Archive

Category Archives for "Networking"

Kubernetes secrets management: 3 approaches and 9 best practices

Secrets, such as usernames, passwords, API tokens, and TLS certificates, contain confidential data that can be used to authenticate and authorize users, groups, or entities. As the name implies, secrets are not meant to be known or seen by others. So how do we keep them safe?

The key to keeping secrets safe lies within how you manage them. Where to store secrets, how to retrieve them, and how to make them available in an application as needed are all early design choices a developer must make when migrating an application or microservice to Kubernetes. Part of this design choice is to ensure the secrets can become available without compromising the application’s security posture.

In this article, I will provide approaches and recommended best practices for managing secrets in Kubernetes.

How to approach secrets management in Kubernetes

Let’s start with some approaches. Below are three approaches I recommend for Kubernetes secrets management.

etcd

etcd is a supported datastore in Kubernetes, and a lot of developers opt to store secrets in a Base64-encoded format in etcd as a key-value pair. Secrets stored in etcd can be made available from within Kubernetes deployment specs as an environment variable, which is stored in […]

Friction as a Network Security Concept

I had the recent opportunity to record a podcast with Curtis Preston about security, data protection, and networking. I loved being a guest and we talked quite a bit in the episode about how networking operates and how to address ransomware issues when they arise. I wanted to talk a bit more about some concepts here to help flesh out my advice as we talked about it.

Compromise is Inevitable

If there’s one thing I could say that would make everything make sense it’s this: you will be compromised. It’s not a question of if. You will have your data stolen or encrypted at some point. The question is really more about how much gets taken or how effectively attackers are able to penetrate your defenses before they get caught.

Defenses are designed to keep people out. But they also need to be designed to contain damage. Think about a ship on the ocean. Those giant bulkheads aren’t just there for looks. They’re designed to act as compartments to seal off areas in case of catastrophic damage. The ship doesn’t assume that it’s never going to have a leak. Instead, the designers created it in such a way as […]

Juniper aims at simplifying campus fabric deployment

Juniper Networks is looking to ease complicated campus networking by automatically configuring and helping manage Ethernet VPN-Virtual Extensible LAN (EVPN/VXLAN) deployments.

Juniper also expanded its EX family of switches aimed at campus distribution deployments and low-density data-center top-of-rack environments, according to Jeff Aaron, vice president of enterprise marketing for Juniper.

Juniper has rolled out a process called campus fabric workflow, under its subscription-based Wired Assurance program. Campus fabric workflow can help customers deploy common standards-based campus fabrics, such as EVPN multihoming, EVPN core/distribution and IP Clos for VLAN extensions with an easy process that lets them pick their desired topology, assign devices/roles and push configurations, Aaron said.

New Zero Trust navigation coming soon (and we need your feedback)

We’re updating the Zero Trust navigation

On March 20, 2023, we will be launching an updated navigation in the Zero Trust dashboard, offering all of our Zero Trust users a more seamless experience across Cloudflare as a whole. This change will allow you to more easily manage your Zero Trust organization alongside your application and network services, developer tools, and more.

As part of this upcoming release, you will see three key changes:

Quicker navigation

Instead of opening another window or typing in a URL, you can go back to the Cloudflare dashboard in one click.

Switch accounts with ease

View and switch accounts at the top of your sidebar.

Resources and support

Find helpful links to our Community, developer documentation, and support team at the top of your navigation bar.

Why we’re updating the Zero Trust navigation

In 2020, Gateway was broadly released as the first Cloudflare product that didn’t require a site hosted on Cloudflare’s infrastructure. In other words, Gateway was unconstrained by the site-specific model most other Cloudflare products relied on at the time, while also being used in close conjunction with Access. And so, the Cloudflare for Teams dashboard was built on a new model, designed from […]

The White House’s National Cybersecurity Strategy asks the private sector to step up to fight cyber attacks. Cloudflare is ready

On Thursday, March 2, 2023, the Biden-Harris Administration released the National Cybersecurity Strategy aimed at securing the Internet. Cloudflare welcomes the Strategy, and congratulates the White House on this comprehensive, much-needed policy initiative. The goal of the Strategy is to make the digital ecosystem defensible, resistant, and values-aligned. This is a goal that Cloudflare fully supports. The Strategy recognizes the vital role that the private sector has to play in defending the United States against cyber attacks.

The Strategy aims to make a fundamental shift and transformation of roles, responsibilities, and resources in cyberspace by (1) rebalancing the responsibility to defend cyberspace by shifting the burden away from individuals, small businesses, and local governments, and onto organizations that are most capable and best-positioned to reduce risks, like data holders and technology providers; and (2) realigning incentives to favor long-term investments by balancing defending the United States against urgent threats today and simultaneously investing in a resilient future. The Strategy envisions attaining these goals through five collaborative pillars:

  • Pillar One: defending critical infrastructure;
  • Pillar Two: disrupting and dismantling threat actors;
  • Pillar Three: shaping market forces to drive security and resilience;
  • Pillar Four: investing in a resilient future; and
  • Pillar Five: forging […]

Keeping the Cloudflare API ‘all green’ using Python-based testing

At Cloudflare, we reuse existing core systems to power multiple products, and testing of these core systems is essential. In particular, we need wide and thorough visibility into our live APIs’ behaviors. We want to be able to detect regressions, prevent incidents and maintain healthy APIs. That is why we built Scout.

Scout is an automated system that periodically runs Python tests verifying the end-to-end behavior of our APIs. Scout allows us to evaluate APIs in production-like environments and thus ensures we can green light a production deployment while also monitoring the behavior of APIs in production.

Why Scout?

Before Scout, we were using an automated test system leveraging the Robot Framework. This older system was limiting our testing capabilities. In fact, we could not easily match JSON responses against keys we were looking for. We would abandon covering different behaviors of our APIs as it was impossible to decide on which resources a given test suite would run. Two different test suites would create false negatives as they were running on the same account.

Regarding schema validation, only API responses were validated against a JSON schema and tests would not fail if the […]

Fortinet adds new security, management features to its SASE platform

UNDER EMBARGO UNTIL TUESDAY, MARCH 7 AT 9AM ET

Fortinet has added features that broaden the range of management and security tools for its secure access service edge (SASE) package.

The company has expanded its Secure Private Access offering that ties SASE resources together with SD-WAN-based applications through a Fortinet SD-WAN hub located in a nearby point-of-presence (PoP). The idea is to support larger hybrid environments and simplify anywhere access to corporate applications, said Nirav Shah, vice president of products with Fortinet.

Fortinet adds new security, management features to its SASE platform

UNDER EMBARGO UNTIL TUESDAY, MARCH 7 AT 9AM ET

Fortinet has added features that broaden the range of management and security tools for its secure access service edge (SASE) package.

The company has added a feature to its Secure Private Access that ties SASE resources together with SD-WAN-based applications through a Fortinet SD-WAN hub located in a nearby point-of-presence (PoP). The idea is to support larger hybrid environments and simplify anywhere access to corporate applications, said Nirav Shah, vice president of products with Fortinet.

Barriers To Kubernetes

If you’re a system administrator or Infrastructure Engineer that has:

  • Managed upgrades for large-scale systems
  • Managed high availability and horizontal scaling
  • Deployed binaries on Linux or Windows VMs
  • Deployed virtualization and bare-metal environments

Kubernetes is going to be a major upgrade for you, how you deploy, and how you manage services. Kubernetes truly does make […]

The post Barriers To Kubernetes appeared first on Packet Pushers.

Dynamic MAC Learning: Hardware or CPU Activity?

An ipSpace.net subscriber sent me a question along the lines of “does it matter that EVPN uses BGP to implement dynamic MAC learning whereas in traditional switching that’s done in hardware?” Before going into those details, I wanted to establish the baseline: is dynamic MAC learning really implemented in hardware?

Hardware-based switching solutions usually use a hash table to implement MAC address lookups. The above question should thus be rephrased as “is it possible to update the MAC hash table in hardware without punting the packet to the CPU?” One would expect high-end (expensive) hardware to be able to do it, while low-cost hardware would depend on the CPU. It turns out the reality is way more complex than that.

Artificial intelligence helps solve networking problems

With the public release of ChatGPT and Microsoft’s $10-billion investment into OpenAI, artificial intelligence (AI) is quickly gaining mainstream acceptance. For enterprise networking professionals, this means there is a very real possibility that AI traffic will affect their networks in major ways, both positive and negative.

As AI becomes a core feature in mission-critical software, how should network teams and networking professionals adjust to stay ahead of the trend?

Andrew Coward, GM of Software Defined Networking at IBM, argues that the enterprise has already lost control of its networks. The shift to the cloud has left the traditional enterprise network stranded, and AI and automation are required if enterprises hope to regain control.

Building your personal Linux cheat sheets

Linux man pages can be overwhelming to people who are just learning how to work on the command line, but here we'll look at a way to quickly prepare a cheat sheet for a series of commands. These cheat sheets will tell new Linux users enough to get started and know what man page to read when they want to know more.

To get started, we’ll take a look at a series of commands that any Linux newbie would need to learn:

alias    cmp   export   less    tail    whereis
apropos  comm  grep     more    tar     who
cat      dd    head     passwd  top     whoami
chmod    df    kill     pwd     unzip   zip
chown    diff  killall  sort    whatis

Next, we use a series of commands that will provide short descriptions of these commands. These are help -d, whatis, and a man command that selects only the command description from the man pages.
