Archive

Category Archives for "Networking"

How to buy SASE

Wouldn’t it be great if there were a cloud-based service that combined networking and security so that users located anywhere could safely and efficiently access applications and data located anywhere? That’s the aim of SASE (rhymes with gassy). SASE isn’t a single product, but rather an approach, a platform, a collection of capabilities, an aspiration. Gartner coined the term Secure Access Service Edge in a 2019 research report, and the name stuck. Vendors have been doing backflips trying to cobble together complete SASE offerings, which would include at a minimum software-defined WAN (SD-WAN), secure web gateway (SWG), cloud access security broker (CASB), firewall-as-a-service (FWaaS) and zero trust network access (ZTNA).

Highlights: Multi-Threaded Routing Daemons

The multi-threaded routing daemons blog post generated numerous in-depth comments here and on LinkedIn. As always, thanks a million for keeping me honest and providing more details or additional perspectives. Here are some of the best bits.

Jeff Tantsura provided the first dose of reality:

All modern routing protocol implementations are multi-threaded, with a minimum separation of adjacency handling, route calculations and update generation. Note: writing multi-threaded code for complex tasks is a non-trivial exercise (you could search for thread safety and similar artifacts and what happens when not implemented correctly). Moving to multi-threaded code in the early 2010s resulted in a multi-release (multi-year) effort and hundreds of related bugs all around.

Dr. Tony Przygienda added his hands-on experience (he’s been developing routing protocol software for ages):

Amazon announces third generation of Graviton processors

At its annual re:Invent conference, Amazon Web Services announced the newest generation of its Arm-based Graviton processors, the Graviton 3, which the company claims will be 25% or more faster than the previous generation in key workloads. The 25% figure is likely for integer workloads, because AWS also said the Graviton 3 delivers double the floating-point performance, a three-fold improvement in machine-learning workloads, and better cryptographic performance. AWS also claims the new chips will use 60% less power. The chips will power new EC2 C7g instances in the AWS cloud, and those instances will be the first in EC2 to use DDR5 memory, which delivers 50% higher bandwidth than DDR4 with a much lower power draw.

Cisco hit with software and physical issues

Cisco Systems has been hit with an unusual double-whammy of issues, one in software and one in hardware. First, the more serious issue: a firewall flaw. Positive Technologies, a security research firm that hunts for vulnerabilities, posted a warning that a flaw in Cisco firewall appliances could let attackers cause them to fail, a denial of service. The problem affects the Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) firewalls; Forrester Research says there are more than a million of them deployed worldwide. Positive rated the severity of the vulnerability as high and recommended that users install the available updates as soon as possible.

Use dmesg to check your Linux system’s kernel message buffer

The dmesg command displays the content of the kernel's message buffer since the system's most recent boot. It shows a lot of detail about how the system is working and about problems it might be running into that you won't normally see. That can be a lot of data, but there are several tricks for paring it down. For example, even though the system queried below has only been up a little more than three days, it has collected more than a thousand lines:

    $ dmesg | wc -l
    1034

If you type only dmesg, you will see all available data. Sudo access is usually not required, but distributions that set kernel.dmesg_restrict=1 (a hardening default on several current releases) answer unprivileged users with "Operation not permitted", so there you need sudo. You can pipe the output of dmesg to more or less to scan through it, or to grep, but the command itself provides a lot of options for selecting the most relevant information, such as --level and --facility to filter by severity and source and -T for human-readable timestamps.
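As an added example (not code from the Network World article), the shell functions below perform the paring-down the article describes against a constructed sample of "dmesg -x" (decoded facility and level) output, so they run without access to a real kernel log: filtering to a minimum severity, counting messages per facility and level, and pulling out the lines an incident responder triages first (AppArmor/SELinux audit denials, crashes reported by the kernel, and OOM kills). Every sample line, host name and process name is invented. On util-linux systems "dmesg --level=err,warn" does the severity filter natively; the awk version shows what that option is doing.

```shell
#!/bin/sh
# Added example, not code from the article. Pares down kernel log output offline.
# SAMPLE_DMESG_X is a CONSTRUCTED imitation of "dmesg -x" (decoded facility and
# level) output; the host, driver and process names are invented.
SAMPLE_DMESG_X='kern  :notice: [    0.000000] Linux version 5.15.0-generic (buildd@lcy02) (gcc 11.2.0)
kern  :info  : [    0.004123] ACPI: Early table checksum verification disabled
kern  :warn  : [    1.234567] acpi PNP0A08:00: ECAM area not reserved by BIOS
kern  :info  : [    2.345678] eth0: link becomes ready
kern  :err   : [   12.000001] EXT4-fs (sda2): error loading journal
kern  :info  : [  100.500000] audit: type=1400 audit(1638000000.123:45): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=1234 comm="cupsd"
kern  :info  : [  200.000000] traps: badprog[4321] general protection fault ip:55d4c0a1b2c3 sp:7ffd1234abc0 error:0 in badprog[55d4c0a00000+1000]
kern  :err   : [  300.000000] Out of memory: Killed process 5678 (java) total-vm:8000000kB, anon-rss:7000000kB
user  :notice: [  400.000000] systemd[1]: Started Session 3 of user alice.'

# Keep only lines at or above a severity threshold. Syslog order, most severe
# first: emerg alert crit err warn notice info debug. Equivalent to
# "dmesg --level=..." on util-linux, but done in awk so the sample above works.
dmesg_at_least() {
  awk -v threshold="$1" '
    BEGIN {
      split("emerg alert crit err warn notice info debug", order, " ")
      for (i = 1; i <= 8; i++) prio[order[i]] = i
      if (!(threshold in prio)) { print "unknown level: " threshold > "/dev/stderr"; exit 2 }
    }
    {
      # "kern  :warn  : [ts] msg" -> facility, level, message
      split($0, parts, ":")
      lvl = parts[2]; gsub(/ /, "", lvl)
      if ((lvl in prio) && prio[lvl] <= prio[threshold]) print
    }'
}

# Count messages per facility:level pair, e.g. "kern:err 2".
dmesg_count_levels() {
  awk -F: '{ f = $1; l = $2; gsub(/ /, "", f); gsub(/ /, "", l); n[f ":" l]++ }
           END { for (k in n) print k, n[k] }' | sort
}

# Lines worth triaging first regardless of level: LSM denials (audit type 1400),
# user-space crashes reported by the kernel, and OOM kills.
dmesg_security_events() {
  grep -E 'audit: type=1400|apparmor="DENIED"|segfault at|general protection fault|Out of memory: Killed process'
}

# kernel.dmesg_restrict=1 makes a plain "dmesg" fail for unprivileged users.
dmesg_is_restricted() {
  [ -r /proc/sys/kernel/dmesg_restrict ] && [ "$(cat /proc/sys/kernel/dmesg_restrict)" = "1" ]
}

# Stand-alone demonstration on the constructed sample.
echo "== warn and worse =="
printf '%s\n' "$SAMPLE_DMESG_X" | dmesg_at_least warn
echo "== counts per facility:level =="
printf '%s\n' "$SAMPLE_DMESG_X" | dmesg_count_levels
echo "== security-relevant =="
printf '%s\n' "$SAMPLE_DMESG_X" | dmesg_security_events
if dmesg_is_restricted; then echo "note: this host restricts dmesg to root"; fi
```

On a live system, replace the printf of the sample with "dmesg -x" (or "sudo dmesg -x" where dmesg_is_restricted reports true) and the three filters apply unchanged.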

Bumps in the road for open RAN

Open standards for radio access network (RAN) technology have long been hyped as a way for mobile network operators to control the costs of 5G deployment, but some experts are beginning to question that potential, and legal difficulties for vendors working on the standard continue to arise. The idea behind open RAN is relatively simple. Using a standards-based approach to carrier radio equipment would let carriers mix and match the gear they use in base stations, freeing them from the traditional vertical integration of such equipment and potentially making the market more competitive, driving prices down. But this requires a considerable degree of coordination from companies like Ericsson, Nokia and Samsung that aren’t used to working cooperatively with one another. And some reports suggest that the hype around open RAN is considerably exaggerated.

They’ll Remember The Rage Monster

I was tired. Very tired. Tired in my brain. Tired in my body. I needed to eat, puke, and scream…all of those things as soon as possible. Big cutovers are like that. You know the kind of change I’m talking about. The kind where you only get a maintenance window twice a year, so you plan to throw in the new core switch pair because that’s easy, re-tool the BGP peering that twelve other changes are waiting for, and bring up the new firewall all in one night.

Stupid! Unthinkable! Small changes only!! I mean…obviously. Of course. But sometimes, that’s just not the way it works out. And so it was that after several hours of executing a meticulously planned change that would create the network foundation for the company’s big plans, I needed to eat, puke, and scream.

You see, the change hadn’t gone entirely well. It had only gone mostly well. The core switch upgrade really was easy. The BGP peering work went well enough. The new firewall was a fight, though.

At first, the firewall pair wouldn’t pass traffic. At all. Despite a lovely routing table and so on. After sitting in the freezing data center for […]

No REST For The Wicked

So far, this series has explored applying the Model, View, Controller (MVC) software design pattern to infrastructure with purely Python-driven network automation. We have created a fully functional infrastructure-as-software application using the out-of-the-box Django framework; a PostgreSQL database (Model); pyATS jobs (Controller); and the trinity of Python URLs, Views, and Django Templating Language (DTL) […]

The post No REST For The Wicked appeared first on Packet Pushers.

Tech Bytes: The Security Fabric Advantage With Fortinet (Sponsored)

Today's Tech Bytes podcast is a security conversation, specifically about security fabrics or ‘security mesh’ architectures: an integrated set of products that work together to manage risk across the network and endpoints and to improve detection and response. Fortinet is our sponsor.

The post Tech Bytes: The Security Fabric Advantage With Fortinet (Sponsored) appeared first on Packet Pushers.

Real-time Kubernetes cluster monitoring example

The Sunburst GPU chart updates every second to show a real-time view of the share of GPU resources being consumed by namespaces operating on the Nautilus hyperconverged Kubernetes cluster. The Nautilus cluster tightly couples distributed storage, GPU, and CPU resources shared among the participating research organizations.

The Sunburst Process chart provides an up to the second view of the cluster-wide share of CPU resources used by each namespace.

The Sunburst DNS chart shows a real-time view of network activity generated by each namespace. The chart is produced by looking up DNS names for network addresses observed in packet flows using the Kubernetes DNS service. The domain names contain information about the namespace, service, and node generating the packets. Most traffic is exchanged between nodes within the cluster (identified as local). External (non-local) traffic is also shown by DNS name.
The Sunburst Protocols chart shows the different network protocols being used to communicate between nodes in the cluster. The chart shows the IP over IP tunnel traffic used for network virtualization.
Clicking on a segment in the Sunburst Protocols chart allows the selected traffic to be examined in detail using the Flow Browser. In this example, […]
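The attribution step behind the Sunburst DNS chart, as an added shell example that is not sFlow-RT's or the Nautilus cluster's code: it assumes the standard Kubernetes in-cluster DNS naming (pod records of the form ip-with-dashes.namespace.pod.cluster.local and service records of the form service.namespace.svc.cluster.local), and the PTR table and flow records are constructed so it runs offline. For each flow the namespace is the label in front of "pod" or "svc"; any name outside cluster.local, or an address with no PTR record, counts as external, which is the local/external split the chart draws.

```shell
#!/bin/sh
# Added example (not sFlow-RT or Nautilus code): roll up flow bytes by Kubernetes
# namespace using reverse-DNS names. Assumes the standard in-cluster DNS scheme:
#   pods:     <pod-ip-with-dashes>.<namespace>.pod.cluster.local
#   services: <service>.<namespace>.svc.cluster.local
# Every address, name and byte count below is CONSTRUCTED.
PTR_TABLE='PTR 10.244.1.5 10-244-1-5.default.pod.cluster.local
PTR 10.244.2.9 10-244-2-9.monitoring.pod.cluster.local
PTR 10.96.0.10 kube-dns.kube-system.svc.cluster.local
PTR 10.96.12.7 postgres.default.svc.cluster.local
PTR 93.184.216.34 example.com'

# FLOW <src-ip> <dst-ip> <bytes>; 198.51.100.20 deliberately has no PTR record.
FLOWS='FLOW 10.244.1.5 10.96.12.7 120000
FLOW 10.244.1.5 10.96.0.10 800
FLOW 10.244.2.9 10.244.1.5 45000
FLOW 10.244.2.9 93.184.216.34 9000
FLOW 10.244.1.5 198.51.100.20 3000'

# Read PTR and FLOW records on stdin; print "<src> <dst> <bytes>" where each side
# is "namespace:<ns>" for cluster-local names and "external" otherwise.
aggregate_by_namespace() {
  awk '
    function ns_of(name,    n, lab) {
      n = split(name, lab, ".")
      if (n >= 5 && lab[n] == "local" && lab[n-1] == "cluster" &&
          (lab[n-2] == "pod" || lab[n-2] == "svc"))
        return "namespace:" lab[n-3]
      return "external"   # public names and unresolved addresses (name == "")
    }
    $1 == "PTR"  { ptr[$2] = $3; next }
    $1 == "FLOW" { total[ns_of(ptr[$2]) " " ns_of(ptr[$3])] += $4 }
    END { for (k in total) print k, total[k] }' | sort
}

# Collapse the destination side to local/external per source namespace:
# "<src-ns> local|external <bytes>".
local_vs_external() {
  awk '{ kind = ($2 == "external") ? "external" : "local"; t[$1 " " kind] += $3 }
       END { for (k in t) print k, t[k] }' | sort
}

# Stand-alone demonstration on the constructed data.
echo "== bytes per source/destination namespace =="
{ printf '%s\n' "$PTR_TABLE"; printf '%s\n' "$FLOWS"; } | aggregate_by_namespace
echo "== local vs external per source namespace =="
{ printf '%s\n' "$PTR_TABLE"; printf '%s\n' "$FLOWS"; } | aggregate_by_namespace | local_vs_external
```

Feeding real data means replacing the two constructed variables with PTR answers from the cluster DNS service and flow records from the collector; the rollup itself does not change.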

Network Break 362: AWS Announces Private 5G Service; FTC Says No To Nvidia’s Arm Grab

Today's Network Break covers two AWS announcements, a private 5G offering and a new networking service, discusses why the FTC is against Nvidia acquiring Arm Holdings, examines a new security feature in Aviatrix, and more tech news.

The post Network Break 362: AWS Announces Private 5G Service; FTC Says No To Nvidia’s Arm Grab appeared first on Packet Pushers.