Democratizing access to Zero Trust with Project Galileo
This post is also available in Deutsch, Français, Español, 简体中文.
Project Galileo was started in 2014 to protect free expression from cyber attacks. Many of the organizations in the world that champion new ideas are underfunded and lack the resources to properly secure themselves. This means they are exposed to Internet attacks aimed at thwarting and suppressing legitimate free speech.
In the last eight years, we have worked with 50 partners across civil society to onboard more than 2,000 organizations in 111 countries to provide our powerful cyber security products to those who work in sensitive yet critical areas of human rights and democracy building.
New security needs for a new threat environment
As Cloudflare has grown as a company, we have adapted and evolved Project Galileo especially amid global events such as COVID-19, social justice movements after the death of George Floyd, the war in Ukraine, and emerging threats to these groups intended to silence them. Early in the pandemic, as organizations had to quickly implement work-from-home solutions, new risks stemmed from this shift.
In our conversations with partners and participants, we noticed a theme. The digital divide in terms of cyber security products Continue reading
Network Dictionary: necropost
What is a necropost?
Cloudflare Zero Trust for Project Galileo and the Athenian Project
This post is also available in 日本語, Deutsch, Français, Español.
The organizations served by Projects Galileo and Athenian face the same security challenges as some of the world’s largest companies, but lack the budget to protect themselves. Sophisticated phishing campaigns attempt to compromise user credentials. Bad actors find ways to disrupt connectivity to critical resources. However, the tools to defend against these threats have historically only been available to the largest enterprises.
We’re excited to help fix that. Starting today, we are making the Cloudflare One Zero Trust suite available to teams that qualify for Project Galileo or Athenian at no cost. Cloudflare One includes the same Zero Trust security and connectivity solutions used by over 10,000 customers today to connect their users and safeguard their data.
Same problem, different missions
Athenian Project candidates work to safeguard elections in the United States. Project Galileo applicants launched their causes to support journalists, encourage artistic expression, or protect persecuted groups. They each set out to fix difficult and painful problems. None of the applications to our programs wrote their mission statement to deal with phishing attacks or internal data loss.
However, security problems plague these teams. Instead of being Continue reading
vagrant-libvirt Dependency Hell
One of the tiny details Open Networking preachers conveniently forget to mention is the tendency of open-source software to use a gazillion small packages from numerous independent sources to get the job done. Vendors selling commercial products (for example, Cumulus Linux) try their best to select the correct version of every package involved in their product; open-source projects could quickly end in dependency hell.
netlab tries to solve the dependency conundrum with well-defined installation scripts. We recommend you start with a brand new Ubuntu server (or VM) and follow the four lines of instructions1. In that case, you usually get a working system unless something unexpected breaks behind the scenes, like what we experienced a few days ago.
Welcome to Cloudflare’s Impact Week
In the early days of Cloudflare, we made it a policy that every new hire had to interview with either me or my co-founder Michelle. It’s still the case today, though we now have more than 3,000 employees, continue to hire great people as we find them, and, because there are only so many hours in the day, have had to enlist a few more senior executives to help with these final calls.
At first, these calls were about helping screen for new members of our small team. But, as our team grew, the purpose of these calls changed. Today, by the time I do the final call with someone we’ve made the decision to hire them, so it’s rarely about screening. Instead, the primary purpose is to make sure everyone joining has had a positive conversation with a senior member of our team, so if in the future they ever see something going wrong they’ll hopefully feel a bit more comfortable letting one of us know. I think because of that these calls are some of the most important work I do.
But, for me, there’s another purpose. I get to hear first-hand why people chose to apply. That’s Continue reading
Querying Netbox with Pynetbox
You should be using Netbox or something equivalent. I’m serious. Stop documenting your network with Word docs and Wiki pages and use something where the information can be queried. I’ve been using Netbox for a couple years, and it’s where I keep all that important information about my network. I use it to store hardware inventory, circuit inventory, contact information, site information…all sorts of stuff. Since all this information is already recorded there, I can just query it for the information I need. That includes any time I need to write some Python code to do something on the gear. I use the pynetbox module to do that.
To use pynetbox (or anything that uses API calls to Netbox), you’ll need to set up an API token. I am not qualified to tell you what the best way to manage these are, so we’re just going to assume you have an appropriate token configured already.
The Python Code
We’re going to write a short script to get all the devices from the Netbox instance…and here it is!1
import pynetbox
import urllib3
NETBOX_SERVER = "*.*.*.*"
NETBOX_API_KEY = "742*****"
nb_conn = pynetbox.api(url=f"https://{NETBOX_SERVER}", token=NETBOX_API_KEY)
nb_conn.http_session.verify = Continue readingAkvorado: a flow collector, enricher, and visualizer
Earlier this year, we released Akvorado, a flow collector, enricher, and visualizer. It receives network flows from your routers using either NetFlow v9, IPFIX, or sFlow. Several pieces of information are added, like GeoIP and interface names. The flows are exported to Apache Kafka, a distributed queue, then stored inside ClickHouse, a column-oriented database. A web frontend is provided to run queries. A live version is available for you to play.
Several alternatives exist:
- Kentik, a popular cloud-based solution,
- ElastiFlow, a self-hosted proprietary solution, or
- your own assembly of open source solutions by picking a flow collector (pmacct, GoFlow2, or vFlow), a distributed queue1 (Apache Kafka or RabbitMQ), a database (ClickHouse, Elasticsearch, or Apache Pinot), and a web frontend (Grafana, Kibana, or Apache Superset).
Akvorado differentiates itself from these solutions because:
- it is open source (licensed under the AGPLv3 license), and
- it bundles flow collection, storage, and a web interface into a single “product.”
The proposed deployment solution relies on Docker Compose to set up Akvorado, Zookeeper, Kafka, and ClickHouse. Continue reading
Worth Reading: NetOps Requires AI/ML and Rules
Here’s some common-sense view on hard-coded rules versus machine learning in network operations by Mark Seery – quite often we can specify our response to an event as a simple set of rules, but if we want to identify deviation from “normal” behavior, machine learning might not be a bad idea.
For more details, watch the Event-Driven Network Automation part of Building Network Automation Solutions online course.
s arguments and address this split between circuits.
Worth Reading: Fail-Slow at Scale
Did you ever wonder why everything in IT becomes slower over time? Our changed expectations and accumulated cruft definitely play a major role.. but it could also be hardware. For more details (and fun reading), explore Fail-Slow at Scale: Evidence of Hardware Performance Faults in Large Production Systems.
Ubiquiti Wireless Access Point Adoption Failed
https://codingpackets.com/blog/ubiquiti-wireless-access-point-adoption-failed
Heavy Networking 659: Securing Cloud Metro With Zero Trust (Sponsored)
On today's Heavy Networking podcast, sponsored by Juniper Networks, we discuss how metro networks are evolving to Cloud Metro, how to apply cloud principles and automation to these locations, and how the attack surface changes when you transition to Cloud Metro. We also talk about how Juniper supports active assurance and zero trust security in these environments.
The post Heavy Networking 659: Securing Cloud Metro With Zero Trust (Sponsored) appeared first on Packet Pushers.
Heavy Networking 659: Securing Cloud Metro With Zero Trust (Sponsored)
On today's Heavy Networking podcast, sponsored by Juniper Networks, we discuss how metro networks are evolving to Cloud Metro, how to apply cloud principles and automation to these locations, and how the attack surface changes when you transition to Cloud Metro. We also talk about how Juniper supports active assurance and zero trust security in these environments.Stop attacks before they are known: making the Cloudflare WAF smarter
Cloudflare’s WAF helps site owners keep their application safe from attackers. It does this by analyzing traffic with the Cloudflare Managed Rules: handwritten highly specialized rules that detect and stop malicious payloads. But they have a problem: if a rule is not written for a specific attack, it will not detect it.
Today, we are solving this problem by making our WAF smarter and announcing our WAF attack scoring system in general availability.
Customers on our Enterprise Core and Advanced Security bundles will have gradual access to this new feature. All remaining Enterprise customers will gain access over the coming months.
Our WAF attack scoring system, fully complementary to our Cloudflare Managed Rules, classifies all requests using a model trained on observed true positives across the Cloudflare network, allowing you to detect (and block) evasion, bypass and new attack techniques before they are publicly known.
The problem with signature based WAFs
Attackers trying to infiltrate web applications often use known or recently disclosed payloads. The Cloudflare WAF has been built to handle these attacks very well. The Cloudflare Managed Ruleset and the Cloudflare OWASP Managed Ruleset are in fact continuously updated and aimed at protecting web applications against known Continue reading