SEATTLE — Blockchain may no longer be at the peak of its hype cycle, but the technology is still sparking innovation as real-life use cases emerge. Distributed ledger technologies (DLTs), for instance, which allow digital assets to be recorded and transferred securely without reliance on a centralized authority, have obvious advantages for financial organizations.
DLTs are at the core of an emerging ecosystem built on open source. In this On the Road episode of The New Stack Makers, recorded at Open Source Summit North America (OSSNA), Leemon Baird, co-founder of Hedera, discusses his OSSNA keynote talk on DLTs with Alex Williams, founder and publisher of TNS.
For DLTs, Baird said, “We have an open source ledger, the blockchain is open source, you can think of it like an operating system that’s open source. You can run programs on top of it that are open source, you can run programs on top of it that are not open source.”
The layer built on top of all this is also open source. “We had to come up with an algorithm for how they’re going to talk …”
The popularity of open source software continues to soar alongside growth in cloud usage, including multicloud and hybrid cloud infrastructure. Pluralsight’s State of Cloud 2023 report revealed that
Last month viewers from 56 countries tuned in for a very special livestreamed event: The Institute of Electrical and Electronics Engineers (IEEE) reunited 80-year-old Vint Cerf with Bob Kahn for a special presentation from the very room where they first wrote the TCP/IP protocol together more than 50 years ago.
“It’s truly an exciting honor to be here to celebrate the 50th anniversary of the work that Bob Kahn and I started, and so many have contributed to,” Cerf said during the presentation. Cerf is a Google vice president and its chief internet evangelist. Kahn is now chair and CEO of the not-for-profit
Throughout the development of networking, there has never been an effective way to capture and document the intended state of the network or to use that state to support network operations. Similarly, a go-to source for comprehensive training, guidance, and services on automating your network was unavailable.
In 2014, with the rise of network APIs and DevOps tools being applied to networking, observing those two realities was the core reason for starting Network to Code. For ten years, our mission has been to help individuals and organizations automate their networks in any way we can. It’s why we held the first in-person, five-day network automation training event. This is why I co-wrote “Nautobot … from network engineers worldwide, even those in developing countries and organizations with no budget, showcasing our commitment to transforming the network industry in any way we can.
That’s why, in keeping with Network to Code’s mission, several of us have teamed up to co-author a new book on Nautobot, “
For DevOps and platform teams working with containers and Kubernetes, reducing downtime and improving security posture is crucial. A clear understanding of network topology, service interactions and workload dependencies is required in cloud native applications. This is essential for securing and optimizing your Kubernetes deployment and minimizing response time in the event of failure.
Network observability can highlight gaps in network policies for applications that require network policy controls, thus reducing the risk of attack from unsecured egress access or lateral movement of threats within the Kubernetes cluster. However, visualizing workload communication, service dependencies, and active and inactive network security policies presents significant challenges due to the distributed and dynamic nature of
When updating a critical infrastructure element for application teams takes weeks due to coordination between NetOps, SecOps, PlatformOps and FinOps, you have a problem: ops sprawl.
First was the technology ops team. Then came network operations and security operations. Then, arising from the site reliability engineering (SRE) movement and the goal of pushing more ops decisions into the development environment, came
Cilium, as a dynamic and popular open source project that relies heavily on eBPF, is obviously undergoing a lot of change, but its original purpose remains intact: a tool that offers security, observability and networking capabilities. Its capabilities, or hooks, extend from the kernel out across the network, including cloud, on-premises and other infrastructures. That is a broad definition, and Cilium should continue to adapt and extend as infrastructure needs change.
@tgraf__’s « Cilium Vision » has a lot of future but the core design remains in place. @thenewstack March 19, 2024
In this article, we look at what Thomas Graf, CTO of Isovalent, described during his KubeCon + CloudNativeCon Europe talk …
SEATTLE — By the time he finished his talk, Peace Lee got three (3!) separate rounds of applause from the audience.
The Linux greybeards in attendance were impressed with the program, with the fact that he wrote it himself (over a period of nine years), and with the fact that he did so without any help from system libraries.
Microsegmentation represents a transformative approach to enhancing network security within Kubernetes environments. This technique divides networks into smaller, isolated segments, allowing for granular control over traffic flow and significantly bolstering security posture. At its core, microsegmentation leverages Kubernetes network policies to isolate workloads, applications, namespaces and entire clusters, tailoring security measures to specific organizational needs and compliance requirements.
The Essence of Microsegmentation Strategies
Scalability and Flexibility
The fundamental advantage of microsegmentation through network policies lies in its scalability and flexibility. Kubernetes’ dynamic, label-based selection process facilitates the addition of new segments without compromising existing network infrastructure, enabling organizations to adapt to evolving security landscapes seamlessly.
Labeling the assets is a key to microsegmentation success.
Prevent Lateral Movement of Threats
Workload isolation, a critical component of microsegmentation, emphasizes the importance of securing individual microservices within a namespace or tenant by allowing only required and approved communication. This minimizes the attack surface and prevents unauthorized lateral movement.
Namespace and Tenant Isolation
Namespace isolation further enhances security by segregating applications into unique namespaces, ensuring operational independence and reducing the impact of potential security breaches. Similarly, tenant isolation addresses the needs of multitenant environments by securing shared Kubernetes infrastructure, thus protecting tenants from …
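The label-based isolation described above, and the policy gaps the earlier observability piece says a tool should surface, come down to a small set of rules in the NetworkPolicy spec: a pod is isolated for ingress as soon as any policy in its namespace selects it, and from then on only explicit ingress rules admit traffic, with a lone podSelector scoped to the policy's own namespace. The following is an added example, not code from the article or from any Kubernetes project: it models those rules (matchLabels only; ipBlock and egress are left out) over a constructed cluster with hypothetical namespaces and pod names, checks a few workload-to-workload paths, and lists the pods that no policy protects.

```python
"""Ingress-isolation check for Kubernetes NetworkPolicy over a constructed cluster.
Models the core of the spec (matchLabels only; ipBlock and egress are not modelled)."""
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


def selector_matches(selector, labels) -> bool:
    """matchLabels semantics: every key/value must be present; {} matches everything."""
    if selector is None:
        return False
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def isolating_policies(pod: Pod, policies: list) -> list:
    """Policies in the pod's namespace that select it and cover the Ingress direction."""
    result = []
    for pol in policies:
        if pol["metadata"]["namespace"] != pod.namespace:
            continue
        spec = pol["spec"]
        # Default policyTypes: Ingress always, Egress only when egress rules are present.
        types = spec.get("policyTypes", ["Ingress"] + (["Egress"] if "egress" in spec else []))
        if "Ingress" in types and selector_matches(spec.get("podSelector", {}), pod.labels):
            result.append(pol)
    return result


def peer_matches(peer: dict, src: Pod, policy_ns: str, namespaces: dict) -> bool:
    """One 'from' entry: a lone podSelector is scoped to the policy's own namespace,
    a namespaceSelector widens it, and both together must both match."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False  # ipBlock peers are not modelled here
    if ns_sel is not None:
        if not selector_matches(ns_sel, namespaces.get(src.namespace, {})):
            return False
    elif src.namespace != policy_ns:
        return False
    return pod_sel is None or selector_matches(pod_sel, src.labels)


def port_matches(ports, port: int, protocol: str) -> bool:
    if not ports:
        return True  # no ports listed means all ports
    return any(p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)


def ingress_allowed(src: Pod, dst: Pod, port: int, protocol: str, policies: list, namespaces: dict) -> bool:
    isolating = isolating_policies(dst, policies)
    if not isolating:
        return True  # nothing selects dst: Kubernetes leaves it wide open
    for pol in isolating:  # rules are additive across all policies selecting dst
        for rule in pol["spec"].get("ingress", []):
            if not port_matches(rule.get("ports"), port, protocol):
                continue
            froms = rule.get("from")
            if not froms or any(peer_matches(f, src, pol["metadata"]["namespace"], namespaces) for f in froms):
                return True
    return False


def unprotected_pods(pods: list, policies: list) -> list:
    """The policy gap an observability tool should flag: pods no ingress policy selects."""
    return sorted(f"{p.namespace}/{p.name}" for p in pods if not isolating_policies(p, policies))


# Constructed sample cluster (hypothetical names, not taken from the article).
NAMESPACES = {ns: {"kubernetes.io/metadata.name": ns} for ns in ("shop", "default", "legacy")}
PODS = [
    Pod("web", "shop", {"app": "frontend"}),
    Pod("api", "shop", {"app": "backend"}),
    Pod("pg", "shop", {"app": "db"}),
    Pod("debug", "default", {"app": "debug"}),
    Pod("crm", "legacy", {"app": "crm"}),
]


def _policy(name, ns, pod_selector, ingress=None):
    spec = {"podSelector": pod_selector, "policyTypes": ["Ingress"]}
    if ingress is not None:
        spec["ingress"] = ingress
    return {"metadata": {"name": name, "namespace": ns}, "spec": spec}


POLICIES = [
    _policy("default-deny-ingress", "shop", {}),  # isolates every pod in shop
    _policy("frontend-to-backend", "shop", {"matchLabels": {"app": "backend"}},
            [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
              "ports": [{"protocol": "TCP", "port": 8080}]}]),
    _policy("backend-to-db", "shop", {"matchLabels": {"app": "db"}},
            [{"from": [{"podSelector": {"matchLabels": {"app": "backend"}}}],
              "ports": [{"protocol": "TCP", "port": 5432}]}]),
]


def check(src: str, dst: str, port: int, protocol: str = "TCP") -> bool:
    """Is ingress from pod src ("ns/name") to dst on port/protocol admitted?"""
    by_key = {f"{p.namespace}/{p.name}": p for p in PODS}
    return ingress_allowed(by_key[src], by_key[dst], port, protocol, POLICIES, NAMESPACES)
```

With the default-deny policy in place, `check("shop/web", "shop/pg", 5432)` is False even though both pods share a namespace, which is the lateral-movement case; drop that policy and every path inside `shop` opens up again, because the other two policies only add permissions. `unprotected_pods` reports `default/debug` and `legacy/crm`, the pods an observability view would show with no active policy at all.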
Istio and Tetrate Enterprise Gateway for Envoy (TEG). This release provides businesses with a modern and secure alternative to traditional gateways, built on Envoy Gateway version 1.0. TEG extends Envoy Gateway with cross-cluster service discovery and load balancing, OpenID Connect (OIDC), OAuth2, a Web Application Firewall (WAF) and rate limiting out of the box, along with Federal Information Processing Standard (FIPS) 140-2 compliance.
A standout feature of the Envoy Gateway, and by extension TEG, is its native support for the newly introduced
When most security and platform teams think about implementing zero trust, they tend to focus on the identity and access management layer and, in Kubernetes, on the service mesh. These are fine approaches, but they can cause challenges for constellations of legacy internal apps designed to run with zero exposure to outside connections. One solution to this problem is to leverage the load balancer as the primary implementation component for zero trust architectures covering legacy apps.
True Story: A Large Bank, Load Balancers and Legacy Code
This is a true story: A large bank has thousands of legacy web apps running on dedicated infrastructure. In the past, it could rely on a “hard perimeter defense” for protection with very brittle access control in front of the web app tier. That approach no longer works. Zero trust mandates that even internal applications maintain a stronger security posture. And for the legacy apps to remain useful, they must connect with newer apps and partner APIs. This means exposure to the public internet or broadly inside the data center via East-West traffic — something that these legacy apps were never designed for.
Still, facing government regulatory pressure to enhance security, the bank …
Web3 represents the next evolutionary step in building web applications. Web3 combines blockchain technology, decentralized protocols and peer-to-peer interactions to give birth to a new standard for transparency and security through decentralized applications (dApps). dApps run on a decentralized network of nodes rather than on the centralized servers that traditional (Web2) applications depend on.
However, this new paradigm presents challenges for logging and tracing. Here we look at how to approach observability in a Django-based Web3 application using Scout APM.
How Is Observability Different in Decentralized Apps?
Observability in Web3 dApps poses several unique challenges that need to be resolved.
Immutable Transactions
Web3 dApps rely heavily on blockchain technology. Generally speaking, once a blockchain transaction has been confirmed it cannot be changed, even if it was a mistake. Close monitoring and observability are therefore essential to detect and prevent issues before data is written to the blockchain.
Distributed Data
Traditional web applications rely on centralized servers while Web3 dApps rely on a globally distributed and decentralized network of nodes. A robust observability solution is therefore required to aggregate and analyze data across this complex network.
Variable …
Multicluster Kubernetes gets complicated and expensive fast — especially in dynamic environments. Private cloud multicluster solutions need to wrangle a lot of moving parts:
Private or public cloud APIs and compute/network/storage resources (or bare metal management)
Linux and Kubernetes dependencies
Kubernetes deployment
etcd configuration
Load balancer integration
And, potentially other details, too. So they’re fragile — Kubernetes control planes on private clouds tend to become “pets” (and not in a cute way). Multicluster on public clouds, meanwhile, hides some of the complexity issues (at the cost of flexibility) — but presents challenges like cluster proliferation, hard-to-predict costs, and lock-in.
What Are Hosted Control Planes (HCPs)?
Kubecon
Hosted Control Planes (HCPs) route around some (not all) of these challenges while bringing some new challenges. An HCP is a set of Kubernetes manager node components, running in pods on a host Kubernetes cluster. HCPs are less like “pets” and more like “cattle.”
Like other Kubernetes workloads, they are defined, operated and updated in code (YAML manifests), so they are repeatable, version-controllable and easy to standardize. But worker nodes, as always, need to live somewhere and be networked to their control planes, and there are several challenges here.
They gain basic resilience from Kubernetes itself: if …
There’s been a tension in physics over the last century or so between two theories. Both have proven valuable for predicting the behavior of the universe, as well as for advancing technological engineering, but they seem to make completely incompatible claims about the nature of reality.
I’m referring, of course, to the general theory of relativity and quantum theory. Ordinarily, these two theories tackle very different questions about the universe, one at the largest scale and the other at the smallest, but both come together in the study of black holes, regions of space from which no information can escape.
There’s a tension in the air at many enterprise organizations today as well between two heuristics for enterprise networking, both of which have produced excellent results for software companies for years. That tension revolves around Kubernetes. As a manager of cloud security and network infrastructure for a large regional bank put it, “Kubernetes ends up being this black hole of networking.”
The analogy is apt. Like black holes, Kubernetes abstracts away much of the information traditionally used to understand and control networks. Like quantum theory, Kubernetes offers a new way to think about your network, but …
Extended Berkeley Packet Filter, eBPF to its friends, enables you to run sandboxed programs in a privileged context in the Linux kernel. Netflix has unveiled bpftop, a new open source command-line tool designed to enhance the performance optimization and monitoring of eBPF applications.
As the streaming giant continues integrating eBPF technology into its infrastructure, ensuring these applications operate efficiently has become a top priority.
At some point, you’re going to have a Linux server that includes directories that various users, developers, admins, or clients need to access from your network. If you depend on Linux, your best bet for this is Samba.
Samba is the Linux implementation of the
Traefik is a leading open source reverse proxy and load balancer. Emile Vauge, Traefik’s creator, said previously in The New Stack, “Traditional reverse proxies were not well-suited for these dynamic environments.” Now Traefik Labs, the project’s parent company, has introduced the first release candidate of Traefik Proxy v3. The new version supports WebAssembly (Wasm), OpenTelemetry and the Kubernetes Gateway API.
A Game-Changer for WebAssembly?
The inclusion of WebAssembly support may prove a game-changer. Besides offering high-performance, language-agnostic capabilities for serverless and containerized applications, Traefik’s support gives Wasm a larger potential market.
“This is a major step towards a low friction extensibility story for Traefik as it brings broader plugins into its growing ecosystem while providing a great developer experience, with plugins that can be written in different languages and compiled directly into Wasm,” said … Open Worldwide Application Security Project (OWASP) … Support for the OpenTelemetry protocol (OTLP) will provide users with improved visibility into their applications.
Since the Prometheus and Jesse Haka, a cloud architect at
CHICAGO — Incoming traffic looking to access your network and platform probably uses the network’s ingress. But the ingress carries with it scaling, availability and security issues.
For instance, Kate Osborn, a software engineer at NGINX, suggested as much in this episode of TNS Makers, recorded On the Road at KubeCon + CloudNativeCon North America.
“One of the biggest issues is it’s not extensible,” Osborn said. “So it’s a very simple resource. But there’s a bunch of complex routing that people want to do. And in …”
Photo by David Woolley, cc0
Dr. David L. Mills, the visionary behind the Network Time Protocol (NTP) that synchronizes time across billions of devices globally, died at age 85 on Jan. 17, 2024.
The Chicago song goes, “… Network Time Protocol (NTP) was, and is, essential for running the internet. As Cerf wrote, announcing the news of his passing, “He was such … NTP.” We don’t think about how hard it is to synchronize time around the world to within milliseconds. But everything, and I mean everything, depends on NTP’s accuracy. It’s not just the internet, it’s financial markets, power grids, GPS, cryptography and far, far more.
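The hard part of synchronizing clocks over a network is that a client only ever sees its own send and receive times and the server's receive and transmit times, and the network delay in between is unknown and asymmetric. Mills's protocol solves this with four timestamps (t1 client send, t2 server receive, t3 server transmit, t4 client receive): the clock offset is ((t2 - t1) + (t3 - t4)) / 2 and the round-trip delay is (t4 - t1) - (t3 - t2). The following is an added example, not code from the article nor from ntpd or chrony: it packs and parses the 48-byte NTPv4 packet with the standard library, applies the sanity checks a client must make before trusting a reply (server mode, usable stratum, and, importantly for anyone spoofing UDP replies, that the echoed origin timestamp matches what we sent), and runs the arithmetic over a constructed exchange in which the client clock is 250 ms slow and the one-way network delay is 20 ms. The timestamps and the `GPS` reference ID are constructed sample values.

```python
"""NTP clock offset and round-trip delay from one client/server exchange (RFC 5905 layout)."""
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)
PACKET = "!BBbbIIIQQQQ"        # LI/VN/mode, stratum, poll, precision, root delay, root disp,
                               # reference id, reference/origin/receive/transmit timestamps = 48 bytes


def to_ntp_ts(unix_seconds: float) -> int:
    """64-bit NTP timestamp: 32-bit seconds since 1900 | 32-bit binary fraction."""
    whole = int(unix_seconds)
    frac = round((unix_seconds - whole) * 2**32)
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def from_ntp_ts(ts: int) -> float:
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / 2**32


def build_server_reply(origin: int, receive: int, transmit: int, stratum: int = 2) -> bytes:
    """Constructed server (mode 4) reply; root delay/dispersion are zeroed for the example."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4  # LI=0 (no warning), version 4, mode 4 (server)
    refid = int.from_bytes(b"GPS\0", "big")
    return struct.pack(PACKET, li_vn_mode, stratum, 6, -20, 0, 0, refid,
                       transmit, origin, receive, transmit)


def parse_reply(pkt: bytes) -> dict:
    if len(pkt) < 48:
        raise ValueError("short NTP packet")
    (li_vn_mode, stratum, _poll, _prec, _rdelay, _rdisp, _refid,
     _ref, orig, recv, xmit) = struct.unpack(PACKET, pkt[:48])
    return {"leap": li_vn_mode >> 6, "version": (li_vn_mode >> 3) & 7, "mode": li_vn_mode & 7,
            "stratum": stratum, "origin": orig, "receive": recv, "transmit": xmit}


def clock_sample(reply: bytes, sent_origin: int, t4_unix: float):
    """Return (offset, delay) in seconds after the sanity checks a client must make."""
    r = parse_reply(reply)
    if r["mode"] != 4:
        raise ValueError("not a server reply")
    if r["origin"] != sent_origin:
        # The reply must echo the transmit timestamp we sent; otherwise it is stale,
        # replayed, or forged by someone who never saw our request.
        raise ValueError("origin timestamp mismatch")
    if not 1 <= r["stratum"] <= 15 or r["leap"] == 3:
        raise ValueError("server unsynchronized or kiss-o'-death")
    t1, t2, t3, t4 = (from_ntp_ts(sent_origin), from_ntp_ts(r["receive"]),
                      from_ntp_ts(r["transmit"]), t4_unix)
    offset = ((t2 - t1) + (t3 - t4)) / 2  # how far our clock is behind the server
    delay = (t4 - t1) - (t3 - t2)         # round trip, minus the server's processing time
    return offset, delay


def demo_sample():
    """Constructed exchange: client clock 0.250 s slow, one-way network delay 20 ms."""
    t1 = to_ntp_ts(1700000000.000)   # client sends, reading its own (slow) clock
    t2 = to_ntp_ts(1700000000.270)   # server receives: true time .250 + .020
    t3 = to_ntp_ts(1700000000.271)   # server transmits 1 ms later
    t4_unix = 1700000000.041         # arrives at true .291, which the slow client reads as .041
    return clock_sample(build_server_reply(t1, t2, t3), t1, t4_unix)


def spoofed_reply_rejected() -> bool:
    """A reply whose origin field does not match our request must be discarded."""
    t1 = to_ntp_ts(1700000000.000)
    forged = build_server_reply(t1 + 1, to_ntp_ts(1700000000.270), to_ntp_ts(1700000000.271))
    try:
        clock_sample(forged, t1, 1700000000.041)
    except ValueError:
        return True
    return False
```

`demo_sample()` yields an offset of 0.250 s and a delay of 0.040 s, so the client would step or slew its clock forward by a quarter second. The offset formula assumes the two one-way delays are equal; an on-path attacker who delays only one direction can shift the measured offset by half the asymmetry without touching the packet, which is why production clients combine several servers and reject outliers rather than trusting a single sample.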
This new vulnerability, Terrapin, breaks the integrity of SSH’s secure channel. Yes, that’s just as bad as it sounds.
Anyone who does anything on the cloud or in programming uses Secure Shell (SSH), so any vulnerability in it is bad news. Guess what? I’ve got some bad news. Researchers at Ruhr University Bochum have found a significant vulnerability in the SSH cryptographic network protocol, which they have named Terrapin. It is tracked as CVE-2023-48795 (the general protocol flaw); a related issue, CVE-2023-46446 (a rogue session attack in AsyncSSH), poses a further threat. Terrapin enables attackers to compromise the integrity of SSH connections, which are widely used for secure access to network services.
The Terrapin attack targets the SSH protocol by manipulating sequence numbers during the handshake, a prefix truncation attack. This manipulation lets an attacker delete messages sent by the client or server at the beginning of the secure channel without detection. The attack can lead to the use of less secure client authentication algorithms and to the deactivation of the countermeasures against keystroke timing attacks that OpenSSH 9.5 introduced.
Terrapin Is a Man-in-the-Middle Attack
The good news — yes, there is good news — is that while the Terrapin attack …
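Whether a given connection is actually exposed depends on what the two KEXINIT messages negotiate: the researchers' attack applies when the connection uses ChaCha20-Poly1305 or a CBC cipher with an encrypt-then-MAC (`*-etm@openssh.com`) MAC, and it is blocked when both sides agree to "strict key exchange", which OpenSSH 9.6 signals through the pseudo-algorithm names `kex-strict-s-v00@openssh.com` (server) and `kex-strict-c-v00@openssh.com` (client). The cipher-mode condition comes from the article's subject; the strict-kex names and version are facts from the OpenSSH release notes, not from this page. The following is an added example, not code from the article, from the Ruhr University team's scanner, or from OpenSSH: it builds and parses SSH_MSG_KEXINIT payloads in the RFC 4253 format, applies the standard negotiation rule (first client-preferred algorithm the server also lists), and classifies several constructed server/client pairings. The algorithm lists in the scenarios are constructed examples.

```python
"""Terrapin exposure check from an SSH_MSG_KEXINIT pair (RFC 4253 section 7.1 format)."""
import struct

SSH_MSG_KEXINIT = 20
CHACHA = "chacha20-poly1305@openssh.com"
# Pseudo-algorithm names with which OpenSSH 9.6 signals strict key exchange
# (taken from the OpenSSH release notes, not from the article).
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"


def _name_list(names) -> bytes:
    """SSH name-list: uint32 length + comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack("!I", len(data)) + data


def build_kexinit(kex, hostkey, ciphers, macs, compression=("none",), cookie=bytes(16)) -> bytes:
    """Constructed KEXINIT payload; the same cipher/MAC lists are used in both directions."""
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for lst in (kex, hostkey, ciphers, ciphers, macs, macs, compression, compression, (), ()):
        body += _name_list(lst)
    return body + b"\x00" + struct.pack("!I", 0)  # first_kex_packet_follows=false, reserved


def parse_kexinit(payload: bytes) -> dict:
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off, lists = 17, []  # skip the message byte and the 16-byte cookie
    for _ in range(10):
        (n,) = struct.unpack_from("!I", payload, off)
        off += 4
        lists.append([s for s in payload[off:off + n].decode("ascii").split(",") if s])
        off += n
    keys = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c")
    return dict(zip(keys, lists))


def negotiate(client_list, server_list):
    """RFC 4253: the first client-preferred algorithm that the server also supports."""
    return next((a for a in client_list if a in server_list), None)


def terrapin_assessment(server_kexinit: bytes, client_kexinit: bytes):
    """Return (vulnerable, reasons, strict_kex): vulnerable when an exploitable cipher mode is
    negotiated in either direction and strict key exchange was not agreed by both sides."""
    s, c = parse_kexinit(server_kexinit), parse_kexinit(client_kexinit)
    strict = STRICT_KEX_SERVER in s["kex"] and STRICT_KEX_CLIENT in c["kex"]
    reasons = []
    for d in ("c2s", "s2c"):
        enc = negotiate(c["enc_" + d], s["enc_" + d])
        mac = negotiate(c["mac_" + d], s["mac_" + d])
        if enc == CHACHA:
            reasons.append(f"{d}: {enc}")
        elif enc and enc.endswith("-cbc") and mac and mac.endswith("-etm@openssh.com"):
            reasons.append(f"{d}: {enc} with {mac}")
    return bool(reasons) and not strict, reasons, strict


KEX = ["curve25519-sha256", "diffie-hellman-group14-sha256"]
HOSTKEY = ["ssh-ed25519"]


def run_scenarios() -> dict:
    """Constructed server/client pairings; each value is the vulnerable flag."""
    def pair(s_kex, s_enc, s_mac, c_kex, c_enc, c_mac):
        return terrapin_assessment(build_kexinit(s_kex, HOSTKEY, s_enc, s_mac),
                                   build_kexinit(c_kex, HOSTKEY, c_enc, c_mac))[0]
    etm, plain = ["hmac-sha2-256-etm@openssh.com"], ["hmac-sha2-256"]
    return {
        "unpatched chacha20": pair(KEX, [CHACHA, "aes128-ctr"], etm, KEX, [CHACHA], etm),
        "strict kex both sides": pair(KEX + [STRICT_KEX_SERVER], [CHACHA, "aes128-ctr"], etm,
                                      KEX + [STRICT_KEX_CLIENT], [CHACHA], etm),
        "cbc with etm mac": pair(KEX, ["aes256-cbc"], etm, KEX, ["aes256-cbc"], etm),
        "ctr with plain mac": pair(KEX, ["aes128-ctr", "aes256-gcm@openssh.com"], plain,
                                   KEX, ["aes128-ctr"], plain),
    }
```

Two practical consequences show up in the scenarios. Strict kex only helps when both peers advertise it, so a patched server talking to an old client remains exposed and the assessment stays true for that pairing. And removing ChaCha20-Poly1305 and the CBC ciphers from the negotiated set is the mitigation available to an administrator who cannot yet upgrade, which is exactly what the "ctr with plain mac" pairing represents.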