What’s new in Calico Enterprise 3.14: WAF, Calico CNI on AKS, and support for RKE2
At Tigera, we strive to innovate at every opportunity thrown at us and deliver what you need! We have listened to what users ask and today we are excited to announce the early preview of Calico Enterprise 3.14. From new capabilities to product supportability and extending partnerships with our trusted partners, let’s take a look at some of the new features in this release.
Web application firewall (WAF)
Web applications are a critical aspect of any business, whether they are public facing or internal. There has been a fundamental shift in the way these applications are developed—as they have become more container-based and API-based, we refer to these as cloud-native applications.
To keep these modern web applications secure, we need to analyze all HTTP communication and block any malicious traffic traversing the web application. However, in a cloud-native environment, we can’t achieve this using simple network policies or by using perimeter network firewalls. Instead, a cloud-native web application firewall (WAF) would be necessary.
Fig. 1: Service annotation for workload-based WAF using Calico
This is why we have introduced a cloud-native WAF into Calico Enterprise that’s different from the traditional WAFs you may know. While most traditional WAFs are deployed Continue reading
HS025 Did You Know Your IT is a Crime Scene ?
Does planning for cybersecurity failure include the concept of 'crime scene' ? Can you provide evidence to an external investigation sufficient to get justice or simply prove to insurance investigator that you met the policy requirements ? Should you be lobbying governments ? How does this drive your cyber spending - defense, microsegmentation, detection or evidence collection ?
The post HS025 Did You Know Your IT is a Crime Scene ? appeared first on Packet Pushers.
HS025 Did You Know Your IT is a Crime Scene ?
Does planning for cybersecurity failure include the concept of 'crime scene' ? Can you provide evidence to an external investigation sufficient to get justice or simply prove to insurance investigator that you met the policy requirements ? Should you be lobbying governments ? How does this drive your cyber spending - defense, microsegmentation, detection or evidence collection ?
OSPF Router IDs: Do They Actually Have To Be Unique?
This article uses the example of duplicate Router IDs to explore the distribution of Link State Advertisements (LSAs) in the OSPF routing protocol. It covers multiple types of LSAs, Area Border Routers, and more.
The post OSPF Router IDs: Do They Actually Have To Be Unique? appeared first on Packet Pushers.
Making Data Centers Cool Again
As compute power in data centers increases, so too, does cooling requirements. Some of the biggest providers in the world are beginning to look to liquid immersion to keep their systems cool and working.Let’s celebrate the 8th anniversary of Project Galileo!
This post is also available in 日本語, Deutsch, Français, Español and Português.
We started Project Galileo in 2014 with the simple idea that organizations that work in vulnerable yet essential areas of human rights and democracy building should not be taken down because of cyber attacks. In the past eight years, this idea has grown to more than just keeping them secure from a DDoS attack, but also how to foster collaboration with civil society to offer more tools and support to these groups. In March 2022, after the war in Ukraine started, we saw an increase in applications to Project Galileo by 177%.
Read ahead for details on all of our eighth anniversary announcements:
- Two new civil society partners helping choose participants
- New insights on attack patterns using data from Cloudflare Radar
- A portal designed to ease onboarding for Galileo participants
- Details on our sessions at RightsCon this week
- New case studies highlighting Galileo participants and the important work they are doing
Announcing two new Project Galileo partners
This year, we are excited to welcome two new partners, International Media Support and CyberPeace Institute. As we introduce new partners, we are able to expand the project Continue reading
MLAG Deep Dive: Dynamic MAC Learning
In the first blog post of the MLAG Technology Deep Dive series, we explored the components of an MLAG system and the fundamental control plane requirements.
This post focuses on a major building block of the layer-2 data plane functionality: MAC learning. We’ll keep using the same network topology with two switches and five hosts, and assume our system tries its best to implement hot-potato switching (sending the frames toward the destination MAC address on the shortest possible path).
MLAG Deep Dive: Dynamic MAC Learning
In the first blog post of the MLAG Technology Deep Dive series, we explored the components of an MLAG system and the fundamental control plane requirements.
This post focuses on a major building block of the layer-2 data plane functionality: MAC learning. We’ll keep using the same network topology with two switches and five hosts, and assume our system tries its best to implement hot-potato switching (sending the frames toward the destination MAC address on the shortest possible path).
Tech Bytes: How Aruba NaaS Changes Network Consumption (Sponsored)
Today on the Tech Bytes podcast we’re talking about Network as a Service with sponsor Aruba, a Hewlett Packard Enterprise company, including how Aruba defines NaaS, the market appetite for network as a service, customer examples, and more.
The post Tech Bytes: How Aruba NaaS Changes Network Consumption (Sponsored) appeared first on Packet Pushers.
Tech Bytes: How Aruba NaaS Changes Network Consumption (Sponsored)
Today on the Tech Bytes podcast we’re talking about Network as a Service with sponsor Aruba, a Hewlett Packard Enterprise company, including how Aruba defines NaaS, the market appetite for network as a service, customer examples, and more.Network Break 385: VMware, Juniper Release New Security Tools; Judge Orders IBM To Pay BMC $1.6 Billion
Today's Network Break podcast discusses a new threat analytics product from VMware, new security features from Juniper's cloud-delivered security service, a report from Morgan Stanley on why the big network vendors are chasing the enterprise campus, and more IT news.HTTP RFCs have evolved: A Cloudflare view of HTTP usage trends
Today, a cluster of Internet standards were published that rationalize and modernize the definition of HTTP - the application protocol that underpins the web. This work includes updates to, and refactoring of, HTTP semantics, HTTP caching, HTTP/1.1, HTTP/2, and the brand-new HTTP/3. Developing these specifications has been no mean feat and today marks the culmination of efforts far and wide, in the Internet Engineering Task Force (IETF) and beyond. We thought it would be interesting to celebrate the occasion by sharing some analysis of Cloudflare's view of HTTP traffic over the last 12 months.
However, before we get into the traffic data, for quick reference, here are the new RFCs that you should make a note of and start using:
- HTTP Semantics - RFC 9110
- HTTP's overall architecture, common terminology and shared protocol aspects such as request and response messages, methods, status codes, header and trailer fields, message content, representation data, content codings and much more. Obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230.
- HTTP Caching - RFC 9111
- HTTP caches and related header fields to control the behavior of response caching. Obsoletes RFC 7234.
- Continue reading
Revisiting BGP Convergence
My video on BGP convergence elicited a lot of . . . feedback, mainly concerning the difference between convergence in a data center fabric and convergence in the DFZ. Let’s begin here—BGP hunt and the impact of the MRAI are very real in the DFZ. Withdrawing a route can take several minutes.
What about the much more controlled environment of a data center fabric?
Several folks pointed out that the MRAI is often set to 0 in DC fabrics (and many implementations by default). Further, almost all implementations will use an MRAI of 0 for the first received update, holding the second and subsequent advertisements by the MRAI. Several folks also pointed out that all the paths through a DC fabric are the same length, so the second part of the equation is also very small.
These are good points—how do they impact BGP convergence? Let’s use the network below, a small slice of a five-stage butterfly fabric, to think it through. Assume every router is in a different AS, so all the peering sessions are eBGP.
Start with A losing its connection to 101::/64—
- T1: A withdraws its route from B and C
- T2: B withdraws its route from D and E, Continue reading