In its second year as a virtual event, the Indigenous Connectivity Summit will take place on 12-15 October 2021. The COVID-19 pandemic showed us that those who lack connectivity face the effects of starker inequalities. Millions of people across Canada and the United States still can’t take advantage of the benefits of a fast, affordable, […]
The post Register for the 5th Annual Indigenous Connectivity Summit appeared first on Internet Society.
What is Open Policy Agent (OPA)? And what can someone do with it? These are some of the questions that episode 57 of the Full Stack Journey podcast tackles. In this episode, Scott is joined by Diego Comas (@diegocomas on Twitter), a user/consumer of OPA, to discuss his direct experience in using OPA in real production environments.
The post Full Stack Journey 057: Open Policy Agent appeared first on Packet Pushers.
Cloudflare for Teams gives your organization the ability to build rules that determine who can reach specified resources. When we first launched, those rules primarily relied on identity. This helped our customers replace their private networks with a model that evaluated every request for who was connecting, but this lacked consideration for how they were connecting.
In March, we began to change that. We announced new integrations that give you the ability to create rules that consider the device as well. Starting today, we’re excited to share that you can now build additional rules that consider several different factors about the device, like its OS, patch status, and domain join or disk encryption status. This has become increasingly important over the last year as more and more people began connecting from home. Powered by the Cloudflare WARP agent, your team now has control over more health factors about the devices that connect to your applications.
With Cloudflare for Teams, administrators can replace their Virtual Private Networks (VPNs), where users on the network were trusted, with an alternative that does not trust any connection by default—also known as a Zero Trust model.
Customers […]
I’ve written before about the default ARP policer on Juniper MX. It can create some odd failure conditions when you’re connected to noisy networks such as large Internet Exchanges. Junos OS Evolved, as used on platforms like the PTX10003, has low default values for ARP and ICMPv6 ND DDoS protections. It causes the same problems, but is easier to diagnose and mitigate.
Platforms like MX, QFX, PTX have Control Plane DDoS protections built in. These will automatically rate-limit various traffic types that hit the CPU. This is generally a Good Thing. Certain packet types get punted from the ASIC to the CPU, but the CPU can’t handle anywhere near the traffic levels that the forwarding ASIC can. Send enough special packets to a router, choke the CPU, and you might be able to knock things offline. So having default policies to rate-limit traffic makes sense.
Juniper might have “One Junos” but we know it’s not that simple. Behavior varies between platforms. Check these default values for some DDoS protections for different platforms:
| Protocol | MX | QFX | PTX |
|---|---|---|---|
| ARP | 20,000 | 500 | 500 |
| NDPv6 | 20,000 | N/A | 500 |
| ICMP | 20,000 | N/A | 500 |
| BGP | 20,000 | 3,000 | 5,000 |
Note […]
In the Kubernetes ecosystem there are a variety of ways for you to provision your cluster, and which one you choose generally depends on how well it integrates with your existing knowledge or your organization’s established tools.
Kubespray is a tool built using Ansible playbooks, inventories, and variable files—and also includes supplemental tooling such as Terraform examples for provisioning infrastructure. If you’re already using Ansible for configuration management, Kubespray might be a good fit, and there’s even documentation for integrating with your existing Ansible repository.
There are other reasons Kubespray might be a good solution: maybe you want to use the same tooling to deploy clusters on both bare metal and in the cloud, or you might have a niche use case where you have to support different Linux distributions. Or perhaps you want to take advantage of the project’s composability, which allows you to select which components you’d like to use for a variety of services, such as your container runtime or ingress controller, or—particularly relevant to this blog post—your CNI.
In this post, we’ll go over enabling Calico when following the Quick Start tutorial or using Vagrant to deploy Kubernetes locally, as well as how to configure your […]
It’s not widely known that DDoS attacks also cause damage through state exhaustion in devices. A recent study by Netscout surprised me: many engineers are aware of bandwidth overload on routing devices but give less consideration to state exhaustion in application-aware devices.
Firewalls, IPS, and reverse proxies are subject to overload failure when their internal state tables are exhausted. This also applies to server-side caches (Varnish, memcached, etc.), and all of these elements should be part of your DDoS strategy.
Roland Dobbins talks about the nature of these attacks and how to implement stateful protection while using stateless DDOS technology.
The post Tech Bytes: DDOS and State Exhaustion With Netscout Arbor appeared first on Packet Pushers.
My article on Internet centralization just published over at The Public Discourse—
The world of virtual donuts is supply constrained. Extreme Networks finally gets SD-WAN, buying Ipanema from Infovista at a bargain price. Research firm Dell'Oro, which does the numbers, pitches that education and government markets will be spending big on Wi-Fi 6E. We aren't so sure that campus spending will be big, just that there will be some spending, but Dell'Oro told us that government economic stimulus is the driver. Most will focus on distributed work.
Huawei posted a 29% revenue reduction as trade sanctions impact its overall business. A reminder that political solutions are slow if you have to make plans. And in space networking, SpaceX acquires pico-satellite company Swarm for IoT networking.
The post Network Break 346: Extreme Gets SDWAN, Huawei Struggles and SpaceX Swarms appeared first on Packet Pushers.
A locked-down Internet in Iran; Private pictures; More app choices; Returning the booty; Closing the divide.
The post The Week in Internet News: Iran Plans “Blanket Ban” of International Internet Services appeared first on Internet Society.
Open Source has proven instrumental in accelerating software development — providing developers with feature velocity, ease of customization, and quality reusable code. However, the open-source security landscape has clearly changed: the unwritten rule among the open-source community has expired, and open season on hacking open-source software projects has begun. Today’s threat actors have no qualms about injecting malicious code upstream as a way to target downstream applications. Developers need to recognize this new reality and rethink security across the software supply chain.
How did we get here? The push to accelerate digital transformation may be inadvertently introducing vulnerabilities into the software supply chain. Developers, under constant pressure to deliver new software to market faster, often rely on containerized open-source software and public repositories to meet dynamic, agile needs. According to Gartner, nearly three-quarters of global organizations will be running three or more containerized applications in their production environments by 2023. The Cloud Native Computing Foundation (CNCF) also confirmed a similar pattern in its survey, which found the use of containers in production has increased to 92 percent since 2019. With Kubernetes the dominant container orchestration solution, 32% of respondents in the CNCF survey indicated that security […]