0

Hedge 255: Open Multi-perspective Issuance

One of the various attack surfaces in encryption is insuring the certificates used to share the initial set of private keys are not somehow replaced by an attacker. In systems where a single server or source is used to get the initial certificates, however, it is fairly easy for an attacker to hijack the certificate distribution process.

Henry Birge-Lee joins us on this episode of the Hedge to talk about extensions to existing certificate systems where a certificate is pulled from more than one source. You can find his article here.

download

0

HN764: Should You Pursue a Technical Leadership Role?

Do you think you have what it takes to be a manager? Should you go for it? Laura Santamaria, host of the Technically Leadership podcast, joins Ethan Banks to discuss those questions. They talk about the motivations for moving into a management role, the challenges of managing people, and the need to understand the business... Read more »

0

Public Videos: Leaf-and-Spine Fabric Design

The initial videos of the Leaf-and-Spine Fabric Architectures webinar are now public. You can watch the Leaf-and-Spine Fabric Basics, Physical Fabric Design, and Layer-3 Fabrics sections without an ipSpace.net account.

0

N4N009: High-Speed Ethernet Lanes Explained

On today’s episode, we’re explaining high-speed Ethernet lanes at the request of listener Matthew. We cover lanes, channels, and their physical representation in networking – think actual cables. We explain both 40Gb and 100Gb technologies and compare them to Link Aggregation Control Protocol (LACP). We also have a discussion on standards and practical implications for... Read more »

0

Lab: Level-1 and Level-2 IS-IS Routing

One of the recipes for easy IS-IS deployments claims that you should use only level-2 routing (although most vendors enable level-1 and level-2 routing by default).

What does that mean, and why does it matter? You’ll find the answers in the Optimize Simple IS-IS Deployments lab exercise.

0

Securely Deploying & Running Multiple Tenants on Kubernetes

As Kubernetes becomes the backbone of modern cloud native applications, organizations increasingly seek to consolidate workloads and resources by running multiple tenants within the same Kubernetes infrastructure. These tenants could be:

• Internal teams: Departments within a company that share a Kubernetes cluster for development and production.
• External clients: SaaS providers hosting customer workloads on shared infrastructure.

While multitenancy offers cost efficiency and centralized management, it also introduces security and operational challenges:

• How do you ensure strong isolation between tenants?
• How do you manage resources and prevent one tenant from affecting another?
• How do you meet regulatory and compliance requirements?

To address these concerns, practitioners have three primary options for deploying multiple tenants securely on Kubernetes.

How to Deploy Multiple Tenants on Kubernetes

Option 1: Namespace-Based Isolation with Network Policies, RBAC and Security Controls

Namespaces are Kubernetes’ built-in mechanism for logical isolation. This approach uses:

• Namespaces: Logical boundaries for separating tenant workloads.
• RBAC (role-based access control): Restricts tenant access to their namespace and resources.
• Network policies: Controls ingress and egress traffic between pods and namespaces.
• Resource quotas: Limits CPU, memory and other resources to prevent noisy neighbors.

Advantages:

• Cost-effective: Tenants share the cluster infrastructure.
• Simple to manage: Centralized operations within a Continue reading

0

Cloud Monitoring’s Blind Spot: The User Perspective

The evolution of internet-centric application delivery has worsened IT’s visibility gaps into what impacts an end user’s experience. This problem is exacerbated when these gaps lead to negative business consequences, such as loss of revenue or lower Net Promoter Scores (NPS). The need to address this worsening visibility gap problem is reinforced by Gartner’s recent publication of its first

0

NAN082: Mastering Python One Bite at a Time

How do you master Python? One bite at a time. On today’s show we talk with Bob Belderbos, co-founder of PyBites, a community and learning platform for Python. Bob shares his philosophy for learning Python in small bites with practical exercises, hands-on learning, and daily coding for improvement. We discuss the importance of small wins,... Read more »

0

Comparing IGP and BGP Data Center Convergence

A Thought Leader¹ recently published a LinkedIn article comparing IGP and BGP convergence in data center fabrics². In it, they³ claimed that:

iBGP designs would require route reflectors and additional processing, which could result in slightly slower convergence.

Let’s see whether that claim makes any sense.

TL&DR: No. If you’re building a simple leaf-and-spine fabric, the choice of the routing protocol does not matter (but you already knew that if you read this blog).

0

Kerberos tickets on Mac OS

I’m using Mac at work and I found out that Kerberos needs sometimes a “kick” for the SSO to work properly. Sometimes after being offline the renewal of Kerberos ticket fails (especially when remote and connected via ZTA or VPN), even though everything looks alright in the “Ticket Viewer” app. Here is we where the […]

<p>The post Kerberos tickets on Mac OS first appeared on IPNET.</p>

0

HS092: Make a Plan…and Change It!

It’s better to plan for your IT strategy than not. But sometimes circumstances arise such that the plan, no matter how well conceived, just doesn’t work any more. On today’s Heavy Strategy, we explore how and why you should change a plan in the context of IT and business objectives. Sometimes this means small changes... Read more »

0

PP045: Reducing the Risk of Compromised Digital Certificates with CAA and Certificate Transparency

Transport Layer Security (TLS) relies on certificates to authenticate Web sites and enable encryption. On today’s Packet Protector we look at mechanisms that domain owners can take to ensure the validity of their digital certificates. More specifically, we cover Certification Authority Authorization (CAA) and Certificate Transparency (CT). Our guest is Ed Harmoush. Ed is a... Read more »

0

Demonstrating reduction of vulnerability classes: a key step in CISA’s “Secure by Design” pledge

In today’s rapidly evolving digital landscape, securing software systems has never been more critical. Cyber threats continue to exploit systemic vulnerabilities in widely used technologies, leading to widespread damage and disruption. That said, the United States Cybersecurity and Infrastructure Agency (CISA) helped shape best practices for the technology industry with their Secure-by-Design pledge. Cloudflare signed this pledge on May 8, 2024, reinforcing our commitment to creating resilient systems where security is not just a feature, but a foundational principle.

We’re excited to share an update aligned with one of CISA’s goals in the pledge: To reduce entire classes of vulnerabilities. This goal aligns with the Cloudflare Product Security program’s initiatives to continuously automate proactive detection and vigorously prevent vulnerabilities at scale.   

Cloudflare’s commitment to the CISA pledge reflects our dedication to transparency and accountability to our customers. This blog post outlines why we prioritized certain vulnerability classes, the steps we took to further eliminate vulnerabilities, and the measurable outcomes of our work.

Cloudflare’s core security philosophy is to prevent security vulnerabilities from entering production environments. One of the goals for Cloudflare’s Product Security team is to champion this philosophy and ensure Continue reading

0

Weird Junos IS-IS Metrics

As part of the netlab development process, I run almost 200 integration tests on more than 20 platforms (over a dozen operating systems), and the amount of weirdness I discover is unbelievable.

Today’s special: Junos is failing the IS-IS metrics test.

The test is trivial:

• The device under test is connected to two IS-IS routers (X1 and X2)
• It has a low metric configured on the link with X1 and a high metric configured on the link with X2

The validation process is equally trivial:

0

NB509: FCC to Raise Funds for Rip-and-Replace of Chinese Telco Gear; Billionaire Space Race Takes Off

Take a Network Break! We start with serious CVEs for Perl and Ivanti. On the news front, the FCC wants to license spectrum to raise money to help US telcos rip out Chinese network equipment–even though there’s no evidence Chinese equipment led to telco intrusions by Chinese attackers. Verizon boasts of 5.5Gbps download speeds on... Read more »

0

netlab: Multi-Site VLANs

Imagine you want to create a simple multi-site network with netlab:

• The lab should have two sites (A and B).
• Each site has a layer-3 switch, a single VLAN (VLAN 100), and two hosts connected to that VLAN.
• As you don’t believe in the magic powers of stretched VLANs, you have a layer-3 (IPv4) link between sites.

0

From Python to Go 010. Dealing With Text Files. And Tiny Bit On Regexp.

Hello my friend,

So far the only way to provide user input to your Python and Go (Golang) applications we’ve shared with you in these blog series was the environment. Whilst it is a powerful way, which is heavily used especially in cloud native world, where we utilize Kubernetes, it is not the only way to provide user input. Today we’ll review another mechanism, which is text files.

Is Software Development Not Valuable Job Anymore?

Lately I’ve seen more and more posts on LinkedIn that AI is taking software development jobs away and/or making them less profitable. I’m myself use various AIs as code assistants, so I can see massive massive boost in productivity. At the same time, often AI generates code, which simply doesn’t work regardless the amount of iterations you try it with different prompts. Or it does generates working code, which is far less performance optimized that it can be. Therefore, I’m convinced that software engineers are here to stay for quite a bit. Moreover, network and IT infrastructure automation is a specific domain, which knowledge is even less acquirable by AI now due to lack of structured data for models training. Which means, you shall Continue reading

0

AI for Network Engineers: LSTM-Based RNN

Recap of the Operation of an LSTM Cell

The previous section introduced the construction and operation of a single Long Short-Term Memory (LSTM) cell. This section briefly discusses an LSTM-based Recurrent Neural Network (RNN). Before diving into the details, let’s recap how an individual LSTM cell operates with a theoretical, non-mathematical example.

Suppose we want our model to produce the sentence: “It was cloudy, but it is raining now.” The first part of it refers to the past, and one of the LSTM cells has stored the tense “was” in its internal cell state. However, the last portion of the sentence refers to the present. Naturally, we want the model to forget the previous tense “was” and update its state to reflect the current tense “is.”

The Forget Gate plays a role in discarding unnecessary information. In this case, the forget gate suppresses the word “was” by closing its gate (outputting 0). The Input Gate  is responsible for providing a new candidate cell state, which in this example is the word “is.” The input gate is fully open (outputting 1) to allow the latest information to be introduced.

The Identification function computes the updated cell state by Continue reading

0

IP Addresses in 2024

Time for another annual roundup from the world of IP addresses. Let's see what has changed in the past 12 months in addressing the Internet and look at how IP address allocation information can inform us of the changing nature of the network itself.

0

Palo Alto URL Filtering and SSL Decryption

In my previous blog posts (linked below), we looked at how to allow or block specific websites using URL filtering. In this post, we'll look into how to use URL filtering with SSL decryption for more granular control.

Palo Alto Allow Access To Certain URLs Matching A Blocked URL Category

If you use URL filtering on your Palo Alto firewalls, you may come across situations where a specific URL category is set to block, but you need to allow certain sites.

PacketswitchSuresh Vina

Palo Alto How to Block Specific URLs?

In this blog post, we’ll explore how to block specific sites using a Palo Alto firewall. There are two ways to achieve this, and we’ll cover both options.

PacketswitchSuresh Vina

Why Do We Need SSL Decryption?

Previously, we saw how to block sites like facebook.com or cnn.com, or allow specific websites blocked by a URL Filtering profile. However, these methods fall short when more granular access is required. Most website traffic today is encrypted with HTTPS, meaning the firewall cannot inspect what's happening within those sessions.

Without SSL decryption, the Palo Alto firewall (or any NGFW) relies on the SNI or CN of the certificate Continue reading