Dynamically Enabling the Azure CLI with Direnv

I’m a big fan of direnv, the tool that lets you load and unload environment variables depending on the current directory. It’s so very useful! Not too terribly long ago, I wanted to find a way to “dynamically activate” the Azure CLI using direnv. Basically, I wanted to be able to have the Azure CLI disabled (no configuration information) unless I was in a directory where I needed or wanted it to be active, and be able to make it active using direnv. I finally found a way to make it work, and in this blog post I’ll share how you can do this, too.

First, you’ll need both direnv and the Azure CLI installed (obviously). I’ll leave this as an exercise for the readers, but I’ll mention that if you want to use Azure CLI in a Python virtual environment you might find this article really helpful.

Next, you’ll want to create a couple of directories. I chose to “hide” these directories in a .config directory in my home directory. This directory is very commonly found (and used) on many Linux systems, but doesn’t typically exist on a macOS system. You can use this command to create the Continue reading

Integrating Turnstile with the Cloudflare WAF to challenge fetch requests

Two months ago, we made Cloudflare Turnstile generally available — giving website owners everywhere an easy way to fend off bots, without ever issuing a CAPTCHA. Turnstile allows any website owner to embed a frustration-free Cloudflare challenge on their website with a simple code snippet, making it easy to help ensure that only human traffic makes it through. In addition to protecting a website’s frontend, Turnstile also empowers web administrators to harden browser-initiated (AJAX) API calls running under the hood. These APIs are commonly used by dynamic single-page web apps, like those created with React, Angular, Vue.js.

Today, we’re excited to announce that we have integrated Turnstile with the Cloudflare Web Application Firewall (WAF). This means that web admins can add the Turnstile code snippet to their websites, and then configure the Cloudflare WAF to manage these requests. This is completely customizable using WAF Rules; for instance, you can allow a user authenticated by Turnstile to interact with all of an application’s API endpoints without facing any further challenges, or you can configure certain sensitive endpoints, like Login, to always issue a challenge.

Challenging fetch requests in the Cloudflare WAF

Millions of websites protected by Cloudflare’s WAF leverage our Continue reading

Review: Unnumbered Interfaces in netlab

A while ago, Chris Parker published a nice blog post explaining how to configure unnumbered interfaces with IS-IS in Junos. It’s well worth reading, but like my Unnumbered Ethernet Interfaces blog post, it only covers one network operating system. What if you want to do something similar on another platform?

How about using the collective efforts of the team developing device configuration templates for netlab? As of December 2023 netlab supports:

Review: Unnumbered Interfaces in netlab

A while ago, Chris Parker published a nice blog post explaining how to configure unnumbered interfaces with IS-IS in Junos. It’s well worth reading, but like my Unnumbered Ethernet Interfaces blog post, it only covers one network operating system. What if you want to do something similar on another platform?

How about using the collective efforts of the team developing device configuration templates for netlab? As of December 2023 netlab supports:

Cybersecurity, Cloud and AI: Top-of-mind themes heading into 2024

Recently I had the opportunity to host a group of forward-thinking CISOs, CIOs and other executive decision makers drawn from several enterprise organizations in the United States. The goal was to frame perspectives on trends and priorities emerging within their respective organizations while co-relating to broader industry trends.  Specifically, the intent here was not to x-ray the requirements of any single organization, but rather to identify, detect and understand patterns that could, in turn guide priorities over the next few years, benefiting the broader community. The discussions unearthed a lot of commonality in terms of shared pain points and higher order goals, and I thank the leaders that participated in the exercise, as well as the talented members of my team that came together to create a successful forum for discussion.

This multi-part blog series will summarize prominent patterns and insights that emerged from these sessions, that would hopefully serve as guideposts for the next 12-24 months, mostly in the areas of security, cloud infrastructure and deployment models.

Over a few sessions, broadly we had the cohort dive engage along three axis –

1. The first was to really examine their top pain points. Issues, that if solved, would help Continue reading

Debian on IPng’s VPP Routers

Introduction

When IPng Networks first built out a european network, I was running the Disaggregated Network Operating System [ref], initially based on AT&T’s “dNOS” software framework. Over time though, the DANOS project slowed down, and the developers with whom I had a pretty good relationship all left for greener pastures.

In 2019, Pierre Pfister (and several others) built a VPP router sandbox [ref], which graduated into a feature called the Linux Control Plane plugin [ref]. Lots of folks put in an effort for the Linux Control Plane, notably Neale Ranns from Cisco (these days Graphiant), and Matt Smith and Jon Loeliger from Netgate (who ship this as TNSR [ref], check it out!). I helped as well, by adding a bunch of Netlink handling and VPP->Linux synchronization code, which I’ve written about a bunch on this blog in the 2021 VPP development series [ref].

At the time, Ubuntu and CentOS were the supported platforms, so I installed a bunch of Ubuntu machines when doing the deploy with my buddy Fred from IP-Max [ref]. But as time went by, I fell back to my old habit of running Debian Continue reading

Worth Reading: The AI Supply Paradox

Eric Hoel published a spot-on analysis of AI disruptiveness, including this gem:

The easier it is to train an AI to do something, the less economically valuable that thing is. After all, the huge supply of the thing is how the AI got so good in the first place.

TL&DR: AI can easily disrupt things that are easy to generate and thus have little value. Seeing investors trying to recoup the billions pouring into the latest fad will be fun.

Worth Reading: The AI Supply Paradox

Eric Hoel published a spot-on analysis of AI disruptiveness, including this gem:

The easier it is to train an AI to do something, the less economically valuable that thing is. After all, the huge supply of the thing is how the AI got so good in the first place.

TL&DR: AI can easily disrupt things that are easy to generate and thus have little value. Seeing investors trying to recoup the billions pouring into the latest fad will be fun.

Worth Reading: State-of-the-Art AI

Gerben Wierda published another AI-buster article describing what exactly “state-of-the-art” means in AI benchmarks.

Hint: you give an AI model 32 step-by-step examples before asking a question, and it still gets it wrong 10% of the time.

Worth Reading: State-of-the-Art AI

Gerben Wierda published another AI-buster article describing what exactly “state-of-the-art” means in AI benchmarks.

Hint: you give an AI model 32 step-by-step examples before asking a question, and it still gets it wrong 10% of the time.

Weekend Reads 121523

NTT Data has opened a hotel at which it plans to watch people sleep, as part of a plan to gather – and of course sell – data about the snoozing habits of ten million people.

Business and technical leaders should prepare to focus on memory safety in software development, the US Cybersecurity and Infrastructure Agency (CISA) urged on Wednesday.

A proposed fork of the OpenPGP standard, called “LibrePGP” and initiated by GnuPG’s maintainer Werner Koch, has made a series of statements on its own website1 in order to justify its existence.

Cisco has quietly introduced changes to the licensing model for its Catalyst range, and will bring it to more products over time.

ICANN’s response to the European Union’s Network and Information Security Directive (NIS2) is a litmus test on whether its policy processes can address the needs of all stakeholders, instead of only satisfying the needs of the domain industry.

One of the joys of operational privacy professionals is getting that random, Friday afternoon Slack from someone on the product team asking, “Can we [insert questionable action] with our customer data?”

Lackluster security controls in one of Google’s cloud services for data scientists could allow hackers to Continue reading

HN714: Building The Branch Of The Future With SASE Powered By AI (Sponsored)

HN714: Building The Branch Of The Future With SASE Powered By AI (Sponsored)

SD-WAN and SASE are evolving to encompass more features and capabilities around security, application performance, network visibility, and more. On today's Heavy Networking, sponsored by Palo Alto Networks, we look at how AI is transforming SD-WAN and SASE to help build the branch of the future.

The post HN714: Building The Branch Of The Future With SASE Powered By AI (Sponsored) appeared first on Packet Pushers.

D2C225: Security KubeConversations Part 2 – Cloud-Native Security Challenges

D2C225: Security KubeConversations Part 2 – Cloud-Native Security Challenges

This is part two of a special edition of Day Two Cloud with conversations recorded at KubeCon 2023 in Chicago. These conversations cover the state of cloud-native security, getting a holistic view of your cloud-native environment, security challenges for Kubernetes, and the state of the software supply chain.

The post D2C225: Security KubeConversations Part 2 – Cloud-Native Security Challenges appeared first on Packet Pushers.

Conditional Git Configuration

Building on the earlier article on automatically transforming Git URLs, I’m back with another article on a (potentially powerful) feature of Git—the ability to conditionally include Git configuration files. This means you can configure Git to be configured (and behave) differently based on certain conditions, simply by including or not including Git configuration files. Let’s look at a pretty straightforward example taken from my own workflow.

Here’s a configuration stanza from my own system-wide Git configuration:

[includeIf "gitdir:~/Work/Code/Repos/"]
    path = ~/Work/Code/Repos/.gitconfig

The key here is the includeIf keyword. In this case, Git will include the referenced configuration file specified by path, if the location of the Git repository matches the path specification after gitdir. Basically, what this means is that all repositories under ~/Work/Code/Repos will trigger the inclusion of the additional configuration file.

Here’s the additional configuration file:

[user]
    email = name@work-domain.com
    name = Scott Lowe
[commit]
    gpgsign = false

As long as I group all work-relatd repositories in the specified directory path, these values override the system-wide values. This means I can specify my work e-mail address as the e-mail Continue reading

Video: Language Model Basics

After a brief introduction of how the language models fit into the AI/ML landscape, Javier Antich explained the language model basics, including auto-regression, types of language models, the specifics of large language models, and potential use cases,

Video: Language Model Basics

After a brief introduction of how the language models fit into the AI/ML landscape, Javier Antich explained the language model basics, including auto-regression, types of language models, the specifics of large language models, and potential use cases,

Fortinet Releases Advisor, Its GenAI Assistant Focused on Threat Investigation and Remediation

Optimizing NSX Performance Based on Workload and ROI

Optimizing NSX Performance Based on Workload

Overview

Performance tuning, in general, requires a holistic view of the application traffic profiles, features leveraged and the criteria for performance from the application perspective. In this blog, we will take a look at some of the factors to consider when optimizing NSX for performance.

Applications

In a typical data center, applications may have different requirements based on their traffic profile. Some applications such as backup services, log files and certain types of web traffic etc., may be able to leverage all the available bandwidth. These long traffic flows with large packets are called elephant flows. These applications with elephant flows, in general, are not sensitive to latency. 

In contrast, in-memory databases, message queuing services such as Kafka, and certain Telco applications may be sensitive to latency. These traffic flows, which are short lived and use smaller packets are generally called mice flows. Applications with mice flows are not generally bandwidth hungry.

While in general, virtual datacenters may be running a mixed set of workloads which should run as is without much tuning, there may be instances where one may have to tune to optimize performance for specific applications. For example, applications Continue reading