Archive

Category Archives for "Networking"

The Tyranny of Technical Debt, Numerically

A Candlestick Phone (image courtesy of WIkipedia)

This week on the Gestalt IT Rundown, I talked about the plan by Let’s Encrypt to reuse some reserved IP address space. I’ve talked about this before and I said it was a bad idea then for a lot of reasons, mostly related to the fact that modern operating systems are coded not to allow 240/4 as a valid address space, for example. Yes, I realize that when the address space was codified back in the early days of the Internet that decisions were made to organize things and we “lost” a lot of addresses for experimental reasons. However, this is not the only time this has happened. Nor is it the largest example. For that, we need to talk about the device that you’re very likely reading this post on right now: your phone.

By the Numbers

We’re going to be referring to the North American Numbering Plan (NANP) in this post, so my non-US readers are going to want to click that link to understand how phone numbering works in the US. The NANP was devised back in the 1940s by AT&T as a way to assign numbers to the Continue reading

What Is Zero Trust Data Protection?

As cyberattacks continue to escalate; companies grow their use of tech services outside of their network perimeters and the government and other organizations work with ever more sensitive personal, corporate, and government data, there is increasing adoption of zero trust data protection. So, What Is Zero Trust Data Protection? Zero trust data protection is a security methodology that includes a framework of technologies and best practices that an organization needs to define and adopt across their IT environments over time, explained Steve Malone, Sumo Logic director of security product. “It’s the culmination of something that’s been happening in security over the last 20 years, which is the perimeter is not the point of enforcement anymore because of the way that technology works today.” Interest in operating in a zero trust data protection environment has gained plenty of interest in the last few years, according to Michael Gorelik,

Connecting to your Linux system with your Android phone

While using your cell phone to connect to your Linux system might not seem like much of a priority, it is possible and you might have a good reason to do this from time to time. If you have an Android cell phone, you can install a tool that will allow you to connect, open a terminal session on your Linux box and run commands just like you would if you were sitting in front of the system. Well, almost.The tool that I recommend is called JuiceSSH. It installs easily and leaves an icon with an image of a lemon with its name below it on your screen. Click on that icon and select Quick Connect to set up your connection.To read this article in full, please click here

Who is selling Zero Trust Network Access (ZTNA) and what do you get?

Enterprise interest in Zero Trust Network Access (ZTNA) has soared over the past two years among organizations trying to enable secure anywhere, anytime, any device access to IT resources for employees, contractors and third parties.Much of this interest has stemmed from organizations looking to replace VPNs as the primary remote access mechanism to their networks and data. But it is also being driven by organizations seeking to bolster security in an environment where enterprise data is scattered across on-premises and multi-cloud environments, and being accessed in more ways than ever before.To read this article in full, please click here

Connecting to your Linux system with your Android phone

While using your cell phone to connect to your Linux system might not seem like much of a priority, it is possible and you might have a good reason to do this from time to time. If you have an Android cell phone, you can install a tool that will allow you to connect, open a terminal session on your Linux box and run commands just like you would if you were sitting in front of the system. Well, almost.The tool that I recommend is called JuiceSSH. It installs easily and leaves an icon with an image of a lemon with its name below it on your screen. Click on that icon and select Quick Connect to set up your connection.To read this article in full, please click here

Who is selling Zero Trust Network Access (ZTNA) and what do you get?

Enterprise interest in Zero Trust Network Access (ZTNA) has soared over the past two years among organizations trying to enable secure anywhere, anytime, any device access to IT resources for employees, contractors and third parties.Much of this interest has stemmed from organizations looking to replace VPNs as the primary remote access mechanism to their networks and data. But it is also being driven by organizations seeking to bolster security in an environment where enterprise data is scattered across on-premises and multi-cloud environments, and being accessed in more ways than ever before.To read this article in full, please click here

Who is selling Zero Trust Network Access (ZTNA) and what do you get?

The last few years have seen an explosion of interest in Zero Trust Network Access (ZTNA). The zero trust approach replaces the perimeter defense model with a "least privilege" framework where users authenticate to access specific data and applications, and their activities are continuously monitored.ZTNA gained a boost in the wake of the COVID-19 pandemic, with more employees working remotely. The old perimeter defense model, exemplified by VPNs, provides a secured internet connection that gives remote users privileges as if they were on an internal private network. This doesn't match up with a zero trust mindset; and to make things worse, many organizations found that their infrastructure couldn't handle the traffic loads created by large numbers of remote workers connecting via VPN. To read this article in full, please click here

Cloudflare customers are protected from the Atlassian Confluence CVE-2022-26134

Cloudflare customers are protected from the Atlassian Confluence CVE-2022-26134
Cloudflare customers are protected from the Atlassian Confluence CVE-2022-26134

On June 02, 2022 Atlassian released a security advisory for their Confluence Server and Data Center applications, highlighting a critical severity unauthenticated remote code execution vulnerability. The vulnerability is as CVE-2022-26134 and affects Confluence Server version 7.18.0 and all Confluence Data Center versions >= 7.4.0.

No patch is available yet but Cloudflare customers using either WAF or Access are already protected.

Our own Confluence nodes are protected by both WAF and Access, and at the time of writing, we have found no evidence that our Confluence instance was exploited.

Cloudflare reviewed the security advisory, conducted our own analysis, and prepared a WAF mitigation rule via an emergency release. The rule, once tested, was deployed on June 2, 2022, at 23:38 UTC with a default action of BLOCK and the following IDs:

  • 100531 (for our legacy WAF)
  • 408cff2b  (for our new WAF)

All customers using the Cloudflare WAF to protect their self-hosted Confluence applications have automatically been protected since the new rule was deployed.

Customers who have deployed Cloudflare Access in front of their Confluence applications were protected from external exploitation attempts even before the emergency release. Access verifies every request made to a Confluence application to Continue reading

The Path the Resolverless DNS

Telecommunications infrastructure is not isolated from the world of politics, and its not just limited to pronoucments of who can provide 5G networks in various countries. The world of undersea cables is similarly being shaped by these same political tensions, and this is clearly evident in the western Pacific Ocean.

Hedge 132: DNS Complexity and the DNAME

We all intuitively know the DNS is complex—and becoming more complex over time. Describing just how complex, however, is difficult. Siva Kesava and Ryan Beckett just published a research paper taking on the task of describing DNS complexity, particularly in light of the new DNAME record type. It turns out its complex enough that you can no longer really validate zone files.

download

Network Service Mesh: Linking multicloud workloads

Networking multicloud-based enterprise workloads can be complicated and tedious, but there is an open-source software project underway that may change that.Called Network Service Mesh, the project would enable cloud-based Kubernetes workloads to communicate securely regardless of where they are located in disparate clouds and is under the auspices of the Cloud Native Computing Foundation, which is part of the Linux Foundation. [ Get regularly scheduled insights by signing up for Network World newsletters. ] And the need for such technology is growing.  Cisco recently issued a study that says organizations with 5,000 or more employees are likely use more than 10 public-cloud providers and 20 to 100 SaaS providers across categories such as email, collaboration and video calling, and customer-relationship and human-capital management.To read this article in full, please click here

Cisco, Kyndryl team up on edge networking, private cloud, managed services

Cisco and Kyndryl have partnered to help enterprise customers implement a broad range of technologies from private 5G to data-center gear to edge devices.Under the partnership the companies will also provide software-defined networking (SDN), and secure multi-network wide area network (WAN) technology delivered as services, the vendors stated.  [ Get regularly scheduled insights by signing up for Network World newsletters. ]To read this article in full, please click here

Using Ixia-c to test RTBH DDoS mitigation

Remote Triggered Black Hole Scenario describes how to use the Ixia-c traffic generator to simulate a DDoS flood attack. Ixia-c supports the Open Traffic Generator API that is used in the article to program two traffic flows: the first representing normal user traffic (shown in blue) and the second representing attack traffic (show in red).

The article goes on to demonstrate the use of remotely triggered black hole (RTBH) routing to automatically mitigate the simulated attack. The chart above shows traffic levels during two simulated attacks. The DDoS mitigation controller is disabled during the first attack. Enabling the controller for the second attack causes to attack traffic to be dropped the instant it crosses the threshold.

The diagram shows the Containerlab topology used in the Remote Triggered Black Hole Scenario lab (which can run on a laptop). The Ixia traffic generator's eth1 interface represents the Internet and its eth2 interface represents the Customer Network being attacked. Industry standard sFlow telemetry from the Customer router, ce-router, streams to the DDoS mitigation controller (running an instance of DDoS Protect). When the controller detects a denial of service attack it pushed a control via BGP to the ce-router, Continue reading

1 448 449 450 451 452 3,497