Archive

Category Archives for "Networking"

How to secure the cluster in an air gap environment with Calico Cloud

The concern about securing the clusters has grown exponentially and one of the ways to secure it is by isolating the cluster from the Internet to lower the risk of eventual attack. Enterprises that deal with confidential customer data and work with regulatory agencies, such as financial and insurance institutions, require air gap environments for their clusters to create highly secure environments.

What’s an air gap?

The air gap is a security configuration in which the cluster, network, or workload will not have access to the Internet, unless it is explicitly authorized to do so. It is a highly controlled environment and prevents the cluster from establishing external connections without prior authorizations.

The diagram below shows an air gap network:

 

In a containerized environment, the cluster needs to pull the images for spinning up containers and it is usually done by pulling the images from a repository located on the cloud or Internet. However, as the air gap network doesn’t have access to the Internet, pulling images from the Internet is not possible. To address this situation, it is necessary to create a private registry/repository in the air gap network and pull all required images for the cluster into Continue reading

NVA Part V: NVA Redundancy with Azure Internal Load Balancer – On-Prem Connec

 Introduction


In Chapter Five, we deployed an internal load balancer (ILB) in the vnet-hub. It was attached to the subnet 10.0.0.0/24, where it obtained the frontend IP (FIP) 10.0.1.6. Next, we created a backend pool and associated our NVAs with it. Finally, we bound the frontend IP 10.0.1.6 to the backend pool to complete the ILB setup.


Next, in vnet-spoke1, we created a route table called rt-spoke1. This route table contained a user-defined route (UDR) for 10.2.0.0/24 (vnet-spoke2) with the next-hop set as 10.0.1.6. We attached this route table to the subnet 10.1.0.0/24. Similarly, in vnet-spoke2, we implemented a user-defined route for 10.1.0.0/24 (vnet-spoke1). By configuring these UDRs, we ensured that the spoke-to-spoke traffic would pass through the ILB and one of the NVAs on vnet-hub. Note that in this design, the Virtual Network Gateway is not required for spoke-to-spoke traffic.


In this chapter, we will add a Virtual Network Gateway (VGW) into the topology and establish an IPsec VPN connection between the on-premises network edge router and VGW. Additionally, we will deploy a new route table called "rt-gw-snet" where we add routing entries to the spoke VNets with the next-hop IP address 10.0.1.6 (ILB's frontend IP). Besides, we will add a routing entry 10.3.0.0/16 > 10.0.1.6 into the existing route tables on vnet-spoke-1 and vnet-spoke-2 (not shown in figure 6-1). This configuration will ensure that the spoke to spoke and spoke to on-prem flows are directed through one of the Network Virtual Appliances (NVAs) via ILB. The NVAs use the default route table, where the VGW propagates all the routes learned from VPN peers. However, we do not propagate routes from the default route table into the "rt-gw-snet" and "rt-prod-1" route tables. To enable the spoke VNets to use the VGW on the hub VNet, we allow it in VNet peering configurations.


  1. The administrator of the mgmt-pc opens an SSH session to vm-prod-1. The connection initiation begins with the TCP three-way handshake. The TCP SYN message is transmitted over the VPN connection to the Virtual Gateway (VGW) located on the vnet-hub. Upon receiving the message, the VGW first decrypts it and performs a routing lookup. The destination IP address, 10.1.0.4, matches the highlighted routing entry in the route table rt-gw-snet.
  2. The VGW determines the location (the IP address of the hosting server) of 10.1.0.6, encapsulates the message with tunnel headers, and forwards it to an Internal Load Balancer (ILB) using the destination IP address 10.1.0.6 in the tunnel header.
  3. The Internal Load Balancer receives the TCP SYN message. As the destination IP address in the tunnel header matches one of its frontend IPs, the ILB decapsulates the packet. It then checks which backend pool (BEP) is associated with the frontend IP (FIP) 10.0.1.6 to determine to which VMs it can forward the TCP SYN message. Using a hash algorithm (in our example, the 5-tuple), the ILB selects a VM from the backend pool members, in this case, NVA2. The ILB performs a location lookup for the IP address 10.1.0.5, encapsulates the TCP SYN message with tunnel headers, and finally sends it to NVA2.
  4. The message reaches the hosting server of NVA2, which removes the encapsulation since the destination IP in the tunnel header belongs to itself. Based on the Syn flag set in the TCP header, the packet is identified as the first packet of the flow. Since this is the initial packet of the flow, there is no flow entry programmed into the Generic Flow Table (GFT) related to this connection. The parser component generates a metadata file from the L3 and L4 headers of the message, which then is processed by the Virtual Filtering Platform (VFP) layers associated with NVA2. Following the VFP processing, the TCP SYN message is passed to NVA2, and the GFT is updated with flow information and associated actions (Allow and Encapsulation instructions). Besides, the VFP process creates a corresponding entry for the return packets into the GFT (reversed source and destination IPs and ports). Please refer to the first chapter for more detailed information on VFP processes.
  5. We do not have any pre-routing or post-routing policies configured on either NVA. As a result, NVA2 simply routes the traffic out of the eth0 interface based on its routing table. The ingress TCP SYN message has already been processed by the VFP layers, and the GFT has been updated accordingly. Consequently, the egress packet can be forwarded based on the GFT without the need for additional processing by the VFP layers.
  6. Subsequently, the encapsulated TCP SYN message is transmitted over VNet peering to vm-prod-1, located on vnet-spoke-1. Upon reaching the hosting server of vm-prod-1, the packet is processed in a similar manner as we observed with NVA. The encapsulation is removed, and the packet undergoes the same VFP processing steps as before.


Figure 6-1: ILB Example Topology.

Continue reading

Exam-related Internet shutdowns in Iraq and Algeria put connectivity to the test

Exam-related Internet shutdowns in Iraq and Algeria put connectivity to the test
Exam-related Internet shutdowns in Iraq and Algeria put connectivity to the test

Over the last several years, governments in a number of countries in the Middle East/Northern Africa (MENA) region have taken to implementing widespread nationwide shutdowns in an effort to prevent cheating on nationwide academic exams. Although it is unclear whether such shutdowns are actually successful in curbing cheating, it is clear that they take a financial toll on the impacted countries, with estimated losses in the millions of US dollars.

During the first two weeks of June 2023, we’ve seen Iraq implementing a series of multi-hour shutdowns that will reportedly occur through mid-July, as well as Algeria taking similar actions to prevent cheating on baccalaureate exams. Shutdowns in Syria were reported to begin on June 7, but there’s been no indication of them in traffic data as of this writing (June 13). These actions echo those taken in Iraq, Syria, Sudan, and Algeria in 2022 and in Syria and Sudan in 2021.

(Note: The interactive graphs below have been embedded directly into the blog post using a new Cloudflare Radar feature. This post is best viewed in landscape mode when on a mobile device.)

Iraq

Iraq had reportedly committed on May 15 to not implementing Internet shutdowns during the Continue reading

Cato boasts 5Gbps encrypted tunnel throughput

Cato Networks said today that it has successfully created an encrypted tunnel capable of 5Gbps of throughput, offering reassurance to network administrators worried about traffic overhead created by Secure Access Service Edge (SASE) platforms.The company’s announcement said that increasing uptake of SASE, particularly by large enterprises, has created a need for faster encrypted connections that still support the full array of security technologies present in SASE. The speed boost, Cato said, was made possible by improved performance in the company’s Single Pass Processing Engine, which is the umbrella of services that runs in its various points of presence.To read this article in full, please click here

Using aliases on Linux

Using aliases on Linux systems can save you a lot of trouble and help you work faster and smarter. This post examines the ways and reasons that many Linux users take advantage of aliases, shows how to set them up and use them, and provides a number of examples of how they can help you get your tasks done with less trouble.What are aliases? Aliases are simply one-line commands that are assigned names and generally stored in a startup file (e.g., .bashrc) that is run when you log in using a tool like PuTTY or open a terminal window on your desktop. The syntax is easy. It follows this pattern:$ alias NAME = 'COMMAND' As a simple example, typing a command like that shown below enables you to clear your screen simply by typing “c”.To read this article in full, please click here

Using aliases on Linux

Using aliases on Linux systems can save you a lot of trouble and help you work faster and smarter. This post examines the ways and reasons that many Linux users take advantage of aliases, shows how to set them up and use them, and provides a number of examples of how they can help you get your tasks done with less trouble.What are aliases? Aliases are simply one-line commands that are assigned names and generally stored in a startup file (e.g., .bashrc) that is run when you log in using a tool like PuTTY or open a terminal window on your desktop. The syntax is easy. It follows this pattern:$ alias NAME = 'COMMAND' As a simple example, typing a command like that shown below enables you to clear your screen simply by typing “c”.To read this article in full, please click here

Network spending priorities for second-half 2023

OK, it’s not been a great first half for many companies, from end users to vendors and providers. The good news is that users sort of believe that many of the economic and political issues that have contributed to the problem have been at least held at bay.There’s still uncertainty in the tech world, but it's a bit less than before. Most of the companies I’ve talked with this year have stayed guardedly optimistic that things were going to improve. Over the last month, of the nearly 200 companies I’ve emailed with, only 21 were “pessimistic” about the outlook for their tech spending in the second half.Lack of pessimism doesn’t translate to optimism, though, and optimism is a bit non-specific for network and IT planners to build on. What are the user priorities for tech for the rest of the year? Do they think their budgets will shift, and if so from what to what? Are they looking to make major changes in their networks, change their vendors, be more or less open? I thought I knew some of the answers to these questions, but for some I was wrong.To read this article in full, please click here

Network spending priorities for second-half 2023

OK, it’s not been a great first half for many companies, from end users to vendors and providers. The good news is that users sort of believe that many of the economic and political issues that have contributed to the problem have been at least held at bay.There’s still uncertainty in the tech world, but it's a bit less than before. Most of the companies I’ve talked with this year have stayed guardedly optimistic that things were going to improve. Over the last month, of the nearly 200 companies I’ve emailed with, only 21 were “pessimistic” about the outlook for their tech spending in the second half.Lack of pessimism doesn’t translate to optimism, though, and optimism is a bit non-specific for network and IT planners to build on. What are the user priorities for tech for the rest of the year? Do they think their budgets will shift, and if so from what to what? Are they looking to make major changes in their networks, change their vendors, be more or less open? I thought I knew some of the answers to these questions, but for some I was wrong.To read this article in full, please click here

Protecting GraphQL APIs from malicious queries

Protecting GraphQL APIs from malicious queries
Protecting GraphQL APIs from malicious queries

Starting today, Cloudflare’s API Gateway can protect GraphQL APIs against malicious requests that may cause a denial of service to the origin. In particular, API Gateway will now protect against two of the most common GraphQL abuse vectors: deeply nested queries and queries that request more information than they should.

Typical RESTful HTTP APIs contain tens or hundreds of endpoints. GraphQL APIs differ by typically only providing a single endpoint for clients to communicate with and offering highly flexible queries that can return variable amounts of data. While GraphQL’s power and usefulness rests on the flexibility to query an API about only the specific data you need, that same flexibility adds an increased risk of abuse. Abusive requests to a single GraphQL API can place disproportional load on the origin, abuse the N+1 problem, or exploit a recursive relationship between data dimensions. In order to add GraphQL security features to API Gateway, we needed to obtain visibility inside the requests so that we could apply different security settings based on request parameters. To achieve that visibility, we built our own GraphQL query parser. Read on to learn about how we built the parser and the security features it enabled.

Continue reading

Network Break 434: Cisco Licensing To Get Simpler, Bluecat Buys Again, Hashicorp Money Problems, and Itential Pops A Release

Take a Network Break: Drew is on holiday (again) and Ethan shows up. Who knew he was still around ? We start with FU, Cisco Live was underwhelming announcing a new focus simplicity and that customers hate their licensing, Bluecat spends again, Hashicorp gets a financial slapping, Itential ships a new version and Quantum Space Networking. 

The post Network Break 434: Cisco Licensing To Get Simpler, Bluecat Buys Again, Hashicorp Money Problems, and Itential Pops A Release appeared first on Packet Pushers.

Network Break 434: Cisco Licensing To Get Simpler, Bluecat Buys Again, Hashicorp Money Problems, and Itential Pops A Release

Take a Network Break: Drew is on holiday (again) and Ethan shows up. Who knew he was still around ? We start with FU, Cisco Live was underwhelming announcing a new focus simplicity and that customers hate their licensing, Bluecat spends again, Hashicorp gets a financial slapping, Itential ships a new version and Quantum Space Networking. 
1 235 236 237 238 239 3,478