The Hedge Podcast 54: Bob Friday and AI in Networks
AI in networks is a hotly contested subject—so we asked Bob Friday, CTO of Mist Systems, to explain the value and future of AI in networks. Bob joins Tom Ammon and Russ White for this episode.
Offered Mid-Career Advice
A meeting with Duan Lightfoot from Lab Everyday to discuss mid-career choices.
Day Two Cloud 068: Achieving Crucial Cloud Visibility With Riverbed (Sponsored)
Today's show explores cloud visibility with sponsor Riverbed. Perhaps best known for its Steelhead WAN optimization appliances, Riverbed has a suite of solutions that target cloud performance and visibility, and we'll get to know them. Our Riverbed guests are Dr. Vincent Berk, VP, Chief Architect Security, CTO; and Brandon Carroll, Director, Technical Evangelist, Worldwide Marketing Management.
The post Day Two Cloud 068: Achieving Crucial Cloud Visibility With Riverbed (Sponsored) appeared first on Packet Pushers.
Day Two Cloud 068: Achieving Crucial Cloud Visibility With Riverbed (Sponsored)
Today's show explores cloud visibility with sponsor Riverbed. Perhaps best known for its Steelhead WAN optimization appliances, Riverbed has a suite of solutions that target cloud performance and visibility, and we'll get to know them. Our Riverbed guests are Dr. Vincent Berk, VP, Chief Architect Security, CTO; and Brandon Carroll, Director, Technical Evangelist, Worldwide Marketing Management.You Can’t Do Everything, And That’s Okay
You’re a responsible human–a reliable person who does everything that’s expected and more. Congratulations! Here’s more work to do.
Yep, that’s the rub. If you’re good at your job and other people notice, you get never-ending opportunities to prove once again how good you are. More work to do, and more work to do, and more. The balance in your life is lost as you drown under a pile of opportunities and challenges with deliverables, due dates, and project managers scheduling recurring meetings to get status updates.
No Good Deed Goes Unpunished
If you’ve been through a few jobs, no doubt you’re familiar with this cycle. You leave the old job with a sense of relief, having transitioned your projects to others in a ceremony known as “the hand-off.” You chuckle a bit to yourself as your co-workers and manager who clearly didn’t grasp what all you were handling go glassy-eyed as you talk them through it.
You start the new job with a lightness in your heart. No projects. No due dates. No recurring meetings. The anxiety of getting familiar with a new company, figuring out your role, learning the politics, sure–there’s all that to contend with. But Continue reading
Nigeria’s IXPs – Enabling Better Connectivity, Faster Internet Delivery, and Improving Internet Service
Nigeria grew its local Internet traffic from 30% to 70% in the past eight years, connecting more people, increasing speed, and reducing costs. They did this through Internet Exchange Points (IXPs), according to the Internet Society report Anchoring the African Internet Ecosystem: Lessons from Kenya and Nigeria’s Internet Exchange Points Growth.
Between 2012 and 2020, the number of peering networks has grown from 30 to 71 and new exchange platforms have been set up in Abuja, Kano, and Port Harcourt. More networks and more IXPs increased the amount of Internet traffic exchanged in Nigeria from 300 Mbps to peak traffic of 125 Gbps in Lagos.
Muhammed Rudman started the Internet Exchange Point of Nigeria (IXPN) in 2006, when the industry was developing. Most networks did not peer in Nigeria. One major submarine cable, Sat3, offered services across the country with others getting service via VSATs. This meant ninety-nine percent of websites were hosted abroad.
“The terrain was tough,” says Rudman, an IT veteran and founding Chief Executive Officer of IXPN, which is based in Lagos, Nigeria’s largest city. Approaching Internet service providers, he was often asked how many networks were already peering. Without any networks exchanging traffic, he’d often hear, “When you Continue reading
BGP Routing Security Discussion on Linkedin
After I published the Telstra’s hijack effecting many networks post on Linkedin, one of my students asked couple good questions under that post.
I thought sharing that post here would be beneficial for those who follow orhanergun.net blog, as I explained couple important frequently asked questions about BGP Global routing security.
John Ojo sent the below question/comment:
Orhan Ergun thanks for the insights. Hence the need for IRR & RPKI. I attended your BGP Zero to Hero training now this makes more sense to me haven seen flowspec a few weeks ago previously from Centurylink to this protonmail /24 prefix highjack. But my questions are; 1. Why do all these companies not implement these path validation controls?
2. Is it lack of competent BGP Engineers or Peering Coordinators can BGPSec not be automated to avoid human errors? BGP Security controls seem to overwhelm a lot of companies and not all the Security approaches are full proof anyway. Should they just wait until it happens? The need for continuous training and retraining cannot be overemphasized on BGP in-depth. I recommend them to train at Orhan Ergun LLC www.orhanergun.net
My answer to his Continue reading
Python Pieces: PyEnv and Venvs
In my last post, we talked about PyEnv and how it can help manage your local Python environments. As it turns out it can also help you manage virtual environments as well! However – pursuing this functionality took me down a rabbit hole that was a bit deeper than expected. The way that PyEnv works causes some behaviors (and on my end assumptions) to change which made me start questioning some of the things that I’ve always just taken for granted. In other words – prepare yourself to go down the rabbit hole with me.
At first glance PyEnv promised the same sort of awesome automagically context switching craziness that we saw previously work with Python versions. However – the virtual environment management implementation with PyEnv felt rather foreign (and maybe a little clunky?) to me. Most notably, as I pointed out in my last post, the .zshrc alias provided to make the auto activation piece work slows down my terminal immensely which is why I omitted using it. A slow terminal is about the worst thing I can think of…
That said – I still think it’s worth reviewing what it can offer so you can Continue reading
Introducing Cloudflare Radar
Unlike the tides, Internet use ebbs and flows with the motion of the sun not the moon. Across the world usage quietens during the night and picks up as morning comes. Internet use also follows patterns that humans create, dipping down when people stopped to applaud healthcare workers fighting COVID-19, or pausing to watch their country’s president address them, or slowing for religious reasons.
And while humans leave a mark on the Internet, so do automated systems. These systems might be doing useful work (like building search engine databases) or harm (like scraping content, or attacking an Internet property).
All the while Internet use (and attacks) is growing. Zoom into any day and you’ll see the familiar daily wave of Internet use reflecting day and night, zoom out and you’ll likely spot weekends when Internet use often slows down a little, zoom out further and you might spot the occasional change in use caused by a holiday, zoom out further and you’ll see that Internet use grows inexorably.
And attacks don’t only grow, they change. New techniques are invented while old ones remain evergreen. DDoS activity continues day and night roaming from one victim to another. Automated scanning tools look Continue reading
Speeding up HTTPS and HTTP/3 negotiation with… DNS
In late June, Cloudflare's resolver team noticed a spike in DNS requests for the 65479 Resource Record thanks to data exposed through our new Radar service. We began investigating and found these to be a part of Apple’s iOS14 beta release where they were testing out a new SVCB/HTTPS record type.
Once we saw that Apple was requesting this record type, and while the iOS 14 beta was still on-going, we rolled out support across the Cloudflare customer base.
This blog post explains what this new record type does and its significance, but there’s also a deeper story: Cloudflare customers get automatic support for new protocols like this.
That means that today if you’ve enabled HTTP/3 on an Apple device running iOS 14, when it needs to talk to a Cloudflare customer (say you browse to a Cloudflare-protected website, or use an app whose API is on Cloudflare) it can find the best way of making that connection automatically.
And if you’re a Cloudflare customer you have to do… absolutely nothing… to give Apple users the best connection to your Internet property.
Negotiating HTTP security and performance
Whenever a user types a URL in the browser box without specifying a Continue reading
The Next Generation of Cognitive Campus Workspaces
Campus networks are undergoing another massive transition in the COVID teleworking era. With this fundamental shift and as administrators consider an interconnected IoT (Internet of Things) environment, the boundary between the office, home, teleworker and user is converging. Security concerns with ever-increasing threat vectors are substantiated. How does one secure an IoT environment and guard against malware and outbreaks? How is the network impacted as some workloads shift to the cloud? Why do we cope with wired and wireless silos? The challenge lies in successfully transitioning the existing siloed campus into an integral data-driven model for clients, users and devices from IoT to cloud with a common experience, while addressing security and availability needs with lower operational costs. These are the key requirements of the third-generation campus evolution as shown in the figure below.
The Next Generation of Cognitive Campus Workspaces
Campus networks are undergoing another massive transition in the COVID teleworking era. With this fundamental shift and as administrators consider an interconnected IoT (Internet of Things) environment, the boundary between the office, home, teleworker and user is converging. Security concerns with ever-increasing threat vectors are substantiated. How does one secure an IoT environment and guard against malware and outbreaks? How is the network impacted as some workloads shift to the cloud? Why do we cope with wired and wireless silos? The challenge lies in successfully transitioning the existing siloed campus into an integral data-driven model for clients, users and devices from IoT to cloud with a common experience, while addressing security and availability needs with lower operational costs. These are the key requirements of the third-generation campus evolution as shown in the figure below.
Telstra’s Hijack effected many networks today!
Today I woke up with a Telstra’s ProtonMail Hijack news. In fact, one of my Linkedin connections, friend, sent me the ITNews post about the incident.
When I saw it, obviously it was Hijack, not Route Leak or other type of attacks but, the post was not explaining any technical detail, what kind of attack it was, can it be prevented somehow ,etc.
Thus, I wanted to mention briefly about those points, explaining technically, while trying to keep it understandable.
By the way, BGP Security and many other topics about BGP was covered in my week long BGP Zero to Hero course. If you are technical person, don’t miss it!.
Before I start explaining this incident, I should mention that, this incident was totally different than recent Century Link caused outage. In Century Link case, issue was their routing policy. In fact, carrying security policy over routing (I know sounds complex, thus I won’t mention, lack of feedback loop with Flowspec, RFC 5575).
Okay, what happened with Telstra’s Hijack?
Swiss email provider ProtonMail shared a tweet that Telstra was announcing its 185.70.40.0/24.
This subnet belongs to ProtonMail and Telstra announcing it as Continue reading
Post-Quantum Cryptography: Hype and Reality
Post-quantum cryptography (algorithms resistant to quantum computer attacks) is quickly turning into another steaming pile of hype vigorously explored by various security vendors.
Christoph Jaggi made it his task to debunk at least some of the worst hype, collected information from people implementing real-life solutions in this domain, and wrote an excellent overview article explaining the potential threats, solutions, and current state-of-the art.
You (RFC 6919) OUGHT TO read his article before facing the first vendor presentation on the topic.
Post-Quantum Cryptography: Hype and Reality
Post-quantum cryptography (algorithms resistant to quantum computer attacks) is quickly turning into another steaming pile of hype vigorously explored by various security vendors.
Christoph Jaggi made it his task to debunk at least some of the worst hype, collected information from people implementing real-life solutions in this domain, and wrote an excellent overview article explaining the potential threats, solutions, and current state-of-the art.
You (RFC 6919) OUGHT TO read his article before facing the first vendor presentation on the topic.
Improving Network Security By Effective Deflecting Strategies
Network deflection measures are essential for creating defensive "depth" and increasing the friction intruders face when entering a compromised system.Countering the Rise of Adversarial ML
The security community has found an important application for machine learning (ML) in its ongoing fight against cybercriminals. Many of us are turning to ML-powered security solutions like NSX Network Detection and Response that analyze network traffic for anomalous and suspicious activity. In turn, these ML solutions defend us from threats better than other solutions can by drawing on their evolving knowledge of what a network attack looks like.
Attackers are well-aware of the fact that security solutions are using AI and ML for security purposes. They also know that there are certain limitations when it comes to applying artificial intelligence to computer security. This explains why cyber criminals are leveraging ML to their advantage in something known as adversarial machine learning.
In this post I’ll explain just what adversarial machine learning is and what it is not. To start, the label itself can be a bit misleading. It sounds like criminals are actually using ML as part of their attack. But that is not the case. The simple explanation is that they’re using more conventional methods to understand how security solutions are using ML so that they can then figure out how to Continue reading