Category Archives for "Networking"

Phased Approach to Securing a Data Center

In the fight against relentless cyberattacks, organizations have long relied on traditional perimeter firewalls to protect sensitive workloads and information in the data center. But today, in the era of distributed applications and hybrid cloud environments, we know that perimeter defenses are not enough to stop cybercriminals.  

To improve security postures inside corporate networks — which means protecting against both bad actors who penetrate perimeter defenses and malicious insiders — organizations must monitor, detect, and block hostile east-west (internal) traffic using internal firewalls.  

To date, network and security professionals have generally viewed securing east-west traffic as too complex, expensive, and time-consuming for their brownfield, and even greenfield, data centers. At VMware, we agree with that perception: it's certainly true for organizations trying to detect and prevent the lateral movement of attackers by employing traditional, appliance-based perimeter firewalls as internal firewalls.

There’s a Better Way to Secure the Data Center 

Instead of awkwardly forcing appliance-based firewalls to serve as internal firewalls, organizations should employ a distributed, scale-out internal firewall specifically Continue reading

Why I’m Helping Cloudflare Grow in Japan

I’m excited to say that I’ve recently joined the Cloudflare team as Head of Japan. Cloudflare has had a presence in Japan for a while now, not only with its network spanning the country, but also with many Japanese customers and partners which I’m now looking forward to growing with. In this new role, I’m focused on expanding our capabilities in the Japanese market, building upon our current efforts, and helping more companies in the region address and put an end to the technical pain points they are facing. This is an exciting time for me and an important time for the company. Today, I’m particularly eager to share that we are opening Cloudflare’s first Japan office, in Tokyo! I can’t wait to grow the Cloudflare business and team here.

Why Cloudflare?

The web was built 25 years ago. This invention changed the way people connected—to anyone and anywhere—and the way we work, play, live, learn, and so on. We have seen this become more and more complex. With complexities come difficulties, such as ensuring security, performance, and reliability while online. Cloudflare is helping to solve these challenges that businesses Continue reading

EIGRP Behavior with IP Unnumbered

Carl Zellers asked an excellent question on how EIGRP works when run over FlexVPN with IP unnumbered, considering that routers will not be on a common subnet. I thought this was a great question so I took some help from my great friend, the EIGRP guru, Peter Palúch.

First, let’s examine the behavior when EIGRP is run on a numbered interface. I have built a very simple lab consisting of three routers, R1, R2, and R3, where R1 and R3 are separated by R2. To demonstrate that EIGRP checks that incoming hellos are received on a common subnet, the following simple configurations were applied to R1 and R2:

R1:

interface GigabitEthernet1
 ip address 10.0.0.1 255.255.255.0
!
router eigrp LAB
 !
 address-family ipv4 unicast autonomous-system 64512
  !
  topology base
  exit-af-topology
  network 10.0.0.0 0.0.0.255
 exit-address-family

R2:

interface GigabitEthernet1
 ip address 10.0.1.1 255.255.255.0
!
router eigrp LAB
 !
 address-family ipv4 unicast autonomous-system 64512
  !
  topology base
  exit-af-topology
  network 10.0.1.0 0.0.0.255
 exit-address-family

This results in the familiar messages on the console:

*Jul 15 08:53:20.966: %DUAL-6-NBRINFO: EIGRP-IPv4 64512: Neighbor 10.0.0.1 (GigabitEthernet1) is blocked: not  Continue reading

Cloudflare outage on July 17, 2020

Today a configuration error in our backbone network caused an outage for Internet properties and Cloudflare services that lasted 27 minutes. We saw traffic drop by about 50% across our network. Because of the architecture of our backbone this outage didn’t affect the entire Cloudflare network and was localized to certain geographies.

The outage occurred because, while working on an unrelated issue with a segment of the backbone from Newark to Chicago, our network engineering team updated the configuration on a router in Atlanta to alleviate congestion. This configuration contained an error that caused all traffic across our backbone to be sent to Atlanta. This quickly overwhelmed the Atlanta router and caused Cloudflare network locations connected to the backbone to fail.

The affected locations were San Jose, Dallas, Seattle, Los Angeles, Chicago, Washington, DC, Richmond, Newark, Atlanta, London, Amsterdam, Frankfurt, Paris, Stockholm, Moscow, St. Petersburg, São Paulo, Curitiba, and Porto Alegre. Other locations continued to operate normally.

For the avoidance of doubt: this was not caused by an attack or breach of any kind.

We are sorry for this outage and have already made a global change to the backbone configuration that will prevent it from being able to occur Continue reading

AI startup Graphcore launches Nvidia competitor

A British chip startup has launched what it claims is the world's most complex AI chip, the Colossus MK2 or GC200 IPU (intelligence processing unit). Graphcore is positioning its MK2 against Nvidia's Ampere A100 GPU for AI applications. The MK2 and its predecessor MK1 are designed specifically to handle very large machine-learning models. The MK2 processor has 1,472 independent processor cores and 8,832 separate parallel threads, all supported by 900MB of in-processor RAM.

Heavy Networking 530: Everything You Need To Know About Wireless ISPs

Today's Heavy Networking dives into wireless Internet Service Providers, or WISPs. WISPs typically serve rural areas that have limited access to fiber or copper, but they also serve metro and urban areas and industrial sectors such as energy. Our guests to inform and instruct us about WISPs are Kevin Myers, Senior Network Architect at IP ArchiTechs; and Cory Steele, Senior Consultant at STIGroup.

The post Heavy Networking 530: Everything You Need To Know About Wireless ISPs appeared first on Packet Pushers.

The Silver (Peak) Lining For HPE and Cloud

You no doubt saw the news this week that HPE announced that they’re buying Silver Peak for just shy of $1 billion. It’s a good exit for Silver Peak and should provide some great benefits for both companies. There was a bit of interesting discussion around where this fits in the bigger picture for HPE, Aruba, and the cloud. I figured I’d throw my hat in the ring and take a turn discussing it.

Counting Your Chickens

First and foremost, let’s discuss where this acquisition is headed. HPE announced it and they’re the ones holding the purse strings. But the acquisition post was courtesy of Keerti Melkote, who runs the Aruba, a Hewlett Packard Enterprise Company (Aruba) side of the house. Why is that? It’s because HPE “reverse acquired” Aruba and sent all their networking expertise and hardware down to the Arubans to get things done.

I would venture to say that Aruba’s acquisition was the best decision HPE could have made. It gave them immediate expertise in an area they sorely needed help. It gave Aruba a platform to build on and innovate from. And it ultimately allowed HPE to shore up their campus networking story while trying Continue reading

Auto BGP

The NVIDIA® Cumulus Linux 4.2.0 release introduces a nifty new feature called auto BGP, which makes BGP ASN assignment in a two-tier leaf and spine network configuration a breeze. Auto BGP does the work for you without making changes to standard BGP behavior or configuration so that you don’t have to think about which numbers to allocate to your switches. This helps you build optimal ASN configurations in your data center and avoid suboptimal routing and path hunting, which occurs when you assign the wrong spine ASNs.

If you don’t care about ASNs, then this feature is for you. But if you do, you can always configure BGP the traditional way, where you have control over which ASN to allocate to your switch. What I like about this feature is that you can mix and match; you don’t have to use auto BGP across all switches in your configuration – you can use it to configure one switch but allocate ASNs manually to other switches.

So, how does auto BGP assign ASNs?

We use private 32-bit ASN numbers in the range 4200000000 through 4294967294. This is the private space defined in RFC 6996. Each leaf is Continue reading

Building a diverse and strong Internet Society Board of Trustees

[Published on behalf of the Internet Society Board of Trustees.]

The Internet Society’s 2020 AGM (Annual General Meeting) is going to be held on the first weekend of August. While the meeting had originally been planned as a face-to-face meeting, the Board decided to turn it into an online meeting instead given the current COVID-19 pandemic.

The AGM is the meeting where we say goodbye to the outgoing trustees. We want to thank them for all their efforts during their terms and wish them good luck in their future endeavours. We are confident they will continue supporting the Internet Society down the road.

The AGM is also the meeting where we welcome the incoming trustees. This year is special because we will be welcoming five new trustees. This represents a significant Board turnover for a Board of twelve voting trustees. Therefore, we are currently running a comprehensive onboarding process to get our new trustees up to speed as efficiently as possible.

As you know, the Board is selected and elected by our community, with the IETF, Organizational Members, and Chapters each independently choosing a third of the Trustees. Next year, at the 2021 AGM, three trustees will be reaching Continue reading

In Africa, An Open Internet Standards Course for Universities

Seventy university students from the Democratic Republic of Congo (DRC), Ethiopia, Kenya, and Ghana gained insights into open Internet standards

Many of the Internet standards that make the Internet work today are developed using open processes. Early exposure to these processes could significantly help future engineers play a role in the evolution of the Internet.

Next Generation of Open Internet Standards Experts in Africa

To expose the next generation of African experts to open Internet standards, the Internet Society put together a short pilot course on Internet Protocol Security (IPSec). IPSec is a technology used to improve communication security between devices on the Internet.

To promote the teaching of open Internet standards in African Universities, the one-month course brought together 70 students from 4 African universities from DRC, Ethiopia, Kenya, and Ghana. The pilot course was designed to provide university lecturers with additional training material to support existing courses at universities.

Facilitators

Technology experts Dr. Daniel Migault, Professor Nabil Benamar, and Loganaden Velvindron facilitated the learning experience. Between March and April 2020, they delivered online lectures for three weeks before opening up a week for student assignments.

The Internet Society’s Regional Vice President for Africa Dawit Bekele said the course Continue reading

Serverless Rendering with Cloudflare Workers

Cloudflare’s Workers platform is a powerful tool; a single compute platform for tasks as simple as manipulating requests or complex as bringing application logic to the network edge. Today I want to show you how to do server-side rendering at the network edge using Workers Sites, Wrangler, HTMLRewriter, and tools from the broader Workers platform.

Each page returned to the user will be static HTML, with dynamic content being rendered on our serverless stack upon user request. Cloudflare’s ability to run this across the global network allows pages to be rendered in a distributed fashion, close to the user, with minuscule cold start times for the application logic. Because this is all built into Cloudflare’s edge, we can implement caching logic to significantly reduce load times, support link previews, and maximize SEO rankings, all while allowing the site to feel like a dynamic application.

A Brief History of Web Pages

In the early days of the web, pages were almost entirely static - think raw HTML. As Internet connections, browsers, and hardware matured, so did the content on the web. The world went from static sites to more dynamic content, powered by technologies like CGI, PHP, Flash, CSS, JavaScript, and Continue reading

Social Networking Do’s and Don’ts

In this era of growing technology, social media plays a significant role when it comes to networking. Unlike the traditional practices, social media sites like Facebook and LinkedIn are heavily relied on when it comes to networking. Now these sites are even used to look for the new talent as recruiters use it as a recruitment tool to fill in new positions at their workplaces. Social networking plays an important role in getting to know new people and building strong public relations.

In this article we will cover the Do’s and Don’ts of Social Networking and how you can make the most of it.

The Do’s:

Do Maintain a Proper Profile

Usually people fail to maintain a proper profile on their social media accounts, because they seem to think it is not that important. Wrong! In order to network socially, it is crucial that you have a small but complete and updated profile so that people do not consider you fake or a scam.

Do Add Value

One of the best ways to maintain an online presence that is unique and different is by being visible and by adding value. It is important to get to know people by joining Continue reading

Counterfeit Cisco switches raise network security alarms

In a disconcerting event for IT security professionals, counterfeit versions of Cisco Catalyst 2960-X Series switches were discovered on an unnamed business network, and the fake gear was found to be designed to circumvent typical authentication procedures, according to a report from F-Secure. F-Secure says its investigators found that while the counterfeit Cisco 2960-X units did not have any backdoor-like features, they did employ various measures to fool security controls. For example, one of the units exploited what F-Secure believes to be a previously undiscovered software vulnerability to undermine secure boot processes that provide protection against firmware tampering.

Visibility into dropped packets

Dropped packets have a profound impact on network performance and availability. Packet discards due to congestion can significantly impact application performance. Dropped packets due to black hole routes, expired TTLs, MTU mismatches, etc. can result in insidious connection failures that are time consuming and difficult to diagnose.

Devlink Trap describes recent changes to the Linux drop monitor service that provide visibility into packets dropped by switch ASIC hardware. When a packet is dropped by the ASIC, an event is generated that includes the header of the dropped packet and the reason why it was dropped. A hardware policer is used to limit the number of events generated by the ASIC to a rate that can be handled by the Linux kernel. The events are delivered to userspace applications using the Linux netlink service.

Running the dropwatch command line tool on an Ubuntu 20 system demonstrates the instrumentation:
pp@ubuntu20:~$ sudo dropwatch
Initializing null lookup method
dropwatch> set alertmode packet
Setting alert mode
Alert mode successfully set
dropwatch> start
Enabling monitoring...
Kernel monitoring activated.
Issue Ctrl-C to stop monitoring
drop at: __udp4_lib_rcv+0xae5/0xbb0 (0xffffffffb05ead95)
origin: software
input port ifindex: 2
timestamp: Wed Jul 15 23:57:36 2020 223253465 nsec
protocol: 0x800
length: 128
original Continue reading

Cloudflare’s first year in Lisbon

A year ago I wrote about the opening of Cloudflare’s office in Lisbon; it’s hard to believe that a year has flown by. At the time I wrote:

Lisbon’s combination of a large and growing existing tech ecosystem, attractive immigration policy, political stability, high standard of living, as well as logistical factors like time zone (the same as the UK) and direct flights to San Francisco made it the clear winner.

We landed in Lisbon with a small team of transplants from other Cloudflare offices. Twelve of us moved from the UK, US and Singapore to bootstrap here. Today we are 35 people with another 10 having accepted offers; we’ve almost quadrupled in a year and we intend to keep growing to around 80 by the end of 2020.

If you read back to my description of why we chose Lisbon only one item hasn’t turned out quite as we expected. Sure enough TAP Portugal does have direct flights to San Francisco but the pandemic put an end to all business flying worldwide for Cloudflare. We all look forward to getting back to being able to visit our colleagues in other locations.

The pandemic also put us in the Continue reading

Happy 10-year Anniversary Lostintransit

Wow! I can’t believe it. I’ve been blogging for 10 years! Where did the time go? July 16th 2010 is when I posted the first time to this blog. It was a post saying “I’m game” and I included Radia Perlman’s Algorhyme.

August 27th 2010, I wrote that I wanted to pass the CCIE lab within two years. Turns out I wasn’t too far from the truth. I passed late October 2012. Greg Ferro himself popped in to wish me good luck:

January 2011, I passed the written. I took a slightly different approach from many: I spent a considerable amount of time, around 200h if I remember correctly, building a strong foundation before moving on to labbing. Today you would take the ENCOR exam, of course. But I still think this is a valid strategy.

It took me a little more than 6 months to get my first 5000 views. It’s good to remember that. Especially for those of you just starting out. This site has now had more than a million views but it took some time to get there. It doesn’t get as many views as you probably think, either.

I took my first stab at Continue reading

IPv6 and the DNS

These days it seems that whenever we start to talk about the DNS the conversation immediately swings around to the subject of DNS over HTTPS (DoH) and the various implications of this technology. But that's not my intention here. I'd like to look at a different, but still very familiar and somewhat related, topic relating to the DNS, namely how IPv6 is being used as a transport protocol for DNS queries.