True to its name, Google’s famous Borg cluster controller has absorbed a lot of different ideas about how to manage server clusters and the applications that run atop them at the search engine and now cloud computing giant. …
Ma Bell, Not Google, Creates The Real Open Source Borg was written by Timothy Prickett Morgan at The Next Platform.
“How do I enable GitOps for my network policies?”
That is a common question we hear from security teams. Getting started with Kubernetes is relatively simple, but moving production workloads to Kubernetes requires alignment from all stakeholders – developers, platform engineering, network engineering, security.
Most security teams already have a high-level security blueprint for their data centers. The challenge is in implementing that in the context of a Kubernetes cluster and workload security. Network policy is a key element of Kubernetes security. Network policy is expressed as an YAML configuration, and works very well with GitOps.
We will do a 3 part blog series covering GitOps for network policies. In part 1 (this part), we cover the overview and getting started with a working example tutorial. In part 2, we will extend the tutorial to cover an enterprise-wide decentralized security architecture. In the final part, we will delve into policy assurance with examples. Note that all policies in Tigera Secure (network policy, RBAC, Threat detection, Logging configuration, etc.) are enforced as YAML configuration files, and can be enforced via a GitOps practice.
By adopting GitOps, security teams benefit as follows.
VMware is integrating Cellwize’s automation and orchestration technology into its Smart Assurance...
The partners released their first mobile edge computing infrastructure blueprint, which uses Dell...
The company aims to help multinational enterprises with branch offices in China shift their traffic...
Three vulnerabilities were disclosed as Cache Poisoning Denial of Service attacks in a paper written by Hoai Viet Nguyen, Luigi Lo Iacono, and Hannes Federrath of TH Köln - University of Applied Sciences. These attacks are similar to the cache poisoning attacks presented last year at DEFCON.
Most customers do not have to take any action to protect themselves from the newly disclosed vulnerabilities. Some configuration changes are recommended if you are a Cloudflare customer running unpatched versions of Microsoft IIS and have request filtering enabled on your origin or b) have forced caching of HTTP response code 400 through the use of page rules or Cloudflare Workers.
We have not seen any attempted exploitation of the vulnerabilities described in this paper.
Maintaining the integrity of our content caching infrastructure and ensuring our customers are able to quickly and reliably serve the content they expect to their visitors is of paramount importance to us. In practice, Cloudflare ensures caches serve the content they should in two ways:
The Finnish vendor slashed its profit outlook for the remainder of the year and 2020 amid...
An internal memo warns that “the White House is posturing itself to be electronically compromised...
We welcome this guest post from Top10VPN.com, an Organization Member of the Internet Society.
The search for online privacy has driven a quarter of the world’s Internet users to download a Virtual Private Network (VPN). VPN services are now an important tool for anyone concerned about security and privacy on public networks.
There’s a world of difference between VPNs, though. Without clear and unbiased information many users are forced to navigate their choice of VPN without much clarity.
Why is choosing the right VPN provider so important?
Whenever you switch on a VPN you are entrusting its provider with your personal data, browsing activity, and sometimes even your security. For this reason, VPN providers must be held to a higher standard than most products. It’s important you do your due diligence when making a decision.
What should I look out for?
A good VPN will ensure that no one – even the VPN itself – can see what the user is doing online. Consider the following qualities:
Technical Security
The most secure VPN services will be transparent about the measures they have in place to safeguard their users and their business.
Any VPN worth its salt will offer Continue reading
It was a scorching Monday on July 22 as temperatures soared above 37°C (99°F) in Austin, TX, the live music capital of the world. Only hours earlier, the last crowds dispersed from the historic East 6th Street entertainment district. A few blocks away, Cloudflarians were starting to make their way to the office. Little did those early arrivers know that they would soon be unknowingly participating in a Cloudflare time honored tradition of dogfooding new services before releasing them to the wild.
Dogfooding is when an organization uses its own products. In this case, we dogfed our newest cloud service, Magic Transit, which both protects and accelerates our customers’ entire network infrastructure—not just their web properties or TCP/UDP applications. With Magic Transit, Cloudflare announces your IP prefixes via BGP, attracts (routes) your traffic to our global network edge, blocks bad packets, and delivers good packets to your data centers via Anycast GRE.
We decided to use Austin’s network because we wanted to test the new service on a live network with real traffic from real people and apps. Continue reading
I figured I would take a moment and recap theses past few posts and talk about the different methods now …
The post Junos Policy Based VPNs – Part 4 of 4 – Recap appeared first on Fryguy's Blog.
You probably heard me say “networking engineer encountering a public cloud feels like Alice in Wonderland” - packet forwarding works in a different way in every public cloud, subnets are a mix between routed interfaces and VRFs, you cannot change IP addresses without involving the orchestration system…
We covered the networking aspects of Amazon Web Services and Azure in our cloud webinars, but you might need a bigger picture:
Read more ...Some operators want to reverse mistakes of the past, and others simply recognize and want to...
Taking full advantage of all that IT automation and orchestration have to offer frequently involves combining IT infrastructure automation with in-house application development. To this end, open source software is often used to speed development. Unfortunately, incorporating third-party software into your application means incorporating that third-party software’s vulnerabilities, too.
Scanning for, identifying, and patching open source dependencies in an application’s codebase is known as dependency management, and it’s increasingly considered a critical part of modern development. A recent report found that 60% of open source programs audited had a vulnerability that’s already been patched. With 96% of all code using open source libraries, this is a problem that impacts everyone.
There are many dependency management products available; too many to list in a single blog post. That said, we’ll look at some examples of well-known dependency management products that fall into three broad categories: free, open source software; commercial software with a free tier; and commercial software without a free tier.
Some dependency management products rely on open source vulnerability lists (the most famous of which is supplied by the National Institute of Standards and Technology [NIST]). Some products are commercial, and use closed databases (often in combination with the Continue reading