Securing Memory at EPYC Scale


Security is a serious business, one that we do not take lightly at Cloudflare. We have invested a lot of effort into ensuring that our services, both external and internal, are protected by meeting or exceeding industry best practices. Encryption is a huge part of our strategy as it is embedded in nearly every process we have. At Cloudflare, we encrypt data both in transit (on the network) and at rest (on the disk). Both practices address some of the most common vectors used to exfiltrate information, and these measures serve to protect sensitive data from attackers. But what about data currently in use?

Can encryption or any technology eliminate all threats? No, but as Infrastructure Security, it’s our job to consider worst-case scenarios. For example, what if someone were to steal a server from one of our data centers? How can we leverage the most reliable, cutting edge, innovative technology to secure all data on that host if it were in the wrong hands? Would it be protected? And, in particular, what about the server’s RAM?

Data in random access memory (RAM) is usually stored in the clear. This can leave data vulnerable to software or hardware probing by Continue reading

CCIE Enterprise Infrastructure Training

CCIE Enterprise Infrastructure Training by Orhan Ergun. As Orhan Ergun, I always aim to provide the best training in the world. I recently started CCIE Enterprise Infrastructure v1.0 training. In this post you will see why you should get this training, why you should get it from Orhan Ergun, what the requirements to attend are, what the unique benefits are, the training outline and many other details.

 

CCIE Enterprise Infrastructure v1.0

 

  • New CCIE Enterprise Infrastructure training will prepare you for the new solutions of enterprise networks in today’s networking era.
  • This Training is more oriented on the basis of new and latest solutions instead of the legacy network technologies.

 

Benefits of Orhan Ergun CCIE Enterprise Infrastructure Training: 

  • 20 days – 10 Weekends – 2 and half months (80 hours, 4 hours each day, on weekends) training
  • CCIE IE Workbook and Classroom materials (More than thousand pages)
  • It will be live training but self paced training will be provided when it is completed for free to the attendees
  • Attendees will be able to receive SP Design and Segment Routing Workbooks 
  • When you want to attend CCDE Training, extra 40% discount

 

Why CCIE Enterprise Infrastructure Training Continue reading

Video: End-to-End Latency Is Not Zero

After the “shocking” revelation that a network can never be totally reliable, I addressed another widespread lack of common sense: due to laws of physics, the client-server latency is never zero (and never even close to what a developer gets from the laptop’s loopback interface).

You need Free ipSpace.net Subscription to watch the video, and the Standard ipSpace.net Subscription to register for upcoming live sessions.

Gandalf: an intelligent, end-to-end analytics service for safe deployment in cloud-scale infrastructure

Gandalf: an intelligent, end-to-end analytics service for safe deployment in cloud-scale infrastructure, Li et al., NSDI’20

Modern software systems at scale are incredibly complex, ever-changing environments. Despite all the pre-deployment testing you might employ, this makes it really tough to change them with confidence. Thus it’s common to use some form of phased rollout, monitoring progress as you go, with the idea of rolling back a change if it looks like it’s causing problems. So far so good, but observing a problem and then connecting it back to a given deployment can be far from straightforward. This paper describes Gandalf, the software deployment monitor in production at Microsoft Azure for the past eighteen months plus. Gandalf analyses more than 20TB of data per day: 270K platform events on average (770K peak), 600 million API calls, with data on over 2,000 different fault types. If Gandalf doesn’t like what that data is telling it, it will pause a rollout and send an alert to the development team.

Since its introduction, Gandalf has significantly improved deployment times, cutting them in half across the entire production fleet. As teams gained more experience with Gandalf, and saw how it was Continue reading

NS1 Builds on DNS to Speed Traffic Management

When user experience is increasingly synonymous with speed and reliability, new traffic management sub-teams are appearing at elite digital enterprises. In this episode of The New Stack Makers podcast, we talk to NS1, the networking automation company or, as he calls it, “the system of record for many, many of the key domains and the applications on the internet today.” He says that each of us interacts with NS1 dozens of times a day, like when we are connecting on LinkedIn or sharing files on DropBox. NS1 sits at the base of this new traffic management stack, steering that traffic across our increasingly complex and distributed systems. This stack also includes content networking delivery networks (CDN), load-balancing tooling, edge networking footprints, service meshes, and software for service discovery and egress optimization. This new role isn’t just about measuring if traffic is working correctly, but really understanding both your users and systems Continue reading

Networking with a Purpose Using Technology

Technology is here to stay, and it is only natural that technology has started to play a role in networking. Social media, cell phones, texting, and even sites such as YouTube all can help you use technology in networking with a purpose.

Here are some ways you can engage in networking with a purpose using technology.

Use Those Social Media Sites to Sustain Your Relationship with Contacts

One of the most difficult things to do is to try and maintain the relationships with the contacts you have made through networking efforts. Texting and social media make it easier to maintain those relationships and to check in with those in your network semi-regularly. Even if the contact is just a brief message asking about their family or about their interests, your contacts will notice your sincere interest in them.

Technology Can Keep You Informed Regarding a Contact’s Need That You May Fill

When networking with a purpose, the first thing you should do is to find out what your contact needs and try and fill that need without asking anything in return. It doesn’t have to be all about business, you might be able to recommend a dentist to a client Continue reading

Daily Roundup: Huawei Security Concern Ignites RSA Panel

Huawei security concerns ignited RSA panel discussion; Airline exec dished advice to security...

© SDxCentral, LLC. Use of this feed is limited to personal, non-commercial use and is governed by SDxCentral's Terms of Use (https://www.sdxcentral.com/legal/terms-of-service/). Publishing this feed for public or commercial use and/or misrepresentation by a third party is prohibited.

Sprint Expands Its VeloCloud SD-WAN Global Reach

The expansion more than doubles the reach of the U.S.-based carrier's SD-WAN service compared to a...


Sanjay Poonen Talks VMware’s Multi-Billion-Dollar Security Strategy

“We see a tremendous opportunity to create a multi-billion-dollar security company,” Poonen...


Nutanix Hammered by Coronavirus-Tainted Outlook

The vendor actually posted stronger-than-expected earnings for its latest fiscal quarter, but its...


Akamai: The Financial Sector Is Seeing More APIs-Based Attacks

Cyberattackers are now increasingly targeting APIs, especially in the financial sector, according to content delivery network Akamai’s between 15% and 30% of all web traffic. The Cambridge, Massachusetts-based company hAndy Ellis neatly summarized the resultsemail to VentureBeat, Akamai explained some of the advantages of automation: criminals “use bots and tools that allow threading, or multiple simultaneous connections, to attempt multiple logins at once.” And by targeting APIs, “they hope to avoid some front-end defenses and speed up their validation times.” A recent Franck V. on 

Microsoft’s Ann Johnson: Security Needs AI With Human Spirit

“We need to combine AI with that human apathy,” she said during an RSA keynote. “We need both...


Region and Endpoint Match in AWS API Requests

Interacting directly with the AWS APIs—using a tool like Postman (or, since I switched back to macOS, an application named Paw)—is something I’ve been doing off and on for a little while as a way of gaining a slightly deeper understanding of the APIs that tools like Terraform, Pulumi, and others are calling when automating AWS. For a while, I struggled with AWS authentication, and after seeing Mark Brookfield’s post on using Postman to authenticate to AWS I thought it might be helpful to share what I learned as well.

The basis of Mark’s post (I highly encourage you to go read it) is that he was having a hard time getting authenticated to AWS in order to automate the creation of some Route 53 DNS records. The root of his issue, as it turns out, was a mismatch between the region specified in his request and the API endpoint for Route 53. I know this because I ran into the exact same issue (although with a different service).

The secret to uncovering this mismatch can be found in this “AWS General Reference” PDF. Specifically with regard to Route 53, check out this quote from the document:

Continue reading

Gen X Performance Tuning


We are using AMD 2nd Gen EPYC 7642 for our tenth generation “Gen X” servers. We found many aspects of this processor compelling such as its increase in performance due to its frequency bump and cache-to-core ratio. We have partnered with AMD to get the best performance out of this processor and today, we are highlighting our tuning efforts that led to an additional 6% performance.

Thermal Design Power & Dynamic Power

Thermal design power (TDP) and dynamic power, amongst others, play a critical role when tuning a system. Many share a common belief that thermal design power is the maximum or average power drawn by the processor. The 48-core AMD EPYC 7642 has a TDP rating of 225W which is just as high as the 64-core AMD EPYC 7742. It comes to mind that fewer cores should translate into lower power consumption, so why is the AMD EPYC 7642 expected to draw just as much power as the AMD EPYC 7742?

TDP Comparison between the EPYC 7642, EPYC 7742 and top-end EPYC 7H12

Let’s take a step back and understand that TDP does not always mean the maximum or average power that the processor will draw. At a glance, Continue reading

Announcement: Ansible Contributor Summit Europe

For the past few years we’ve held a conference specifically for contributors at the same time as AnsibleFest. The additional days brought together existing contributors to the open source Ansible code base and those wanting to get involved.

It is with great pleasure that we announce a European Contributor Summit will be held in Gothenburg, Sweden, ahead of the usual summit at AnsibleFest! On March 29 we’ll be welcoming new and old contributors alike. So if you already contribute to Ansible, or would like to, but don’t know how or where to start, this event is for you.

Contributor Summit US will again be held the day before this year’s AnsibleFest event in San Diego. You can sign up for AnsibleFest updates here.

Ansible Contributor Summit is a day-long working session with the core developer team and key contributors. We’ll discuss important issues affecting the Ansible community, and you can take part in person or online. Information for remote participation will be announced about a week beforehand. There is an additional hackathon the following day, on March 30, where you can sit down with fellow contributors to work through anything specific.

The event is free to attend, although registration is Continue reading

Upcoming Events and Webinars (March 2020)

Starting with a short message to anyone interested in our on-site events in Switzerland: on March 10th we’re running our first 2020 workshop, focusing on Docker and containers.

I totally reworked the material, adding tons of new Docker networking examples (including deep dive into iptables) and a few fun things like building an Ansible container, or starting the whole NetBox stack with a single command. Even if you don’t plan to deploy containers in your production network, you might drop by just for that part.

And now for the upcoming webinars:
