Ask JJX: What About the KeePass Vulnerability?
In the midst of LastPass’s repeated barrage of breaches, a pretty serious vulnerability was found in another common password manager — KeePass. This slid under most of our radars, including mine. Professor Cyber Naught of the Mastodons suggested I comment on the situation. I’m so glad he brought this up, because it highlights several critical […]
The post Ask JJX: What About the KeePass Vulnerability? appeared first on Packet Pushers.
What’s new in Calico Enterprise 3.16: Egress gateway on AKS, Service Graph optimizations, and more!
We are excited to announce the early preview of Calico Enterprise 3.16. This latest release extends the active security platform’s support for egress access controls, improves the usability of network-based threat defense features, and scales visualization of Kubernetes workloads to 100s of namespaces. Let’s go through some of the highlights of this release.
Egress gateways for Microsoft Azure and AKS
Egress gateways allow you to identify the source of traffic at the namespace or pod level when it leaves a Kubernetes cluster to communicate to external resources. This makes it highly beneficial for security teams to apply access controls to specific traffic instead of opening up a larger set of IP addresses. Calico Enterprise 3.16 has added egress gateway support for Microsoft Azure and AKS in addition to our support for AWS and EKS. Check out our documentation, Configure egress gateways, Azure, to learn more.
Operator-managed deployments of egress gateways
Calico Enterprise now includes operator-managed deployments of egress gateways. This reduces operational overhead and eliminates additional steps required during software upgrades. With the Tigera Operator, egress gateways will always be automatically upgraded.
UI for workload-based web application firewalls (WAF)
Calico Enterprise’s unique workload-centric web application Continue reading
Planning for the Unexpected: Why Internet Resilience Matters
In a post-pandemic landscape where every business is now effectively an online business, slow is the new down. And so, Internet resilience has become a top priority at the board level.How Rust and Wasm power Cloudflare’s 1.1.1.1
On April 1, 2018, Cloudflare announced the 1.1.1.1 public DNS resolver. Over the years, we added the debug page for troubleshooting, global cache purge, 0 TTL for zones on Cloudflare, Upstream TLS, and 1.1.1.1 for families to the platform. In this post, we would like to share some behind the scenes details and changes.
When the project started, Knot Resolver was chosen as the DNS resolver. We started building a whole system on top of it, so that it could fit Cloudflare's use case. Having a battle tested DNS recursive resolver, as well as a DNSSEC validator, was fantastic because we could spend our energy elsewhere, instead of worrying about the DNS protocol implementation.
Knot Resolver is quite flexible in terms of its Lua-based plugin system. It allowed us to quickly extend the core functionality to support various product features, like DoH/DoT, logging, BPF-based attack mitigation, cache sharing, and iteration logic override. As the traffic grew, we reached certain limitations.
Lessons we learned
Before going any deeper, let’s first have a bird’s-eye view of a simplified Cloudflare data center setup, which could help us understand what we are going to talk Continue reading
Alternatives to IBGP within Multihomed Sites
Two weeks ago I explained why you might want to run IBGP between CE-routers on a multihomed site. One of the blog readers didn’t like my ideas:
In such a small deployment I assume that both ISPs offer transit, so that both CEs would get a default route from their upstream.
In this case I would not iBGP the CEs together but have HSRP running on the two CEs and track the uplink (interface and/of BGP session) to determine the active gateway.
Let’s see what could possibly go wrong with that design.
Alternatives to IBGP within Multihomed Sites
Two weeks ago I explained why you might want to run IBGP between CE-routers on a multihomed site. One of the blog readers didn’t like my ideas:
In such a small deployment I assume that both ISPs offer transit, so that both CEs would get a default route from their upstream.
In this case I would not iBGP the CEs together but have HSRP running on the two CEs and track the uplink (interface and/of BGP session) to determine the active gateway.
Let’s see what could possibly go wrong with that design.
Tech Bytes: ThousandEyes Enhances Data Correlation With OpenTelemetry (Sponsored)
Today on the Tech Bytes podcast we’re talking about OpenTelemetry with sponsor Cisco ThousandEyes. OpenTelemetry is an open collection of tools, APIs, and SDKs to help share telemetry data among different monitoring and analysis platforms to improve data correlation and visibility. ThousandEyes, the first network visibility platform to support OpenTelemetry, joins the podcast to discuss how it works, use cases, and more.
The post Tech Bytes: ThousandEyes Enhances Data Correlation With OpenTelemetry (Sponsored) appeared first on Packet Pushers.
Tech Bytes: ThousandEyes Enhances Data Correlation With OpenTelemetry (Sponsored)
Today on the Tech Bytes podcast we’re talking about OpenTelemetry with sponsor Cisco ThousandEyes. OpenTelemetry is an open collection of tools, APIs, and SDKs to help share telemetry data among different monitoring and analysis platforms to improve data correlation and visibility. ThousandEyes, the first network visibility platform to support OpenTelemetry, joins the podcast to discuss how it works, use cases, and more.Why Do YOU Have To Do It?
One of the things that I’ve seen as a common thread among people in the industry as of late is the subject of burnout. Sure, burnout is a common topic no matter what year we’re in but a lot more of what I’m starting to hear about is self-inflicted burnout. Taking on too many projects, doing more than one job, and even having too many things going on outside of your specific role are all contributors to burnout. How can we keep that from happening?
Atlas and His Burden
For me, one of the biggest reasons why I find myself swimming in frustration is because I am very quick to volunteer to do things. In part it’s because I want to make sure the job is done correctly. In another part it’s because I want to be seen as someone that is always willing to get things done. Add in a dash of people pleasing and you can see how this spirals out of control. I’m sure you’ve even heard that as a career advice at some point. I’ve even railed against it many times on this blog.
How can you overcome the impulse to want to volunteer to do Continue reading
Network Break 419: HPE Buys Athonet For Private 5G; Exit Public Cloud, Save Millions?
Is the private 5G market big enough to justify HPE's acquisition of Athonet? Is saving money worth retreating from public cloud? Why are organizations still getting bit by basic cloud misconfigurations? Will an appetite for AI deliver results for Nvidia? We explore these and other questions in the latest Network Break podcast.
The post Network Break 419: HPE Buys Athonet For Private 5G; Exit Public Cloud, Save Millions? appeared first on Packet Pushers.