Area 1 threat indicators now available in Cloudflare Zero Trust

Over the last several years, both Area 1 and Cloudflare built pipelines for ingesting threat indicator data, for use within our products. During the acquisition process we compared notes, and we discovered that the overlap of indicators between our two respective systems was smaller than we expected. This presented us with an opportunity: as one of our first tasks in bringing the two companies together, we have started bringing Area 1’s threat indicator data into the Cloudflare suite of products. This means that all the products today that use indicator data from Cloudflare’s own pipeline now get the benefit of Area 1’s data, too.

Area 1 built a data pipeline focused on identifying new and active phishing threats, which now supplements the Phishing category available today in Gateway. If you have a policy that references this category, you’re already benefiting from this additional threat coverage.

How Cloudflare identifies potential phishing threats

Cloudflare is able to combine the data, procedures and techniques developed independently by both the Cloudflare team and the Area 1 team prior to acquisition. Customers are able to benefit from the work of both teams across the suite of Cloudflare products.

Cloudflare curates a set of data feeds Continue reading

What Is Zero Trust Architecture?

Zero Trust Architecture (ZTA) builds on the foundational principles of zero trust security as defined by the National Institute of Standards and Technology (NIST) in publication Ansible, Puppet, and Crowdstrike offer products that cover the entire spectrum of detecting and protecting endpoints within a corporate network. This would include everything from antivirus and antimalware to abnormal network activity monitoring. Microsoft, Trend Micro, and SentinelOne offer similar capabilities and made Gartner’s upper quadrant in their 2021 Endpoint Protection report. Wrap up Zero Trust Architecture The real answer to the question of what is zero trust architecture depends on your most important corporate assets. Any network design should also include consideration of the humans with access to those critical assets. Trust but verify applies to corporate employees as well as geopolitical relationships. Choosing the right vendors and partners to meet your specific objectives will help you implement a solid Zero Trust Architecture. Once implemented it comes down to diligence and persistence. New threats pop up regularly and must be met with an adaptive security posture. Those who don’t adapt and change will be doomed to failure. The post What Is Zero Trust Architecture? appeared first on The New Stack.

Video: IPv6 RA Guard and Extension Headers

Last week’s IPv6 security video introduced the rogue IPv6 RA challenges and the usual countermeasure – RA guard. Unfortunately, IPv6 tends to be a wonderfully extensible protocol, creating all sorts of opportunities for nefarious actors and security researchers.

For years, the networking vendors were furiously trying to plug the holes created by the academically minded IPv6 designers in love with fragmented extension headers. In the meantime, security researches had absolutely no problem finding yet another weird combination of IPv6 headers that would bypass any IPv6 RA guard implementation until IETF gave up and admitted one cannot have “infinitely extensible” and “secure” in the same sentence.

For more details watch the video by Christopher Werny describing how one could use IPv6 extension headers to circumvent IPv6 RA guard

Video: IPv6 RA Guard and Extension Headers

Last week’s IPv6 security video introduced the rogue IPv6 RA challenges and the usual countermeasure – RA guard. Unfortunately, IPv6 tends to be a wonderfully extensible protocol, creating all sorts of opportunities for nefarious actors and security researchers.

For years, the networking vendors were furiously trying to plug the holes created by the academically minded IPv6 designers in love with fragmented extension headers. In the meantime, security researches had absolutely no problem finding yet another weird combination of IPv6 headers that would bypass any IPv6 RA guard implementation until IETF gave up and admitted one cannot have “infinitely extensible” and “secure” in the same sentence.

For more details watch the video by Christopher Werny describing how one could use IPv6 extension headers to circumvent IPv6 RA guard

Zero Trust vs. Microsegmentation: Establish a Winning Strategy

Rivalries sometimes last a lifetime… and then turn to mist. zero trust architecture or achieve microsegmentation may seem different, the end goal of protecting systems and information from increasingly sophisticated attacks is the priority. Zero Trust as a Model for Security Strategy When

Cloudflare mitigates 26 million request per second DDoS attack

Last week, Cloudflare automatically detected and mitigated a 26 million request per second DDoS attack — the largest HTTPS DDoS attack on record.

The attack targeted a customer website using Cloudflare’s Free plan. Similar to the previous 15M rps attack, this attack also originated mostly from Cloud Service Providers as opposed to Residential Internet Service Providers, indicating the use of hijacked virtual machines and powerful servers to generate the attack — as opposed to much weaker Internet of Things (IoT) devices.

Record-breaking attacks

Over the past year, we’ve witnessed one record-breaking attack after the other. Back in August 2021, we disclosed a 17.2M rps HTTP DDoS attack, and more recently in April, a 15M rps HTTPS DDoS attack. All were automatically detected and mitigated by our HTTP DDoS Managed Ruleset which is powered by our autonomous edge DDoS protection system.

The 26M rps DDoS attack originated from a small but powerful botnet of 5,067 devices. On average, each node generated approximately 5,200 rps at peak. To contrast the size of this botnet, we’ve been tracking another much larger but less powerful botnet of over 730,000 devices. The latter, larger botnet wasn’t able to generate more than one Continue reading

Video: Rogue IPv6 RA Challenges

IPv6 security-focused presentations were usually an awesome opportunity to lean back and enjoy another round of whack-a-mole, often starting with an attacker using IPv6 Router Advertisements to divert traffic (see also: getting bored at Brussels airport) .

Rogue IPv6 RA challenges and the corresponding countermeasures are thus a mandatory part of any IPv6 security training, and Christopher Werny did a great job describing them in IPv6 security webinar.

Video: Rogue IPv6 RA Challenges

IPv6 security-focused presentations were usually an awesome opportunity to lean back and enjoy another round of whack-a-mole, often starting with an attacker using IPv6 Router Advertisements to divert traffic (see also: getting bored at Brussels airport) .

Rogue IPv6 RA challenges and the corresponding countermeasures are thus a mandatory part of any IPv6 security training, and Christopher Werny did a great job describing them in IPv6 security webinar.

Private Access Tokens: eliminating CAPTCHAs on iPhones and Macs with open standards

This post is also available in 日本語, Español.

Today we’re announcing Private Access Tokens, a completely invisible, private way to validate that real users are visiting your site. Visitors using operating systems that support these tokens, including the upcoming versions of macOS or iOS, can now prove they’re human without completing a CAPTCHA or giving up personal data. This will eliminate nearly 100% of CAPTCHAs served to these users.

What does this mean for you?

If you’re an Internet user:

• We’re making your mobile web experience more pleasant and more private than other networks at the same time.
• You won’t see a CAPTCHA on a supported iOS or Mac device (other devices coming soon!) accessing the Cloudflare network.

If you’re a web or application developer:

• Know your user is coming from an authentic device and signed application, verified by the device vendor directly.
• Validate users without maintaining a cumbersome SDK.

If you’re a Cloudflare customer:

• You don’t have to do anything!  Cloudflare will automatically ask for and utilize Private Access Tokens
• Your visitors won’t see a CAPTCHA, and we’ll ask for less data from their devices.

Introducing Private Access Tokens

Over the past year, Cloudflare has collaborated Continue reading

HTTP RFCs have evolved: A Cloudflare view of HTTP usage trends

Today, a cluster of Internet standards were published that rationalize and modernize the definition of HTTP - the application protocol that underpins the web. This work includes updates to, and refactoring of, HTTP semantics, HTTP caching, HTTP/1.1, HTTP/2, and the brand-new HTTP/3. Developing these specifications has been no mean feat and today marks the culmination of efforts far and wide, in the Internet Engineering Task Force (IETF) and beyond. We thought it would be interesting to celebrate the occasion by sharing some analysis of Cloudflare's view of HTTP traffic over the last 12 months.

However, before we get into the traffic data, for quick reference, here are the new RFCs that you should make a note of and start using:

• HTTP Semantics - RFC 9110
  • HTTP's overall architecture, common terminology and shared protocol aspects such as request and response messages, methods, status codes, header and trailer fields, message content, representation data, content codings and much more. Obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230.
• HTTP Caching - RFC 9111
  • HTTP caches and related header fields to control the behavior of response caching. Obsoletes RFC 7234.
• Continue reading

Cisco CyberOps Associate

What Is Zero Trust Data Protection?

As cyberattacks continue to escalate; companies grow their use of tech services outside of their network perimeters and the government and other organizations work with ever more sensitive personal, corporate, and government data, there is increasing adoption of zero trust data protection. So, What Is Zero Trust Data Protection? Zero trust data protection is a security methodology that includes a framework of technologies and best practices that an organization needs to define and adopt across their IT environments over time, explained Steve Malone, Sumo Logic director of security product. “It’s the culmination of something that’s been happening in security over the last 20 years, which is the perimeter is not the point of enforcement anymore because of the way that technology works today.” Interest in operating in a zero trust data protection environment has gained plenty of interest in the last few years, according to Michael Gorelik,

The Zero Trust Approach to Data Management

Results of a September 2021 increased by 82% from 2020 to 2021 while big game hunting (BGH) ransomware attacks became more common. As attackers have become more sophisticated and more adaptable, they Continue reading

The Future of Zero Trust in a Hybrid World

In the first article in this series, we discussed what zero trust security is and why it matters. In the second article in this series, we talked about the benefits of zero trust network access. In this third article installment, we will dive into using zero trust models within container security. In this fourth article, we will discuss the future of zero trust in a world that is increasingly remote.  While remote work originally appeared en masse as a Band-Aid fix for organizations to keep working during the COVID-19 pandemic, it is now decidedly here to stay. According to research from McKinsey shows that most executives no longer plan to have non-essential staff working on-site five days a week. And employees are happily abiding.

Mind the Air Gap

I recently talked to some security friends on a CloudBytes podcast recording that will be coming out in a few weeks. One of the things that came up was the idea of an air gapped system or network that represents the ultimate in security. I had a couple of thoughts that felt like a great topic for a blog post.

The Gap is Wide

I can think of a ton of classical air gapped systems that we’ve seen in the media. Think about Mission: Impossible and the system that holds the NOC list:

Makes sense right? Totally secure unless you have Tom Cruise in your ductwork. It’s about as safe as you can make your data. It’s also about as inconvenient as you can make your data too. Want to protect a file so no one can ever steal it? Make it so no one can ever access it! Works great for data that doesn’t need to be updated regularly or even analyzed at any point. It’s offline for all intents and purposes.

Know what works great as an air gapped system? Root certificate authority servers. Even Microsoft agrees. So secure that you have to dig it out of storage Continue reading

Cloudflare achieves key cloud computing certifications — and there’s more to come

This post is also available in French, German and Spanish.

Back in the early days of the Internet, you could physically see the hardware where your data was stored. You knew where your data was and what kind of locks and security protections you had in place. Fast-forward a few decades, and data is all “in the cloud”. Now, you have to trust that your cloud services provider is putting security precautions in place just as you would have if your data was still sitting on your hardware. The good news is, you don’t have to merely trust your provider anymore. There are a number of ways a cloud services provider can prove it has robust privacy and security protections in place.

Today, we are excited to announce that Cloudflare has taken three major steps forward in proving the security and privacy protections we provide to customers of our cloud services: we achieved a key cloud services certification, ISO/IEC 27018:2019; we completed our independent audit and received our Cloud Computing Compliance Criteria Catalog (“C5”) attestation; and we have joined the EU Cloud Code of Conduct General Assembly to help increase the impact of the trusted cloud ecosystem and encourage Continue reading

BGP Graceful Restart on the Cisco FTD: Part 2 – Seeing it “In Action”

In Part 1 we set the stage and configure the FTD to BGP (w/ GR enabled) with the N9K. In part two it is now time to play! 🙂 What Will be Covered in Part 2 Basically I’m going to... Read More ›

The post BGP Graceful Restart on the Cisco FTD: Part 2 – Seeing it “In Action” appeared first on Networking with FISH.

BGP Graceful Restart on the Cisco FTD: Part 1 – Configuring

Enabling BGP Graceful Restart on the Cisco Firepower Threat Defense (FTD) just got so easy! I’m stoked! So the other day I needed to put together an environment with the FTD eBGP peering with graceful restart enabled and test it.... Read More ›

The post BGP Graceful Restart on the Cisco FTD: Part 1 – Configuring appeared first on Networking with FISH.

Cloud Native Security Hasn’t Solved Compliance Challenges

Modern, cloud-based, distributed networks may lack a defined perimeter to protect, but they still need network security. And nearly all organizations know that:

Ethernet Encryptor Market Overview (2022 Edition)

Christoph Jaggi, the author of Ethernet Encryption webinar, published a new version of Ethernet Encryptor Market Overview including:

• Network standards and platforms
• Data plane encryption
• Control plane security
• Key- and system management
• Relevant approvals
• Vendors and products, including detailed feature support matrices.