Archive

Category Archives for "Networking"

How Cloudflare uses Cloudflare Spectrum: A look into an intern’s project at Cloudflare

How Cloudflare uses Cloudflare Spectrum: A look into an intern’s project at Cloudflare
How Cloudflare uses Cloudflare Spectrum: A look into an intern’s project at Cloudflare

Cloudflare extensively uses its own products internally in a process known as dogfooding. As part of my onboarding as an intern on the Spectrum (a layer 4 reverse proxy) team, I learned that many internal services dogfood Spectrum, as they are exposed to the Internet and benefit from layer 4 DDoS protection. One of my first tasks was to update the configuration for an internal service that was using Spectrum. The configuration was managed in Salt (used for configuration management at Cloudflare), which was not particularly user-friendly, and required an engineer on the Spectrum team to handle updating it manually.

This process took about a week. That should instantly raise some questions, as a typical Spectrum customer can create a new Spectrum app in under a minute through Cloudflare Dashboard. So why couldn’t I?

This question formed the basis of my intern project for the summer.

The Process

Cloudflare uses various IP ranges for its products. Some customers also authorize Cloudflare to announce their IP prefixes on their behalf (this is known as BYOIP). Collectively, we can refer to these IPs as managed addresses. To prevent Bad Stuff (defined later) from happening, we prohibit managed addresses from Continue reading

SDN startup Lumina Networks closes shop, citing Covid-19 impact

Lumina Networks, a startup spun-off from the purchase and splintering of Brocade in 2017, is shutting down, citing delays in customer deployments due in part to Covid-19, which starved it for cash. The company had raised $14 million in venture capital, including investments from AT&T and Verizon, but it wasn’t enough.Lumina Networks provided an open source-based SDN controller, called the Lumina SDN Controller, which was formerly the Brocade SDN Controller and power by the OpenDaylight technology. Lumina’s claim to fame was that the SDN Controller could manage both the physical and virtual from the same platform.To read this article in full, please click here

Introducing Deploy Buttons

Introducing Deploy Buttons
Introducing Deploy Buttons

When I first try out new development platforms, the first thing I do is get an OSS (Open Source Software) project I find on Github up and running. I used to start by following tutorials or digging through documentation. It’s a little bit counterintuitive. Let me share with you why. One reason is that Hello, World! examples rarely show the real “magic” of the platform. I want to feel excited and get a sense of how other people are creatively using the platform.

For example, I love it when I can build and deploy an OSS Pokedex app in a few minutes on Flutter to see if the platform actually lives up to the hype. It’s so much easier to do this than to spend a few hours following tutorials and documentation to get through the initial learning curve. You can think of it as shortening the time to first dopamine.

Another reason is that it makes learning the new platform much faster. Building off of an experienced developer’s work shows me which classes and functions are most useful to learn. There’s more nuance to building out full applications than is usually explained in the documentation. I can see how Continue reading

Pluribus bolsters software-defined data center software, Broadcom support

Pluribus Networks has rolled out new software and analytics packages that take aim at customers looking to build and manage software-defined data-center fabrics.The packages include a new release of the company’s core network operating system, Netvisor One, and the accompanying Unum management software as well as a new version of its Insight Analytics platform. They're all designed to simplify the operations of large-scale traditional and distributed edge data centers, the company said.[Get regularly scheduled insights by signing up for Network World newsletters.] Netvisor ONE is a virtualized NOS that provides Layer 2 and Layer 3 networking, distributed fabric intelligence. It virtualizes switch hardware and implements what the company calls an Adaptive Cloud Fabric. Adaptive Cloud Fabric operates without a controller and can be deployed across a single data center, or targeted to specific racks, pods, server farms or hyper-converged infrastructures, the company said. To read this article in full, please click here

Pluribus bolsters software-defined data center software, Broadcom support

Pluribus Networks has rolled out new software and analytics packages that take aim at customers looking to build and manage software-defined data-center fabrics.The packages include a new release of the company’s core network operating system, Netvisor One, and the accompanying Unum management software as well as a new version of its Insight Analytics platform. They're all designed to simplify the operations of large-scale traditional and distributed edge data centers, the company said.[Get regularly scheduled insights by signing up for Network World newsletters.] Netvisor ONE is a virtualized NOS that provides Layer 2 and Layer 3 networking, distributed fabric intelligence. It virtualizes switch hardware and implements what the company calls an Adaptive Cloud Fabric. Adaptive Cloud Fabric operates without a controller and can be deployed across a single data center, or targeted to specific racks, pods, server farms or hyper-converged infrastructures, the company said. To read this article in full, please click here

Internet Society and the Association for Progressive Communications Enter into a Memorandum of Understanding

The Internet Society and the Association for Progressive Communications (APC) have entered into a Memorandum of Understanding (MoU) to work together on designing and deploying community networks, ensuring local connectivity initiatives achieve long-term sustainability, and other areas of joint interest.

APC is an international network of civil society organizations founded in 1990 dedicated to empowering and supporting people working for peace, human rights, development, and protection of the environment, through the strategic use of information and communication technologies (ICTs).

Both organizations have vast experience in growing the Internet through capacity building, advocating for ICT and infrastructure policies, and engaging local communities. This MoU updates and replaces a previous version. We are excited to further advance the work we’ve been doing together for nearly ten years.

The MoU lays out two key areas of joint interest:

  • Developing an enabling environment for communities and local entrepreneurs to solve their own connectivity challenges through design and deployment of community networks, training and capacity building efforts, and highlighting the benefits of connecting the unconnected.
  • Ensuring that local connectivity initiatives are able to reach long-term sustainability, support development opportunities, and contribute to meeting Sustainable Development Goals (SDGs) in relation to connectivity.

“There remains a profound Continue reading

Require hard key auth with Cloudflare Access

Require hard key auth with Cloudflare Access

Last month, attackers compromised a Twitter team member’s access to an internal administrative panel in order to take over high-profile accounts. Full details of the breach are still pending, but Twitter has shared that the attackers stole credentials through a coordinated spear phishing attack.

The attackers convinced a team member to share login permissions, giving the attackers the ability to access the Twitter control plane. Once authenticated, they sent password reset flows to email accounts they controlled in order to hijack the Twitter accounts.

Administrative panels like Twitter’s are a rich target for phishing attacks because they give attackers a backdoor to privileged systems. Customer-facing teams at SaaS companies rely on these administrative panels to update end-user data and troubleshoot user account issues. If an attacker can compromise a single team member’s account they can potentially impact thousands of end users.

We have our own administrative panel at Cloudflare and we’ve deployed a number of safeguards over the last several years to keep it secure from phishing attacks. However, we had no way to enforce the security feature we think would most insulate us from phishing attacks: physical hard keys.

With hard keys, users can only login when they use Continue reading

Orange Clouding with Secondary DNS

What is secondary DNS?

Orange Clouding with Secondary DNS

In a traditional sense, secondary DNS servers act as a backup to the primary authoritative DNS server.  When a change is made to the records on the primary server, a zone transfer occurs, synchronizing the secondary DNS servers with the primary server. The secondary servers can then serve the records as if they were the primary server, however changes can only be made by the primary server, not the secondary servers. This creates redundancy across many different servers that can be distributed as necessary.

There are many common ways to take advantage of Secondary DNS, some of which are:

  1. Secondary DNS as passive backup - The secondary DNS server sits idle until the primary server goes down, at which point a failover can occur and the secondary can start serving records.
  2. Secondary DNS as active backup - The secondary DNS server works alongside the primary server to serve records.
  3. Secondary DNS with a hidden primary - The nameserver records at the registrar point towards the secondary servers only, essentially treating them as the primary nameservers.

What is secondary DNS Override?

Secondary DNS Override builds on the Secondary DNS with a hidden primary model by allowing our Continue reading

Doing Good for the Internet – Alex Band, Director @ NLnet Labs

NLnet Labs is a not-for-profit foundation with a long heritage in research and development, Internet architecture and governance, as well as stability and security in the area of DNS and inter-domain routing.

In this episode you will hear all about doing good for the internet with open source, DNS and RPKI.

In this episode you will hear all about doing good for the internet with open source, DNS and RPKI.

Which Public Cloud Should I Master First?

I got a question along these lines from a friend of mine:

Google recently announced a huge data center build in country to open new GCP regions. Does that mean I should invest into mastering GCP or should I focus on some other public cloud platform?

As always, the right answer is “it depends”, for example:

Vrnetlab – Run virtual routers in Docker containers

It’s time to have a look at some Network Automation tools. Today I want to introduce you to Vrnetlab, great piece of software that allows you to run virtual routers inside Docker containers. We’ll talk about what Vrnetlab does and what are its selling points. Then we’ll see how to bring up lab devices by hand and how to use them.

Contents

Vrnetlab overview

Vrnetlab provides convenient way of building virtualized network environments by leveraging existing Docker ecosystem.

This means that you can take image of virtual appliance provided by the vendor and use Vrnetlab to create containers for it. The selling point here is that the whole tool-chain was created with automation in mind, that is you can build your network automation CI pipeline on top of Vrnetlab and no human is needed to spin up the environment, and run Continue reading

ESXi VM – The CPU has been disabled by the guest operating system

For some weeks now, a couple of my virtual machines on ESXi would stop working out of nowhere. They were completely unresponsive (including via the ESXi VM Console). Nothing would help, except a shutdown / start of the VM. Just to find out later that, randomly, the VM would become unresponsive again. The only human … Continue reading ESXi VM – The CPU has been disabled by the guest operating system

Split-tunnel VPNs—friend or foe?

Virtual private networks (VPNs) provide security when remote workers access corporate networks, but they’re notoriously slow. Backhauling all traffic for all remote users through the corporate data center just isn’t practical when work from home really starts to scale. Fortunately, VPNs can be configured to operate in more than one way.

Today, most organizations—regardless of size—use some combination of on-premises and public cloud computing. This means that some requests need to go to one or more corporate data centers, while some need to find their way to the Internet.

Traditional VPNs send all requests—both corporate-bound and Internet-bound—through the corporate network because that’s where the corporate information security defenses are located. Today, this approach is causing significant performance problems.

Scaling …

The most popular traditional solution to the problem of VPN performance problems was to just buy a bigger router or firewall. The overhead of the VPN tunnel on throughput isn’t that large, and many traditional corporate applications weren’t latency sensitive. This meant that performance problems usually occurred because the device where the VPNs terminated—the router or firewall—just didn’t have enough processing power to handle the required number of concurrent sessions at the current level of throughput usage.

Times have changed, Continue reading