Category Archives for "Networking"

BGP FlowSpec on Arista vEOS

BGP FlowSpec is another Multiprotocol BGP extension, using SAFI 133. Created for the purpose of mitigating DoS and DDoS attacks, it brings a new NLRI that carries 12 types of L3 and L4 information. This information defines a flow, which specifies the criteria used to match DDoS traffic. For instance, a flow can match a victim's IP, […]

Introducing API Shield

APIs are the lifeblood of modern Internet-connected applications. Every millisecond they carry requests from mobile applications—place this food delivery order, “like” this picture—and directions to IoT devices—unlock the car door, start the wash cycle, my human just finished a 5k run—among countless other calls.

They’re also the target of widespread attacks designed to perform unauthorized actions or exfiltrate data, as data from Gartner increasingly shows: “by 2021, 90% of web-enabled applications will have more surface area for attack in the form of exposed APIs rather than the UI, up from 40% in 2019,” and “Gartner predicted that, by 2022, API abuses will move from an infrequent to the most-frequent attack vector, resulting in data breaches for enterprise web applications”[1][2]. Of the 18 million requests per second that traverse Cloudflare’s network, 50% are directed towards APIs—with the majority of these requests blocked as malicious.

To combat these threats, Cloudflare is making it simple to secure APIs through the use of strong client certificate-based identity and strict schema-based validation. As of today, these capabilities are available free for all plans within our new “API Shield” offering. And as of today, the security benefits also extend to gRPC-based APIs, which use binary…

Announcing support for gRPC

Today we're excited to announce beta support for proxying gRPC, a next-generation protocol that allows you to build APIs at scale. With gRPC on Cloudflare, you get access to the security, reliability and performance features that you're used to having at your fingertips for traditional APIs. Sign up for the beta today in the Network tab of the Cloudflare dashboard.

gRPC has proven itself to be a popular new protocol for building APIs at scale: it’s more efficient and built to offer superior bi-directional streaming capabilities. However, because gRPC uses newer technology, like HTTP/2, under the covers, existing security and performance tools did not support gRPC traffic out of the box. This meant that customers adopting gRPC to power their APIs had to pick between modernity on one hand, and things like security, performance, and reliability on the other. Because supporting modern protocols and making sure people can operate them safely and performantly is in our DNA, we set out to fix this.

When you put your gRPC APIs on Cloudflare, you immediately gain all the benefits that come with Cloudflare. Apprehensive of exposing your APIs to bad actors? Add security features such as WAF and Bot Management. Need…

Network Automation Isn’t Easy

Contrary to what some evangelists would love you to believe, getting fluent in network automation is a bit harder than watching 3-minute videos and cobbling playbooks together with google-and-paste… but then nothing really worth doing is ever easy, or everyone else would be doing it already.

Here’s a typical comment from a Building Network Automation Solutions attendee:

I’m loving the class. I feel more confused than I ever have in my 23-year career… but I can already see the difference in my perspective shift in all aspects of my work.

Navigating your Linux files with ranger

Ranger is a unique and very handy file system navigator that allows you to move around in your Linux file system, go in and out of subdirectories, view text-file contents and even make changes to files without leaving the tool. It runs in a terminal window and lets you navigate by pressing arrow keys. It provides a multi-level file display that makes it easy to see where you are, move around the file system and select particular files. To install ranger, use your standard install command (e.g., sudo apt install ranger). To start it, simply type “ranger”. It comes with a lengthy, very detailed man page, but getting started with ranger is very simple.

Kubernetes Q3-2020: Threats, Exploits and TTPs

Kubernetes has become the world’s most popular container orchestration system and is taking the enterprise ecosystem by storm. At this disruptive moment it’s useful to look back and review the security threats that have evolved in this dynamic landscape. Identifying these threats and exploits and being a proactive learner may save you a lot of time and effort…as well as help you retain your reputation in the long run. In this blog we’ll look at some critical security issues faced by the Kubernetes ecosystem in the recent past, and examine the top tactics, techniques and procedures (TTPs) used by attackers.

Major Vulnerabilities

Every day, new Kubernetes ecosystem Common Vulnerabilities and Exposures (CVEs) are published. Let’s take a closer look at some of the cloud shakers…

CVE-2020-14386: Using privilege escalation vulnerability to escape the pod
A flaw was found in the Linux kernel before 5.9-rc4. Memory corruption can be exploited to gain root privileges from unprivileged processes.

We received notification that some instances in our cloud infrastructure were vulnerable to this CVE. When we took a closer look, it appeared to be a typical privilege escalation vulnerability using AF sockets on hosts. Unprivileged users with CAP_NET_RAW permissions can send packets…

Introducing VMware Transit Connect for networking and security on VMware Cloud on AWS

As you migrate and expand your deployments on VMware Cloud on AWS, your network connectivity provides the foundational infrastructure for all workloads in your SDDCs. When you then scale across multiple SDDCs — which also need to network with several data centers and tens or even hundreds of VPCs — scaling network connectivity becomes a critical challenge.

In this context, we’re excited to announce a number of new networking and security capabilities on VMware Cloud on AWS. 

  • SDDC Groups – a way to organize SDDCs together for ease of management
  • VMware Transit Connect – high-bandwidth, resilient connectivity for SDDCs in an SDDC Group
  • Multi-Edge SDDCs – the ability to add network capacity for north-south traffic to the SDDC

Together, these new features enable seamless connectivity to your SDDCs from on-prem data centers and AWS VPCs while unlocking the capacity you need to efficiently drive your workloads in the cloud. 

Let’s take a closer look at each one. 

SDDC Groups 

SDDC Groups enable customers to manage multiple SDDCs as a single logical entity. This simplifies operations while maintaining the flexibility that customers rely on. SDDCs in a Group can be interconnected with VMware Transit Connect, and…

Can You Spare a Minute? Network Time Security Featured on The Hedge Podcast

Are you interested in finding out more about Network Time Protocol (NTP), Network Time Security (NTS), and discovering why synchronized time is an essential foundation for online security?

Today is International Podcast Day, so why not spend it listening to The Hedge Podcast #49: Karen O’Donoghue and Network Time Security.

Network Time Protocol (NTP) is one of the oldest Internet protocols in use. It enables the synchronization of clocks on computer networks to within a few milliseconds of Coordinated Universal Time (UTC). Accurate time is also a critical component of online security: many security mechanisms, such as Transport Layer Security (TLS) and digital signature creation and verification, depend on accurate timekeeping.

Updated Mechanism 

NTP’s security mechanisms, however, were designed in an era when the risk of attack was considered unlikely. With the continued expansion of the Internet, these mechanisms have become outdated. Work has been underway for many years in the Internet Engineering Task Force (IETF) Network Time Protocol Working Group to develop replacement technology, which will help to secure the Internet’s time synchronization infrastructure well into the future. The result of this work is in the…

VMware amps up security for network, SASE, SD-WAN products

At its virtual VMworld 2020 conclave this week, VMware took the wraps off a number of security enhancements aimed at the growing COVID-driven remote workforce. For starters, the company boosted security for remote and mobile workers by extending its partnerships with Zscaler and Menlo for its secure-access service edge (SASE) offering, VMware SD-WAN Zero Trust Service. VMware's SASE technology melds its Workspace ONE platform with its SD-WAN package.

Day Two Cloud 068: Achieving Crucial Cloud Visibility With Riverbed (Sponsored)

Today's show explores cloud visibility with sponsor Riverbed. Perhaps best known for its Steelhead WAN optimization appliances, Riverbed has a suite of solutions that target cloud performance and visibility, and we'll get to know them. Our Riverbed guests are Dr. Vincent Berk, VP, Chief Architect Security, CTO; and Brandon Carroll, Director, Technical Evangelist, Worldwide Marketing Management.

The post Day Two Cloud 068: Achieving Crucial Cloud Visibility With Riverbed (Sponsored) appeared first on Packet Pushers.

Arista adds IoT, remote-work management to campus family

Arista Networks has taken the wraps off extensions to its campus-networking portfolio that promise to help customers manage IoT devices, improve wireless connectivity and cope with COVID-era remote-networking requirements. When it comes to managing the campus and the edge, it’s important for IT to understand what devices are in the network and what they're doing, and to make sure they are properly segmented, said Ed Chapman, vice president of business development for Arista. Customers need to manage wireless and wired systems as one entity to gain visibility, intelligence, and analytics on the overall environment.

You Can’t Do Everything, And That’s Okay

You’re a responsible human–a reliable person who does everything that’s expected and more. Congratulations! Here’s more work to do.

Yep, that’s the rub. If you’re good at your job and other people notice, you get never-ending opportunities to prove once again how good you are. More work to do, and more work to do, and more. The balance in your life is lost as you drown under a pile of opportunities and challenges with deliverables, due dates, and project managers scheduling recurring meetings to get status updates.

No Good Deed Goes Unpunished

If you’ve been through a few jobs, no doubt you’re familiar with this cycle. You leave the old job with a sense of relief, having transitioned your projects to others in a ceremony known as “the hand-off.” You chuckle a bit to yourself as your co-workers and manager who clearly didn’t grasp what all you were handling go glassy-eyed as you talk them through it.

You start the new job with a lightness in your heart. No projects. No due dates. No recurring meetings. The anxiety of getting familiar with a new company, figuring out your role, learning the politics, sure–there’s all that to contend with. But…

Nigeria’s IXPs – Enabling Better Connectivity, Faster Internet Delivery, and Improving Internet Service

Nigeria grew its local Internet traffic from 30% to 70% in the past eight years, connecting more people, increasing speed, and reducing costs. They did this through Internet Exchange Points (IXPs), according to the Internet Society report Anchoring the African Internet Ecosystem: Lessons from Kenya and Nigeria’s Internet Exchange Points Growth.

Between 2012 and 2020, the number of peering networks has grown from 30 to 71 and new exchange platforms have been set up in Abuja, Kano, and Port Harcourt. More networks and more IXPs increased the amount of Internet traffic exchanged in Nigeria from 300 Mbps to peak traffic of 125 Gbps in Lagos.

Muhammed Rudman started the Internet Exchange Point of Nigeria (IXPN) in 2006, when the industry was developing. Most networks did not peer in Nigeria. One major submarine cable, Sat3, offered services across the country with others getting service via VSATs. This meant ninety-nine percent of websites were hosted abroad.

“The terrain was tough,” says Rudman, an IT veteran and founding Chief Executive Officer of IXPN, which is based in Lagos, Nigeria’s largest city. Approaching Internet service providers, he was often asked how many networks were already peering. Without any networks exchanging traffic, he’d often hear, “When you…

BGP Routing Security Discussion on Linkedin

After I published the post on Linkedin about Telstra’s hijack affecting many networks, one of my students asked a couple of good questions under that post.

I thought sharing that post here would be beneficial for those who follow the orhanergun.net blog, as I answered a couple of important frequently asked questions about BGP global routing security.

John Ojo sent the below question/comment: 

Orhan Ergun, thanks for the insights. Hence the need for IRR & RPKI. I attended your BGP Zero to Hero training; now this makes more sense to me, having seen FlowSpec a few weeks ago previously from CenturyLink, to this Protonmail /24 prefix hijack. But my questions are: 1. Why do all these companies not implement these path validation controls?

2. Is it a lack of competent BGP engineers or peering coordinators? Can BGPSec not be automated to avoid human errors? BGP security controls seem to overwhelm a lot of companies, and not all the security approaches are foolproof anyway. Should they just wait until it happens? The need for continuous training and retraining on BGP in depth cannot be overemphasized. I recommend them to train at Orhan Ergun LLC www.orhanergun.net

My answer to his…

Python Pieces: PyEnv and Venvs

In my last post, we talked about PyEnv and how it can help manage your local Python environments. As it turns out, it can also help you manage virtual environments! However, pursuing this functionality took me down a rabbit hole that was a bit deeper than expected. The way that PyEnv works causes some behaviors (and, on my end, assumptions) to change, which made me start questioning some of the things that I’ve always just taken for granted. In other words, prepare yourself to go down the rabbit hole with me.

At first glance, PyEnv promised the same sort of awesome, automagic context-switching craziness that we previously saw work with Python versions. However, the virtual environment management implementation with PyEnv felt rather foreign (and maybe a little clunky?) to me. Most notably, as I pointed out in my last post, the .zshrc alias provided to make the auto-activation piece work slows down my terminal immensely, which is why I omitted using it. A slow terminal is about the worst thing I can think of…

That said, I still think it’s worth reviewing what it can offer so you can…