Top Questions from VMworld 2018


Last week, the Docker team had a chance to interact with the attendees of VMworld to talk about containers and container platforms. We spoke to companies in all stages of their containerization journey – some were just getting started and figuring out where containers may be used, others had started early containerization projects, some had mature container environments. Here are some of the most common questions we were asked.

Q: We have developers that are using Docker containers now, but what is the relevancy of containers to me (as an IT or virtualization admin)?

A: While developers were the first to adopt containers, there are many benefits of containers for IT:

  • Server consolidation: While virtualization did increase the number of virtual machines per server, studies show that servers are still greatly underutilized. On average, Docker Enterprise customers see 50% greater server consolidation with containerization. That means being able to pack more workloads onto existing infrastructure or even reducing the number of servers and therefore saving on licensing and hardware costs.
  • Easier patching and maintenance: Containerized applications can be updated easily through changes to the source image file. This also means it’s possible to update and rollback patches on the Continue reading

Protection from Struts Remote Code Execution Vulnerability (S2-057)

Protection from Struts Remote Code Execution Vulnerability (S2-057)

On August 22 a new vulnerability in the Apache Struts framework was announced. It allows unauthenticated attackers to perform Remote Code Execution (RCE) on vulnerable hosts.

As security researcher Man Yue Mo explained, the vulnerability has similarities with previous Apache Struts vulnerabilities. The Cloudflare WAF already mitigated these so adjusting our rules to handle the new vulnerability was simple. Within hours of the disclosure we deployed a mitigation with no customer action required.

OGNL, again

Apache Struts RCE payloads often come in the form of Object-Graph Navigation Library (OGNL) expressions. OGNL is a language for interacting with the properties and functions of Java classes and Apache Struts supports it in many contexts.

For example, the snippet below uses OGNL to dynamically insert the value "5" into a webpage by calling a function.

<s:property value="%{getSum(2,3)}" />

OGNL expressions can also be used for more general code execution:

${
    #_memberAccess["allowStaticMethodAccess"]=true,
    @java.lang.Runtime@getRuntime().exec('calc')
}

Which means if you can find a way to make Apache Struts execute a user supplied OGNL expression, you've found an RCE vulnerability. Security researchers have found a significant number of vulnerabilities where this was the root cause.

What’s different this time?

The major difference between Continue reading

Why monday.com Is The Universal Team Management Tool for Your Team

Every project management tool seeks to do the same instrumental thing: keep teams connected, on task and on deadline to get major initiatives done. But the market is getting pretty crowded, and for good reason — no platform seems to have gotten the right feel for what people need to see, and how that information should be displayed so that it’s both actionable/relevant, and contextualized. That’s why monday.com is worth a shot. The platform is based off a simple, but powerful idea: that as humans, we like to feel like we’re contributing to part of a greater/effort good — an idea that sometimes gets lost in the shuffle as we focus on the details of getting stuff done. So projects are put onto a task board (think of it like a digital whiteboard), where everyone can have the same level of visibility into anyone else who’s contributing set of tasks. That transparency breaks down the silos between teams that cause communication errors and costly project mistakes — and it’s a beautiful, simple way to connect people to the processes that drive forward big business initiatives. To read this article in full, please click here

Complicated Vs. Complexity

I am currently reading Team of Teams, an excellent book!

In it, it highlights an interesting fact that I think is very relevant for the networking world and that is the difference between something that is complicated versus something that is complex.

There is a distinct difference in that something complicated can be broken down into its building blocks and analysed with a high degree of certainty. Think of a car engine for example. It is a very complicated piece of machinery for sure, but it is not complex, since you can divide its functionality down into components. On the other hand think of something like a virus and how it evolves. This is a complex organism that you you can’t be certain that will evolve in a predetermined fashion.

So im thinking, the way we build networks today, are we building them to be “just” complicated or are they really complex in nature instead? – The answer to this question determines how we need to manage our infrastructure!

Just some food for thought!

/Kim

Our Right to Protect Our Autonomy and Human Dignity

We are entering a new world in which data may be more important than software.”
– Tim O’Reilly

In this digital era where modern technology has become as ubiquitous as air, a seismic shift in innovation, revenue generation, and lifestyle has transpired, whereby data has become the most valuable commodity. In Australia, many youths struggle to “disconnect” completely from digital devices, with the proliferation of wearable technologies and broadband access facilitating the unavoidable integration of technology into our everyday lives. As a 21st century youth, and part of the demographic who consumes the most Internet and digital media, there exists a stark disparity between the amount of time we spend engaging with digital devices and our actual understanding of Internet governance and/or legislation.

We have become so reliant on the Internet and technology, we rarely question the personal risks we take and potential breaches of law that occur. Our dependence on digital devices and instant gratification prompts us to accept “Terms and Conditions” without ever reading a word and allows cookies to be saved despite having no idea what they are. Alarmingly, in the event our data is exploited or shared without our consent, we are oblivious to the Continue reading

BrandPost: Choosing Cybersecurity Products

Cybercrime damage is projected to reach $6 trillion annually by 2021. That’s creating lots of demand for security protection—estimated at over $1 trillion cumulatively between 2017 and 2021. As a result, an estimated 1,200 vendors are competing to provide enterprise-class cybersecurity products, so how do you go about choosing which solution to use?There’s no doubt, cyberthreats are real—according to the Online Trust Alliance (OTA), the number of cyber incidents targeting businesses almost doubled from 82,000 in 2016 to 159,700 in 2017, and due to non-reporting of many incidents, the actual number for 2017 could well have exceeded 360,000.To read this article in full, please click here

What to expect when the internet gets a big security upgrade

Ready or not, the upgrade to an important internet security operation may soon be launched. Then again, it might not.The Internet Corporation for Assigned Names and Numbers (ICANN) will meet the week of Sept. 17 and will likely decide whether or not to give the go ahead on its multi-year project to upgrade the top pair of cryptographic keys used in the Domain Name System Security Extensions (DNSSEC) protocol — commonly known as the root zone key signing key (KSK) — which secures the Internet's foundational servers.[ RELATED: Firewall face-off for the enterprise ] Changing these keys and making them stronger is an essential security step, in much the same way that regularly changing passwords is considered a practical habit by any Internet user, ICANN says. The update will help prevent certain nefarious activities such as attackers taking control of a session and directing users to a site that for example might steal their personal information.To read this article in full, please click here

What to expect when the internet gets a big security upgrade

Ready or not, the upgrade to an important internet security operation may soon be launched. Then again, it might not.The Internet Corporation for Assigned Names and Numbers (ICANN) will meet the week of Sept. 17 and will likely decide whether or not to give the go ahead on its multi-year project to upgrade the top pair of cryptographic keys used in the Domain Name System Security Extensions (DNSSEC) protocol — commonly known as the root zone key signing key (KSK) — which secures the Internet's foundational servers.[ RELATED: Firewall face-off for the enterprise ] Changing these keys and making them stronger is an essential security step, in much the same way that regularly changing passwords is considered a practical habit by any Internet user, ICANN says. The update will help prevent certain nefarious activities such as attackers taking control of a session and directing users to a site that for example might steal their personal information.To read this article in full, please click here

What to expect when the internet gets a big security upgrade

Ready or not, the upgrade to an important internet security operation may soon be launched. Then again, it might not.The Internet Corporation for Assigned Names and Numbers (ICANN) will meet the week of Sept. 17 and will likely decide whether or not to give the go ahead on its multi-year project to upgrade the top pair of cryptographic keys used in the Domain Name System Security Extensions (DNSSEC) protocol — commonly known as the root zone key signing key (KSK) — which secures the Internet's foundational servers.[ RELATED: Firewall face-off for the enterprise ] Changing these keys and making them stronger is an essential security step, in much the same way that regularly changing passwords is considered a practical habit by any Internet user, ICANN says. The update will help prevent certain nefarious activities such as attackers taking control of a session and directing users to a site that for example might steal their personal information.To read this article in full, please click here

What to expect when the Internet gets a big security upgrade

Ready or not, the upgrade to an important Internet security operation may soon be launched.  Then again, it might not.The Internet Corporation for Assigned Names and Numbers (ICANN) will meet the week of September 17 and will likely decide whether or not to give the go ahead on its multi-year project to upgrade the top pair of cryptographic keys used in the Domain Name System Security Extensions (DNSSEC) protocol – commonly known as the root zone key signing key (KSK) –  which secures the Internet's foundational servers.RELATED: Firewall face-off for the enterprise Changing these keys and making them stronger is an essential security step, in much the same way that regularly changing passwords is considered a practical habit by any Internet  user, ICANN says. The update will help prevent certain nefarious activities such as attackers taking control of a session and directing users to a site that for example might steal their personal information.To read this article in full, please click here

The correct levels of backup save time, bandwidth, space

One of the most basic things to understand in backup and recovery is the concept of backup levels and what they mean.Without a proper understanding of what they are and how they work, companies can adopt bad practices that range from wasted bandwidth and storage to actually missing important data on their backups. Understanding these concepts is also crucial when selecting new data-protection products or services.[ Check out 10 hot storage companies to watch. | Get regularly scheduled insights by signing up for Network World newsletters. ] Full backupTo read this article in full, please click here

Network Infrastructure as Code Is Nothing New

Following “if you can’t explain it, you don’t understand it” mantra I decided to use blog posts to organize my ideas while preparing my Networking Infrastructure as Code presentation for the Autumn 2018 Building Network Automation Solutions online course. Constructive feedback is highly appreciated.

Let’s start with a simple terminology question: what exactly is Infrastructure as Code that everyone is raving about? Here’s what Wikipedia has to say on the topic:

Read more ...

Who left open the cookie jar? A comprehensive evaluation of third-party cookie policies

Who left open the cookie jar? A comprehensive evaluation of third-party cookie policies from the Franken et al., USENIX Security 2018

This paper won a ‘Distinguished paper’ award at USENIX Security 2018, as well as the 2018 Internet Defense Prize. It’s an evaluation of the defense mechanisms built into browsers (and via extensions / add-ons) that seek to protect against user tracking and cross-site attacks. Testing across 7 browsers and 46 browser extensions, the authors find that for virtually every browser and extension combination there is a way to bypass the intended security policies.

Despite their significant merits, the way cookies are implemented in most modern browsers also introduces a variety of attacks and other unwanted behavior. More precisely, because cookies are attached to every request, including third-party requests, it becomes more difficult for websites to validate the authenticity of a request. Consequently, an attacker can trigger requests with a malicious payload from the browser of an unknowing victim… Next to cross-site attacks, the inclusion of cookies in third-party requests also allows fo users to be tracked across the various websites they visit.

When you visit a site A, it can set a cookie to be included in Continue reading

Taking EVPN & open networking to new heights with Broadcom Trident3 and Cumulus Linux

As highlighted in our recent press release, Cumulus Networks and Broadcom are expanding their commitment to open networking by introducing support of Cumulus Linux to the widely successful Broadcom Trident3  The Trident3-based switches will be available with Cumulus Linux in the Fall of 2018.

When Trident3 came to the market it offered a fully programming packet processing silicon as well as improved power efficiency. It’s additional benefit was a broad range of scalability, starting at 200 Gbps of throughput scaling all the way up to 3.2 Tbps on a single chip.

We are thrilled to have the world’s most powerful open network operating system, Cumulus Linux, now running on this innovative Broadcom chip. I see three benefits of utilizing these two solutions in data center networking 1) Simplified EVPN, 2) Scalable VXLAN, and 3) investment protection.

  1. Simplified EVPN operations

    With the Cumulus and Trident3 EVPN implementation, teams can utilize well-understood and simple networking protocols like BGP to effortlessly build a highly scalable, layer-3-routed, underlay fabric for different address families, including IPv4, IPv6 and EVPN routes. EVPN will automatically set up neighbors, discover information, and exchange that information among nodes. With just a few lines of code, you can Continue reading

Worth Reading: Using DNS as a Single Signon

Internet-wide identity management is one of the hot issues currently — dealing with hundreds of separate usernames and passwords is insecure and unfriendly for users. Increasingly, people use their social network accounts to log into websites, which works well, but forces you to allow either Google or Facebook to track all your logins — you don’t have a lot of choice. —Vittorio Bertola @APNIC

1 1,445 1,446 1,447 1,448 1,449 3,809