Using JUNOS Firewall Filters for Troubleshooting & Verification | QFX5110

The Junos firewall filter feature can be a really useful tool for troubleshooting and verification scenarios. I was recently troubleshooting a packet loss fault and I was fairly sure it was an asymmetrical routing issue but I needed a quick way of verifying. And then a colleague said, “hey, how about a firewall filter?”. Of course, assuming IP traffic, we can use a Junos firewall filter to capture specific traffic flows.

Overview

In this scenario, we have a pair of Juniper QFX5110 switches that are both connected to an upstream IP transit provider. They are also connected to a local network via a VMware NSX edge. We’re going to use a firewall filter on QFX1 and QFX2 to identify which QFX is being used for egress traffic and which QFX is being used for ingress traffic. More specifically, the flow is an ICMP flow between a host on 212.134.79.62 and Cloudflare’s DNS service.

Topology

Junos Firewall Filters topology

 

Firewall Filter

So we’re essentially going to create a firewall filter to count specific egress traffic and apply as an import filter on both QFX switches. We’re also going to create another firewall filter to count the return traffic and apply Continue reading

Registration Open for “Cyber Diplomacy Meets InfoSec and Technology” Alongside IETF 102

As we recently announced, the Global Commission on the Stability of Cyberspace (GCSC) will host a lunch panel on “Cyber Diplomacy Meets InfoSec and Technology” alongside IETF 102 on Tuesday, 17 July. Registration opens today in two time slots for global time zone fairness, at 08:00 UTC and 20:00 UTC. Register here.

The Global Commission on the Stability of Cyberspace is developing norms and policy initiatives that intend to counter the risk to the overall security and stability of cyberspace due to rise of offensive cyber-activities, and especially those by states. During this session, the Commission wants to inform and engage with the IETF community on its work so far and the work that is in the pipeline.

The Internet Society is assisting with logistics. Internet Society Chief Internet Technology Officer and GCSC Commissioner Olaf Kolkman will moderate the panel. The panelists are:

  • Irina Rizmal, researcher at the DiploFoundation specialized in policy analysis in matters pertaining to national security and defense.
  • Bill Woodcock, Commissioner and Executive Director at Packet Clearing House, the non-profit agency that supports critical Internet infrastructure.
  • Jeff Moss, Commissioner, founder of Black Hat and Defcon, member of the DHS security council, Continue reading

Comparing Serverless Performance for CPU Bound Tasks

Comparing Serverless Performance for CPU Bound Tasks

This post is a part of an ongoing series comparing the performance of Cloudflare Workers with other Serverless providers. In our past tests we intentionally chose a workload which imposes virtually no CPU load (returning the current time). For these tests, let's look at something which pushes hardware to the limit: cryptography.

tl;dr Cloudflare Workers are seven times faster than a default Lambda function for workloads which push the CPU. Workers are six times faster than Lambda@Edge, tested globally.

Slow Crypto

The PBKDF2 algorithm is designed to be slow to compute. It's used to hash passwords; its slowness makes it harder for a password cracker to do their job. Its extreme CPU usage also makes it a good benchmark for the CPU performance of a service like Lambda or Cloudflare Workers.

We've written a test based on the Node Crypto (Lambda) and the WebCrypto (Workers) APIs. Our Lambda is deployed to with the default 128MB of memory behind an API Gateway in us-east-1, our Worker is, as always, deployed around the world. I also have our function running in a Lambda@Edge deployment to compare that performance as well. Again, we're using Catchpoint to test from hundreds of locations around Continue reading

End of term

It’s time to take my regular summer break from writing The Morning Paper – normal service will resume again on Monday 6th August. I’ll be topping up my paper backlog and scouting out interesting research during the break. If you’ve seen any great papers I haven’t already covered and that you think ‘The Morning Paper’ readers would enjoy, please do send them my way.

In the meantime, here are a few picks from papers we’ve covered this term in case you missed any of them. (In order of publication on the blog)

Many thanks to all of you that follow along and support the blog – the accountability keeps me sticking at it when I’m snowed under, and Continue reading

How To Minikube + Cloudflare

How To Minikube + Cloudflare

The following is a guest blog post by Nathan Franzen, Software Engineer at StackPointCloud. StackPointCloud is the creator of Stackpoint.io, the leading multi-cloud management platform for cloud native workloads. They are the developers of the Cloudflare Ingress Controller for Kubernetes.

Deploying Applications on Minikube with Argo Tunnels

This article assumes basic knowledge of Kubernetes. If you're not familiar with Kubernetes, visit https://kubernetes.io/docs/tutorials/kubernetes-basics/ to learn the basics.

Minikube is a tool which allows you to run a Kubernetes cluster locally. It’s not only a great way to experiment with Kubernetes, but also a great way to try out deploying services using a reverse tunnel.

At Cloudflare, we've created a product called Argo Tunnel which allows you to host services through a tunnel using Cloudflare as your edge. Tunnels provide a way to expose your services to the internet by creating a connection to Cloudflare's edge and routing your traffic over it. Since your service is creating its own outbound connection to the edge, you don’t have to open ports, configure a firewall, or even have a public IP address for your service. All traffic flows through Cloudflare, blocking attacks and intrusion attempts before they ever make it to Continue reading

Redirecting DNS Requests to Umbrella with FTD

A few days ago I shared an article that described redirecting DNS requests with ASA. A good use case for this might be if an organization is using Cisco Umbrella but there is no way to get every host is pointed toward the correct DNS server(s) in a timely manner. In that case, a configuration of destination NAT in the ASA can force those misconfigured clients to use one of the OpenDNS addresses.

This article is very similar, but we will share a method for doing this with Firepower Threat Defence. The concept is the same but all configuration is done in Firepower Management Console. Before starting on the NAT configuration, it is important to configure the following network objects (Objects, Object Management, Network).

  • obj_any – 0.0.0.0/0
  • Umbrella1 – 208.67.220.220
  • Umbrella2 – 208.67.222.222

It is also important to confirm the existence of two port objects (Objects, Object Management, Network).

  • DNS_over_TCP  –  TCP Port 53
  • DNS_over_UDP –  UDP Port 53

Most of the configuration will be done on the NAT policy for the device we are managing (Device, NAT, select edit for the appropriate NAT policy).

We will need four rules that Continue reading

Redirecting DNS Requests to Umbrella with FTD

A few days ago I shared an article that described redirecting DNS requests with ASA. A good use case for this might be if an organization is using Cisco Umbrella but there is no way to get every host is pointed toward the correct DNS server(s) in a timely manner. In that case, a configuration of destination NAT in the ASA can force those misconfigured clients to use one of the OpenDNS addresses.

This article is very similar, but we will share a method for doing this with Firepower Threat Defence. The concept is the same but all configuration is done in Firepower Management Console. Before starting on the NAT configuration, it is important to configure the following network objects (Objects, Object Management, Network).

  • obj_any – 0.0.0.0/0
  • Umbrella1 – 208.67.220.220
  • Umbrella2 – 208.67.222.222

It is also important to confirm the existence of two port objects (Objects, Object Management, Network).

  • DNS_over_TCP  –  TCP Port 53
  • DNS_over_UDP –  UDP Port 53

Most of the configuration will be done on the NAT policy for the device we are managing (Device, NAT, select edit for the appropriate NAT policy).

We will need four rules that Continue reading

We’ve Added New Dates To Our Bootcamp Calendar!



CCIE Routing & Switching:


Online Graded Practice Lab

January 2-4
April 15-18
April 16-19
May 28-31


5 Day Bootcamp

January 7-11


Written Exam Bootcamp

January 7-11
April 15-19
June 24-28


Lab Exam Bootcamp

January 28 – February 3
February 4-10
February 25 – March 3
March 25-31
May 13-19
June 10-16
June 24-30



CCIE Security:


5 Day Bootcamp

January 7-11


Written Exam Bootcamp

January 14-18
March 25-29


Lab Exam Bootcamp

January 21-27
February 25 – March 3
April 1-7
June 17-23



CCIE Data Center:


Lab Exam Bootcamp

January 7-13
February 4-10
March 18-24
April 29 – May 5
June 17-23



CCIE Service Provider:


Lab Exam Bootcamp

March 18-24
June 3-9



CCIE Collaboration:


Lab Exam Bootcamp

January 28 – February 3
March 4-10
April 8-14



CCNP Routing & Switching:


7 Day Bootcamp

January 28 – February 3
February 11-15
March 11-17
April 29 – May 5
May 13-17



CCNA Routing & Switching:


5 Day Bootcamp

February 25 – March 1
April 15-19
June 10-14



CCNA Security:


5 Day Bootcamp

April 1-5
June 24-28

Visit our Bootcamps Site to purchase your course today!

Weekend Reads 070618

Our security analysis of the mobile communication standard LTE ( Long-Term Evolution, also know as 4G) on the data link layer (so called layer two) has uncovered three novel attack vectors that enable different attacks against the protocol. —David Rupprecht, Katharina Kohls, Thorsten Holz, and Christina Pöpper

To be fair, the tech sector has been the United States’ economic pride and joy in recent decades, a seemingly endless wellspring of innovation. The speed and power of Google’s search engine is breathtaking, putting extraordinary knowledge at our fingertips. Internet telephony allows friends, relatives, and co-workers to interact face to face from halfway around the world, at very modest cost. Yet, despite all this innovation, the pace of productivity growth in the broader economy remains lackluster. —Kenneth Rogoth @MarketWatch

The world of scholarly communication is broken. Giant, corporate publishers with racketeering business practices and profit margins that exceed Apple’s treat life-saving research as a private commodity to be sold at exorbitant profits. Only around 25 per cent of the global corpus of research knowledge is ‘open access’, or accessible to the public for free and without subscription, which is a real impediment to resolving major problems, such as the United Nations’ Sustainable Continue reading

Kernel of Truth episode 03 — Linux: the kernel, the community & beyond

Listen, you can’t name an open networking podcast “Kernel of Truth,” and NOT have an episode dedicated to the Linux kernel! So we got two of the brightest, most enthusiastic Linux experts we know into the recording booth and let them wax poetic about the language of the data center. As I soon found out, it’s harder to get Linux fans to STOP talking about Linux that it is to get them going — but hey, that just makes my job as host a lot easier! There’s nothing like listening to knowledgeable people discuss something they’re passionate about, and that’s what we’ve got in store for you.

In this episode, I’m joined by Roopa Prabhu, leader of the kernel team at Cumulus Networks, and Shrijeet Mukherjee, Cumulus’ former VP of Engineering. Specifically, our discussion revolves around the Linux kernel and Linux community. We get into some pretty interesting questions: why Linux in the data center? What has Cumulus contributed to the kernel? How has the prolific Linux community evolved? What the heck is a “boffin”?? I’m not a fan of spoilers, (thanks for ruining Avengers: Infinity War for me, Twitter!) so I’ll let you guys tune in and find Continue reading

NetQ is now a 2018 “New Product” Award Winner!

IT World Awards recognizes Cumulus NetQ

Cumulus NetQ is on FIRE!!

Just one year ago, Cumulus launched a new product that fundamentally changes the way organizations validate and troubleshoot not just their network, but the entire Linux ecosystem as a whole. The product was named NetQ (think Network Query). It provides deep insight on the connectivity of all network devices either now or in the past — including all switches, Linux hosts, inside Linux hosts (Containers, direct interaction with container orchestration tools like Kubernetes, VMs, Openstack environment) and any other devices running a Linux-based operating system connected to the network. No more manual box-by-box troubleshooting, no more wondering what happened last night, no more pulling cables to find where the issue was stemming from, no more finger pointing, no more human-led misconfigurations and no more frustration of not having sight past the edge of the network.

Instead, Cumulus NetQ, the agent-based technology that runs on anything Linux, changes all that. NetQ brings the efficiencies of web-scale to network operations with an algorithmic, preventive, centralized telemetry system built for the modern automated cloud network. NetQ aggregates and maintains data from across all Linux nodes in the data center in a time-series database, making the fabric-wide events, Continue reading

The Privacy Pickle

I recorded a fantastic episode of The Network Collective last night with some great friends from the industry. The topic was privacy. Originally I thought we were just going to discuss how NAT both was and wasn’t a form of privacy and how EUI-64 addressing wasn’t the end of days for people worried about being tracked. But as the show wore on, I realized a few things about privacy.

Booming In Peace

My mom is a Baby Boomer. We learn about them as a generation based on some of their characteristics, most notably their rejection of the values of their parents. One of things they hold most dear is their privacy. They grew up in a world where they could be private people. They weren’t living in a 1 or 2 room house with multiple siblings. They had the right of privacy. They could have a room all to themselves if they so chose.

Baby Boomers, like my mom, are intensely private adults. They marvel at the idea that targeted advertisements can work for them. When Amazon shows them an ad for something they just searched for they feel like it’s a form of dark magic. They also aren’t trusting Continue reading

Stuff The Internet Says On Scalability For July 6th, 2018

Hey, it's HighScalability time:

 

Could RAINB (Redundant Array of Independent Neanderthal ‘minibrains’replace TPUs as the future AI core? 

 

Do you like this sort of Stuff? Please lend me your support on Patreon. It would mean a great deal to me. And if you know anyone looking for a simple book that uses lots of pictures and lots of examples to explain the cloud, then please recommend my new book: Explain the Cloud Like I'm 10. They'll love you even more.

 

  • $100m: Fortnite iOS revenue in 90 days; $2.5 Billion: SUSE Linux acquisition; 500,000: different orgs on Slack; 6.1%: chance of breaking change in each library; 10: years of the Apple app store; 2021: Japan goes exascale;

  • Quoteable Quotes:
    • jedberg: > Yes, that's how Amazon creates lock-in.
      That is the cynical way to look at it. It also creates value because it lets you do more with what you already have.
    • Paul Ingles: We didn’t change our organisation because we wanted to use Kubernetes, we used Kubernetes because we wanted to change our organisation.
    • ThousandEyes: The Internet is made up of thousands of autonomous networks that Continue reading
1 1,542 1,543 1,544 1,545 1,546 3,841