Category Archives for "Networking"

mTLS client certificate revocation vulnerability with TLS Session Resumption


On December 16, 2022, Cloudflare discovered a bug where, in limited circumstances, some users with revoked certificates may not have been blocked by Cloudflare firewall settings. Specifically, Cloudflare’s Firewall Rules solution did not block some users with revoked certificates from resuming a session via mutual transport layer security (mTLS), even if the customer had configured Firewall Rules to do so. This bug has been mitigated, and we have no evidence of this being exploited. We notified any customers that may have been impacted in an abundance of caution, so they can check their own logs to determine if an mTLS protected resource was accessed by entities holding a revoked certificate.

What happened?

One of Cloudflare Firewall Rules’ features, introduced in March 2021, lets customers revoke or block a client certificate, preventing it from being used to authenticate and establish a session. For example, a customer may use Firewall Rules to protect a service by requiring clients to provide a client certificate through the mTLS authentication protocol. Customers could also revoke or disable a client certificate, after which it would no longer be able to be used to authenticate a party initiating an encrypted session via mTLS.

When Cloudflare receives …

Introducing Rollbacks for Workers Deployments


In November 2022, we introduced deployments for Workers. A deployment is created each time you make a change to a Worker, and each one is unique. Deployments let you track changes to your Workers over time, seeing who made the changes and where they came from.


When we made the announcement, we also said our intention was to build more functionality on top of deployments.

Today, we’re proud to release rollbacks for deployments.

Rollbacks

As nice as it would be to know that every deployment is perfect, it’s not always possible - for various reasons. Rollbacks provide a quick way to deploy past versions of a Worker - providing another layer of confidence when developing and deploying with Workers.

Via the dashboard

In the dashboard, navigate to the Deployments tab. For each deployment that is not the most recent, you should see a new icon on the far right of the deployment. Hovering over that icon displays the option to roll back to that deployment.


Clicking on that will bring up a confirmation dialog, where you can enter a reason for rollback. This provides another mechanism of record-keeping and helps give more context for why the rollback was necessary.


Once you enter …

DHCP Relaying in EVPN VRFs

After figuring out how DHCP relaying works and testing it with VRFs and in VXLAN segments, it seems like a no-brainer to make it work with EVPN.

TL&DR: It works, at least when using Arista vEOS as the relay and Cisco CSR 1000v as the DHCP server.

Lab Topology

We’ll keep using the exact same “physical” topology we used in the VXLAN DHCP relaying lab, add EVPN and BGP to the control-plane cocktail, and put the VXLAN segment into a VRF. We’ll use CSR 1000v as the DHCP server because Cisco IOSv doesn’t support some of the DHCP option-82 sub-options we need.

New Juniper Rack Mount Kit

Juniper has a new enhanced four-post rack mount kit, “JNP-4PST-RMK-1U-E”, for its 1RU data center devices. It works with devices such as the QFX5120 and PTX10001-36MR. It is much improved over the legacy rack mount kit. It is not as good as some competitors’ kits, but it is backwards compatible, and it makes switch installation quicker and safer.

Background: Current 4-post rail kit

Juniper has used the same 4-post kit for its 1RU data center switches and routers for many years. The same kit works on QFX5100, QFX5110 and QFX5120-48Y switches. The MX204 uses a slight variation, but it is almost identical. Oddly, the QFX5120-32C uses something completely different. Devices are secured to the front and rear posts. 2-post mounting is unwise for modern deep devices with heavy PSUs; you can still get away with it for lighter, shallower access switches, but modern servers and deep switches/routers need 4-post mounting or some sort of shelf.

The current kit “EX-4PST-RMK” has 2 parts per side:

Legacy rail kit

One piece screws into each side of the switch. Note that there are 8 holes per side, but Juniper supplies a total of 12 very small screws. As you can imagine, installing 12 very small screws per switch is no fun …

Ask JJX: Lynyrd Skynyrd Answers “Who Should Create an Org’s BYOD Policy?”

After LastPass's latest breach through a personal laptop, most boards, CIOs, and CISOs are taking the opportunity to reevaluate their Bring Your Own Device (BYOD) policies.

Here's how, why, and a lesson learned from Lynyrd Skynyrd. 

The post Ask JJX: Lynyrd Skynyrd Answers “Who Should Create an Org’s BYOD Policy?” appeared first on Packet Pushers.

Demo Bytes: Managing Your SD-WAN Deployment Lifecycle With LiveAction’s LiveNX (Sponsored) – Video

Sponsor LiveAction demonstrates how its LiveNX product can be used to deploy, monitor and repair multi-vendor SD-WANs. Our guest is Ron Groulx, Senior Systems Sales Engineer at LiveNX. LiveNX can manage and monitor your SD-WAN lifecycle from day zero (baselining your network performance) to day one (building policies to optimize performance) to day two (deployment […]

The post Demo Bytes: Managing Your SD-WAN Deployment Lifecycle With LiveAction’s LiveNX (Sponsored) – Video appeared first on Packet Pushers.

Heavy Networking 672: Overcoming Your Imposter Syndrome

Lots of folks suffer from impostor syndrome. Tech is complex: how could you know what you’re doing? And yet, many of us are responsible for incredibly complex IT systems. Fake it ‘til you make it, right? To handle the cognitive dissonance of impostor syndrome, we overcompensate, and in doing so we pay a personal price. Today's Heavy Networking guest is Matt Vitale. He's here to share what he's learned about coping with and overcoming impostor syndrome.

The post Heavy Networking 672: Overcoming Your Imposter Syndrome appeared first on Packet Pushers.

Upgrading one of the oldest components in Cloudflare’s software stack


Cloudflare serves a huge amount of traffic: 45 million HTTP requests per second on average (as of 2023; 61 million at peak) from more than 285 cities in over 100 countries. At that scale, software inevitably gets pushed to its limits. As we grew, one of the problems we faced was related to deploying our code: sometimes a release would be delayed because of inadequate hardware resources on our servers. Buying more and more hardware is expensive, and there are limits to, for example, how much memory we can realistically have in a server. In this article, we explain how we optimised our software and its release process so that no additional resources are needed.

In order to handle traffic, each of our servers runs a set of specialised proxies. Historically, they were based on NGINX, but increasingly they include services created in Rust. Out of our proxy applications, FL (Front Line) is the oldest and still has a broad set of responsibilities.

At its core, it’s one of the last uses of NGINX at Cloudflare. It contains a large amount of business logic that runs many Cloudflare products, using a variety of …

Google picks Qatar for second Middle Eastern cloud region

Google is adding a second cloud availability region in the Middle East, at Doha, to cater to demand from Qatar’s government and enterprises in the region, it said on Friday.

The new cloud region will help the Qatari government achieve its Qatar National Vision 2030 plan to sustain development and provide a high standard of living for its people, according to Google Cloud’s country manager for Qatar, Ghassan Kosta.

“This new region is a strong step towards building regional capacity that meets the needs of the Qatari digital economy, from availability and data residency, to digital sovereignty and sustainability,” Kosta wrote in a blog post.