides. There are usually three ocelli,
but they are absent in the entirely apterous forms.

Fig. 254—Face (with base of the antennae) of Aeolothrips fasciata.
(After Uzel.) a, Labrum; b, maxilla with its palp (c); bl, terminal part
of vertex near attachment of mouth-parts; d, membrane between
maxilla and mentum; e, mentum ending in a point near f; g,
membrane of attachment of the labial palp h; i, ligula; j, j the
bristle-like mandibles; k, the thicker base of mandible; l, chitinous
lever; m, mouth-spine, with its thick basal part n, and o, its
connection with the forehead, r, r; p, foramen of muscle; s and t,
points of infolding of vertex; u, a prolongation of the gena.

The wings appear to spring from the dorsal surface of the body, not
from the sides; the anterior pair is always quite separated from the
posterior; the wings are always slender, sometimes very slender; in
other respects they exhibit considerable variety; sometimes the front
pair are different in colour and consistence from the other pair. The
abdomen has ten segments, the last of which is often tubular in form.
The peculiar vesicular structures by which the feet are terminated
are, during movement, alternately distended and emptied, and have
two hooks or claws on the sides. The stigmata are extremely
peculiar, there being four pairs, the first being the mesothoracic, 2nd
metathoracic, 3rd on the second abdominal segment, 4th on the
eighth abdominal segment.[458] There are four Malpighian tubes,
and two or three pairs of salivary glands. The dorsal vessel is said to
be a short sack placed in the 7th and 8th abdominal segments. The
abdominal ganglia of the ventral chain are concentrated in a single
mass, placed in, or close to, the thorax; the thorax has two other
approximated ganglia, as well as an anterior one that appears to be
the infra-oesophageal.

The metamorphosis is also peculiar; the larva does not differ greatly
in appearance from the adult, and has similar mouth-organs and
food-habits. The wings are developed outside the body at the sides,
and appear first, according to Heeger, after the third moult. The
nymph-condition is like that of a pupa inasmuch as no nourishment
is taken, and the parts of the body are enclosed in a skin: in some
species there is power of movement to a slight degree, but other
species are quite motionless. In some cases the body is entirely
bright red, though subsequently there is no trace of this colour.
Jordan distinguishes two nymphal periods, the first of which he calls
the pronymphal; in it the Insect appears to be in a condition
intermediate between that of the larva and that of the true nymph;
the old cuticle being retained, though the hypodermis is detached
from it and forms a fresh cuticle beneath it. This condition, as Jordan
remarks, seems parallel to that of the male Coccid, and approaches
closely to complete metamorphosis; indeed the only characters by
which the two can be distinguished appear to be (1) that the young
has not a special form; (2) that the wings are developed outside the
body.

Thrips take their food, it is believed, in the same manner as Aphidae,
by suction; but the details of the process are not by any means
certain, and examination of the stomach is said to have resulted in
finding pollen therein. Walsh thought that Thysanoptera pierce and
suck Aphidae. An elaborate inquiry by Osborn[459] failed to elicit
satisfactory confirmation of Walsh's idea, though Riley and Pergande
support it to some extent; Osborn concludes that the ordinary food is
not drawn directly from sap, but consists of exudation or pollen, the
tissues of the plant being pierced only when a supply of food from
the usual sources falls short. Members of this family have been
reputed as being very injurious to cultivated plants, especially to
cereals, and it is said that as a result the harvests in Europe have
been seriously diminished. Several species may take part in the
attacks. These appear to be directed chiefly against the
inflorescence. Lindeman thought that Limothrips denticornis (=
Thrips secalina), and Anthothrips aculeata (= Phloeothrips
frumentarius), were the most destructive species in an attack of
