Mind the Air Gap
I recently talked to some security friends on a CloudBytes podcast recording that will be coming out in a few weeks. One of the things that came up was the idea of an air gapped system or network that represents the ultimate in security. I had a couple of thoughts that felt like a great topic for a blog post.
The Gap is Wide
I can think of a ton of classical air gapped systems that we’ve seen in the media. Think about Mission: Impossible and the system that holds the NOC list:
Makes sense right? Totally secure unless you have Tom Cruise in your ductwork. It’s about as safe as you can make your data. It’s also about as inconvenient as you can make your data too. Want to protect a file so no one can ever steal it? Make it so no one can ever access it! Works great for data that doesn’t need to be updated regularly or even analyzed at any point. It’s offline for all intents and purposes.
Know what works great as an air gapped system? Root certificate authority servers. Even Microsoft agrees. So secure that you have to dig it out of storage Continue reading
Cloudflare achieves key cloud computing certifications — and there’s more to come
This post is also available in French, German and Spanish.
Back in the early days of the Internet, you could physically see the hardware where your data was stored. You knew where your data was and what kind of locks and security protections you had in place. Fast-forward a few decades, and data is all “in the cloud”. Now, you have to trust that your cloud services provider is putting security precautions in place just as you would have if your data was still sitting on your hardware. The good news is, you don’t have to merely trust your provider anymore. There are a number of ways a cloud services provider can prove it has robust privacy and security protections in place.
Today, we are excited to announce that Cloudflare has taken three major steps forward in proving the security and privacy protections we provide to customers of our cloud services: we achieved a key cloud services certification, ISO/IEC 27018:2019; we completed our independent audit and received our Cloud Computing Compliance Criteria Catalog (“C5”) attestation; and we have joined the EU Cloud Code of Conduct General Assembly to help increase the impact of the trusted cloud ecosystem and encourage Continue reading
BGP Graceful Restart on the Cisco FTD: Part 2 – Seeing it “In Action”
In Part 1 we set the stage and configure the FTD to BGP (w/ GR enabled) with the N9K. In part two it is now time to play! 🙂 What Will be Covered in Part 2 Basically I’m going to... Read More ›
The post BGP Graceful Restart on the Cisco FTD: Part 2 – Seeing it “In Action” appeared first on Networking with FISH.
BGP Graceful Restart on the Cisco FTD: Part 1 – Configuring
Enabling BGP Graceful Restart on the Cisco Firepower Threat Defense (FTD) just got so easy! I’m stoked! So the other day I needed to put together an environment with the FTD eBGP peering with graceful restart enabled and test it.... Read More ›
The post BGP Graceful Restart on the Cisco FTD: Part 1 – Configuring appeared first on Networking with FISH.
Ethernet Encryptor Market Overview (2022 Edition)
Christoph Jaggi, the author of Ethernet Encryption webinar, published a new version of Ethernet Encryptor Market Overview including:
- Network standards and platforms
- Data plane encryption
- Control plane security
- Key- and system management
- Relevant approvals
- Vendors and products, including detailed feature support matrices.
A new era for Cloudflare Pages builds
Music is flowing through your headphones. Your hands are flying across the keyboard. You’re stringing together a masterpiece of code. The momentum is building up as you put on the finishing touches of your project. And at last, it’s ready for the world to see. Heart pounding with excitement and the feeling of victory, you push changes to the main branch…. only to end up waiting for the build to execute each step and spit out the build logs.
Starting afresh
Since the launch of Cloudflare Pages, there is no doubt that the build experience has been its biggest source of criticism. From the amount of waiting to inflexibility of CI workflow, Pages had a lot of opportunity for growth and improvement. With Pages, our North Star has always been designing a developer platform that fits right into your workflow and oozes simplicity. User pain points have been and always will be our priority, which is why today we are thrilled to share a list of exciting updates to our build times, logs and settings!
Over the last three quarters, we implemented a new build infrastructure that speeds up Pages builds, so you can iterate quickly and efficiently. In February, Continue reading
Open source Managed Components for Cloudflare Zaraz
In early 2020, we sat down and tried thinking if there’s a way to load third-party tools on the Internet without slowing down websites, without making them less secure, and without sacrificing users’ privacy. In the evening, after scanning through thousands of websites, our answer was “well, sort of”. It seemed possible: many types of third-party tools are merely collecting information in the browser and then sending it to a remote server. We could theoretically figure out what it is that they’re collecting, and then instead just collect it once efficiently, and send it server-side to their servers, mimicking their data schema. If we do this, we can get rid of loading their JavaScript code inside websites completely. This means no more risk of malicious scripts, no more performance losses, and fewer privacy concerns.
But the answer wasn’t a definite “YES!” because we realized this is going to be very complicated. We looked into the network requests of major third-party scripts, and often it seemed cryptic. We set ourselves up for a lot of work, looking at the network requests made by tools and trying to figure out what they are doing – What is this parameter? When is Continue reading
The Cloudflare Bug Bounty program and Cloudflare Pages
The Cloudflare Pages team recently collaborated closely with security researchers at Assetnote through our Public Bug Bounty. Throughout the process we found and have fully patched vulnerabilities discovered in Cloudflare Pages. You can read their detailed write-up here. There is no outstanding risk to Pages customers. In this post we share information about the research that could help others make their infrastructure more secure, and also highlight our bug bounty program that helps to make our product more secure.
Cloudflare cares deeply about security and protecting our users and customers — in fact, it’s a big part of the reason we’re here. But how does this manifest in terms of how we run our business? There are a number of ways. One very important prong of this is our bug bounty program that facilitates and rewards security researchers for their collaboration with us.
But we don’t just fix the security issues we learn about — in order to build trust with our customers and the community more broadly, we are transparent about incidents and bugs that we find.
Recently, we worked with a group of researchers on improving the security of Cloudflare Pages. This collaboration resulted in several security vulnerability Continue reading
Video: Practical Aspects of IPv6 Security
Christopher Werny has tons of hands-on experience with IPv6 security (or lack thereof), and described some of his findings in the Practical Aspects of IPv6 Security part of IPv6 security webinar, including:
- Impact of dual-stack networks
- Security implications of IPv6 address planning
- Isolation on routing layer and strict filtering
- IPv6-related requirements for Internet- or MPLS uplinks
You need Free ipSpace.net Subscription to watch the video.
Privacy And Networking Part 3: Is An IP Address Protected Information For Privacy?
Does an IP address need to be treated like other Personally Indentifiable Information (PII)?
The post Privacy And Networking Part 3: Is An IP Address Protected Information For Privacy? appeared first on Packet Pushers.
Secret Management with HashiCorp Vault
Many applications these days require authentication to external systems with resources, such as users and passwords to access databases and service accounts to access cloud services, and so on. In such cases, private information, like passwords and keys, becomes necessary. It is essential to take extra care in managing such sensitive data. For example, if you write your AWS key information or password in a script for deployment and then push it to a Git repository, all users who can read it will also be able to access it, and you could be in trouble. Even if it's an internal repository, you run the risk of a potential leak.
How we were managing secrets in the service
Before we talk about Vault, let's take a look at how we've used to manage secrets.
Salt
We use SaltStack as a bare-metal configuration management tool. The core of the Salt ecosystem consists of two major components: the Salt Master and the Salt Minion. The configuration state is owned by Salt Master, and thousands of Salt Minions automatically install packages, generate configuration files, and start services to the node based on the state. The state may contain secrets, such as passwords and API Continue reading
Protecting The Hybrid Workforce With Palo Alto Networks Secure, Flexible SASE Solution
Palo Alto Networks announces new innovations for Prisma SASE for protecting the hybrid workforce, including the general availability of Prisma SD-WAN bandwidth licensing on-demand and Okyo Garde Enterprise Edition.
The post Protecting The Hybrid Workforce With Palo Alto Networks Secure, Flexible SASE Solution appeared first on Packet Pushers.
Building many private virtual networks through Cloudflare Zero Trust
We built Cloudflare’s Zero Trust platform to help companies rely on our network to connect their private networks securely, while improving performance and reducing operational burden. With it, you could build a single virtual private network, where all your connected private networks had to be uniquely identifiable.
Starting today, we are thrilled to announce that you can start building many segregated virtual private networks over Cloudflare Zero Trust, beginning with virtualized connectivity for the connectors Cloudflare WARP and Cloudflare Tunnel.
Connecting your private networks through Cloudflare
Consider your team, with various services hosted across distinct private networks, and employees accessing those resources. More than ever, those employees may be roaming, remote, or actually in a company office. Regardless, you need to ensure only they can access your private services. Even then, you want to have granular control over what each user can access within your network.
This is where Cloudflare can help you. We make our global, performant network available to you, acting as a virtual bridge between your employees and private services. With your employees’ devices running Cloudflare WARP, their traffic egresses through Cloudflare’s network. On the other side, your private services are behind Cloudflare Tunnel, accessible Continue reading
On Securing BGP
The US Federal Communications Commission recently asked for comments on securing Internet routing. While I worked on the responses offered by various organizations, I also put in my own response as an individual, which I’ve included below.
I am not providing this answer as a representative of any organization, but rather as an individual with long experience in the global standards and operations communities surrounding the Internet, and with long experience in routing and routing security.
I completely agree with the Notice of Inquiry that “networks are essential to the daily functioning of critical infrastructure [yet they] can be vulnerable to attack” due to insecurities in the BGP protocol. While proposed solutions exist that would increase the security of the BGP routing system, only some of these mechanisms are being widely deployed. This response will consider some of the reasons existing proposals are not deployed and suggest some avenues the Commission might explore to aid the community in developing and deploying solutions.
9: Measuring BGP Security.
At this point, I only know of the systems mentioned in the query for measuring BGP routing security incidents. There have been attempts to build other systems, but none of these systems have been Continue reading
Legal and Ethical Aspects of Privacy
My second post on privacy for network engineers is up over at Packet Pushers—
Meet The New WPA3 Wi-Fi Security Suite
WPA3, the latest Wi-Fi security suite, is finally making its way into products around the world. Here’s what you need to know for using it at home and in enterprise networks. What Is WPA? Wi-Fi Protected Access (WPA) is the suite of standards that define security for both WPA-Personal (passphrase) and WPA-Enterprise (802.1X) based wireless […]
The post Meet The New WPA3 Wi-Fi Security Suite appeared first on Packet Pushers.
Privacy And Networking Part 2: Legal And Ethical Privacy
Given the arguments from the first article in this series, if privacy should be and is essential—what does the average network engineer do with this information? How does privacy impact network design and operations? To answer this question, we need to look at two other questions. First, what is private information, precisely? The network carries […]
The post Privacy And Networking Part 2: Legal And Ethical Privacy appeared first on Packet Pushers.