Split Tunneling with vpnc

vpnc is a fairly well-known VPN connectivity package available for most Linux distributions. Although the vpnc web site describes it as a client for the Cisco VPN Concentrator, it works with a wide variety of IPSec VPN solutions. I’m using it to connect to a Palo Alto Networks-based solution, for example. In this post, I’d like to share how to set up split tunneling for vpnc.

Split tunneling, as explained in this Wikipedia article, allows remote users to access corporate resources over the VPN while still accessing non-corporate resources directly (as opposed to having all traffic routed across the VPN connection). Among other things, split tunneling allows users to access things on their home LAN—like printers—while still having access to corporate resources. For users who work 100% remotely, this can make daily operations much easier.

vpnc does support split tunneling, but setting it up doesn’t seem to be very well documented. I’m publishing this post in an effort to help spread infomation on how it can be done.

First, go ahead and create a configuration file for vpnc. For example, here’s a fictional configuration file:

IPSec gateway vpn.company.com
IPSec ID VPNGroup
IPSec secret donttellanyone
Xauth username bobsmith

Continue reading

How to shop for CDN services

Content delivery networks have been around for more than a decade, but many enterprises are taking a new look at the perks and specialization that today’s CDN services have to offer.Why the renewed interest? The cloud-first movement, all-things-video, IoT and edge computing are all bringing sexy back to CDNs. The content delivery network market was valued at $7.3 billion in 2017 and is expected to reach $29.5 billion by 2023, a compound annual growth rate of 26 percent, according to ResearchAndMarkets.com.To read this article in full, please click here

Use Network Automation to Detect Software Bugs

This blog post was initially sent to subscribers of my SDN and Network Automation mailing list. Subscribe here.

Here’s a question I got from one of the attendees of my network automation online course:

We had a situation where HSRP was configured on two devices and then a second change was made to use a different group ID. The HRSP mac address got "corrupted" into one of devices and according to the vendor FIB was in an inconsistent state. I know this may be vendor specific but was wondering if there is any toolkit available with validation procedures to check if FIB is consistent after implementing L3 changes.

The problem is so specific (after all, he’s fighting a specific bug) that I wouldn’t expect to find a generic tool out there that would solve it.

Read more ...

Happy Birthday to the World Wide Web!

Happy Birthday to the World Wide Web!
Happy Birthday to the World Wide Web!

Today, March 12th 2019, marks the 30th birthday of the World Wide Web! Cloudflare is helping to celebrate in coordination with the Web Foundation, as part of a 30 hour commemoration of the many ways in which the Web has changed our lives. As we post this blog, Sir Tim Berners Lee is kicking off his journey of the web at CERN, where he wrote the first web browser.

The Web Foundation (@webfoundation) is organizing a Twitter timeline of the web, where each hour corresponds to a year starting now with 1989 at 00:00PT/ 08:00 CET. We (@cloudflare) will be tweeting out milestones in our history and the web’s history, as well as some fun infographics. We hope you will follow the journey on Twitter and contribute your own memories and thoughts to the timeline by tweeting and using #Web30 #ForTheWeb. Celebrate with us and support the Web!

IPv6 Security Frequently Asked Questions (FAQ)

The Internet Society recognises that global deployment of the IPv6 protocol is paramount to accommodating the growth of the Internet. Given the scale at which IPv6 must be deployed, it is also important that the possible security implications of IPv6 are well understood and considered during the design and deployment of IPv6 networks, rather than as an afterthought.

We are therefore publishing our IPv6 Security Frequently Asked Questions (FAQ), which highlights and provides answers to the most important aspects of IPv6 security.

Be sure also to check our IPv6 Security page as well!

Further Information

The post IPv6 Security Frequently Asked Questions (FAQ) appeared first on Internet Society.

Nvidia grabs Mellanox out from under Intel’s nose

After months of speculation, Mellanox found a suitor -- and it was a surprise, to say the least. GPU leader Nvidia snatched up the networking vendor for $6.9 billion, topping a rumored previous offer of $6 billion from Nvidia’s nemesis, Intel.The acquisition ends months of rumors of a suitor for Mellanox. Intel, Microsoft, and Xilinix were all reportedly bidding for the Israeli company, which specializes in high-speed networking. [ Read also: How to plan a software-defined data-center network ] Mellanox Technology was formed in 1999 by a former Intel executive and was a pioneer in the early adoption of InfiniBand interconnect technology, which along with its high-speed Ethernet products is now used in over half of the world’s fastest supercomputers and in many leading hyperscale data centers.To read this article in full, please click here

Nvidia grabs Mellanox out from under Intel’s nose

After months of speculation, Mellanox found a suitor -- and it was a surprise, to say the least. GPU leader Nvidia snatched up the networking vendor for $6.9 billion, topping a rumored previous offer of $6 billion from Nvidia’s nemesis, Intel.The acquisition ends months of rumors of a suitor for Mellanox. Intel, Microsoft, and Xilinix were all reportedly bidding for the Israeli company, which specializes in high-speed networking. [ Read also: How to plan a software-defined data-center network ] Mellanox Technology was formed in 1999 by a former Intel executive and was a pioneer in the early adoption of InfiniBand interconnect technology, which along with its high-speed Ethernet products is now used in over half of the world’s fastest supercomputers and in many leading hyperscale data centers.To read this article in full, please click here

Connecting The Dots On Why Nvidia Is Buying Mellanox

The related but distinct HPC and AI markets gave Nvidia a taste for building systems, and it looks like the company wants to control more of the hardware and systems software stack than it currently does given that it is willing to shell out $6.9 billion – just about all of the cash it has on hand – to acquire high-end networking equipment provider and long-time partner Mellanox Technologies.

Connecting The Dots On Why Nvidia Is Buying Mellanox was written by Timothy Prickett Morgan at .

Software-defined perimeter brings trusted access to multi-cloud applications, network resources

Many companies today have a hybrid approach to their networking and IT infrastructure. Some elements remain in an on-premise data center, while other portions have gone to the cloud and even to multi-cloud. As a result, the network perimeter is permeable and elastic. This complicates access requirements at a time when it’s more important than ever to enable accessibility while preventing unauthorized access to applications and data.To reduce risk, some organizations are applying a zero-trust strategy of “verification before trust” by incorporating stronger, stateful user and device authentication; granular access control; and enhanced segmentation no matter where the applications and resources reside.To read this article in full, please click here

Software-defined perimeter brings trusted access to multi-cloud applications, network resources

Many companies today have a hybrid approach to their networking and IT infrastructure. Some elements remain in an on-premise data center, while other portions have gone to the cloud and even to multi-cloud. As a result, the network perimeter is permeable and elastic. This complicates access requirements at a time when it’s more important than ever to enable accessibility while preventing unauthorized access to applications and data.To reduce risk, some organizations are applying a zero-trust strategy of “verification before trust” by incorporating stronger, stateful user and device authentication; granular access control; and enhanced segmentation no matter where the applications and resources reside.To read this article in full, please click here

Research: Practical Challenge-Response for DNS

Because the speed of DNS is so important to the performance of any connection on the ‘net, a lot of thought goes into making DNS servers fast, including optimized software that can respond to queries in milliseconds, and connecting DNS servers to the ‘net through high bandwidth links. To set the stage for massive DDoS attacks based in the DNS system, add a third point: DNS responses tend to be much larger than DNS queries. In fact, a carefully DNS response can be many times larger than the query.

To use a DNS server as an amplifier in a DDoS attack, then, the attacker sends a query to some number of publicly accessible DNS servers. The source of this query is the address of the system to be attacked. If the DNS query is carefully crafted, the attacker can send small packets that cause a number of DNS servers to send large responses to a single IP address, causing large amounts of traffic to the system under attack.

Rami Al-Dalky, Michael Rabinovich, and Mark Allman. 2018. Practical Challenge-Response for DNS. In Proceedings of the Applied Networking Research Workshop (ANRW ’18). ACM, New York, NY, USA, 74-74. DOI: https://doi.org/10.1145/3232755. Continue reading

1 1,303 1,304 1,305 1,306 1,307 3,856