Book Review: Infrastructure as Code

As part of my 2018 projects, I committed to reading and reviewing more technical books this year. As part of that effort, I recently finished reading Infrastructure as Code, authored by Kief Morris and published in September 2015 by O’Reilly (more details here). Infrastructure as code is very relevant to my current job function and is an area of great personal interest, and I’d been half-heartedly working my way through the book for some time. Now that I’ve completed it, here are my thoughts.

Overall, Morris does a great job of crisply defining infrastructure as code (a somewhat vague and amorphous term at times) and outlining the key principles that are involved. Morris also does a really good job of staying high-level as he works through the various aspects of infrastructure as code and discusses some of the considerations, patterns (and anti-patterns), and recommended practices in each aspect.

The book’s high-level focus is, however, both its greatest strength as well as its greatest weakness. Because infrastructure as code can be implemented in a variety of ways with a variety of tools, the book must necessarily be high-level and somewhat abstract. As I mentioned, Morris does a really

How to Fully Uninstall Kaspersky’s NDIS Filter

I like Kaspersky anti-virus, and I use it regularly… (not on my own PC, mind you, but on clients’ machines).

While I do believe they provide the best anti-virus in the market, I am not a fan of most of their other products. That goes for the Firewall, Safe Browsing, SSL Hijacking, and of course their newest addition, Secure Connection…


In a previous post, I talked about how to optimize OpenVPN by adjusting the MTU to your links. That, however, is not likely to work on Windows clients running Kaspersky products.

On these clients, once a packet reaches the MTU, further packets may be dropped. Furthermore, the OpenVPN process and the whole tunnel can come to a halt.

Investigating further, it turned out that the so-called Kaspersky Anti-Virus NDIS 6 Filter is to blame. This NDIS driver seems to be incompatible with any MTU other than 1500.

The solution

The solution is to either disable the NDIS filter on the affected interfaces (e.g. the TAP interface), or to uninstall it completely. Kaspersky’s support page advises against disabling the filter and recommends uninstalling it instead:

“It is not recommended to use Kaspersky Anti-Virus NDIS Filter by disabling

Amazon Web Services Networking Overview

Traditional networking engineers, or virtualization engineers familiar with vSphere or VMware NSX, often feel like Alice in Wonderland when entering the world of Amazon Web Services. Everything looks and sounds familiar, and yet it all feels a bit different.

I decided to create a half-day workshop (first delivery: June 13th in Zurich, Switzerland) to make it easier to grasp the fundamentals of AWS networking, and will publish high-level summaries as a series of blog posts. Let’s start with an overview of what’s different:


zkLedger: privacy-preserving auditing for distributed ledgers

zkLedger: privacy-preserving auditing for distributed ledgers, Narula et al., NSDI’18

Somewhat similarly to Solidus that we looked at late last year, zkLedger (presumably this stands for zero-knowledge Ledger) provides transaction privacy for participants in a permissioned blockchain setting. zkLedger also has an extra trick up its sleeve: it provides rich and fully privacy-preserving auditing capabilities. Thus a number of financial institutions can collectively use a blockchain-based settlement ledger, and an auditor can measure properties such as financial leverage, asset illiquidity, counter-party risk exposures, and market concentration, either for the system as a whole, or for individual participants. It provides a cryptographically verified level of transparency that’s a step beyond anything we have today.

The goals of zkLedger are to hide the amounts, participants, and links between transactions while maintaining a verifiable transaction ledger, and for the Auditor to receive reliable answers to its queries. Specifically, zkLedger lets banks issue hidden transfer transactions which are still publicly verifiable by all other participants; every participant can confirm a transaction conserves assets and assets are only transferred with the spending bank’s authority.

Setting the stage

A zkLedger system comprises n banks and an auditor that verifies certain operational aspects of transactions

APNIC Labs/CloudFlare DNS 1.1.1.1 Outage: Hijack or Mistake?

On 29-05-2018 at 08:09:45 UTC, BGPMon (a well-known BGP monitoring system that detects prefix hijacks, route leaks and instability) detected a possible BGP hijack of the 1.1.1.0/24 prefix. Cloudflare Inc has been announcing this prefix from AS13335 since 1st April 2018, after signing an initial 5-year research agreement with APNIC Research and Development (Labs) to offer DNS services.

Shanghai Anchang Network Security Technology Co., Ltd. (AS58879) started announcing 1.1.1.0/24 at 08:09:45 UTC; this prefix is normally announced by Cloudflare (AS13335). The possible hijack lasted less than 2 min: the last announcement of 1.1.1.0/24 by AS58879 was made at 08:10:27 UTC. The BGPlay screenshot of 1.1.1.0/24 is given below:

Anchang Network (AS58879) peers with China Telecom (AS4809), PCCW Global (AS3491), Cogent Communications (AS174), NTT America, Inc. (AS2914), LG DACOM Corporation (AS3786), KINX (AS9286) and Hurricane Electric LLC (AS6939). Unfortunately, Hurricane Electric (AS6939) allowed the announcement of 1.1.1.0/24 originating from Anchang Network (AS58879). Apparently, all other peers blocked this announcement. NTT (AS2914) and Cogent (AS174) are also MANRS Participants and actively filter prefixes.

Dan Goodin (Security Editor at Ars Technica, who extensively covers malware, computer espionage, botnets, and hardware hacking) reached

Simple, Efficient, and Modern: VMware NSX introduces new HTML5 UI

Along with the advancements in context-aware micro-segmentation and network virtualization, we are also continually raising the bar on making VMware NSX simple to deploy, manage, and operationalize at scale – and that, of course, involves a responsive and easy-to-use HTML-based UI to access VMware NSX functionality.

With VMware NSX for vSphere 6.4.1, you can now access all NSX installation and security functionality through a responsive HTML-based vSphere Client, including Distributed Firewall, Service Composer, Application Rule Manager, and more. This modern interface does not have any dependencies on browser plugins (e.g. Adobe Flash), has a more minimalistic look-and-feel, and loads so much faster! Beyond the immediate aesthetic improvements, here’s a quick look at some of the key enhancements to how we’re simplifying the NSX user experience.


NSX Firewall – Better Visibility and Efficient Rule Management


Given how feature-rich the NSX Firewall page is, our usability designers focused extra attention on streamlining the day-to-day tasks of creating, managing and troubleshooting firewall rules.

For starters, at the top of the Firewall page, we’ve introduced a new Status Bar and elevated table-level actions (like Publish and Save) to their own dedicated Toolbar. Now, at a glance, you can immediately

Datanauts 136: ChatOps Using PoshBot With Brandon Olin

On this episode of Datanauts, we chat with Brandon Olin, the creator of PoshBot, a PowerShell based chatbot for ops teams. What does PoshBot do? How was PoshBot built? How do chatbots impact Brandon’s delivery model?

ChatBots?

Bots have been around for a long time. They’re really handy, too, often being able to answer simple questions when you submit a special command that carries some sort of prefix or identifier. Especially if you’re on Twitch and want to know how long your favorite streamer has been online.

Maybe that isn’t the most helpful thing in the world, but what if we changed the narrative to be all about operations, and how talking to a bot (with your peers watching) could actually up-level your day-to-day enjoyment of IT?

That’s our conversation today.

What is PoshBot?

PoshBot is a chat bot written in PowerShell. It makes extensive use of classes introduced in PowerShell 5.0. PowerShell modules are loaded into PoshBot and instantly become available as bot commands. PoshBot currently supports connecting to Slack to provide you with awesome ChatOps goodness.

For More Information About PoshBot

IDG Contributor Network: Houston, we have a networking problem

We’ve covered networking on our home planet. But what happens when we send signals where no man has gone before?

Space networking is two-way communication between base stations on Earth and unmanned space probes, planetary rovers, orbital satellites or manned spacecraft. These radio signals bring back messages, images and scientific discoveries. Someday they’ll be used to communicate between colonies on Earth and the moon or Mars.

Of course, we can’t just “call” Mars. Networking in outer space is vastly different from what we experience on Earth.

Communications travel at the speed of light. This means that it can take 20 minutes or more for a radio signal to reach a Martian planetary rover. It’s like going back to dial-up.

New Features of Docker Enterprise Edition 2.0 – Top 12 Questions from the Docker Virtual Event

In the recent Docker Virtual Event, Unveiling Docker Enterprise Edition 2.0, we demonstrated some of the key new capabilities of the Docker Enterprise Edition – the enterprise-ready container platform that enables IT leaders to choose how to cost-effectively build and manage their entire application portfolio at their own pace, without fear of architecture and infrastructure lock-in. Designed to address enterprise customers’ needs, these net-new features extend across both Swarm and Kubernetes (Part 1 of this blog) and across Windows and Linux applications (Part 2 of this blog).

In this blog post, we’ll go over some of the most common questions about these new features as well as some of the common questions that were asked about how Docker Enterprise Edition is packaged and deployed.

If you missed the live event, don’t worry! You can still catch the recording on-demand here.

Docker Enterprise Edition 2.0 Features

Secure Application Zones

Q: Can I connect my corporate directory to permissions inside Docker Enterprise Edition?

A: Yes! You can integrate your corporate LDAP or Active Directory with Docker Enterprise Edition. Permissions can be mapped to one of the 5 built-in roles, or administrators can create very granular and flexible