“How do I enable GitOps for my network policies?”
That is a common question we hear from security teams. Getting started with Kubernetes is relatively simple, but moving production workloads to Kubernetes requires alignment from all stakeholders – developers, platform engineering, network engineering, security.
Most security teams already have a high-level security blueprint for their data centers. The challenge is in implementing that blueprint in the context of a Kubernetes cluster and its workloads. Network policy is a key element of Kubernetes security. Network policy is expressed as YAML configuration, and so works very well with GitOps.
We will do a three-part blog series covering GitOps for network policies. In part 1 (this part), we cover the overview and getting started with a working example tutorial. In part 2, we will extend the tutorial to cover an enterprise-wide decentralized security architecture. In the final part, we will delve into policy assurance with examples. Note that all policies in Tigera Secure (network policy, RBAC, threat detection, logging configuration, etc.) are expressed as YAML configuration files, and can be managed and enforced via a GitOps practice.
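Because network policies are plain YAML in a Git repository, a GitOps pipeline can run policy-assurance checks on them before anything is applied to the cluster. The following is an added example written for this page; it is not code from the original post or from Tigera. It assumes the manifests have already been loaded into Python dicts (the shape `yaml.safe_load` returns) and uses constructed sample policies with hypothetical namespaces (`payments`, `frontend`). It checks two things a reviewer would want to enforce on every namespace: that a default-deny policy exists, and that no policy contains an empty rule block (which the NetworkPolicy API treats as "allow all").

```python
"""Policy-assurance check for Kubernetes NetworkPolicy manifests in a GitOps repo.

Added example, not from the original post or from Tigera. Assumes manifests were
already parsed into dicts (e.g. with yaml.safe_load). The policies below are
constructed sample data; the namespaces and names are hypothetical.
"""

# Constructed sample: what yaml.safe_load would return for three manifests.
SAMPLE_POLICIES = [
    {   # default-deny for all ingress in "payments"
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "default-deny-ingress", "namespace": "payments"},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
    },
    {   # an allow rule in "payments": only the api tier may reach the db tier on 5432
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "allow-api-to-db", "namespace": "payments"},
        "spec": {
            "podSelector": {"matchLabels": {"tier": "db"}},
            "policyTypes": ["Ingress"],
            "ingress": [{
                "from": [{"podSelector": {"matchLabels": {"tier": "api"}}}],
                "ports": [{"protocol": "TCP", "port": 5432}],
            }],
        },
    },
    {   # "frontend" has no default-deny, and its one rule block is empty (= allow all)
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "allow-all", "namespace": "frontend"},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": [{}]},
    },
]


def selects_all_pods(spec):
    """An empty podSelector ({} or one with no labels/expressions) selects every pod."""
    selector = spec.get("podSelector") or {}
    return not selector.get("matchLabels") and not selector.get("matchExpressions")


def is_default_deny(policy, direction):
    """True if the policy selects every pod and lists `direction` in policyTypes
    without any rules for it: in the NetworkPolicy API that denies all such traffic."""
    spec = policy.get("spec", {})
    if not selects_all_pods(spec):
        return False
    if direction not in spec.get("policyTypes", []):
        return False
    return not spec.get(direction.lower())  # "ingress"/"egress" key absent or []


def is_allow_all(policy, direction):
    """True if any rule block for `direction` is {} , which matches all peers and ports."""
    rules = policy.get("spec", {}).get(direction.lower()) or []
    return any(rule == {} for rule in rules)


def audit(policies, direction="Ingress"):
    """Return a list of findings for the given traffic direction; empty means pass."""
    findings = []
    namespaces = {p["metadata"]["namespace"] for p in policies}
    for ns in sorted(namespaces):
        ns_policies = [p for p in policies if p["metadata"]["namespace"] == ns]
        if not any(is_default_deny(p, direction) for p in ns_policies):
            findings.append(f"{ns}: no default-deny {direction} policy")
        for p in ns_policies:
            if is_allow_all(p, direction):
                findings.append(f"{ns}/{p['metadata']['name']}: allows all {direction} traffic")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICIES):
        print("FAIL", finding)
```

Run against the sample set, the check passes `payments` and flags `frontend` twice (no default-deny, and an allow-all rule). In a pipeline the same function would run on every pull request, so a policy that silently widens access fails review before it reaches the cluster.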
By adopting GitOps, security teams benefit as follows.
VMware is integrating Cellwize’s automation and orchestration technology into its Smart Assurance...
The partners released their first mobile edge computing infrastructure blueprint, which uses Dell...
The company aims to help multinational enterprises with branch offices in China shift their traffic...
Three vulnerabilities were disclosed as Cache Poisoning Denial of Service attacks in a paper written by Hoai Viet Nguyen, Luigi Lo Iacono, and Hannes Federrath of TH Köln - University of Applied Sciences. These attacks are similar to the cache poisoning attacks presented last year at DEFCON.
Most customers do not have to take any action to protect themselves from the newly disclosed vulnerabilities. Some configuration changes are recommended if you are a Cloudflare customer and either a) run unpatched versions of Microsoft IIS with request filtering enabled on your origin, or b) have forced caching of HTTP response code 400 through the use of page rules or Cloudflare Workers.
We have not seen any attempted exploitation of the vulnerabilities described in this paper.
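The configuration change recommended above (not forcing the caching of 400 responses) follows directly from how a Cache Poisoning Denial of Service works: the attacker sends a request the origin rejects, and if the cache stores that error response under the URL's cache key, every later visitor receives the error instead of the page. The toy simulation below is an added example written for this page; it is not Cloudflare's code and not from the paper. The origin, the `HEADER_LIMIT`, the path and the header names are constructed. It models the header-oversize variant and contrasts a cache that stores error responses with one that only stores 200s.

```python
"""Toy cache showing how a Cache Poisoning Denial of Service (CPDoS) works and
how one cache rule stops it. Added example; not Cloudflare's code and not from
the paper. The origin, header limit, path and header names are constructed."""

HEADER_LIMIT = 8192  # constructed: total request-header bytes the toy origin accepts


def origin(request):
    """Toy origin: answers 400 when the request headers are oversized
    (the header-oversize variant described in the CPDoS paper), 200 otherwise."""
    header_bytes = sum(len(k) + len(v) + 4 for k, v in request["headers"].items())
    if header_bytes > HEADER_LIMIT:
        return {"status": 400, "body": "Bad Request: header too large"}
    return {"status": 200, "body": f"content of {request['path']}"}


class Cache:
    """A URL-keyed cache in front of origin().

    cache_error_responses=True mirrors a configuration that forces caching of
    400s; False mirrors the safe default of only storing successful responses.
    """

    def __init__(self, cache_error_responses):
        self.cache_error_responses = cache_error_responses
        self.store = {}

    def fetch(self, request):
        key = request["path"]  # cache key is the URL only; request headers are not part of it
        if key in self.store:
            return self.store[key], "HIT"
        response = origin(request)
        if response["status"] == 200 or self.cache_error_responses:
            self.store[key] = response
        return response, "MISS"


def poison_then_browse(cache):
    """Attacker sends one oversized-header request for a URL, then an ordinary
    visitor requests the same URL. Returns (status the visitor saw, cache state)."""
    attacker = {"path": "/index.html", "headers": {"X-Oversized": "A" * 9000}}
    cache.fetch(attacker)
    visitor = {"path": "/index.html", "headers": {"Host": "example.test"}}
    response, state = cache.fetch(visitor)
    return response["status"], state


if __name__ == "__main__":
    print("cache stores errors:", poison_then_browse(Cache(cache_error_responses=True)))
    print("cache stores 200 only:", poison_then_browse(Cache(cache_error_responses=False)))
```

With error caching on, the visitor gets a cached 400 (`(400, "HIT")`); with it off, the attacker's request is simply not stored and the visitor's own request goes to origin and gets the page (`(200, "MISS")`). The same reasoning applies to any origin that turns a malformed or oversized request into a cacheable error response.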
Maintaining the integrity of our content caching infrastructure and ensuring our customers are able to quickly and reliably serve the content they expect to their visitors is of paramount importance to us. In practice, Cloudflare ensures caches serve the content they should in two ways:
The Finnish vendor slashed its profit outlook for the remainder of the year and 2020 amid...
An internal memo warns that “the White House is posturing itself to be electronically compromised...
We welcome this guest post from Top10VPN.com, an Organization Member of the Internet Society.
The search for online privacy has driven a quarter of the world’s Internet users to download a Virtual Private Network (VPN). VPN services are now an important tool for anyone concerned about security and privacy on public networks.
There’s a world of difference between VPNs, though. Without clear and unbiased information many users are forced to navigate their choice of VPN without much clarity.
Why is choosing the right VPN provider so important?
Whenever you switch on a VPN you are entrusting its provider with your personal data, browsing activity, and sometimes even your security. For this reason, VPN providers must be held to a higher standard than most products. It’s important you do your due diligence when making a decision.
What should I look out for?
A good VPN will ensure that no one – even the VPN itself – can see what the user is doing online. Consider the following qualities:
Technical Security
The most secure VPN services will be transparent about the measures they have in place to safeguard their users and their business.
Any VPN worth its salt will offer
It was a scorching Monday on July 22 as temperatures soared above 37°C (99°F) in Austin, TX, the live music capital of the world. Only hours earlier, the last crowds had dispersed from the historic East 6th Street entertainment district. A few blocks away, Cloudflarians were starting to make their way to the office. Little did those early arrivers know that they would soon be unknowingly participating in a time-honored Cloudflare tradition of dogfooding new services before releasing them to the wild.
Dogfooding is when an organization uses its own products. In this case, we dogfed our newest cloud service, Magic Transit, which both protects and accelerates our customers’ entire network infrastructure—not just their web properties or TCP/UDP applications. With Magic Transit, Cloudflare announces your IP prefixes via BGP, attracts (routes) your traffic to our global network edge, blocks bad packets, and delivers good packets to your data centers via Anycast GRE.
We decided to use Austin’s network because we wanted to test the new service on a live network with real traffic from real people and apps.
I figured I would take a moment and recap these past few posts and talk about the different methods now …
The post Junos Policy Based VPNs – Part 4 of 4 – Recap appeared first on Fryguy's Blog.
You probably heard me say “networking engineer encountering a public cloud feels like Alice in Wonderland” - packet forwarding works in a different way in every public cloud, subnets are a mix between routed interfaces and VRFs, you cannot change IP addresses without involving the orchestration system…
We covered the networking aspects of Amazon Web Services and Azure in our cloud webinars, but you might need a bigger picture:
Some operators want to reverse mistakes of the past, and others simply recognize and want to...
Taking full advantage of all that IT automation and orchestration have to offer frequently involves combining IT infrastructure automation with in-house application development. To this end, open source software is often used to speed development. Unfortunately, incorporating third-party software into your application means incorporating that third-party software’s vulnerabilities, too.
Scanning for, identifying, and patching open source dependencies in an application’s codebase is known as dependency management, and it’s increasingly considered a critical part of modern development. A recent report found that 60% of open source programs audited had a vulnerability that’s already been patched. With 96% of all code using open source libraries, this is a problem that impacts everyone.
There are many dependency management products available; too many to list in a single blog post. That said, we’ll look at some examples of well-known dependency management products that fall into three broad categories: free, open source software; commercial software with a free tier; and commercial software without a free tier.
Some dependency management products rely on open source vulnerability lists (the most famous of which is supplied by the National Institute of Standards and Technology [NIST]). Some products are commercial, and use closed databases (often in combination with the
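Whatever the product, the core of a dependency scan is the same: read the exact versions an application pins, look each one up in a vulnerability list, and report those whose version falls inside an advisory's affected range along with the version that fixes it. The following is an added example written for this page; it is not code from the original post or from any of the products it mentions. The lockfile, the package versions, the advisory entries and the `EXAMPLE-` identifiers are all constructed sample data, not real vulnerabilities. It also shows a practitioner caveat: an unpinned requirement cannot be scanned meaningfully, so the parser rejects it rather than guessing.

```python
"""Minimal dependency scan: compare pinned versions from a requirements-style
lockfile against an advisory list with affected ranges and fixed versions.

Added example, not from the original post or any named product. All package
versions, advisory IDs and ranges below are constructed and do not describe
real vulnerabilities.
"""

import re

# Constructed sample input: a requirements.txt-style lockfile with exact pins.
LOCKFILE = """\
# pinned by the build
requests==2.19.0
jinja2==2.10.1
urllib3==1.24.2
pyyaml==5.1
"""

# Constructed advisories in the shape of a feed entry:
# (package, introduced_version, fixed_version, advisory_id).
# A pinned version is affected when introduced <= version < fixed.
ADVISORIES = [
    ("requests", "2.0.0", "2.20.0", "EXAMPLE-0001"),
    ("urllib3", "1.0.0", "1.24.2", "EXAMPLE-0002"),  # 1.24.2 is the fix itself
    ("pyyaml", "0", "5.2", "EXAMPLE-0003"),
]


def parse_version(version):
    """Numeric-only version tuple, e.g. "2.19.0" -> (2, 19, 0).

    Good enough for the constructed data here; real scanners use a full
    version scheme (PEP 440 via packaging.version) so pre-releases and
    post-releases sort correctly.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def parse_lockfile(text):
    """Return {package_name: pinned_version}. Only exact '==' pins are accepted:
    a range such as 'requests>=2.0' cannot be scanned, so it is rejected."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)", line)
        if not match:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        pins[match.group(1).lower()] = match.group(2)
    return pins


def scan(pins, advisories):
    """Return one finding per (package, advisory) whose pinned version is affected."""
    findings = []
    for package, introduced, fixed, advisory_id in advisories:
        if package not in pins:
            continue
        installed = parse_version(pins[package])
        if parse_version(introduced) <= installed < parse_version(fixed):
            findings.append({
                "package": package,
                "installed": pins[package],
                "fixed_in": fixed,
                "advisory": advisory_id,
            })
    return findings


if __name__ == "__main__":
    for finding in scan(parse_lockfile(LOCKFILE), ADVISORIES):
        print(f"{finding['package']}=={finding['installed']} affected by "
              f"{finding['advisory']}, fixed in {finding['fixed_in']}")
```

On the sample data the scan flags `requests` and `pyyaml` and clears `urllib3`, whose pinned version is exactly the fixed version. The two findings are both cases the post describes: a known, already-patched issue where the remediation is simply to move the pin to the fixed version.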