Category Archives for "Networking"

seccomp — Unsafe at any speed

I’ll just assert that there’s no way to use seccomp() correctly. Just like how there’s no way to use gets() correctly, which is why it was eventually removed from the C and C++ standards.

seccomp, briefly

seccomp lets a process install a ruleset (a BPF program, hence “seccomp-bpf”) that the kernel evaluates on every syscall, allowing, denying, trapping or killing based on the syscall number and its arguments.

The obvious thing is to filter anything your program isn’t supposed to be doing. If it doesn’t do file IO, don’t let it open files. If it’s not supposed to execute anything, don’t let it do that.

But whether you use a whitelist (e.g. only allow working with already open file descriptors) or a blacklist (e.g. don’t allow it to open these files), the approach is fundamentally flawed.

1. Syscalls change. Sometimes without even recompiling

open() in your code actually becomes the openat syscall. Maybe. At least today. At least on my machine, today.

select() actually becomes pselect6. At least on Fridays.

Upgrade libc, or ship the binary to a machine with a different libc, kernel or architecture, and a filter tuned to one set of syscall numbers may start failing, or, worse, silently allow what it was meant to block.

2. Surprising syscalls

Calling printf() will call the syscall newfstatat, a syscall hard to even parse into words. (It is glibc’s stdio calling fstat on stdout to decide whether the stream should be line-buffered or fully buffered.) But only the first time you call it! So after your first printf() you can block newfstatat, provided nothing else in the process needs to stat a file later.

Maybe
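To make the first two points concrete, here is an added example (mine, not from the original post) that installs a raw seccomp-bpf filter without libseccomp. It denies the whole path-opening family, open, openat and openat2, with EPERM and then calls plain open() from libc. Whichever syscall libc picks underneath, the open fails; a filter that only knew about __NR_open would be quietly bypassed on a glibc that prefers openat. The example assumes Linux on x86_64 or aarch64 (the AUDIT_ARCH_* check kills the process on any other architecture) and that the sandbox you run it in permits installing seccomp filters.

```c
/* Added example, not from the original post: a minimal seccomp-bpf filter
 * written against the raw kernel interface (no libseccomp).  It denies every
 * path-opening syscall with EPERM and then calls libc's portable open().
 * Which syscall open() really issues (open, openat, openat2) is libc's
 * choice, so the filter has to cover the whole family, not just __NR_open.
 * Assumes Linux on x86_64 or aarch64. */
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#  define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define DEMO_ARCH AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS
#  define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL   /* pre-4.14 headers */
#endif

/* Deny one syscall number with -EPERM (expands to two BPF instructions). */
#define DENY_SYSCALL(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

/* Install a filter that refuses every path-opening syscall.  Returns 0 on
 * success, -1 (errno set) if the kernel or sandbox refuses the filter. */
int install_no_open_filter(void)
{
    struct sock_filter filter[] = {
        /* Syscall numbers differ per architecture, so a filter written for
           the wrong arch is meaningless (and silently permissive): kill the
           process if the arch field is not the one we compiled for. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* Load the syscall number and deny the whole open family. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
#ifdef __NR_open
        DENY_SYSCALL(__NR_open),       /* legacy number; absent on aarch64 */
#endif
        DENY_SYSCALL(__NR_openat),     /* what modern glibc uses for open() */
#ifdef __NR_openat2
        DENY_SYSCALL(__NR_openat2),    /* newer variant a future libc may pick */
#endif
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    /* Unprivileged processes may only install a filter after this. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}

/* Call libc's open() on a path that always exists and return the resulting
 * errno, or 0 if the open unexpectedly succeeded. */
int open_errno_under_filter(void)
{
    int fd = open("/dev/null", O_RDONLY);
    if (fd >= 0) { close(fd); return 0; }
    return errno;
}

int main(void)
{
    if (install_no_open_filter() != 0) {
        perror("seccomp");
        return 1;
    }
    int e = open_errno_under_filter();
    printf("open(\"/dev/null\") after the filter: %s\n",
           e ? strerror(e) : "succeeded");
    return e == EPERM ? 0 : 1;
}
```

Drop the openat entries and keep only __NR_open and you will see the open succeed on any glibc that routes open() through openat, which is exactly the failure mode the post is describing. The same goes for the printf()/newfstatat case: the syscall you have to name is the one libc chose, not the one you called.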

Zero-trust for cloud-native workloads

There has been a huge uptick in microservices adoption in the data analytics domain, primarily aided by machine learning (ML) and artificial intelligence (AI) projects. Some of the reasons why containers are popular among ML developers are ease of portability, scalability, and quick access to data through services, specifically network services. The rise of cloud-native applications, especially for big data in the analytics sector, makes these applications a prime target for cybercrime.

Preventing threat actors from breaching the network and accessing critical data or applications is a daunting task for one team or individual to take on alone. DevOps and security engineers, SREs, and platform architects all need to work together to facilitate the process. These teams are usually presented with two challenges:

  • Because the fundamental architecture of microservices is distributed, east-west traffic between services is unavoidable. And since most common deployments use a multi-cloud or hybrid model, there is no real network perimeter to defend.
  • One or more microservices will access external services such as third-party cloud services, APIs, and applications, resulting in multiple ingress/egress points for north-south traffic.

This article talks about what organizations need to know about zero trust for cloud-native workloads, and how zero trust

Stream now supports SRT as a drop-in replacement for RTMP

SRT is a new and modern live video transport protocol. It features many improvements over the incumbent video ingest protocol, RTMP, such as lower latency, better resilience against unpredictable network conditions on the public Internet, and optional AES encryption of the stream with a pre-shared passphrase. SRT supports newer video codecs and makes it easier to use accessibility features such as captions and multiple audio tracks. While RTMP development has been abandoned since at least 2012, SRT development is maintained by an active community of developers.

We don’t see RTMP use going down anytime soon, but we can do something so authors of new broadcasting software, as well as video streaming platforms, can have an alternative.

Starting today, in open beta, you can use Stream Connect as a gateway to translate SRT to RTMP or RTMP to SRT with your existing applications. This way, you can get the last-mile reliability benefits of SRT and can continue to use the RTMP service of your choice. It’s priced at $1 per 1,000 minutes, regardless of video encoding parameters.

You can also use SRT to go live on Stream Live, our end-to-end live streaming service, to get HLS and DASH manifest URLs from your SRT input, and do simulcasting to multiple

How Cloudflare verifies the code WhatsApp Web serves to users

How do you know the code your web browser downloads when visiting a website is the code the website intended you to run? In contrast to a mobile app downloaded from a trusted app store, the web doesn’t provide the same degree of assurance that the code hasn’t been tampered with. Today, we’re excited to be partnering with WhatsApp to provide a system that assures users that the code run when they visit WhatsApp on the web is the code that WhatsApp intended.

With WhatsApp usage in the browser growing, and the increasing number of at-risk users — including journalists, activists, and human rights defenders — WhatsApp wanted to take steps to provide assurances to browser-based users. They approached us to help dramatically raise the bar for third-parties looking to compromise or otherwise tamper with the code responsible for end-to-end encryption of messages between WhatsApp users.

So how will this work? Cloudflare holds a hash of the code that WhatsApp users should be running. When users run WhatsApp in their browser, the WhatsApp Code Verify extension compares a hash of the code that is executing in their browser with the hash that Cloudflare has — enabling them to easily see

9 career-boosting Wi-Fi certifications

If you’re looking to add more certifications to your resume, don’t forget about wireless! Whether you’re just starting your IT career, have been in IT before Wi-Fi was a thing, or even if you have a non-IT position, there are certifications to help prove your wireless knowledge and skills. For starters, there are vendor-neutral certifications from Certified Wireless Network Professionals (CWNP), one of the most popular programs in the wireless world. These are great if you aren’t already loyal to a networking brand. And even if you already have a favorite brand, these go deeper into the 802.11 standards and radio frequency (RF) technology without all the proprietary details and brand specifics.

What You Should Know About Your Extended Social Media Network

Social media sites are among the most used sites on the Internet, with hundreds of millions of mobile users between them. They provide many different services: a place to upload images and videos for fun, a means of communication, a way to meet people of different beliefs and cultures from all over the world, a way to learn and explore new things, and a place to do business. If you are reading this article you are probably a social media user yourself, and you know there is a lot to gain from these sites. Let’s consider some of the most popular social media sites and what you should know about them.

  • Facebook: This is one of the most popular social media sites, used by over 350 million users. You get to be friends with other Facebook users: a friend request is sent and has to be accepted by the receiver. It is a platform where people mostly share images and videos of various kinds under various genres. You can always access your genre of interest by using the search icon shaped like a

Should We Use LISP?

LISP started as yet-another ocean-boiling project focused initially on solving the “we use locators as identifiers” mess (not quite), and providing scalable IPv6 connectivity over IPv4-only transport networks by adding another layer of indirection and thus yet again proving RFC 1925 rule 6a. At least those are the diagrams I remember from the early “look at this wonderful tool” presentations explaining for example how Facebook is using LISP to deploy IPv6 (more details in this presentation).

Somehow that use case failed to gain traction and so the pivots started explaining how one can use LISP to solve IP mobility or IP multihoming or live VM migration, or to implement an IP version of conversational learning in Cisco SD-Access. After a few years of those pivots, I started dismissing LISP with a short “cache-based forwarding never worked well” counterargument.

Using ClamAV to detect viruses on Linux

One popular and easy-to-use tool for detecting virus infections on Linux systems is ClamAV. It's open source and free, and runs on many Linux systems, Ubuntu and Fedora included. In this post, we'll take a look at how to install and use the tool on Ubuntu, Linux Mint, and related systems.

Installing ClamAV on Linux Mint

The first step for installing ClamAV on Ubuntu, Mint, and related distros should be to update your system.

$ sudo apt update && sudo apt upgrade -y

After that, you can install ClamAV and verify the installation with commands like these:

$ sudo apt-get install clamav clamav-daemon
$ clamscan --version
ClamAV 0.103.5/26469/Wed Mar 2 04:27:25 2022

ClamAV commands

ClamAV's tools are clamscan to do the scanning and freshclam to update the list of known virus signatures.

Micro-segmentation and Beyond with NSX Firewall

VMware-based workload environments are the norm in private clouds for enterprise-class customers. 100%[1] of Fortune 500 companies deploy vSphere/ESXi. Further, ~99% of Fortune 1000 and ~98%[2] of Forbes Global 2000 companies deploy vSphere/ESXi. VMware’s deep presence in enterprise private clouds has made NSX Firewall the preferred micro-segmentation solution for these enterprises.

Below, we expand on how the NSX Firewall has developed its prominent position in enterprise private clouds.

Agentless and Agent-based Operation

Virtualized x86 workloads on hypervisors represent ~80%[3] of all enterprise workloads. VMware’s hypervisor-based micro-segmentation solution – NSX Firewall – is the preferred agentless solution for such workloads because of the solution’s tight integration with the rest of the VMware ecosystem.

~15% of workloads at enterprises are x86-based (Windows, Linux) but not virtualized. The NSX Firewall handles these workloads with NSX agents.

~5% of workloads at enterprises are non-x86-based. VMware provides an (agentless) layer 2-7 gateway firewall that supports micro-segmentation for these workloads. Note that the gateway firewall eliminates the need for integration with physical switches, routers, and load-balancers.

Between these mechanisms, 100% of all workloads in the private cloud are protected. In practice, given VMware’s penetration of enterprises, VMware’s agentless solutions apply to the vast

Hedge 121: Computing in the Network with Marie-Jose Montpetit

Can computation be drawn into the network, rather than always being pushed to the edge of the network? Taking content distribution networks as a starting point, the COIN research group is looking at ways to make networks more content and computationally aware, bringing compute into the network itself. Join Alvaro Retana, Marie-Jose Montpetit, and Russ White, as we discuss the ongoing research around computing in the network.

What’s next for Ethernet?

Higher, more cost-efficient speeds and better integration between IT and operational technology (OT) environments are two of the hottest areas of Ethernet development. That was on display this week at the Optical Fiber Communication conference, where the Ethernet Alliance issued its latest Ethernet Roadmap and a variety of vendors showed off the interoperability of the ubiquitous networking technology, now nearly 50 years old. “Ethernet is the most important thing in the world that no one ever sees,” said Peter Jones, chair of the Ethernet Alliance and distinguished engineer with the Enterprise, Data Center & IoT Networks group at Cisco.