Archive

Category Archives for "Networking"

NTS RFC Published: New Standard to Ensure Secure Time on the Internet

The Internet Society is pleased to see the publication of RFC 8915: Network Time Security for the Network Time Protocol by the Internet Engineering Task Force (IETF). This standard represents a new security mechanism for one of the oldest protocols on the Internet, the Network Time Protocol (NTP).

Secure and Accurate Time

NTP enables the synchronization of time on computers connected by a network. Time is very important for many vital everyday functions, such as financial transactions and the correct operation of electrical power systems and transportation systems. Secure and accurate time is also crucial for many Internet security technologies including basic website security. As everything becomes more distributed and more online, synchronized time in computers becomes even more important. But despite all this, security for NTP has lagged behind in development and deployment. Network Time Security (NTS) was developed to fill this gap.

The publication of the NTS protocol on 1 October, 2020 represents the culmination of many years of work by the IETF NTP Working Group. NTS adds cryptographic security for the client-server mode of NTP. So, what does this mean? It means that NTP can now confirm the identity of the network clocks that are exchanging time Continue reading

NTS is now an RFC

NTS is now an RFC

Earlier today the document describing Network Time Security for NTP officially became RFC 8915. This means that Network Time Security (NTS) is officially part of the collection of protocols that makes the Internet work. We’ve changed our time service to use the officially assigned port of 4460 for NTS key exchange, so you can use our service with ease. This is big progress towards securing a ubiquitous Internet protocol.

Over the past months we’ve seen many users of our time service, but very few using Network Time Security. This leaves computers vulnerable to attacks that imitate the server they use to obtain NTP. Part of the problem was the lack of available NTP daemons that supported NTS. That problem is now solved: chrony and ntpsec both support NTS.

Time underlies the security of many of the protocols such as TLS that we rely on to secure our online lives. Without accurate time, there is no way to determine whether or not credentials have expired. The absence of an easily deployed secure time protocol has been a problem for Internet security.

Without NTS or symmetric key authentication there is no guarantee that your computer is actually talking NTP with the computer Continue reading

How sensors, ambient intelligence could revolutionize healthcare

Networks of radio-connected, intelligent sensors will propel the healthcare industry forward as increasing numbers of patients need care, researchers say. Two academic institutions recently shared details about how IoT-based technology might help mitigate clinical errors and improve caregiving in hospitals – an environment that's under increased strain due to coronavirus cases – as well as at home.The School of Engineering at Stanford University is exploring how a combination of electronic sensors and artificial intelligence could be installed in hospital rooms and elder care homes to help medical professionals monitor and treat patients more effectively.To read this article in full, please click here

BGP FlowSpec on Arista vEOS

BGP FlowSpec is an another Multiptocol-BGP extension with SAFI 133. Created for the purpose of DoS and DDoS attacks mitigation, it brings a new NLRI that collects 12 types of L3 and L4 information. These information creates a flow which defines criteria used for matching DDoS parameters. For instance, a flow can match victim's IP, […]
Continue reading...

Introducing API Shield

Introducing API Shield

APIs are the lifeblood of modern Internet-connected applications. Every millisecond they carry requests from mobile applications—place this food delivery order, “like” this picture—and directions to IoT devices—unlock the car door, start the wash cycle, my human just finished a 5k run—among countless other calls.

They’re also the target of widespread attacks designed to perform unauthorized actions or exfiltrate data, as data from Gartner increasingly shows: “by 2021, 90% of web-enabled applications will have more surface area for attack in the form of exposed APIs rather than the UI, up from 40% in 2019, and “Gartner predicted that, by 2022, API abuses will move from an infrequent to the most-frequent attack vector, resulting in data breaches for enterprise web applications”[1][2]. Of the 18 million requests per second that traverse Cloudflare’s network, 50% are directed towards APIs—with the majority of these requests blocked as malicious.

To combat these threats, Cloudflare is making it simple to secure APIs through the use of strong client certificate-based identity and strict schema-based validation. As of today, these capabilities are available free for all plans within our new “API Shield” offering. And as of today, the security benefits also extend to gRPC-based APIs, which use binary Continue reading

Announcing support for gRPC

Announcing support for gRPC

Today we're excited to announce beta support for proxying gRPC, a next-generation protocol that allows you to build APIs at scale. With gRPC on Cloudflare, you get access to the security, reliability and performance features that you're used to having at your fingertips for traditional APIs. Sign up for the beta today in the Network tab of the Cloudflare dashboard.

gRPC has proven itself to be a popular new protocol for building APIs at scale: it’s more efficient and built to offer superior bi-directional streaming capabilities. However, because gRPC uses newer technology, like HTTP/2, under the covers, existing security and performance tools did not support gRPC traffic out of the box. This meant that customers adopting gRPC to power their APIs had to pick between modernity on one hand, and things like security, performance, and reliability on the other. Because supporting modern protocols and making sure people can operate them safely and performantly is in our DNA, we set out to fix this.

When you put your gRPC APIs on Cloudflare, you immediately gain all the benefits that come with Cloudflare. Apprehensive of exposing your APIs to bad actors? Add security features such as WAF and Bot Management. Need Continue reading

Network Automation Isn’t Easy

Contrary to what some evangelists would love you to believe, getting fluent in network automation is a bit harder than watching 3-minute videos and cobbling playbooks together with google-and-paste… but then nothing really worth doing is ever easy, or everyone else would be doing it already.

Here’s a typical comment from a Building Network Automation Solutions attendee:

I’m loving the class. I feel more confused than I ever have in my 23 year career… but I can already see the difference in my perspective shift in all aspects of my work.

Read more …

Network Automation Isn’t Easy

Contrary to what some evangelists would love you to believe, getting fluent in network automation is a bit harder than watching 3-minute videos and cobbling playbooks together with google-and-paste… but then nothing really worth doing is ever easy, or everyone else would be doing it already.

Here’s a typical comment from a Building Network Automation Solutions attendee:

I’m loving the class. I feel more confused than I ever have in my 23 year career… but I can already see the difference in my perspective shift in all aspects of my work.

Read more …

Navigating your Linux files with ranger

Ranger is a unique and very handy file system navigator that allows you to move around in your Linux file system, go in and out of subdirectories, view text-file contents and even make changes to files without leaving the tool.It runs in a terminal window and lets you navigate by pressing arrow keys. It provides a multi-level file display that makes it easy to see where you are, move around the file system and select particular files.To install ranger, use your standard install command (e.g., sudo apt install ranger). To start it, simply type “ranger”. It comes with a lengthy, very detailed man page, but getting started with ranger is very simple.To read this article in full, please click here

Kubernetes Q3-2020: Threats, Exploits and TTPs

Kubernetes has become the world’s most popular container orchestration system and is taking the enterprise ecosystem by storm. At this disruptive moment it’s useful to look back and review the security threats that have evolved in this dynamic landscape. Identifying these threats and exploits and being a proactive learner may save you a lot of time and effort…as well as help you retain your reputation in the long run. In this blog we’ll look at some critical security issues faced by the Kubernetes ecosystem in the recent past, and examine the top tactics, techniques and procedures (TTPs) used by attackers.

Major Vulnerabilities

Everyday, new Kubernetes ecosystem Common Vulnerabilities and Exposures (CVEs) are published. Let’s take a closer look at some of the cloud shakers…

CVE-2020-14386: Using privilege escalation vulnerability to escape the pod
A flaw was found in the Linux kernel before 5.9-rc4. Memory corruption can be exploited to gain root privileges from unprivileged processes.

We received notification that some instances in our cloud infrastructure are vulnerable to this CVE. When we took a closer look, it appeared to be a typical privilege escalation vulnerability using AF sockets on hosts. Unprivileged users with CAP_NET_RAW permissions can send packets Continue reading

Introducing VMware Transit Connect for networking and security on VMware Cloud on AWS

As you migrate and expand your deployments on VMware Cloud on AWS, your network connectivity provides the foundational infrastructure for all workloads in your SDDCs. When you then scale across multiple SDDCs — which also need to network with several data centers and tens or even hundreds of VPCs — scaling network connectivity becomes a critical challenge.  

In this context, we’re excited to announce a number of new networking and security capabilities on VMware Cloud on AWS. 

  • SDDC Groups – a way to organize SDDCs together for ease of management
  • VMware Transit Connect –high bandwidth, resilient connectivity for SDDCs in an SDDC Group
  • Multi-Edge SDDCs – the ability to add network capacity for north-south traffic to the SDDC

Together, these new features enable seamless connectivity to your SDDCs from on-prem data centers and AWS VPCs while unlocking the capacity you need to efficiently drive your workloads in the cloud. 

Let’s take a closer look at each one. 

SDDC Groups 

SDDC Groups enable customers to manage multiple SDDCs as a single logical entity. This simplifies operations while maintaining the flexibility that customers rely on. SDDCs in a Group can be interconnected with VMware Transit Connect, and Continue reading

Can You Spare a Minute? Network Time Security Featured on The Hedge Podcast

Are you interested in finding out more about Network Time Protocol (NTP), Network Time Security (NTS), and discovering why synchronized time is an essential foundation for online security?

Today is International Podcast Day, so why not spend it listening to the The Hedge Podcast #49: Karen O’Donoghue and Network Time Security.

Network Time Protocol (NTP) is one of the oldest Internet protocols in use. It enables the synchronization of clocks on computer networks to within a few milliseconds of standard universal coordinated time (UTC).  Accurate time is also a critical component for online security, and many security mechanisms, such as Transport Layer Security (TLS) and digital signature creation and verification, depend on accurate timekeeping. 

Updated Mechanism 

NTP’s security mechanisms, however, were designed back in an era when the risk of attack was unlikely. Due to the continued expansion of the Internet, these mechanisms have become outdated. Work has been underway for many years in the Internet Engineering Task Force (IETF) Network Time Protocol Working Group to develop replacement technology, which will help to secure the Internet’s time synchronization infrastructure well into the future. The result of this work is in the Continue reading

VMware amps up security for network, SASE, SD-WAN products

At its virtual VMworld 2020 conclave this week, VMware took the wraps off a number of security enhancements aimed at the growing COVID-driven remote workforce.For starters, the company boosted security for remote and mobile workers by extending its partnerships with zScaler and Menlo for its secure-access service edge (SASE) offering, VMware SD-WAN Zero Trust Service. VMware's SASE technology melds its Workspace ONE platform with its SD-WAN package. To read this article in full, please click here

1 767 768 769 770 771 3,478