Deploying firmware at Cloudflare-scale: updating thousands of servers in more than 285 cities
As a security company, it’s critical that we have good processes for dealing with security issues. We regularly release software to our servers - on a daily basis even - which includes new features, bug fixes, and as required, security patches. But just as critical is the software which is embedded into the server hardware, known as firmware. Primarily of interest is the BIOS and Baseboard Management Controller (BMC), but many other components also have firmware such as Network Interface Cards (NICs).
As the world becomes more digital, software which needs updating is appearing in more and more devices. As well as my computer, over the last year, I have waited patiently while firmware has updated in my TV, vacuum cleaner, lawn mower and light bulbs. It can be a cumbersome process, including obtaining the firmware, deploying it to the device which needs updating, navigating menus and other commands to initiate the update, and then waiting several minutes for the update to complete.
Firmware updates can be annoying even if you only have a couple of devices. We have more than a few devices at Cloudflare. We have a huge number of servers of varying kinds, from varying vendors, spread Continue reading
Video: SD-WAN Backend Architecture
After describing the SD-WAN reference design, Pradosh Mohapatra focused on individual components of an SD-WAN solution, starting with the backend architecture.
You need at least free ipSpace.net subscription to watch this video and other videos in the SD-WAN Overview webinar.
Video: SD-WAN Backend Architecture
After describing the SD-WAN reference design, Pradosh Mohapatra focused on individual components of an SD-WAN solution, starting with the backend architecture.
You need at least free ipSpace.net subscription to watch this video and other videos in the SD-WAN Overview webinar.
Enterprise Broadband Expansion: Follow the Money
What do government-subsidized broadband buildouts mean for enterprises seeking new and better infrastructure opportunities?F5 BIG-IP HA LTM in Azure
This post goes through the deployment of a HA pair of F5 BIG-IP LTMs in Azure. Like with most vendors the F5 solutions is documented as part of ARM templates, I personally prefer to pick these things apart and first build them manually to better understand what is going on under the hood. A more cynical person may suggest they do this on purpose to try and hide all the fudges needed to make their solution work in a public cloud.
Hedge 169: Network Address Translation with Steinn
Network Address translation is one of those phrases that strikes fear into the hearts of some network engineers … and joy into the hearts of others! Steinn Bjarnarson joins us to discuss the history of NAT, its uses, its misuses, and how NAT fits into the big picture of network design today. Steinn just finished writing a paper on the history of NAT.
Xcitium’s Endpoint Virtual Jail Aims To Lock Up Mystery Malware
Xcitium is an Endpoint Detection and Response (EDR) vendor that sells client software that uses multiple methods to protect endpoints. Methods include anti-virus, a host firewall, a Host Intrusion Protection System (HIPS), and a technique it calls ZeroDwell Containment. The first three components are straightforward. The AV software relies on signatures to detect known malware. […]
The post Xcitium’s Endpoint Virtual Jail Aims To Lock Up Mystery Malware appeared first on Packet Pushers.
Kubernetes Security And Networking 3: Helpful Tips For Securing Your Kubernetes Cluster – Video
Michael Levan reviews security essentials for protecting your Kubernetes infrastructure, including worker nodes. He discusses server hardening using CIS Benchmarks as a guide, running a scanner (using Kubescape as an example), and employing role-based access control (RBAC). You can subscribe to the Packet Pushers’ YouTube channel for more videos as they are published. It’s a […]
The post Kubernetes Security And Networking 3: Helpful Tips For Securing Your Kubernetes Cluster – Video appeared first on Packet Pushers.
IPv6 Buzz 121: Uncovering IPv6 Host Default Address Selection
Today's IPv6 Buzz podcast explore the topic of default address selection with IPv6 hosts as defined in RFC 6724. It's very common for a host to have multiple IPv6 addresses of different types (as well as an IPv4 address in dual-stack environments) and RFC 6724 includes rules for which addresses are used first.
The post IPv6 Buzz 121: Uncovering IPv6 Host Default Address Selection appeared first on Packet Pushers.