The End of SD-WAN’s Party In China

As I was listening to Network Break Episode 257 from my friends at Packet Pushers, I heard Greg and Drew talking about a new development in China that could be the end of SD-WAN’s big influence there.

China has a new policy in place, according to Axios, that enforces a stricter cybersecurity stance for companies. Companies doing business in China or with offices in China must now allow Chinese officials to get into their networks to check for security issues as well as verifying the supply chain for network security.

In essence, this is saying that Chinese officials can have access to your networks at any time to check for security threats. But the subtext is a little less clear. Do they get to control the CPE as well? What about security constructs like VPNs? This article seems to indicate that as of January 1, 2020, there will be no intra-company VPNs authorized by any companies in China, whether Chinese or foreign businesses in China.

Tunnel Collapse

I talked with a company doing some SD-WAN rollouts globally in China all the way back in 2018. One of the things that was brought up in that interview was that Continue reading

So, what exactly is NFA?

The post So, what exactly is NFA? appeared first on Noction.

Nominations Now Open for 2020 Internet Society Board of Trustees Elections

The Internet Society Nominations Committee is now inviting nominations for candidates to serve on the Board of Trustees.

The Board provides strategic direction, inspiration, and oversight to advance the Internet Society’s mission of preserving the open, globally-connected, trustworthy and secure Internet for everyone.

In 2020 Chapters will elect two (2) Trustees; Organization Members will elect one (1) Trustee; and the IETF will appoint one (1) Trustee. The term of office is 3 years, beginning in August 2020 and ending mid-year 2023.

The Internet Society is a global non-profit organization that champions the open Internet for everyone. With offices in Washington, DC, USA and Geneva, Switzerland, as well as regional bureaus throughout the world, it is dedicated to ensuring the open development, evolution, and use of the Internet for the benefit of people globally. ISOC is also the organizational home of the Internet Engineering Task Force (IETF) and other Internet-related bodies who together play a critical role in ensuring that the Internet develops in a stable and open manner. ISOC has more than 100 Organization Members, over 130 Chapters and Special Interest Groups, and more than 60,000 individual members that play a role in driving the mission and work of the Continue reading

Noction Flow Analyzer is now in Open Beta

The post Noction Flow Analyzer is now in Open Beta appeared first on Noction.

Weekly Wrap: Ex-Cisco Execs Launch Pensando, Target Amazon

Sprint Rouses IoT Offensive as CEO Skips MWC LA Keynote

Public keys are not enough for SSH security

If your organization uses SSH public keys, it’s entirely possible you have already mislaid one. There is a file sitting in a backup or on a former employee’s computer which grants the holder access to your infrastructure. If you share SSH keys between employees it’s likely only a few keys are enough to give an attacker access to your entire system. If you don’t share them, it’s likely your team has generated so many keys you long lost track of at least one.

If an attacker can breach a single one of your client devices it’s likely there is a known_hosts file which lists every target which can be trivially reached with the keys the machine already contains. If someone is able to compromise a team member’s laptop, they could use keys on the device that lack password protection to reach sensitive destinations.

Should that happen, how would you respond and revoke the lost SSH key? Do you have an accounting of the keys which have been generated? Do you rotate SSH keys? How do you manage that across an entire organization so consumed with serving customers that security has to be effortless to be adopted?

Cloudflare Access launched support Continue reading

NICT successfully demos petabit-per-second network node

Petabit-class networks will support more than 100-times the capacity of existing networks, according to scientists who have just demonstrated an optical switching rig designed to handle the significant amounts of data that would pour through future petabit cables. One petabit is equal to a thousand terabits, or a million gigabits.Researchers at the National Institute of Information and Communications Technology (NICT) in Japan routed signals with capacities ranging from 10 terabits per second to 1 petabit per second through their node. Those kinds of capacities, which could send 8K resolution video to 10 million people simultaneously, are going to be needed for future broadband video streaming and Internet of Things at scale, researchers believe. In-data-center applications and backhaul could benefit.To read this article in full, please click here

NICT successfully demos petabit-per-second network node

Petabit-class networks will support more than 100-times the capacity of existing networks, according to scientists who have just demonstrated an optical switching rig designed to handle the significant amounts of data that would pour through future petabit cables. One petabit is equal to a thousand terabits, or a million gigabits.Researchers at the National Institute of Information and Communications Technology (NICT) in Japan routed signals with capacities ranging from 10 terabits per second to 1 petabit per second through their node. Those kinds of capacities, which could send 8K resolution video to 10 million people simultaneously, are going to be needed for future broadband video streaming and Internet of Things at scale, researchers believe. In-data-center applications and backhaul could benefit.To read this article in full, please click here

OpenBGPD with Claudio Jeker on Software Gone Wild

Everyone is talking about FRRouting suite these days, while hidden somewhere in the background OpenBGPD has been making continuous progress for years. Interestingly, OpenBGPD project was started for the same reason FRR was forked - developers were unhappy with Zebra or Quagga routing suite and decided to fix it.

We discussed the history of OpenBGPD, its current deployments and future plans with Claudio Jeker, one of the main OpenBGPD developers, in Episode 106 of Software Gone Wild.

Task-based effectiveness of basic visualizations

Task-based effectiveness of basic visualizations Saket et al., IEEE Transactions on Visualization and Computer Graphics 2019

So far this week we’ve seen how to create all sorts of fantastic interactive visualisations, and taken a look at what data analysts actually do when they do ‘exploratory data analysis.’ To round off the week today’s choice is a recent paper on an age-old topic: what visualisation should I use?

No prizes for guessing “it depends!”

…the effectiveness of a visualization depends on several factors including task at the hand, and data attributes and datasets visualized.

Is this the paper to finally settle the age-old debate surrounding pie-charts??

Saket et al. look at five of the most basic visualisations —bar charts, line charts, pie charts, scatterplots, and tables— and study their effectiveness when presenting modest amounts of data (less than 50 visual marks) across 10 different tasks. The task taxonomy comes from the work of Amar et al., describing a set of ten low-level analysis tasks that describe users’ activities while using visualization tools.

1. Finding anomalies
2. Finding clusters (counting the number of groups with similar data attribute values)
3. Finding correlations (determining whether or not there is a correlation between Continue reading

Automation projects: A good time to switch vendors?

(Editor’s note: Enterprise Management Associates took a look at enterprise network automation initiatives and found that 89% of them contribute to IT an organization’s decision to purchase products from a new network infrastructure vendor. This article by EMA’s research director for network management, Shamus McGillicuddy, reviews three reasons enterprises might do so based on EMA’s recent report “Enterprise Network Automation for 2020 and Beyond.” For the report, 250 IT professionals directly involved in a formal network-automation initiative were surveyed, and one-on-one interviews were conducted with six such stakeholders.)To read this article in full, please click here

Ma Bell, Not Google, Creates The Real Open Source Borg

True to its name, Google’s famous Borg cluster controller has absorbed a lot of different ideas about how to manage server clusters and the applications that run atop them at the search engine and now cloud computing giant. …

Ma Bell, Not Google, Creates The Real Open Source Borg was written by Timothy Prickett Morgan at The Next Platform.

Enable GitOps for Kubernetes Security – Part 1

“How do I enable GitOps for my network policies?”

That is a common question we hear from security teams. Getting started with Kubernetes is relatively simple, but moving production workloads to Kubernetes requires alignment from all stakeholders – developers, platform engineering, network engineering, security.

Most security teams already have a high-level security blueprint for their data centers. The challenge is in implementing that in the context of a Kubernetes cluster and workload security. Network policy is a key element of Kubernetes security. Network policy is expressed as an YAML configuration, and works very well with GitOps.

We will do a 3 part blog series covering GitOps for network policies. In part 1 (this part), we cover the overview and getting started with a working example tutorial. In part 2, we will extend the tutorial to cover an enterprise-wide decentralized security architecture. In the final part, we will delve into policy assurance with examples. Note that all policies in Tigera Secure (network policy, RBAC, Threat detection, Logging configuration, etc.) are enforced as YAML configuration files, and can be enforced via a GitOps practice.

By adopting GitOps, security teams benefit as follows.

• Take your policies with you. Kubernetes cluster creation Continue reading

VMware Smart Assurance Gets Wize

MobiledgeX, WWT, Dell, and VMware Team Up on MEC

Teridion’s Cloud SD-WAN Service Glides Into China

Cloudflare response to CPDoS exploits

Three vulnerabilities were disclosed as Cache Poisoning Denial of Service attacks in a paper written by Hoai Viet Nguyen, Luigi Lo Iacono, and Hannes Federrath of TH Köln - University of Applied Sciences. These attacks are similar to the cache poisoning attacks presented last year at DEFCON.

Most customers do not have to take any action to protect themselves from the newly disclosed vulnerabilities. Some configuration changes are recommended if you are a Cloudflare customer running unpatched versions of Microsoft IIS and have request filtering enabled on your origin or b) have forced caching of HTTP response code 400 through the use of page rules or Cloudflare Workers.

We have not seen any attempted exploitation of the vulnerabilities described in this paper.

Maintaining the integrity of our content caching infrastructure and ensuring our customers are able to quickly and reliably serve the content they expect to their visitors is of paramount importance to us. In practice, Cloudflare ensures caches serve the content they should in two ways:

1. We build our caching infrastructure to behave in ways compliant with industry standards.
2. We actively add defenses to our caching logic to protect customers from common caching pitfalls. We see our job as Continue reading

Nokia Stock Dives on Slashed 5G Outlook

VMware on White House Cybersecurity: ‘The Night’s Watch Is Very Thin’