A Tale of Two (APT) Transports

A Tale of Two (APT) Transports

Securing access to your APT repositories is critical. At Cloudflare, like in most organizations, we used a legacy VPN to lock down who could reach our internal software repositories. However, a network perimeter model lacks a number of features that we consider critical to a team’s security.

As a company, we’ve been moving our internal infrastructure to our own zero-trust platform, Cloudflare Access. Access added SaaS-like convenience to the on-premise tools we managed. We started with web applications and then moved resources we need to reach over SSH behind the Access gateway, for example Git or user-SSH access. However, we still needed to handle how services communicate with our internal APT repository.

We recently open sourced a new APT transport which allows customers to protect their private APT repositories using Cloudflare Access. In this post, we’ll outline the history of APT tooling, APT transports and introduce our new APT transport for Cloudflare Access.

A brief history of APT

Advanced Package Tool, or APT, simplifies the installation and removal of software on Debian and related Linux distributions. Originally released in 1998, APT was to Debian what the App Store was to modern smartphones - a decade ahead of its time!

Continue reading

BrandPost: Assessing Your Current WAN State is Key to Making Effective Changes

If your wide-area network (WAN) has been with you for many years, it may be time to think about an upgrade, especially given the emergence of technologies such as software-defined WANs (SD-WAN). But rather than just dive in, assuming SD-WAN will be a good fit, it’s helpful to perform an assessment of your current situation and what outcomes you’d like to see out of an upgrade.Making this type of assessment means asking a series of questions, the answers to which may – or may not – lead you toward adopting SD-WAN technology. To learn what sort of questions to ask, I talked with Mike Lawson, Manager of SD-WAN/NFV Solutions Architecture for CenturyLink, a global network provider.Lawson spends his time in the trenches with network architects and customers, accumulating an excellent sense of whether a company is a good candidate for SD-WAN.To read this article in full, please click here

I Was A 10x Engineer. And I’m Sorry.

You probably saw the big discussion this past weekend on Twitter about 10x Engineers. It all started with a tweet about how to recognize a 10x Engineer, followed by tons of responses about how useless they were and how people that had encountered them were happy to be rid of them. All that discussion made me think back to my old days as a Senior Network Rock Star. As I reminisced I realized that I was, in fact, a 10x Engineer. And I was miserable.

Pour Some Work On Me

I wasn’t always the epitome of engineering hatred. I used to be a wide-eyed technician with a hunger to learn things. I worked on a variety of systems all over the place. In fact, I was rising through the ranks of my company as a Novell Engineer in an environment with plenty of coverage. I was just learning the ropes and getting ready to take my place in a group of interchangeable people.

Then I started getting into networking. I spent more time learning about routers and switches and even firewalls. That meant that my skill set was changing from servers to appliances. It also meant that I was Continue reading

Campus design feature set-up : Part 6

I’ve been going through how to set up the CL 3.7.5 campus feature: Multi-Domain Authentication in a 6-part blog series and I’m happy to say we’ve made it to the last one.

If you’ve stuck with me through this series, you’d know that in blogs 1-5 we had guides for Wired 802.1x using Aruba ClearPass, Wired MAC Authentication using Aruba ClearPass, Multi-Domain Authentication using Aruba ClearPass, Wired 802.1x using Cisco ISE and Wired MAC Authentication using Cisco ISE

Now that we’re at the end of the road, this final guide will enable Multi-Domain Authentication in Cumulus Linux 3.7.5+ using Cisco ISE (Identity Services Engine) 2.4, Patch 8.

Keep in mind that this step-by-step guide assumes that you have already performed an initial setup of Cisco ISE and read part four and part five of this blog series.

Over the past year, Cumulus Networks has made a concerted effort to expand the breadth and scope of the campus features within Cumulus Linux. Hot off the press in 3.7.5 is one of those features, Multi-Domain Authentication (MDA).

Classically, MDA allows for a Voice VLAN and Data VLAN to be configured Continue reading

Docker’s Contribution to Authentication for Windows Containers in Kubernetes

When Docker Enterprise added support for Windows containers running on Swarm with the release of Windows Server 2016, we had to tackle challenges that are less pervasive in pure Linux environments. Chief among these was Active Directory authentication for container-based services using Group Managed Service Accounts, or gMSAs. With nearly 3 years of experience deploying and running Windows container applications in production, Docker has solved for a number of complexities that come with managing gMSAs in a container-based world. We are pleased to have contributed that work to upstream Kubernetes.

Challenges with gMSA in Containerized Environments

Aside from being used for authentication across multiple instances, gMSAs solves for two additional problems: 
  1. Containers cannot join the domain, and;
  2. When you start a container, you never really know which host in your cluster it’s going to run on. You might have three replicas running across hosts A, B, and C today and then tomorrow you have four replicas running across hosts Q, R, S, and T. 
One way to solve for this transience is to place the gMSA credential specifications for your service on each and every host where the containers for that service might run, and then repeat that for Continue reading

Public internet should be all software-defined

The public internet should migrate to a programmable backbone-as-a-service architecture, says a team of network engineers behind NOIA, a startup promising to revolutionize global traffic. They say the internet will be more efficient if internet protocols and routing technologies are re-worked and then combined with a traffic-trading blockchain.It’s “impossible to use internet for modern applications,” the company says on its website. “Almost all global internet companies struggle to ensure uptime and reliable user experience.”That’s because modern techniques aren’t being introduced fully, NOIA says. The engineers say algorithms should be implemented to route traffic and that segment routing technology should be adopted. Plus, blockchain should be instigated to trade internet transit capacity. A “programmable internet solves the web’s inefficiencies,” a representative from NOIA told me.To read this article in full, please click here

Datanauts 169: Understanding RESTful APIs For Infrastructure Engineers

RESTful APIs are the subject, Ethan Banks is the student, and Chris Wahl is the teacher in today's Datanaut's podcast. Chris and Ethan explore foundational concepts about RESTful APIs and how they work, examine the anatomy of an API conversation, and discuss why APIs are a key to automation.

The post Datanauts 169: Understanding RESTful APIs For Infrastructure Engineers appeared first on Packet Pushers.

IDG Contributor Network: How edge computing is driving a new era of CDN

We are living in a hyperconnected world where anything can now be pushed to the cloud. The idea of having content located in one place, which could be useful from the management’s perspective, is now redundant. Today, the users and data are omnipresent.The customer’s expectations have up-surged because of this evolution. There is now an increased expectation of high-quality service and a decrease in customer’s patience. In the past, one could patiently wait 10 hours to download the content. But this is certainly not the scenario at the present time. Nowadays we have high expectations and high-performance requirements but on the other hand, there are concerns as well. The internet is a weird place, with unpredictable asymmetric patterns, buffer bloat and a list of other performance-related problems that I wrote about on Network Insight. [Disclaimer: the author is employed by Network Insight.]To read this article in full, please click here

Accessible, Clear, and Appropriate: An Open Letter to Amazon on Privacy Policies

With great power comes great responsibility.

Online marketplaces, such as Amazon, are becoming increasingly common. But can consumers count on these marketplaces to help safeguard their privacy? On Monday, coinciding with Amazon Prime Day, the Internet Society partnered with Mozilla and other organizations to publish An Open Letter to Amazon about Privacy.

We call for Amazon to require vendors of connected devices to have “a privacy policy that is easily accessible, written in language that is easily understood, and appropriate for the person using the device or service.”

This is one of the five minimum guidelines we called for in a joint statement with Mozilla and Consumers International during the 2018 holiday buying season: “Minimum Standards for Tackling IoT Security.” The other guidelines cover strong passwords, software upgradability, ability to manage reported vulnerabilities, and encryption of data. However, these five guidelines are just baseline recommendations. A full set of principles addressing security, privacy, and lifecycle issues is outlined in our IoT Trust Framework.

We urge everyone involved in the production and sales of connected products to step up and help protect their customers by ensuring that trust by design – making privacy and security the default – Continue reading

Mastering user groups on Linux

User groups play an important role on Linux systems. They provide an easy way for a select groups of users to share files with each other. They also allow sysadmins to more effectively manage user privileges, since they can assign privileges to groups rather than individual users.While a user group is generally created whenever a user account is added to a system, there’s still a lot to know about how they work and how to work with them. [ Two-Minute Linux Tips: Learn how to master a host of Linux commands in these 2-minute video tutorials ] One user, one group? Most user accounts on Linux systems are set up with the user and group names the same. The user "jdoe" will be set up with a group named "jdoe" and will be the only member of that newly created group. The user’s login name, user id, and group id will be added to the /etc/passwd and /etc/group files when the account is added, as shown in this example:To read this article in full, please click here

MPLS is hanging on in this SD-WAN world

The SD-WAN networking market is booming and is expected to grow to $17 billion by 2025, and no wonder. Software-defined wide-area networking eliminates the need for expensive routers and does all the network connectivity in the cloud.Among its advantages is the support for secure cloud connectivity, one area where multiprotocol label switching (MPLS) falls short. MPLS is a data protocol from before the internet took off and while ideal for communications within the corporate firewall, it doesn’t lend itself to cloud and outside communications well.To read this article in full, please click here

Spousevitivities at VMworld 2019

This year VMworld—VMware’s annual user conference—moves back to San Francisco from Las Vegas. Returning to the Bay Area with VMworld is Spousetivities, which is happening again this year for the 11th year at VMworld. Better get your tickets sooner rather than later, there’s quite a good chance these activities will sell out!

Registration is open right now.

This year’s activities are funded in part by the generous and community-minded support of Veeam and VMUG, who are “putting their money where their mouth is” when it comes to promoting strong work/life balance at events like VMworld.

Here’s a quick look at what’s planned for VMworld 2019 in San Francisco:

Monday, August 26: Spousetivities kicks off the week with a walking food tour. This tour, like all the others, will depart from the Marriott Marquis.

Tuesday, August 27: This full-day event will take participants up to Wine Country for several wine tastings. Transportion is provided, of course, and participants will enjoy lunch on the tour as well.

Wednesday, August 28: Nature, shopping, tranquility, and quaint towns—this tour has it all! Participants will visit the Golden Gate Bridge, the Marin headlands, Muir Woods, and Sausalito. Transportion and Continue reading

Cloudflare em Lisboa

Cloudflare em Lisboa

Eu fui o 24º funcionário da Cloudflare e o primeiro a trabalhar fora de São Francisco. A trabalhar num escritório improvisado em minha casa, e escrevi um pedaço grande do software da Cloudflare antes de ter contratato uma equipa em Londres. Hoje, Cloudflare London, a nossa a sede da EMEA a região da Europa, Médio Oriente e África tem mais de 200 pessoas a trabalhar no edifício histórico County Hall á frente do Parlamento Britânico. O meu escritório improvisado é agora história antiga.

Cloudflare em Lisboa
CC BY-SA 2.0 image by Sridhar Saraf

Cloudflare não parou em Londres. Temos pessoas em Munique, Singapura, Pequim, Austin, Texas, Chicago e Champaign, Illinois, Nova York, Washington,DC, São José, Califórnia, Miami, Florida, Sydney, Austrália e também em Sao Francisco e Londres. Hoje estamos a anunciar o estabelecimento de um novo escritório em Lisboa, Portugal. Como parte da abertura do escritório este Verão irei me deslocar para Lisboa juntamente com um pequeno número de pessoal técnico de outros escritórios da Cloudflare.

Estamos a recrutar em Lisboa neste momento. Pode visitar este link para ver todas as oportunidades actuais. Estamos á procura de candidatos para preencher os cargos de Engenheiro, Segurança, Produto, Produto de Estratégia, Investigação Tecnológica e Continue reading

Cloudflare’s new Lisbon office

Cloudflare's new Lisbon office

I was the 24th employee of Cloudflare and the first outside of San Francisco. Working out of my spare bedroom, I wrote a chunk of Cloudflare’s software before starting to recruit a team in London. Today, Cloudflare London, our EMEA headquarters, has more than 200 people working in the historic County Hall building opposite the Houses of Parliament. My spare bedroom is ancient history.

Cloudflare's new Lisbon office
CC BY-SA 2.0 image by Sridhar Saraf

And Cloudflare didn’t stop at London. We now have people in Munich, Singapore, Beijing, Austin, TX, Chicago and Champaign, IL, New York, Washington, DC, San Jose, CA, Miami, FL, and Sydney, Australia, as well as San Francisco and London. And today we’re announcing the establishment of a new technical hub in Lisbon, Portugal. As part of that office opening I will be relocating to Lisbon this summer along with a small number of technical folks from other Cloudflare offices.

We’re recruiting in Lisbon starting today. Go here to see all the current opportunities. We’re looking for people to fill roles in Engineering, Security, Product, Product Strategy, Technology Research, and Customer Support.

Cloudflare's new Lisbon office
CC BY-SA 2.0 Image by Rustam Aliyev

My first real idea of Lisbon dates to 30 Continue reading

1 1,187 1,188 1,189 1,190 1,191 3,841