Category Archives for "Networking"

Know your SCM_RIGHTS

As TLS 1.3 was ratified earlier this year, I was recollecting how we got started with it here at Cloudflare. We made the decision to be early adopters of TLS 1.3 a little over two years ago. It was a very important decision, and we took it very seriously.

It is no secret that Cloudflare uses nginx to handle user traffic. A lesser-known fact is that we have several instances of nginx running. I won’t go into detail, but there is one instance whose job is to accept connections on port 443 and proxy them to another instance of nginx that actually handles the requests. It has pretty limited functionality otherwise. We fondly call it nginx-ssl.

Back then we were using OpenSSL for TLS and crypto in nginx, but OpenSSL (and BoringSSL) had yet to announce a timeline for TLS 1.3 support, so we had to implement our own TLS 1.3 stack. Obviously we wanted an implementation that would not affect any customer or client that did not enable TLS 1.3. We also needed something that we could iterate on quickly, because the spec was very fluid back then, and also something Continue reading

Knowledge of the “Truths in Your Network” is KEY

I am a huge believer in “knowledge is key”.  Yeah… I know… just reading that statement you are probably saying “well yeah… duh”.

Of course knowledge is key… duh, Fish!  We know that!  We love knowledge.  We are knowledge seekers and we love to learn!  I mean… if we didn’t love learning and knowledge why would we be reading this?   Okay… got it.  You love knowledge.  You want to grow your knowledge.   I hear you.  You are basically saying… bring on the knowledge… max the setting!   Got it.

So you most likely extend that desire for knowledge to most of the areas in your life.

For example….

  • Buying a House:  When buying a house you want the knowledge you can get by hiring a subject matter expert to walk thru the entirety of the house and inspect it.  You want knowledge of the truths of that house.
  • Hiring a Financial Advisor: When hiring a financial advisor you just go and “bare all” in reference to your financial situation so they can review every nuance of it.   You want knowledge of the truths of your finances.

Let’s Continue reading

L4Drop: XDP DDoS Mitigations

Efficient packet dropping is a key part of Cloudflare’s distributed denial of service (DDoS) attack mitigations. In this post, we introduce a new tool in our packet dropping arsenal: L4Drop.

[Image: public domain image by US Air Force]

We've written about our DDoS mitigation pipeline extensively in the past, covering:

  • Gatebot: analyzes traffic hitting our edge and deploys DDoS mitigations matching suspect traffic.
  • bpftools: generates Berkeley Packet Filter (BPF) bytecode that matches packets based on DNS queries, p0f signatures, or tcpdump filters.
  • iptables: matches traffic against the BPF generated by bpftools using the xt_bpf module, and drops it.
  • Floodgate: offloads work from iptables during big attacks that could otherwise overwhelm the kernel networking stack. Incoming traffic bypasses the kernel to go directly to a BPF interpreter in userspace, which efficiently drops packets matching the BPF rules produced by bpftools.

Both iptables and Floodgate send samples of received traffic to Gatebot for analysis, and filter incoming packets using rules generated by bpftools. This ends up looking something like this:

[Figure: Floodgate-based DDoS mitigation pipeline]

This pipeline has served us well, but a lot has changed since we implemented Floodgate. Our new Gen9 and ARM servers use different network Continue reading

New Report: Major Online Retailers Increase Email Marketing Trustworthiness and Follow Unsubscribe Best Practices

Today, the Internet Society’s Online Trust Alliance released its fifth annual Email Marketing & Unsubscribe Audit. OTA researchers analyzed the email marketing practices of 200 of North America’s top online retailers and, based on this analysis, offer prescriptive advice to help marketers provide consumers with choice and control over when and what messages they receive. The Audit assesses the end-to-end user experience from signing up for emails, to receiving emails, to the unsubscribe process and its results.

In the 2018 Audit, seventy-four percent of the top online retailers received “Best of Class” designation, meaning they scored eighty percent or higher in OTA’s analysis of their email marketing. In addition, ten retailers received perfect scores, meaning they adopted all twelve of OTA’s best practices. They are: Dick’s Sporting Goods, Home Depot, Lands’ End, Musician’s Friend, Office Depot, OpticsPlanet, Sierra Trading Post, Staples, Talbots, and Walgreens.

In the subscribe process there were several positive findings. The percentage of sites that had subscribe forms that were easy for the user to find was 94% in 2018, up from 85% in 2017. In addition, one-quarter of sites offered incentives such as free shipping to entice users to subscribe, down slightly from 28% in 2018.

Continue reading

Episode 40 – MPLS Part 4 – Fast Reroute

In this Network Collective community roundtable episode, Nick Russo and Jeff Tantsura join us to close out our MPLS series with an episode on Fast Reroute.


We would like to thank VIAVI Solutions for sponsoring this episode of Network Collective. VIAVI Solutions is an application and network management industry leader focusing on end-user experience by providing products that optimize performance and speed problem resolution. Helping to ensure delivery of critical applications for businesses worldwide, Viavi offers an integrated line of precision-engineered software and hardware systems for effective network monitoring and analysis. Learn more at www.viavisolutions.com/networkcollective.

Nick Russo – Guest
Jeff Tantsura – Guest
Jordan Martin – Host
Russ White – Host

Outro Music:
Danger Storm Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0 License
http://creativecommons.org/licenses/by/3.0/

The post Episode 40 – MPLS Part 4 – Fast Reroute appeared first on Network Collective.

6 ways IoT is transforming retail

In the wake of Black Friday and Cyber Monday, this seems like the perfect time to look at some of the many ways that the Internet of Things (IoT) is transforming the world of retail. The IoT is already in use in stores around the world, and according to estimates from Grand View Research, retail IoT could be a $94 billion market by 2025. Here are a half dozen ways that might come to pass:

The Third India School on Internet Governance

The third edition of the India School on Internet Governance (inSIG) took place from 13–15 October 2018 at the India International Centre in New Delhi, in partnership with the Internet Society Indian Chapters: Delhi, Trivandrum, Mumbai, and Kolkata. It was supported by the Beyond the Net Funding Programme, with the participation of Olaf Kolkman, the Internet Society’s Chief Internet Technology Officer.

Ninety participants joined a three-day event which included workshops, role-play exercises, and discussions. The event focused on educating emerging leaders from India and other South Asian countries, such as Afghanistan, Bangladesh, Nepal, and Sri Lanka, on their role in the global Internet Governance ecosystem.

On 12 October 2018, two events were co-hosted: first, the Internet Infrastructure Security Day, a workshop to learn more about open Internet standards and to share good practices as part of the Global Forum on Cyber Expertise (GFCE); and second, India’s first Youth Internet Governance Forum (YIGF), which conducted multiple sessions on topics of relevance to young Internet users, particularly those in secondary school, college, and early employment. Both events were live streamed and viewed by over 1,500 participants.

Several industry experts offered insight into India’s Continue reading