Archive

Category Archives for "Networking"

Heavy Networking 594: TLS 1.3 Down Deep With Ed Harmoush

Like anything in the world of IT, TLS has gone through various versions. TLS 1.1 and 1.2 are still commonly used, but TLS 1.3 is really where it’s at. Our guest is Ed Harmoush. Ed’s a professional instructor who’s researched TLS 1.3 and more as he’s prepped for his latest course offering, Practical TLS, which you can find at http://pracnet.net/tls. Use coupon PacketPushers100 to get $100 off this deep dive course from Ed.

The post Heavy Networking 594: TLS 1.3 Down Deep With Ed Harmoush appeared first on Packet Pushers.

Data protection controls with Cloudflare Browser Isolation

Starting today, your team can use Cloudflare’s Browser Isolation service to protect sensitive data inside the web browser. Administrators can define Zero Trust policies to control who can copy, paste, and print data in any web-based application.

In March 2021, for Security Week, we announced the general availability of Cloudflare Browser Isolation as an add-on within the Cloudflare for Teams suite of Zero Trust application access and browsing services. Browser Isolation protects users from browser-borne malware and zero-day threats by shifting the risk of executing untrusted website code from their local browser to a secure browser hosted on our edge.

And currently, we’re democratizing browser isolation for any business by including it with our Teams Enterprise Plan at no additional charge.

A different approach to zero trust browsing

The web browser, the same tool that connects users to critical business applications, is one of the most common attack vectors and one of the hardest to control.

Browsers started as simple tools intended to share academic documents over the Internet and over time have become sophisticated platforms that replaced virtually every desktop application in the workplace. The dominance of web-based applications in the workplace has created a challenge for security teams who …

Attack that defeats AMD chip security possible, unlikely

AMD likes to crow about how its Epyc server processors can encrypt the contents of virtual machines while they’re in operation so they are secure and isolated, preventing other VMs on the processor from accessing the encrypted contents. Well, researchers from the Technical University of Berlin have found a weakness in that feature, known as Secure Encrypted Virtualization (SEV), and published an attack that defeats the protection, though one that is unlikely to be practical for most attackers. The paper “One Glitch to Rule Them All: Fault Injection Attacks Against AMD’s Secure Encrypted Virtualization” details how the researchers succeeded in mounting a voltage fault-injection attack.

Announcing Tenant Control in Cloudflare Gateway

The tools we use at work are starting to look like the apps we use in our personal lives. We send emails for our jobs using Google Workspace and respond to personal notes in Gmail. We download PDFs from our team’s Dropbox and then upload images to our personal account. This can lead to confusion and mistakes—made worse by remote work when we forget to log off for the day.

Today, we’re excited to announce Tenant Control in Cloudflare Gateway, a new feature that helps keep our work at work. Organizations can deploy Cloudflare Gateway to their corporate devices and apply rules ensuring that employees can only log in to the corporate version of the tools they need. Now, teams can prevent users from logging in to the wrong instance of popular applications. What’s more, they can make sure corporate data stays within corporate accounts.

Controlling the application, alone, isn’t sufficient

Cloudflare Gateway provides security from threats on the Internet by sending all traffic leaving a device to Cloudflare’s network where it can be filtered. Organizations send traffic to Cloudflare by deploying the WARP agent, a WireGuard-based client built on feedback from our popular consumer app.

Cloudflare Gateway can be …
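As an added illustration of the rule the post describes (example code, not Cloudflare's; the page does not show how Gateway itself is configured): an egress filter that sees every HTTP request leaving a managed device can pin SaaS logins to the corporate tenant by adding the vendor's tenant-restriction header before forwarding the request, so the SaaS provider rejects logins to any other tenant. The header names are the ones Google Workspace (X-GoogApps-Allowed-Domains) and Microsoft Entra ID (Restrict-Access-To-Tenants, Restrict-Access-Context) document for this purpose; the hostnames, tenant values, rule format and the `OutboundRequest` type are assumptions made for the example.

```python
"""Tenant-restriction header injection for an egress HTTP filter.

Added example, not Cloudflare Gateway's code. Header names are the ones
Google Workspace and Microsoft Entra ID document for tenant restrictions;
hostnames, tenant identifiers and the rule format are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class OutboundRequest:
    """One HTTP request seen by the filter after TLS termination (assumed type)."""
    host: str
    path: str
    headers: dict = field(default_factory=dict)


# Hypothetical policy. Each rule names the vendor's login/app domains and the
# tenant-restriction headers to inject. Tenant values are placeholders.
CORP_GOOGLE_DOMAINS = "example.com,corp.example.com"
CORP_ENTRA_TENANT = "11111111-2222-3333-4444-555555555555"

TENANT_RULES = [
    {
        "name": "google-workspace",
        "domains": ("google.com",),  # google.com and every subdomain
        "headers": {"X-GoogApps-Allowed-Domains": CORP_GOOGLE_DOMAINS},
    },
    {
        "name": "microsoft-entra",
        "domains": ("login.microsoftonline.com", "login.microsoft.com",
                    "login.windows.net"),
        "headers": {
            "Restrict-Access-To-Tenants": CORP_ENTRA_TENANT,
            "Restrict-Access-Context": CORP_ENTRA_TENANT,
        },
    },
]


def host_matches(host: str, domain: str) -> bool:
    """Exact or proper-subdomain match. 'google.com.evil.example' and
    'notgoogle.com' must NOT match 'google.com'."""
    host = host.lower().rstrip(".")
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def matching_rule(host: str):
    """Return the first rule whose domain list covers host, else None."""
    for rule in TENANT_RULES:
        if any(host_matches(host, d) for d in rule["domains"]):
            return rule
    return None


def apply_tenant_control(req: OutboundRequest) -> OutboundRequest:
    """Return a copy of the request with tenant headers enforced.

    Client-supplied values for the controlled headers are overwritten, not
    merged: otherwise a user (or malware) on the device could pre-set a
    permissive value and the upstream identity provider would honour it.
    """
    rule = matching_rule(req.host)
    headers = dict(req.headers)
    if rule is not None:
        headers.update(rule["headers"])
    return OutboundRequest(req.host, req.path, headers)


def demo():
    """Run the three interesting cases and return the resulting header dicts."""
    cases = [
        OutboundRequest("accounts.google.com", "/signin/v2/identifier"),
        OutboundRequest("login.microsoftonline.com", "/common/oauth2/v2.0/authorize",
                        {"Restrict-Access-To-Tenants": "attacker-tenant"}),
        OutboundRequest("google.com.evil.example", "/"),
    ]
    return [apply_tenant_control(c).headers for c in cases]


if __name__ == "__main__":
    for h in demo():
        print(h)
```

Two points worth noticing in the code. The filter can only add headers after TLS termination, which is why this class of control depends on the device trusting the filter's root CA; without that, the login request is opaque. And the suffix match deliberately requires a leading dot: `endswith("google.com")` without it would also fire on `notgoogle.com`, harmless for header injection but the same mistake in an allowlist is a classic bypass.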

Running Code

There was a discussion in a working group session at the recent IETF 111 meeting over a proposal that the working group should require at least two implementations of a draft before the working group would consider the document ready. What's going on here?

kOps adds support for Calico’s eBPF data plane

Kubernetes Operations (kOps) is one of the official Kubernetes (K8s) projects. kOps allows rapid deployment of production-grade K8s clusters on multiple cloud platforms. Because it is driven by YAML manifests, kOps delivers a familiar experience to users who have worked with kubectl. Similar to the managed K8s offerings of popular cloud platforms, kOps helps set up self-managed clusters that deliver high availability. Given its ease of use, it is a very popular choice when users want to deploy self-hosted Kubernetes clusters.

With the recent release of kOps (v1.19), support for the Calico eBPF data plane was added to the utility. In addition to the features mentioned above, the latest kOps update offers an effortless way to deploy K8s clusters that use Project Calico for networking together with the Calico eBPF data plane. The Calico eBPF data plane replaces kube-proxy with equivalent functionality and uses a more direct datapath for traffic. These changes deliver a network performance boost and source IP preservation to your cluster.

In this blog post, we will showcase the steps required to deploy a cluster that utilizes these newly available features.

What is eBPF?

eBPF is a virtual machine embedded within the Linux kernel. …

Cisco: Product sales jump, so do some prices

Cisco’s 4Q and year-end financial reports highlight growth in many categories that are important to enterprise customers, including wireless, campus switching, routing and security products. CEO Chuck Robbins said that the company’s fourth quarter boasted the strongest product-order growth rate the company has seen in over a decade, citing 30% product-order growth year on year and more than 17% order growth versus pre-COVID Q4 fiscal 2019 product bookings. “In Q4, we saw double-digit revenue growth in campus switching, Catalyst 9000, high-end routing, wireless, and in our Zero Trust solutions, along with strength in our security endpoint portfolio. We also had a very strong adoption of our Acacia optical solutions,” Robbins said.

Building a Pet Cam using a Raspberry Pi, Cloudflare Tunnels and Teams

I adopted Ziggy in late 2020. It took me quite a while to get used to his routine and mix it with mine. He consistently jumped on the kitchen counter in search of food, albeit only when no one was around. And I only found out when he tossed the ceramic butter box. It shattered and made a loud bang in the late hours of the night. Thankfully, no one was asleep yet.

This got me thinking that I should keep an eye on his mischievous behaviour, even when I'm not physically at home. I briefly considered buying a pet cam, but I remembered I had bought a Raspberry Pi a few months before. It was hardly being used, and it had a case (like this) allowing a camera module to be added. I hadn’t found a use for the camera module — until now.

This was a perfect weekend project: I would set up my own pet cam, connect it to the Internet, and make it available for me to check from anywhere in the world. I also wanted to ensure that only I could access it and that it had some easy way to login, possibly using …

Cloudflare thwarts 17.2M rps DDoS attack — the largest ever reported

Earlier this summer, Cloudflare’s autonomous edge DDoS protection systems automatically detected and mitigated a 17.2 million request-per-second (rps) DDoS attack, an attack almost three times larger than any previous one that we're aware of. For perspective on how large this attack was: Cloudflare serves over 25 million HTTP requests per second on average. This refers to the average rate of legitimate traffic in 2021 Q2. So peaking at 17.2 million rps, this attack reached 68% of our Q2 average rps rate of legitimate HTTP traffic.

Comparison graph of Cloudflare’s average request per second rate versus the DDoS attack

Automated DDoS mitigation with Cloudflare’s autonomous edge

This attack, along with the additional attacks described in the next sections, was automatically detected and mitigated by our autonomous edge DDoS protection systems. The system is powered by our very own denial-of-service daemon (dosd). Dosd is a home-grown software-defined daemon. A unique dosd instance runs on every server in each one of our data centers around the world. Each dosd instance independently analyzes traffic samples out-of-path. Analyzing traffic out-of-path allows us to scan asynchronously for DDoS attacks without adding latency or impacting performance. DDoS findings are also shared between the …