NetworkingNexus.net

Introducing Automatic SSL/TLS: securing and simplifying origin connectivity

During Birthday Week 2022, we pledged to provide our customers with the most secure connection possible from Cloudflare to their origin servers automatically. I’m thrilled to announce we will begin rolling this experience out to customers who have the SSL/TLS Recommender enabled on August 8, 2024. Following this, remaining Free and Pro customers can use this feature beginning September 16, 2024 with Business and Enterprise customers to follow.

Although it took longer than anticipated to roll out, our priority was to achieve an automatic configuration both transparently and without risking any site downtime. Taking this additional time allowed us to balance enhanced security with seamless site functionality, especially since origin server security configuration and capabilities are beyond Cloudflare's direct control. The new Automatic SSL/TLS setting will maximize and simplify the encryption modes Cloudflare uses to communicate with origin servers by using the SSL/TLS Recommender.

We first talked about this process in 2014: at that time, securing connections was hard to configure, prohibitively expensive, and required specialized knowledge to set up correctly. To help alleviate these pains, Cloudflare introduced Universal SSL, which allowed web properties to obtain a free SSL/TLS certificate to enhance the security of connections between browsers Continue reading

Celebrating one year of Project Cybersafe Schools

August 8, 2024, is the first anniversary of Project Cybersafe Schools, Cloudflare’s initiative to provide free security tools to small school districts in the United States.

Cloudflare announced Project Cybersafe Schools at the White House on August 8, 2023 as part of the Back to School Safely: K-12 Cybersecurity Summit hosted by First Lady Dr. Jill Biden. The White House highlighted Cloudflare’s commitment to provide free resources to small school districts in the United States. Project Cybersafe Schools supports eligible K-12 public school districts with a package of Zero Trust cybersecurity solutions – for free, and with no time limit. These tools help eligible school districts minimize their exposure to common cyber threats.

Cloudflare’s mission is to help build a better Internet. One way we do that is by supporting organizations that are particularly vulnerable to cyber threats and lack the resources to protect themselves through projects like Project Galileo, the Athenian Project, the Critical Infrastructure Defense Project, Project Safekeeping, and most recently, Project Secure Health.

Schools are vulnerable to cyber attacks

In Q2 2024, education ranked 4th on the list of most attacked industries. Between 2016 and 2022, there were 1,619 K-12 cyber incidents. Continue reading

Introducing Automatic SSL/TLS: securing and simplifying origin connectivity

During Birthday Week 2022, we pledged to provide our customers with the most secure connection possible from Cloudflare to their origin servers automatically. I’m thrilled to announce we will begin rolling this experience out to customers who have the SSL/TLS Recommender enabled on August 8, 2024. Following this, remaining Free and Pro customers can use this feature beginning September 16, 2024, with Business and Enterprise customers to follow.

Celebrating one year of Project Cybersafe Schools

August 8, 2024, is the first anniversary of Project Cybersafe Schools, Cloudflare’s initiative to provide free security tools to small school districts in the United States.

Schools are vulnerable to cyber attacks

In Q2 2024, education ranked 4th on the list of most attacked industries. Between 2016 and 2022, there were 1,619 K-12 cyber incidents. Continue reading

Hedge 238: What Went Wrong? (Crowdstrike)

The massive failure resulting from a failed update to 8.5 million Windows hosts by Crowdstrike will live in Internet history for years to come. The failure will be studied by engineering teams and college classes to understand what went wrong and how we can stop this from happening in the future. Derick Winkworth (@cloudtoad), Eyvonne Sharp, Tom Ammon, and Russ White hang out at the hedge to talk about what happened and lessons learned from a network engineering perspective.

download

Crowdstrike released a detailed description of the problematic update here.

Building Layer-3-Only EVPN Lab

A few weeks ago, Roman Dodin mentioned layer-3-only EVPNs: a layer-3 VPN design with no stretched VLANs in which EVPN is used to transport VRF IP prefixes.

The reality is a bit muddier (in the VXLAN world) as we still need transit VLANs and router MAC addresses; the best way to explore what’s going on behind the scenes is to build a simple lab.

D2DO248: Using Creativity and Empathy to Ease the Pain of Compliance Audits

On today’s Day Two DevOps we talk with Jen Stone, a technical security assessor and aerial arts competition organizer. Jen shares her journey from IT service desk to becoming a security assessor. She emphasizes the importance of creativity and empathy in regulatory compliance while advocating for a collaborative approach to assessments and auditing Episode Guest:... Read more »

HW033: Repeater, Extender or Something Else? What Is the LATYS Focus?

Today on Heavy Wireless we discuss the LATYS Focus device.This innovative RF technology amplifies and directs signals without traditional networking layers. Our guest is Artmiz Golkaramnay, Founder of LATYS. Artmiz explains the device’s functionality, which includes a directional antenna for focused signal amplification; its technical specifications; practical applications in industrial settings; cost benefits; and ease... Read more »

Network Traffic Modeling Approaches

The greatest value of a picture is when it forces us to notice what we never expected to see. - John Tukey

PP025: Wi-Fi Security Part 2 – Listener Q&A

On today’s Packet Protector we answer listener questions about Wi-Fi security with guest Stephen Orr. Stephen is Chair of the Security Technical Task Group for the Wi-Fi Alliance and a Distinguished Solutions Engineer at Cisco. Questions include what recommendations Stephen would make for using multiple SSIDs vs. role-based device segmentation, what he sees as the... Read more »

GenAI Only As Good As Its Data And Platforms

COMMISSIONED: Whether you’re using one of the leading large language models (LLM), emerging open-source models or a combination of both, the output of your generative AI service hinges on the data and the foundation that supports it. …

GenAI Only As Good As Its Data And Platforms was written by Martin Courtney at The Next Platform.

The backbone behind Cloudflare’s Connectivity Cloud

The modern use of "cloud" arguably traces its origins to the cloud icon, omnipresent in network diagrams for decades. A cloud was used to represent the vast and intricate infrastructure components required to deliver network or Internet services without going into depth about the underlying complexities. At Cloudflare, we embody this principle by providing critical infrastructure solutions in a user-friendly and easy-to-use way. Our logo, featuring the cloud symbol, reflects our commitment to simplifying the complexities of Internet infrastructure for all our users.

This blog post provides an update about our infrastructure, focusing on our global backbone in 2024, and highlights its benefits for our customers, our competitive edge in the market, and the impact on our mission of helping build a better Internet. Since the time of our last backbone-related blog post in 2021, we have increased our backbone capacity (Tbps) by more than 500%, unlocking new use cases, as well as reliability and performance benefits for all our customers.

A snapshot of Cloudflare’s infrastructure

As of July 2024, Cloudflare has data centers in 330 cities across more than 120 countries, each running Cloudflare equipment and services. The goal of delivering Cloudflare products and services everywhere remains consistent, although Continue reading

The backbone behind Cloudflare’s Connectivity Cloud

A snapshot of Cloudflare’s infrastructure

Migrating a Data Center Fabric to VXLAN

Darko Petrovic made an excellent remark on one of my LinkedIn posts:

The majority of the networks running now in the Enterprise are on traditional VLANs, and the migration paths are limited. Really limited. How will a business transition from traditional to whatever is next?

The only sane choice I found so far in the data center environment (and I know it has been embraced by many organizations facing that conundrum) is to build a parallel fabric (preferably when the organization is doing a server refresh) and connect the new fabric with the old one with a layer-3 link (in the ideal world) or an MLAG link bundle.

Debian Installation on Raspberry Pi

This guide demonstrates how to install Debian 12 (bookworm), also known as "bookworm," on a […]

The post Debian Installation on Raspberry Pi first appeared on Brezular's Blog.

Palo Alto Object and Policy Cleanup with pan-os-php

Hi all, welcome back to yet another Palo Alto Automation post. If you work with firewalls, you know that one of the most time-consuming tasks is decommissioning a single resource or an entire subnet from the firewall (aka removing all the references related to the resource). Let's imagine you have thousands of address objects and several hundred security policies. Now, suppose we decommissioned a server and our task is to remove any references we may have in the firewall. It could be an address object, a member in an address group, or a reference in a security policy. Removing this manually would take a lot of time, so in this blog post, let's look at a very simple way of cleaning this up using pan-os-php.

The Problem with the Manual Approach

Here is the problem with the manual approach. Let’s say we are trying to decommission the IP address 10.10.10.25. Let's say we have an address object created for this server, and it has been referenced in a few address groups and several security policies. If you try to remove the address object first, the firewall will complain because the object is being referenced elsewhere. So, you Continue reading

Bootstrapping Talos Linux over SSH

For those that aren’t aware, Talos Linux is a purpose-built Linux distribution designed for running Kubernetes. Bootstrapping a Talos Linux cluster is normally done via the Talos API, but this requires direct network access to the Talos Linux nodes. What happens if you don’t have direct network access to the nodes? In this post, I’ll share with you how to bootstrap a Talos Linux cluster over SSH.

In all honesty, if you can establish direct network access to the Talos Linux nodes then that’s the recommended approach. Consider what I’m going to share here as a workaround—a backup plan, if you will—in the event you can’t establish direct network access. I figured out how to bootstrap a Talos Linux cluster over SSH only because I was not able to establish direct network access.

Before getting into the details, I think it’s useful to point out that I’m talking about using SSH port forwarding (SSH tunneling) here, but Talos Linux doesn’t support SSH (as in, you can’t SSH into a Talos Linux system). In this case, you could do the same thing I did and use an SSH bastion host to handle the port forwarding.

There are two parts to bootstrapping Continue reading

NB489: Shareholders Sue CrowdStrike; Intel to Fire 15,000 Employees

Take a Network Break! This week we discuss a proposed class action lawsuit against CrowdStrike, while Delta investigates options to seek damages from CrowdStrike and Microsoft. Microsoft Azure goes down after a DDoS defense error, campus switch sales are forecast to drop significantly in 2024, and DigiCert warns customers that an error it made will... Read more »

Understanding-BGP-Route-Reflector-Mysteries

It’s been while I was away from tech blog writing , this week end I powered on my EVE-NG based lab running on Dell R820 Edge Server and explored some mysteries behind BGP Route Reflector. Please read through it on my Github (https://github.com/kashif-nawaz/Understanding-BGP-Route-Reflector-Mysteries)

Linux: Mount Remote Directories With SSHFS

The Secure Shell (SSH) isn’t just about allowing you to remote into servers to tackle admin tasks. Thanks to this secure networking protocol, you can also mount remote directories with the help of the SSH File System (SSHF). SSHFS uses SFTP (SSH File Transfer Protocol) to mount remote directories to a local machine using secure encryption, which means the connection is far more secure than your standard FTP. As well, once a remote directory is mounted, it can be used as if it was on the local machine. Consider SSHFS to be a more secure way of creating network shares, the only difference is you have to have SSHFS installed on any machine that needs to connect to the share (whereas with Samba, you only have to have it installed on the machine hosting the share). Let’s walk through the process of getting SSHFS up and running, so you can securely mount remote directories to your local machine. What You’ll Need To make this work, you’ll need at least two Linux machines. These machines can be Ubuntu or Fedora-based, because SSHFS is found in the standard repositories for most Linux distributions. You’ll also need a user with Continue reading

« Previous 1 … 113 114 115 116 117 … 3,836 Next »