Archive

Category Archives for "Networking"

Hedge 108: In Defense of Boring Technology with Andrew Wertkin

Engineers (and marketing folks) love new technology. Watching an engineer learn or unwrap some new technology is like watching a dog chase a squirrel—the point is not to catch the squirrel, it’s just that the chase is really fun. Join Andrew Wertkin (from BlueCat Networks), Tom Ammon, and Russ White as we discuss the importance of simple, boring technologies, and moderating our love of the new.

download

Non-Stop Routing (NSR) 101

After Non-Stop Forwarding, Stateful Switchover and Graceful Restart, it’s time for the pinnacle of high-availability switching: Non-Stop Routing (NSR)1.

The PowerPoint-level description of this idea sounds fantastic:

  • A device runs two active copies of its control plane.
  • There is no cold/warm start of the backup control plane. The failover is almost instantaneous.
  • The state of all control plane protocols is continuously synchronized between the two control plane instances. If one of them fails, the other one continues running.
  • A failure of a control plane instance is thus invisible from the outside.

If this sounds an awful lot like VMware Fault Tolerance, you’re not too far off the mark.

Non-Stop Routing (NSR) 101

After Non-Stop Forwarding, Stateful Switchover and Graceful Restart, it’s time for the pinnacle of high-availability switching: Non-Stop Routing (NSR)1.

The PowerPoint-level description of this idea sounds fantastic:

  • A device runs two active copies of its control plane.
  • There is no cold/warm start of the backup control plane. The failover is almost instantaneous.
  • The state of all control plane protocols is continuously synchronized between the two control plane instances. If one of them fails, the other one continues running.
  • A failure of a control plane instance is thus invisible from the outside.

If this sounds an awful lot like VMware Fault Tolerance, you’re not too far off the mark.

We’ve just published a book on container and cloud-native application security and observability

We are excited to announce the release of our O’Reilly book, Kubernetes security and observability: A holistic approach to securing containers and cloud-native applications. The book, authored by Tigera’s Brendan Creane and Amit Gupta, helps you learn how to adopt a holistic security and observability strategy for building and securing cloud-native applications running on Kubernetes.

Security practitioners are faced with a wide range of considerations when securing, observing, and troubleshooting containerized workloads on Kubernetes. These considerations range from infrastructure choices and cluster configuration to deployment controls and runtime and network security. Although securing cloud-native applications can be a daunting task, our book will give you the knowledge and confidence you’ll need to establish security and observability for your cloud-native applications.

In 11 chapters, the book covers topics relevant to containers and cloud-native applications in detail, including:

  • Infrastructure security
  • Workload deployment controls and runtime security
  • Network policy
  • Managing trust across teams
  • Exposing services to external clients
  • Encryption of data in transit
  • Threat defense and intrusion detection
  • And more…

After reading the book, you’ll have gained an understanding of key concepts behind security and observability for cloud-native applications, how to determine the best strategy, and which technology choices are available to support Continue reading

Day Two Cloud 123: Managing Multi-Cloud Applications And Infrastructure With vRealize Operations Cloud (Sponsored)

Welcome to Day Two Cloud, where the topic is visibility. Hybrid cloud visibility with a side of Kubernetes, to be specific. VMware has come alongside as today’s sponsor for a discussion about vRealize Operations Cloud to give you that visibility into applications and infrastructure running in complex, multi-cloud environments.

The post Day Two Cloud 123: Managing Multi-Cloud Applications And Infrastructure With vRealize Operations Cloud (Sponsored) appeared first on Packet Pushers.

Day Two Cloud 123: Managing Multi-Cloud Applications And Infrastructure With vRealize Operations Cloud (Sponsored)

Welcome to Day Two Cloud, where the topic is visibility. Hybrid cloud visibility with a side of Kubernetes, to be specific. VMware has come alongside as today’s sponsor for a discussion about vRealize Operations Cloud to give you that visibility into applications and infrastructure running in complex, multi-cloud environments.

How to Accelerate Your Digital Transformation with VMware’s Cloud Networking Capabilities

Realize What’s Possible with Advanced Cloud Networking Capabilities 

VMworld 2021 – what a whirlwind. Thank you for attending and making the virtual event a success. With so many sessions and so little time, we thought it was important to point out one of the most notable networking sessions of this year: Automation is Modernizing Networks, delivered by Tom Gills, SVP & General Manager, Networking and Advanced Security. 

In case you missed it, we’re going to catch you up on essential insights, networking news, and more. 

Networking by the Numbers 

 The vision behind VMware’s cloud networking is to centralize policy and networking infrastructure. Today, there are more than 23,000 customers using VMware’s virtual networking products. 96 out of the Fortune 100 have chosen VMware to virtualize their network infrastructure. VMware has replaced more than 12,000 power-hungry, hardware load balancer appliances. There are more than 450,000 branch sites globally, accelerating the digital transformation for enterprises of all kinds. 

Leveling Up  

Taking a step back, we can see how clearly all of these developments are enhancing digital operations for our various constituents. With two strokes of a key, our customers can send applications directly into production. This includes scanning for security/compliance violations, enforcing these security and compliance Continue reading

Cisco’s ThousandEyes can peer into SaaS performance

Cisco has broadened the scope of its ThousandEyes network-intelligence gathering software to let customers watch over their growing expanse of software-as-a-service applications.In addition to its existing Internet Insights platform, ThousandEyes has a new program called Application Outages that promises to provide views into the availability of the SaaS applications employees are using.Internet Insights gathers data from what Cisco says are tens of thousands of ThousandEyes Cloud Agents and Enterprise Agents spread across the internet and enterprise networks globally. ThousandEyes’ technology warns when a user’s experience is less than ideal and can pinpoint failures.To read this article in full, please click here

AMD launches big data-center push vs. Intel, Nvidia

AMD has emerged from its long defensive crouch to taking the fight directly to Intel and Nvidia, a bold move but one backed by a company that's been racking up wins lately.Coming on the heels of a record-setting quarter, AMD announced new EPYC server CPUs, a new line of Instinct brand GPUs it says are faster in than Nvidia’s best, the next generation of its CPU architecture, and a deal with Meta, formerly known as Facebook.[Get regularly scheduled insights by signing up for Network World newsletters.] EPYC Milan-X CPU AMD CEO Lisa Su introduced the EPYC Milan-X processors, an iteration of its third-generation server processors with a 3D-stacked L3 cache called 3D V-Cache. One problem with increasing cache is you get transistor sprawl and the die gets progressively bigger. 3D stacking reduces the physical size while increasing density.To read this article in full, please click here

AMD launches big data-center push vs. Intel, Nvidia

AMD has emerged from its long defensive crouch to taking the fight directly to Intel and Nvidia, a bold move but one backed by a company that's been racking up wins lately.Coming on the heels of a record-setting quarter, AMD announced new EPYC server CPUs, a new line of Instinct brand GPUs it says are faster in than Nvidia’s best, the next generation of its CPU architecture, and a deal with Meta, formerly known as Facebook.[Get regularly scheduled insights by signing up for Network World newsletters.] EPYC Milan-X CPU AMD CEO Lisa Su introduced the EPYC Milan-X processors, an iteration of its third-generation server processors with a 3D-stacked L3 cache called 3D V-Cache. One problem with increasing cache is you get transistor sprawl and the die gets progressively bigger. 3D stacking reduces the physical size while increasing density.To read this article in full, please click here

Drone demo shows it’s possible to protect 5G-managed devices from DDoS, exfiltration attacks

A demonstration earlier this year at Stanford School of Engineering proved that a small fleet of computer-controlled drones can maintain their flight integrity in the face of continual cyberattacks on the 5G network used to manage the devices through the deployment of software-defined networking (SDN).For enterprise IT pros charged with securing devices wirelessly across a 5G network, the drone test results are promising evidence that SDN can help networks under cyberattack to recover almost instantaneously.To read this article in full, please click here

Drone demo shows it’s possible to protect 5G-managed devices from DDoS, exfiltration attacks

A demonstration earlier this year at Stanford School of Engineering proved that a small fleet of computer-controlled drones can maintain their flight integrity in the face of continual cyberattacks on the 5G network used to manage the devices through the deployment of software-defined networking (SDN).For enterprise IT pros charged with securing devices wirelessly across a 5G network, the drone test results are promising evidence that SDN can help networks under cyberattack to recover almost instantaneously.To read this article in full, please click here

Python Script Pulling AWS IP Prefixes – Part 3

The two previous posts described what the script does and modules used as well as how the script leverages YAML.

This time, we will go through the function that generates the access-list name. The code for this is below:

def generate_acl_name(interface_name: str) -> str:
    """Generate unique ACL name to avoid conflicts with any existing ACLs
    by appending a random number to the outside interface name"""
    # Create a random number between 1 and 999
    random_number = random.randint(1, 999)
    acl_name = f"{interface_name}_{random_number}"
    return acl_name

The goal with this code is to generate a new access-list with a unique name. Note that the script doesn’t do any check if this access-list already exists which is something I will look into in an improved version of the script. I wanted to first start with something that works and take you through the process together with myself as I learn and improve on the existing code.

The function takes an interface_name which is a string. This is provided by the YAML data that we stored in the yaml_dict earlier. The function is then called like this:

acl_name = generate_acl_name(yaml_dict["outside_interface"])

The name is stored in the yaml_dict under the outside_interface mapping:

In [6]: yaml_dict  Continue reading

Building a Separate Infrastructure for Guest Access

One of my readers sent me an age-old question:

I have my current guest network built on top of my production network. The separation between guest- and corporate network is done using a VLAN – once you connect to the wireless guest network, you’re in guest VLAN that forwards your packets to a guest router and off toward the Internet.

Our security team claims that this design is not secure enough. They claim a user would be able to attach somehow to the switch and jump between VLANs, suggesting that it would be better to run guest access over a separate physical network.

Decades ago, VLAN implementations were buggy, and it was possible (using a carefully crafted stack of VLAN tags) to insert packets from one VLAN to another (see also: VLAN hopping).

Building a Separate Infrastructure for Guest Access

One of my readers sent me an age-old question:

I have my current guest network built on top of my production network. The separation between guest- and corporate network is done using a VLAN – once you connect to the wireless guest network, you’re in guest VLAN that forwards your packets to a guest router and off toward the Internet.

Our security team claims that this design is not secure enough. They claim a user would be able to attach somehow to the switch and jump between VLANs, suggesting that it would be better to run guest access over a separate physical network.

Decades ago, VLAN implementations were buggy, and it was possible (using a carefully crafted stack of VLAN tags) to insert packets from one VLAN to another (see also: VLAN hopping).

Juniper’s marketing lags its technology

Like a lot of other people, I remember the Juniper ads of decades ago that used cartoons to poke fun at competitors. It was in-your-face marketing, and it seemed to pay off for Juniper in visibility.Then they got quiet, and while Juniper continued to innovate at the product level, they didn’t make news like they used to. Then they held their Nov. 2 analyst event, and they got in their competitors’ faces again. Why, and how?The why is related to a principle of marketing I’ve talked about for decades: trajectory management. All sales processes these days aim at converting “suspects” into “customers” through a series of steps. First you get mentioned in tech news articles and analyst briefs. Second, those who see those mentions go to your website for more information, which leads them to the third step—a request to talk to a salesperson. In-your-face marketing gets good ink, and Juniper got more coverage of its event than it’s gotten for anything else in years.To read this article in full, please click here