Archive

Category Archives for "Networking"

4 ways to leverage existing kernel security features to set up process monitoring

The large attack surface of Kubernetes’ default pod provisioning is susceptible to critical security vulnerabilities, some of which include malicious exploits and container breakouts. I believe one of the most effective workload runtime security measures to prevent such exploits is layer-by-layer process monitoring within the container.

It may sound like a daunting task that requires additional resources, but in reality, it is actually quite the opposite. In this article, I will walk you through how to use existing Linux kernel security features to implement layer-by-layer process monitoring and prevent threats.

Threat prevention and process monitoring

Containerized workloads in Kubernetes are composed of numerous layers. An effective runtime security strategy takes each layer into consideration and monitors the process within each container, also known as process monitoring.

Threat detection in process monitoring involves integrating mechanisms that isolate workloads or control access. With these controls in place, you can effectively prevent malicious behavior, reduce your workload’s attack surface, and limit the blast radius of security incidents. Fortunately, we can use existing Kubernetes mechanisms and leverage Linux defenses to achieve this.

Kernel security features

By pulling Linux defenses closer to the container, we can leverage existing Kubernetes mechanisms to monitor processes and reduce Continue reading

Content Creation Complications

If you’ve noticed my regular blog posts have been a bit irregular as of late you’re not alone. I’m honestly working through a bit of writer’s block as of late. The irony is that I’m not running out of things to talk about. I’m actually running out of time to talk about them the way that I want.

Putting in the Work

By now you, my dear readers, know that I’m not going to put out a post of 200-300 words just to put something out during the week. I’d rather spend some time looking into a topic and creating something that informs or encourages discussion. That means having sources or doing research.

Research takes time. Ironically enough I’ve always had a much easier time writing things so long as I have the info to pull from in my head. One of the side effects of neurodivergence that I’ve learned about recently is that neurodivergent people tend to write their ‘first draft’ in their head throughout the creation process. Rather than writing and rewriting over and over again I pool all the information in my brain and work through it all to put down my final thoughts. That means what Continue reading

Kyndryl lays off staff in search of efficiency

Kyndryl, the managed IT services provider that spun out of IBM, has announced layoffs that could affect its own internal IT services.“We are eliminating some roles globally — a small percentage — to become more efficient and competitive,” said a Kyndryl spokesperson, without giving the exact number of employees affected due to the layoffs.“These actions will enable us to focus our investments in areas that directly benefit our customers and position Kyndryl for profitable growth,” the spokesperson said, adding that the company was in the process of undergoing transformation to streamline and simplify its processes and systems.Bloomberg first reported about the layoffs.To read this article in full, please click here

Kyndryl lays off staff in search of efficiency

Kyndryl, the managed IT services provider that spun out of IBM, has announced layoffs that could affect its own internal IT services.“We are eliminating some roles globally — a small percentage — to become more efficient and competitive,” said a Kyndryl spokesperson, without giving the exact number of employees affected due to the layoffs.“These actions will enable us to focus our investments in areas that directly benefit our customers and position Kyndryl for profitable growth,” the spokesperson said, adding that the company was in the process of undergoing transformation to streamline and simplify its processes and systems.Bloomberg first reported about the layoffs.To read this article in full, please click here

Kubernetes Unpacked 022: Kubernetes Networking And Abstraction With Cilium And eBPF

In this episode, Michael catches up with Stephane Karagulmez, Senior Solution Architect at Isovalent (founded by the creators of Cilium). Michael spent a lot of time working with Cilium, which is open-source software that provides networking and observability capabilities for Kubernetes workloads. Cilium is based on another open-source project, eBFP. It's important to understand the details and performance changes when implementing eBPF and removing kube-proxy.

The post Kubernetes Unpacked 022: Kubernetes Networking And Abstraction With Cilium And eBPF appeared first on Packet Pushers.

Kubernetes Unpacked 022: Kubernetes Networking And Abstraction With Cilium And eBPF

In this episode, Michael catches up with Stephane Karagulmez, Senior Solution Architect at Isovalent (founded by the creators of Cilium). Michael spent a lot of time working with Cilium, which is open-source software that provides networking and observability capabilities for Kubernetes workloads. Cilium is based on another open-source project, eBFP. It's important to understand the details and performance changes when implementing eBPF and removing kube-proxy.

Dropped packet reason codes in Linux 6+ kernels

Using sFlow to monitor dropped packets describes support for standard sFlow Dropped Packet Notications in the open source Host sFlow agent. This article describes additional capabilities in Linux 6+ kernels that clarify reasons why packets are dropped in the kernel.

The recent addition of dropreason.h in Linux 6+ kernels provides detailed reasons for packet drops. The netlink drop_monitor API has been extended to include the NET_DM_ATTR_REASON attribute to report the drop reason, see net_dropmon.h.

The following example illustrates the value of the reason code in explaining Linux packet drops.

tcp_v4_rcv+0x7c/0xef0
The value of NET_DM_ATTR_SYMBOL shown above indicates that the packet was dropped in the tcp_v4_rcv function in Linux kernel at memory location 0x7c/0xef0. While this information is helpful, there are many reasons why a TCP packet may be dropped.
NO_SOCKET
In this case, the value of NET_DM_ATTR_REASON shown above indicates that the TCP packet was dropped because no application had opened a socket and so there was nowhere to deliver the packet.

In the case of Linux-based hardware switches or smart network adapters, where packet processing is offloaded to hardware, the netlink drop_monitor events include NET_DM_ATTR_HW_TRAP_GROUP_NAME and NET_DM_ATTR_HW_TRAP_NAME attributes and packet header information supplied by the hardware Continue reading

From IP packets to HTTP: the many faces of our Oxy framework

From IP packets to HTTP: the many faces of our Oxy framework
From IP packets to HTTP: the many faces of our Oxy framework

We have recently introduced Oxy, our Rust-based framework for proxies powering many Cloudflare services and products. Today, we will explain why and how it spans various layers of the OSI model, by handling directly raw IP packets, TCP connections and UDP payloads, all the way up to application protocols such as HTTP and SSH.

On-ramping IP packets

An application built on top of Oxy defines — in a configuration file — the on-ramps that will accept ingress traffic to be proxied to some off-ramp. One of the possibilities is to on-ramp raw IP packets. But why operate at that layer?

The answer is: to power Cloudflare One, our network offering for customers to extend their private networks — such as offices, data centers, cloud networks and roaming users — with the Cloudflare global network. Such private networks operate based on Zero Trust principles, which means every access is authenticated and authorized, contrasting with legacy approaches where you can reach every private service after authenticating once with the Virtual Private Network.

To effectively extend our customer’s private network into ours, we need to support arbitrary protocols that rely on the Internet Protocol (IP). Hence, we on-ramp Cloudflare Continue reading

Helping protect personal information in the cloud, all across the world

Helping protect personal information in the cloud, all across the world
Helping protect personal information in the cloud, all across the world

Cloudflare has achieved a new EU Cloud Code of Conduct privacy validation, demonstrating GDPR compliance to strengthen trust in cloud services

Internet privacy laws around the globe differ, and in recent years there’s been much written about cross-border data transfers. Many regulations require adequate protections to be in place before personal information flows around the world, as with the European General Data Protection Regulation (GDPR). The law rightly sets a high bar for how organizations must carefully handle personal information, and in drafting the regulation lawmakers anticipated personal data crossing-borders: Chapter V of the regulation covers those transfers specifically.

Whilst transparency on where personal information is stored is important, it’s also critically important how personal information is handled, and how it is kept safe and secure. At Cloudflare, we believe in protecting the privacy of personal information across the world, and we give our customers the tools and the choice on how and where to process their data. Put simply, we require that data is handled and protected in the same, secure, and careful way, whether our customers choose to transfer data across the world, or for it to remain in one country.

And today we are proud to announce Continue reading

ChatGPT on BGP Routing Security

I wanted to include a few examples of BGP bugs causing widespread disruption in the Network Security Fallacies presentation. I tried to find what happened when someone announced beacon prefixes with unknown optional transitive attributes (which should have been passed without complaints but weren’t) without knowing when it happened or who did it.

Trying to find the answer on Google proved to be a Mission Impossible – regardless of how I structured my query, I got tons of results that seemed relevant to a subset of the search words but nowhere near what I was looking for. Maybe I would get luckier with a tool that’s supposed to have ingested all the world’s knowledge and seems to (according to overexcited claims) understand what it’s talking about.

ChatGPT on BGP Routing Security

I wanted to include a few examples of BGP bugs causing widespread disruption in the Network Security Fallacies presentation. I tried to find what happened when someone announced beacon prefixes with unknown optional transitive attributes (which should have been passed without complaints but weren’t) without knowing when it happened or who did it.

Trying to find the answer on Google proved to be a Mission Impossible – regardless of how I structured my query, I got tons of results that seemed relevant to a subset of the search words but nowhere near what I was looking for. Maybe I would get luckier with a tool that’s supposed to have ingested all the world’s knowledge and seems to (according to overexcited claims) understand what it’s talking about.

Intel announces 144 core Xeon processor

Intel has announced a new processor with 144 cores designed for simple data-center tasks in a power-efficient manner.Called Sierra Forest, the Xeon processor is part of the Intel E-Core (Efficiency Core) lineup that that forgoes advanced features such as AVX-512 that require more powerful cores. AVX-512 is Intel Advanced Vector Extensions 512, “a set of new instructions that can accelerate performance for workloads and usages such as scientific simulations, financial analytics, artificial intelligence (AI)/deep learning, 3D modeling and analysis, image and audio/video processing, cryptography and data compression,” according to Intel.Sierra Forest signals a shift for Intel that splits its data-center product line into two branches, the E-Core and the P-Core (Performance Core), which is the traditional Xeon data-center design that uses high-performance cores.To read this article in full, please click here

Intel announces 144 core Xeon processor

Intel has announced a new processor with 144 cores designed for simple data-center tasks in a power-efficient manner.Called Sierra Forest, the Xeon processor is part of the Intel E-Core (Efficiency Core) lineup that that forgoes advanced features such as AVX-512 that require more powerful cores. AVX-512 is Intel Advanced Vector Extensions 512, “a set of new instructions that can accelerate performance for workloads and usages such as scientific simulations, financial analytics, artificial intelligence (AI)/deep learning, 3D modeling and analysis, image and audio/video processing, cryptography and data compression,” according to Intel.Sierra Forest signals a shift for Intel that splits its data-center product line into two branches, the E-Core and the P-Core (Performance Core), which is the traditional Xeon data-center design that uses high-performance cores.To read this article in full, please click here

Supermicro has a new liquid-cooled server for AI

With data center servers running hotter and hotter, the interest in liquid cooling is ramping up with vendors announcing servers that feature self-contained systems and businesses with expertise in related technologies jumping in.Liquid cooling is more efficient than traditional air cooling, and Supermicro is using it to cool the hottest processors in a new server designed as a platform to develop and run AI software.The SYS-751GE-TNRT-NV1 server runs hot. It features four NVIDIA A100 GPUs that draw 300W each and are liquid-cooled by a self-contained system.Some liquid cooling systems rely on water that is piped into the data center. The self-contained system doesn’t require that, so it makes the servers more widely deployable.The system is quiet, too; its running noise level is 30dB.To read this article in full, please click here

Supermicro has a new liquid-cooled server for AI

With data center servers running hotter and hotter, the interest in liquid cooling is ramping up with vendors announcing servers that feature self-contained systems and businesses with expertise in related technologies jumping in.Liquid cooling is more efficient than traditional air cooling, and Supermicro is using it to cool the hottest processors in a new server designed as a platform to develop and run AI software.The SYS-751GE-TNRT-NV1 server runs hot. It features four NVIDIA A100 GPUs that draw 300W each and are liquid-cooled by a self-contained system.Some liquid cooling systems rely on water that is piped into the data center. The self-contained system doesn’t require that, so it makes the servers more widely deployable.The system is quiet, too; its running noise level is 30dB.To read this article in full, please click here

Hedge 172: Roundtable! SONiC, Open Source, and Complexity

It’s roundtable time at the Hedge! Eyvonne Sharp, Tom Ammon, and I start the conversation talking about the SONiC open source NOS, and then wander into using open source, build versus buy, and finally complexity in design and deployment.

Thanks for listening–if you have an idea for a Hedge episode, would like to be a guest, or know someone you think would be a good guest, let one us know!


 
download