Infoblox Snaps Up SnapRoute, Eyes SASE Market

SEC 2. Data plane and control plane protection in the networking (Nokia, Cisco and Mellanox/Cumulus) for IPv6.

Hello my friend,

After the release of the previous article outlining the data and control plane security for IPv4 in Cisco, Nokia and Mellanox/Cumulus (link) I’ve got several requests about the security in IPv6. The requests were fair enough and with this article we close this gap.

1
2
3
4
5
No part of this blogpost could be reproduced, stored in a 

retrieval system, or transmitted in any form or by any 

means, electronic, mechanical or photocopying, recording, 

or otherwise, for commercial purposes without the 

prior permission of the author.

Thanks

Special thanks for Avi Alkobi from Mellanox and Pete Crocker and Attilla de Groot from Cumulus for providing me the Mellanox switch and Cumulus license for the tests. 

Disclaimer

This is the fourth article in the series about the Mellanox/Cumulus switch. The three previous are:

• Building lab with Mellanox SN2010
• Configuring Segment Routing on Mellanox/Cumulus, Cisco IOS XR and Nokia SR OS and connecting physical and virtual networks
• Data and control plane protection in Mellanox/Cumulus, Cisco IOS XR and Nokia SR OS

Brief description

The importance of the security for the network in terms of the control and data plane protection was explained in the previous article Continue reading

VMware, Menlo Security Unite, Safeguard SD-WAN Stronghold

Fortinet Locks SD-WAN, WAF Into Azure

You can find out more about

Pica8’s Threshold Guns for Cisco, Legacy Vendors

Cisco SVP: Security’s Worst Enemy Is Complexity

VMware Project Maestro Orchestrates Telco Cloud

Announcing VMware NSX Distributed IDS/IPS

Six years ago, VMware pioneered the concept of micro-segmentation to stop the internal, lateral spread of malware. We then launched the NSX Service-defined Firewall, an internal firewall that’s built into the hypervisor, distributed, and application aware. Shortly thereafter we introduced NSX Intelligence to automate security rule recommendations, streamlining the deployment of micro-segmentation.

Now we are announcing that we will be taking internal security to the next level by introducing optional Intrusion Detection and Prevention (IDS/IPS) for our Service-defined Firewall. Built on the same philosophy, the new NSX Distributed IDS/IPS will allow enterprises to fortify applications across private and public clouds.

VMware’s Security Is Intrinsic. Here’s What That Means.

Intrinsic Security is security that’s built in, not bolted on. And that makes it better.

When security is bolted on, it’s never as good as built-in security. Imagine an apartment building where you add the alarm system, the security cameras, and the fire escape after the fact. It looks awkward and doesn’t work that well, either.

But when you design those things in upfront, the effect is completely different. Everything just works better, as parts of a whole system. The same thing is true for security.

More importantly, when you build in Continue reading

Former Contrail CEO Launches Volterra With $50M, 30 Customers

This is your first post

Fortinet Fortifies Firewall, SD-WAN Capabilities

Going Keyless Everywhere

Time flies. The Heartbleed vulnerability was discovered just over five and a half years ago. Heartbleed became a household name not only because it was one of the first bugs with its own web page and logo, but because of what it revealed about the fragility of the Internet as a whole. With Heartbleed, one tiny bug in a cryptography library exposed the personal data of the users of almost every website online.

Heartbleed is an example of an underappreciated class of bugs: remote memory disclosure vulnerabilities. High profile examples other than Heartbleed include Cloudbleed and most recently NetSpectre. These vulnerabilities allow attackers to extract secrets from servers by simply sending them specially-crafted packets. Cloudflare recently completed a multi-year project to make our platform more resilient against this category of bug.

For the last five years, the industry has been dealing with the consequences of the design that led to Heartbleed being so impactful. In this blog post we’ll dig into memory safety, and how we re-designed Cloudflare’s main product to protect private keys from the next Heartbleed.

Memory Disclosure

Perfect security is not possible for businesses with an online component. History has shown us that no matter how Continue reading

Delegated Credentials for TLS

Today we’re happy to announce support for a new cryptographic protocol that helps make it possible to deploy encrypted services in a global network while still maintaining fast performance and tight control of private keys: Delegated Credentials for TLS. We have been working with partners from Facebook, Mozilla, and the broader IETF community to define this emerging standard. We’re excited to share the gory details today in this blog post.

Also, be sure to check out the blog posts on the topic by our friends at Facebook and Mozilla!

Deploying TLS globally

Many of the technical problems we face at Cloudflare are widely shared problems across the Internet industry. As gratifying as it can be to solve a problem for ourselves and our customers, it can be even more gratifying to solve a problem for the entire Internet. For the past three years, we have been working with peers in the industry to solve a specific shared problem in the TLS infrastructure space: How do you terminate TLS connections while storing keys remotely and maintaining performance and availability? Today we’re announcing that Cloudflare now supports Delegated Credentials, the result of this work.

Cloudflare’s TLS/SSL features are among the top reasons Continue reading

Nokia’s SOAR Lineup Tackles 5G, IoT Security

What Scary Movies Can Teach Us About Internet Trust

Mad geniuses. Evil dolls. Slow zombies. This Halloween, we’ll see all of these horror film clichés come to life. Sure they’re fun, but are there lessons we can learn from them? What if they could teach us what not to do? We looked at seven scary tropes and what they might teach us about Internet trust.

The call is coming from inside the house.

The phone calls keep coming, each one scarier than the last. Ring. “Are you home alone?” Ring. “Have you locked the doors?” Ring. “Look in the basement.” It’s only then you realize the stalker has been in the house all along.

We lock our doors to make our homes more secure, but we don’t always think about the security of the things we connect to our home networks. An insecure connected device can put your whole network and the devices on it at risk. Meaning, yes, the cybersecurity threat could be coming from inside the house. By protecting your home network, you limit your devices’ exposure to online threats and help mitigate the risk they may pose to others. You can make your network more secure by using encryption, a strong password, and Continue reading

Announcing cfnts: Cloudflare’s implementation of NTS in Rust

Several months ago we announced that we were providing a new public time service. Part of what we were providing was the first major deployment of the new Network Time Security (NTS) protocol, with a newly written implementation of NTS in Rust. In the process, we received helpful advice from the NTP community, especially from the NTPSec and Chrony projects. We’ve also participated in several interoperability events. Now we are returning something to the community: Our implementation, cfnts, is now open source and we welcome your pull requests and issues.

The journey from a blank source file to a working, deployed service was a lengthy one, and it involved many people across multiple teams.

"Correct time is a necessity for most security protocols in use on the Internet. Despite this, secure time transfer over the Internet has previously required complicated configuration on a case by case basis. With the introduction of NTS, secure time synchronization will finally be available for everyone. It is a small, but important, step towards increasing security in all systems that depend on accurate time. I am happy that Cloudflare are sharing their NTS implementation. A diversity of software with NTS support is important for quick Continue reading

Deutsche Telekom Tackles Cyber Theft, Cloud Management

Qualcomm-Backed Particle Banks $40M to Expand IoT Platform

The TLS Post-Quantum Experiment

In June, we announced a wide-scale post-quantum experiment with Google. We implemented two post-quantum (i.e., not yet known to be broken by quantum computers) key exchanges, integrated them into our TLS stack and deployed the implementation on our edge servers and in Chrome Canary clients. The goal of the experiment was to evaluate the performance and feasibility of deployment in TLS of two post-quantum key agreement ciphers.

In our previous blog post on post-quantum cryptography, we described differences between those two ciphers in detail. In case you didn’t have a chance to read it, we include a quick recap here. One characteristic of post-quantum key exchange algorithms is that the public keys are much larger than those used by "classical" algorithms. This will have an impact on the duration of the TLS handshake. For our experiment, we chose two algorithms: isogeny-based SIKE and lattice-based HRSS. The former has short key sizes (~330 bytes) but has a high computational cost; the latter has larger key sizes (~1100 bytes), but is a few orders of magnitude faster.

During NIST’s Second PQC Standardization Conference, Nick Sullivan presented our approach to this experiment and some initial results. Quite accurately, Continue reading