Networking Archives - Page 120 of 3478

Improving authoritative DNS with the official release of Foundation DNS

We are very excited to announce the official release of Foundation DNS, with new advanced nameservers, even more resilience, and advanced analytics to meet the complex requirements of our enterprise customers. Foundation DNS is one of Cloudflare's largest leaps forward in our authoritative DNS offering since its launch in 2010, and we know our customers are interested in an enterprise-ready authoritative DNS service with the highest level of performance, reliability, security, flexibility, and advanced analytics.

Starting today, every new enterprise contract that includes authoritative DNS will have access to the Foundation DNS feature set and existing enterprise customers will have Foundation DNS features made available to them over the course of this year. If you are an existing enterprise customer already using our authoritative DNS services, and you’re interested in getting your hands on Foundation DNS earlier, just reach out to your account team, and they can enable it for you. Let’s get started…

Why is DNS so important?

From an end user perspective, DNS makes the Internet usable. DNS is the phone book of the Internet which translates hostnames like www.cloudflare.com into IP addresses that our browsers, applications, and devices use to connect to services. Without Continue reading

How we ensure Cloudflare customers aren’t affected by Let’s Encrypt’s certificate chain change

Let’s Encrypt, a publicly trusted certificate authority (CA) that Cloudflare uses to issue TLS certificates, has been relying on two distinct certificate chains. One is cross-signed with IdenTrust, a globally trusted CA that has been around since 2000, and the other is Let’s Encrypt’s own root CA, ISRG Root X1. Since Let’s Encrypt launched, ISRG Root X1 has been steadily gaining its own device compatibility.

On September 30, 2024, Let’s Encrypt’s certificate chain cross-signed with IdenTrust will expire. After the cross-sign expires, servers will no longer be able to serve certificates signed by the cross-signed chain. Instead, all Let’s Encrypt certificates will use the ISRG Root X1 CA.

Most devices and browser versions released after 2016 will not experience any issues as a result of the change since the ISRG Root X1 will already be installed in those clients’ trust stores. That's because these modern browsers and operating systems were built to be agile and flexible, with upgradeable trust stores that can be updated to include new certificate authorities.

The change in the certificate chain will impact legacy devices and systems, such as devices running Android version 7.1.1 (released in 2016) or older, as those exclusively Continue reading

HN729: Open Source to Closed

With “The Cathedral and the Bazaar” as his guide, Srivats launched Ostinato, his open source project, in 2010. He needed an affordable network traffic generator at his day job, he was passionate enough to build one during his nights and weekends, and end users loved it– it has been downloaded hundreds of thousands of times.... Read more »

Public Videos: Kubernetes Ingress

All the Kubernetes Ingress videos from the Kubernetes Networking Deep Dive webinar with Stuart Charlton are now public. Enjoy!

Explore

Hedge 221: Energy Aware Protocols

A lot of people are spending time thinking about how to make transport and control plane protocols more energy efficient. Is this effort worth it? What amount of power are we really like to save, and what downside potential is there in changing protocols to save energy? George Michaelson joins us from Australia to discuss energy awareness in protocols.

download

How Cisco sees Silicon One Easing Network Convergence and Helping with AI

With the rise of AI and its massive impact on networking, Cisco has pivoted swiftly to enable customers to utilize its converged networks to run taxing AI apps.

KU053: Migrate Legacy Applications to Kubernetes with Konveyor

Whether you want to migrate legacy applications to Kubernetes in order to save the whales or for any other reason, Konveyor is here to help. Savitha Raghunathan joins us today to walk us through the open source tool. The basics: You input the application’s source code (any language that has a language server) and Konveyor... Read more »

Collaborate to Trust Telco SaaS

Unlocking the full potential of telecom in the SaaS era relies on comprehensive strategies and a constant commitment to evolving security practices.

Enhancing Kubernetes Network Security with Microsegmentation

Microsegmentation represents a transformative approach to enhancing network security within Kubernetes environments. This technique divides networks into smaller, isolated segments, allowing for granular control over traffic flow and significantly bolstering security posture. At its core, microsegmentation leverages Kubernetes network policies to isolate workloads, applications, namespaces and entire clusters, tailoring security measures to specific organizational needs and compliance requirements. The Essence of Microsegmentation Strategies Scalability and Flexibility The fundamental advantage of microsegmentation through network policies lies in its scalability and flexibility. Kubernetes’ dynamic, label-based selection process facilitates the addition of new segments without compromising existing network infrastructure, enabling organizations to adapt to evolving security landscapes seamlessly. Labeling the assets is a key to microsegmentation success. Prevent Lateral Movement of Threats Workload isolation, a critical component of microsegmentation, emphasizes the importance of securing individual microservices within a namespace or tenant by allowing only required and approved communication. This minimizes the attack surface and prevents unauthorized lateral movement. Namespace and Tenant Isolation Namespace isolation further enhances security by segregating applications into unique namespaces, ensuring operational independence and reducing the impact of potential security breaches. Similarly, tenant isolation addresses the needs of multitenant environments by securing shared Kubernetes infrastructure, thus protecting tenants from Continue reading

LISP vs EVPN: Mobility in Campus Networks

I decided not to get involved in the EVPN-versus-LISP debates anymore; I’d written everything I had to say about LISP. However, I still get annoyed when experienced networking engineers fall for marketing gimmicks disguised as technical arguments. Here’s a recent one:

LISP vs EVPN: Mobility in Campus Networks

Narrowboat: Lessons learnt

At this stage of the build internally there is only really the bedroom, snags and trims (windows, ceiling edges and doors) left to do. I am currently in Australia having a bit of RnR so this is a reflective post to show the build at its present state and go through the things I have learnt along the way. I could plan all I like but as I haven’t lived on a boat before there was always going to be a few wrong design decisions.

D2C239: “(Almost) Every Infrastructure Decision I Endorse or Regret”

You can’t just drop a knife on fish and expect there to be sushi. Jack Lindamood joins us today to share his metaphors and thoughts on picking the right IT tools and processes as outlined in his popular article, “(Almost) Every Infrastructure Decision I Endorse or Regret after 4 Years Running Infrastructure at a Startup.”... Read more »

Tetrate Enterprise Gateway for Envoy Graduates

Istio and Tetrate Enterprise Gateway for Envoy (TEG). This release provides businesses with a modern and secure alternative to traditional Envoy Gateway version 1.0. TEG extends its features by including cross-cluster service discovery and load balancing, OpenID Connect (OIDC), OAuth2, Web Application Firewall (WAF), and rate limiting out of the box along with Federal Information Processing Standard (FIPS) 140-2 compliance. A standout feature of the Envoy Gateway, and by extension TEG, is its native support for the newly introduced

Zero Trust for Legacy Apps: Load Balancer Layer Can Be a Solution

When most security and platform teams think about implementing zero trust, they tend to focus on the identity and access management layer and, in Kubernetes, on the service mesh. These are fine approaches, but they can cause challenges for constellations of legacy internal apps designed to run with zero exposure to outside connections. One solution to this problem is to leverage the load balancer as the primary implementation component for zero trust architectures covering legacy apps. True Story: A Large Bank, Load Balancers and Legacy Code This is a true story: A large bank has thousands of legacy web apps running on dedicated infrastructure. In the past, it could rely on a “hard perimeter defense” for protection with very brittle access control in front of the web app tier. That approach no longer works. Zero trust mandates that even internal applications maintain a stronger security posture. And for the legacy apps to remain useful, they must connect with newer apps and partner APIs. This means exposure to the public internet or broadly inside the data center via East-West traffic — something that these legacy apps were never designed for. Still, facing government regulatory pressure to enhance security, the bank Continue reading

Modernizing IT Networks for Higher Education

In today’s data-driven world, higher educational institution networks and their management must be modernized to address the needs of everyone across campus. Enterprises face similar challenges and also need to modernize their networks.

Stateful Firewall Cluster High Availability Theater

Dmitry Perets wrote an excellent description of how typical firewall cluster solutions implement control-plane high availability, in particular, the routing protocol Graceful Restart feature (slightly edited):

Most of the HA clustering solutions for stateful firewalls that I know implement a single-brain model, where the entire cluster is seen by the outside network as a single node. The node that is currently primary runs the control plane (hence, I call it single-brain). Sessions and the forwarding plane are synchronized between the nodes.

Stateful Firewall Cluster High Availability Theater

1000BASE-T Part 4 – Link Down Detection

In the previous three parts, we learned about all the interesting things that go on in the PHY with scrambling, descrambling, synchronization, auto negotiation, FEC encoding, and so on. This is all essential knowledge that we need to have to understand how the PHY can detect that a link has gone down, or is performing so badly that it doesn’t make sense to keep the link up.

What Does IEEE 802.3 1000BASE-T Say?

The function in 1000BASE-T that is responsible for monitoring the status of the link is called link monitor and is defined in 40.4.2.5. The standard does not define much on what goes on in link monitor, though. Below is an excerpt from the standard:

Link Monitor determines the status of the underlying receive channel and communicates it via the variable
link_status. Failure of the underlying receive channel typically causes the PMA’s clients to suspend normal
operation.
The Link Monitor function shall comply with the state diagram of Figure 40–17.

The state diagram (redrawn by me) is shown below:

While 1000BASE-T leaves what the PHY monitors in link monitor to the implementer, there are still some interesting variables and timers that you should be Continue reading

HS069: Regulating AI

In today’s episode Greg and Johna spar over how, when, and why to regulate AI. Does early regulation lead to bad regulation? Does late regulation lead to a situation beyond democratic control? Comparing nascent regulation efforts in the EU, UK, and US, they analyze socio-legal principles like privacy and distributed liability. Most importantly, Johna drives... Read more »

« Previous 1 … 118 119 120 121 122 … 3,478 Next »