0

Authorize Better: Istio Traffic Policies with OPA, Styra DAS

Adam Sandor Adam is a solution architect at Styra, helping companies to adopt OPA and Styra DAS. He has been working in the cloud native space for the past six years, focusing on Kubernetes adoption and software delivery. In his free time, Adam is a dedicated DCS World pilot and happy cyclist roaming the cycle paths of the Netherlands. Cloud native tooling for authorization is an emerging trend poised to revolutionize the way we approach this oft-neglected part of our applications. Styra DAS offer. When services are connected using the Istio service mesh, all those sidecar proxies running Envoy are great places to make authorization decisions. All HTTP requests flow through them with metadata included about the source and destination services. The capabilities of Envoy are exposed by Istio in the form of the

0

Automatic Remediation of Kubernetes Nodes

We use Kubernetes to run many of the diverse services that help us control Cloudflare’s edge. We have five geographically diverse clusters, with hundreds of nodes in our largest cluster. These clusters are self-managed on bare-metal machines which gives us a good amount of power and flexibility in the software and integrations with Kubernetes. However, it also means we don’t have a cloud provider to rely on for virtualizing or managing the nodes. This distinction becomes even more prominent when considering all the different reasons that nodes degrade. With self-managed bare-metal machines, the list of reasons that cause a node to become unhealthy include:

• Hardware failures
• Kernel-level software failures
• Kubernetes cluster-level software failures
• Degraded network communication
• Software updates are required
• Resource exhaustion¹

Unhappy Nodes

We have plenty of examples of failures in the aforementioned categories, but one example has been particularly tedious to deal with. It starts with the following log line from the kernel:

unregister_netdevice: waiting for lo to become free. Usage count = 1

The issue is further observed with the number of network interfaces on the node owned by the Container Network Interface (CNI) plugin getting out of proportion with the number of running pods:

$  Continue reading

0

Hedge 91: Leslie Daigle and IP Addresses Acting Badly

What if you could connect a lot of devices to the Internet—without any kind of firewall or other protection—and observe attackers trying to find their way “in?” What might you learn from such an exercise? One thing you might learn is a lot of attacks seem to originate from within a relatively small group of IP addresses—IP addresses acing badly. Listen in as Leslie Daigle of Thinking Cat and the Techsequences podcast, Tom Ammon, and Russ White discuss just such an experiment and its results.

download

0

Day Two Cloud 106: Towards A More Open Cloud

On today's Day Two Cloud we discuss the notion of open cloud. The premise is about reducing or minimizing costs of migrating from a public cloud. In theory, open cloud lets organizations keep their options open to make changes and reduces lock-in. But is open cloud even feasible? Our guest is Chris Psaltis, co-founder and CEO of Mist.io, a startup building an open-source, multi-cloud management platform.

The post Day Two Cloud 106: Towards A More Open Cloud appeared first on Packet Pushers.

0

Day Two Cloud 106: Towards A More Open Cloud

On today's Day Two Cloud we discuss the notion of open cloud. The premise is about reducing or minimizing costs of migrating from a public cloud. In theory, open cloud lets organizations keep their options open to make changes and reduces lock-in. But is open cloud even feasible? Our guest is Chris Psaltis, co-founder and CEO of Mist.io, a startup building an open-source, multi-cloud management platform.

0

5 Ways AIOps Can Simplify NetOps Teams’ Lives

AIOps has great potential to streamline workflows and increase productivity within IT and NetOps teams. This can improve business outcomes and allow for the reallocation of resources to other projects.

0

Free Speech is More than Words

A couple of weeks ago, I joined Leslie Daigle and Alexa Reid on Techsequences to talk about free speech and the physical platform—does the right to free speech include the right to build and operate physical facilities like printing presses and web hosting? I argue it does. Listen in if you want to hear my argument, and how this relates to situations such as the “takedown” of Parler.

Listen here

0

Data Center Fabric Monitoring & Visibility: Tools and Options

So far in our blog series on data center network trends, we have focused on options and best practices for...

The post Data Center Fabric Monitoring & Visibility: Tools and Options appeared first on Pluribus Networks.

0

IT Pro Salary Survey: What You Earned in 2020

Did you get a raise in 2020? The InformationWeek 2020 IT Salary Survey lets you know how you stacked up against your peers during a year that was like no other.

0

NATs, PATs, and Network Hygiene

While reading a research paper on address spoofing from 2019, I ran into this on NAT (really PAT) failures—

In the first failure mode, the NAT simply forwards the packets with the spoofed source address (the victim) intact … In the second failure mode, the NAT rewrites the source address to the NAT’s publicly routable address, and forwards the packet to the amplifier. When the server replies, the NAT system does the inverse translation of the source address, expecting to deliver the packet to an internal system. However, because the mapping is between two routable addresses external to the NAT, the packet is routed by the NAT towards the victim.

The authors state 49% of the NATs they discovered in their investigation of spoofed addresses fail in one of these two ways. From what I remember way back when the first NAT/PAT device (the PIX) was deployed in the real world (I worked in TAC at the time), there was a lot of discussion about what a firewall should do with packets sourced from addresses not indicated anywhere.

If I have an access list including 192.168.1.0/24, and I get a packet sourced from 192.168.2.24, Continue reading

0

Heavy Networking 588: Exploring The Hidden Realms Of Subsea Cables With Telstra (Sponsored)

Subsea communications cables are an essential part of the global Internet. On today's Heavy Networking, sponsored by Telstra, we dive into the realms of undersea cables to learn how they are laid, signalling methods, POPs and landing stations, how they can be damaged (and repaired), and more. Our Telstra guests are Andy Lumsden, Head of Network Engineering and Operations; and Jeff McHardy, General Manager, Network Development and Commercial Management.

The post Heavy Networking 588: Exploring The Hidden Realms Of Subsea Cables With Telstra (Sponsored) appeared first on Packet Pushers.

0

Heavy Networking 588: Exploring The Hidden Realms Of Subsea Cables With Telstra (Sponsored)

Subsea communications cables are an essential part of the global Internet. On today's Heavy Networking, sponsored by Telstra, we dive into the realms of undersea cables to learn how they are laid, signalling methods, POPs and landing stations, how they can be damaged (and repaired), and more. Our Telstra guests are Andy Lumsden, Head of Network Engineering and Operations; and Jeff McHardy, General Manager, Network Development and Commercial Management.

0

The Data Driven Enterprise

The rise of cloud migration for enterprises with mission critical applications is redefining the data center. The reality for any enterprise: a systematic approach balancing workloads in the cloud and premises while securing data. Data and applications must be managed as critical assets in the 21^st century.

0

The Data Driven Enterprise

The rise of cloud migration for enterprises with mission critical applications is redefining the data center. The reality for any enterprise: a systematic approach balancing workloads in the cloud and premises while securing data. Data and applications must be managed as critical assets in the 21^st century.

0

Installing fonts on your Linux system

Linux systems generally start out with a large number of fonts available, especially once you've installed LibreOffice. Even so, you might find yourself craving some highly distinctive or unusual fonts to add a special tone to some of your projects. If so, you're in luck. You're likely to find many thousands of free fonts available online – bold, italic, calligraphy, modern, script, hand lettering, cursive, brush lettering, symbolic and more.Here's a small sampling of popular sites that provide free fonts for easy downloading: dafont.com fontzone.net fonts.google.com fontspace.com You can also type "free fonts" into your favorite search engine. Expect to see a huge number of responses. Keep in mind that not all fonts are free, but plenty of free fonts are available, and they're easy to view, download and install.To read this article in full, please click here

0

Installing fonts on your Linux system

Linux systems generally start out with a large number of fonts available, especially once you've installed LibreOffice. Even so, you might find yourself craving some highly distinctive or unusual fonts to add a special tone to some of your projects. If so, you're in luck. You're likely to find many thousands of free fonts available online – bold, italic, calligraphy, modern, script, hand lettering, cursive, brush lettering, symbolic and more.Here's a small sampling of popular sites that provide free fonts for easy downloading: dafont.com fontzone.net fonts.google.com fontspace.com You can also type "free fonts" into your favorite search engine. Expect to see a huge number of responses. Keep in mind that not all fonts are free, but plenty of free fonts are available, and they're easy to view, download and install.To read this article in full, please click here

0

Tech Bytes: An IT Punch List For Reopening The Office (Sponsored)

If IT thinks it can take the office network out of mothballs and expect everything to be fine when employees show up, think again. On today's Tech Bytes podcast, sponsored by Netskope, guest Hansang Bae shares a punch list of tasks IT should complete before end users get back to the office.

The post Tech Bytes: An IT Punch List For Reopening The Office (Sponsored) appeared first on Packet Pushers.

0

Tech Bytes: An IT Punch List For Reopening The Office (Sponsored)

If IT thinks it can take the office network out of mothballs and expect everything to be fine when employees show up, think again. On today's Tech Bytes podcast, sponsored by Netskope, guest Hansang Bae shares a punch list of tasks IT should complete before end users get back to the office.

0

JFrog’s Private Distribution Network For Developers

DevOps platform provider JFrog is touting its new Private Distribution Network (PDN) as an “industry first,” because it allows DevOps teams to accelerate application updates through a lightweight solution that combines two network acceleration and optimization technologies —

0

Demo: Cloud Networking with Overlapping CIDR, L7 Firewalls, Segmentation, and Flow visibility

I created a live demo showing some cool capabilities of the Aviatrix Cloud Networking Platform. In this demo I play the role of a SaaS provider that onboards new customers via VPN, and needs to meet the following requirements:

• Easily onboard new customers even if their IP addressing overlaps with the SaaS provider.

• Provide secure segmentation and isolation between customers.

• Easily insert next gen firewalls between the customers and the SaaS for deep packet inspection and threat analysis.

• Have complete flow level visibility of customer network traffic, and operation tools to diagnose and troubleshoot problems.

• Provide end-to-end encryption to secure sensitive data in flight.

• And be able to meet all of these requirements using any cloud provider.

In the demo I show how easy it is to meet requirements like this using Aviatrix. And best of all, no matter which cloud provider(s) you’re using, the solution and architecture is exactly the same. This SaaS provider can use the services and global footprint of any or all cloud providers, and do it with consistent repeatable architecture.

You can leave comments on this post here: where I posted this on LinkedIN.

Is there a particular scenario you want to see in a Continue reading