Archive

Category Archives for "Networking"

Revocation

A compromised private key should not be accepted. An attacker might use a compromised private key to impersonate a site, and this vulnerability needs to be prevented to ensure that users can use services over the network with trust in their integrity and security. The way to stop a compromised key from being accepted is to disseminate the information that the key is no longer trustable, and this is achieved by revoking the public key certificate. But we are having some problems in taking this theory and creating practical implementations of certificate revocation.

Network performance update: Security Week

Network performance update: Security Week
Network performance update: Security Week

Almost a year ago, we shared extensive benchmarking results of last mile networks all around the world. The results showed that on a range of tests (TCP connection time, time to first byte, time to last byte), and on different measures (p95, mean), Cloudflare was the fastest provider in 49% of networks around the world. Since then, we’ve worked to continuously improve performance towards the ultimate goal of being the fastest everywhere. We set a goal to grow the number of networks where we’re the fastest by 10% every Innovation Week. We met that goal last year, and we’re carrying the work over to 2022.

Today, we’re proud to report we are the fastest provider in 71% of the top 1,000 most reported networks around the world. Of course, we’re not done yet, but we wanted to share the latest results and explain how we did it.

Measuring what matters

To quantify network performance, we have to get enough data from around the world, across all manner of different networks, comparing ourselves with other providers. We used Real User Measurements (RUM) to fetch a 100kb file from several different providers. Users around the world report the performance of different providers. Continue reading

A New One-Stop Shop for Network Security Topics

Your trusty NSX blog is going through a big change.

We’re uniting our VMware security content in the newly designed VMware Security blog.  

Don’t worry, you’ll still be able to find the latest on network automation, application mobility, and load balancing. All the networking content you count on, that’s staying right here.  

However, if you’re looking for current and future articles on network security and threat research, those will now be found in a new home—a blog that centralizes security content across VMware into a single channel.    

You no longer need to switch (blog) channels for security news, insights, and resources. The newly designed VMware Security Blog will become your new one-stop-shop for key perspectives from experts, specialists, and leaders across VMware NSX, Threat Analysis Unit, and Carbon Black.  

On the new blog, you can expect to find all the network security content you know and love — including:  

  • Important insights and announcements regarding threat research, endpoint security, and network security
  • Key analysis of recent ransomware attacks, insights on techniques deployed, and how threats can be detected and mitigated
  • Infographics, data points, and award recognition illustrating the strength of VMware security solutions
  • Invites Continue reading

Use Multi-Availability Zone Kubernetes for Disaster Recovery

Nicolas Vermandé Nicolas is the principal developer advocate at Ondat. He is an experienced hands-on technologist, evangelist and product owner who has been working in the fields of cloud native technologies, open source software, virtualization and data center networking for the past 17 years. Passionate about enabling users and building cool tech solving real-life problems, you'll often see him speaking at global tech conferences and online events. Outages and degraded performance are inevitable. Operators make mistakes; new protocols introduce errors, natural disasters damage equipment and more. That’s why rather than trust Amazon’s ability to design a hurricane-proof data center, most platform managers opt to spread their application’s infrastructure across multiple availability zones (AZs). AZ outages aren’t terribly common, but

Application security: Cloudflare’s view

Application security: Cloudflare’s view
Application security: Cloudflare’s view

Developers, bloggers, business owners, and large corporations all rely on Cloudflare to keep their applications secure, available, and performant.

To meet these goals, over the last twelve years we have built a smart network capable of protecting many millions of Internet properties. As of March 2022, W3Techs reports that:

“Cloudflare is used by 80.6% of all the websites whose reverse proxy service we know. This is 19.7% of all websites”

Netcraft, another provider who crawls the web and monitors adoption puts this figure at more than 20M active sites in their latest Web Server Survey (February 2022):

“Cloudflare continues to make strong gains amongst the million busiest websites, where it saw the only notable increases, with an additional 3,200 sites helping to bring its market share up to 19.4%”

The breadth and diversity of the sites we protect, and the billions of browsers and devices that interact with them, gives us unique insight into the ever-changing application security trends on the Internet. In this post, we share some of those insights we’ve gathered from the 32 million HTTP requests/second that pass through our network.

Definitions

Before we examine the data, it is useful to define Continue reading

New cities on the Cloudflare global network: March 2022 edition

New cities on the Cloudflare global network: March 2022 edition

If you follow the Cloudflare blog, you know that we love to add cities to our global map. With each new city we add, we help make the Internet faster, more reliable, and more secure. Today, we are announcing the addition of 18 new cities in Africa, South America, Asia, and the Middle East, bringing our network to over 270 cities globally. We’ll also look closely at how adding new cities improves Internet performance, such as our new locations in Israel, which reduced median response time (latency) from 86ms to 29ms (a 66% improvement) in a matter of weeks for subscribers of one Israeli Internet service provider (ISP).

The Cities

Without further ado, here are the 18 new cities in 10 countries we welcomed to our global network: Accra, Ghana; Almaty, Kazakhstan; Bhubaneshwar, India; Chiang Mai, Thailand; Joinville, Brazil; Erbil, Iraq; Fukuoka, Japan; Goiânia, Brazil; Haifa, Israel; Harare, Zimbabwe; Juazeiro do Norte, Brazil; Kanpur, India; Manaus, Brazil; Naha, Japan; Patna, India; São José do Rio Preto, Brazil; Tashkent, Uzbekistan; Uberlândia, Brazil.

Cloudflare’s ISP Edge Partnership Program

But let’s take a step back Continue reading

DC Fabric Webinar

Sorry for the short notice … I’m teaching a three-hour webinar on DC fabrics and control planes this coming Friday, the 25th, through Safari Books Online. This course covers the basics of spine-and-leaf fabrics, as well as some high level information on various DC fabric control plane options (BGP, RIFT, and IS-IS). Please register here.

How to Pass AWS CLF

AWS CLF Exam

How to pass the Certified Cloud Practitioner from AWS, exam details and type, and what to expect

AWS CLF Exam Content & Topics

The exam agenda starts with the concept of cloud computing and differences of it with on-premise networks.

then it shows you all the AWS services that will be more than enough to migrate or establish a network on AWS’s cloud

which will have all the facilities and can be fully or partially managed by AWS for you.

and of course everything comes for a price, AWS will declare the prices of their services, what is for FREE and what is not

and will provide many easy tools for costs calculation and best practices with AWS.

Amazon’s Touch in the CLF Exam

Amazon provides a free tier 12-month access to whomever creates an account for the 1st time with them

the account has a free access to many AWS services that will allow for both studying and actual testing/benefiting from their services.

AWS CLF Exam Nature & Type

The current version of this exam CLF-C01 has a 65 written question in the exam.

all the questions are single/multi-answer MCQs and no other type of questions Continue reading

What is AWS CLF

What is AWS CLF

Amazon Web Services (AWS) CLF or CCP, how you want to name it (CLF is the official exam and badge name).

as it stands for Certified Cloud Practitioner, with the current version of CLF-C01.

AWS CLF is the very first step for any engineer, regardless of their experience in the IT domain,

to start understanding and put a step in the world of cloud computing.

CLF with AWS Services

The exam/certificate focuses on many different aspects, some are shared with other exams from AWS, some are CLF-Focused.

This includes the concept of cloud computing, comparison of many aspects of networking between On-premise networks and cloud networks.

Introduction to AWS and how much does AWS covers/offers of on-premise services on their cloud, ready to be directly initiated and used.

AWS most critical aspect when you decide to network on their infrastructure, and that is “Billing”, this is a very important and critical concept to really understand and know how to deal with when you start working with AWS networks.

Is AWS-CLF important?

Many tends to skip this exam, and keeps spreading the idea that “SAA is the Associate exam of AWS Services, and it should be the Continue reading

What is IPv6, and why is adoption taking so long?

For the most part the dire warnings about running out of internet addresses have ceased because, slowly but surely, migration from the world of Internet Protocol Version 4 (IPv4) to IPv6 has begun, and software is in place to prevent the address apocalypse that many were predicting.But before we see where are and where we’re going with IPv6, let’s go back to the early days of internet addressing.What is IPv6 and why is it important? IPv6 is the latest version of the Internet Protocol, which identifies devices across the internet so they can be located. Every device that uses the internet is identified through its own IP address in order for internet communication to work. In that respect, it’s just like the street addresses and zip codes you need to know in order to mail a letter.To read this article in full, please click here

Using fail2ban on Fedora

The fail2ban tool in Linux monitors system logs for signs of attacks, putting offending systems into what is called "jail", and modifying firewall settings. It shows what systems are in jail at any given time, and requires root access to configure and view findings. It's generally used on Linux servers.fail2ban primarily focuses on SSH attacks, but can be configured to look for other kinds of attacks as well.How to install fail2ban on Fedora 34 To prepare for installing fail2ban, it's a good idea to update the system first:$ sudo dnf update && sudo dnf upgrade -y Then install fail2ban and verify its presence on your system with commands like these:To read this article in full, please click here

NaaS adoption will thrive despite migration challenges

Network-as-a-service (NaaS) is gaining momentum, providing a subscription-based model that eliminates the need for enterprises to own, build, and maintain their own network infrastructure. By replacing conventional hardware-centric VPNs, firewall appliances, load balancers, and MPLS connections, NaaS technology promises adopters the ability to rapidly scale up and down in lockstep with demand while eliminating hardware costs and bolstering network security and service levels.To read this article in full, please click here

Using fail2ban on Fedora

The fail2ban tool in Linux monitors system logs for signs of attacks, putting offending systems into what is called "jail", and modifying firewall settings. It shows what systems are in jail at any given time, and requires root access to configure and view findings. It's generally used on Linux servers.fail2ban primarily focuses on SSH attacks, but can be configured to look for other kinds of attacks as well.How to install fail2ban on Fedora 34 To prepare for installing fail2ban, it's a good idea to update the system first:$ sudo dnf update && sudo dnf upgrade -y Then install fail2ban and verify its presence on your system with commands like these:To read this article in full, please click here

Automating NSX-T Deployments

Nicholas Michel open-sourced an automation solution (video) that deploys the whole NSX-T infrastructure stack including:

  • NSX-T manager virtual machines
  • NSX-T uplink profiles and IP pools
  • Transport zones and transport nodes (NSX-T modules on ESXi hypervisors)
  • Edge clusters including BGP, EVPN and BFD

Once the infrastructure is set up, his solution uses a Terraform configuration file to deploy multiple tenants: external VLANs, tier-0 gateways, BGP neighbors, tier-1 gateways, and application segments.

While the infrastructure part of his solution might be fully reusable, the tenant deployments definitely aren’t, but they provide a great starting point if you decide to build a fully automated provisioning system.

Automating NSX-T Deployments

Nicholas Michel open-sourced an automation solution (video) that deploys the whole NSX-T infrastructure stack including:

  • NSX-T manager virtual machines
  • NSX-T uplink profiles and IP pools
  • Transport zones and transport nodes (NSX-T modules on ESXi hypervisors)
  • Edge clusters including BGP, EVPN and BFD

Once the infrastructure is set up, his solution uses a Terraform configuration file to deploy multiple tenants: external VLANs, tier-0 gateways, BGP neighbors, tier-1 gateways, and application segments.

While the infrastructure part of his solution might be fully reusable, the tenant deployments definitely aren’t, but they provide a great starting point if you decide to build a fully automated provisioning system.

Tools 9. Monitoring Availability of Customers via HTTP GET, ICMP, and DNS via Dockerised Prometheus

Hello my friend,

in the previous blogpost we’ve started the discussion how you can improve your customers’ experience in your network via better observability of the network health with Prometheus by means of periodic automated speedtest and iperf3 measurements. Albeit it is very important and useful, it doesn’t tell you if the customers’ or your own resources are available. By resource we mean any exposed service, such as web page, streaming service, etc. Today you will learn how to setup a monitoring with Docekrised Prometheus to make sure that you know for sure if the services are available for customers.


1
2
3
4
5
No part of this blogpost could be reproduced, stored in a
retrieval system, or transmitted in any form or by any
means, electronic, mechanical or photocopying, recording,
or otherwise, for commercial purposes without the
prior permission of the author.

Why to Automate Monitoring?

Monitoring allows to make you aware, what is the state of resources you are interested in. At a bare minimum, you shall be notified if the state of resources deviates from the acceptable value and, therefore, crosses some threshold. At the same time, this is just the first step. The end goal Continue reading

Unlocking QUIC’s proxying potential with MASQUE

Unlocking QUIC’s proxying potential with MASQUE
Unlocking QUIC’s proxying potential with MASQUE

In the last post, we discussed how HTTP CONNECT can be used to proxy TCP-based applications, including DNS-over-HTTPS and generic HTTPS traffic, between a client and target server. This provides significant benefits for those applications, but it doesn’t lend itself to non-TCP applications. And if you’re wondering whether or not we care about these, the answer is an affirmative yes!

For instance, HTTP/3 is based on QUIC, which runs on top of UDP. What if we wanted to speak HTTP/3 to a target server? That requires two things: (1) the means to encapsulate a UDP payload between client and proxy (which the proxy decapsulates and forward to the target in an actual UDP datagram), and (2) a way to instruct the proxy to open a UDP association to a target so that it knows where to forward the decapsulated payload. In this post, we’ll discuss answers to these two questions, starting with encapsulation.

Encapsulating datagrams

While TCP provides a reliable and ordered byte stream for applications to use, UDP instead provides unreliable messages called datagrams. Datagrams sent or received on a connection are loosely associated, each one is independent from a transport perspective. Applications that are built on top of Continue reading