My Belated Review of Cisco Live 2023

It’s been a couple of weeks since Cisco Live US 2023 and I’m just now getting around to writing about it. I was thrilled to attend my 18th Cisco Live and it was just the thing I needed to reconnect with the community. The landscape of Cisco Live looks a little different than it has in years past. There are some challenges that are rising that need to be studied and understood before they become bigger than the event itself.

Showstopping Reveals? Or Consistent Improvement?

What was the big announcement from Cisco this year? What was the thing that was said on stage that stopped the presses and got people chattering? Was it a switch? A firewall? Was it a revolutionary new AI platform? Or a stable IP connection to Mars? Do you even know? Or was it more of a discussion of general topics with some technologies brought up alongside them?

In the last few years you may have noticed that the number of huge big announcements coinciding with the big yearly conferences has come down a bit. Rather than having some big news drop the morning of the keynote the big reveals are being given their own time Continue reading

Overcoming security gaps with active vulnerability management

Organizations can reduce security risks in containerized applications by actively managing vulnerabilities through scanning, automated image deployment, tracking runtime risk and deploying mitigating controls to reduce risk.

Kubernetes and containers have become de facto standards for cloud-native application development due to their ability to accelerate the pace of innovation and codify best practices for production deployments, but such acceleration can introduce risk if not operationalized properly.

In the architecture of containerized applications, it is important to understand that there are highly dynamic containers distributed across cloud environments. Some are ephemeral and short-lived, while others are more long-term. Traditional approaches to securing applications do not apply to cloud-native workloads because most deployments of containers occur automatically with an orchestrator that removes the manual step in the process. This automatic deployment requires that the images be continuously scanned to identify any vulnerabilities at the time of development in order to mitigate the risk of exploit during runtime.

In addition to these challenges, software supply chain adds complexity to vulnerability scanning and remediation. Applications increasingly depend on containers and components from third-party vendors and projects. As a result, it can take weeks or longer to patch the affected components and release new software Continue reading

Upcoming Training: BGP Policy

On July 21st I’ll be teaching BGP Policy over at Safari Books Online. From the description:

This course begins by simplifying the entire BGP policy space into three basic kinds of policies that operators implement using BGP—selecting the outbound path, selecting the inbound path, and “do not transit.” A use case is given for each of these three kinds, or classes, of policies from the perspective of a transit provider, and another from the perspective of a nontransit operator connected to the edge of the ‘net. With this background in place, the course will then explore each of the many ways these classes of policy may be implemented using local preference, AS Path prepending, various communities, AS Path poisoning, and other techniques. Positive and negative aspects of each implementation path will be considered.

Please register here.

My courses are going through a bit of updating, but I think August and September will be How the Internet Really Works, followed by an updated course on troubleshooting. I’m incorporating more tools into the course, including (of course!) ChatGPT. Watch this space for upcoming announcements.

Cisco to buy network-monitoring firm SamKnows for better last-mile visibility

Cisco again opened its checkbook this week and snatched up privately held broadband-network monitoring company SamKnows for an undisclosed amount.Founded in 2008, the London-based firm uses a global network of software agents located in everything from home systems to mobile devices and service provider netoworks to get a real-time measurement of internet performance and customer experience. Through a central dashboard the  company can analyze the results and identify faults and the root cause of problems to help with remediation.SamKnows technology will be integrated into Cisco’s ThousandEyes cloud-based network intelligence software that analyzes everything from the performance of local and wide-area networks to ISP, cloud, and collaboration-application performance to the health of the internet.To read this article in full, please click here

Using PuTTY to connect to Linux

PuTTY is a great tool for connecting between systems of different types. In case you’re not familiar with the tool, the name has no connection to Silly Putty. Instead, the capitalization of the TTY part of the name suggests its connection with the acronym tty. It provides an easy way to log into a Linux system from Windows as well as many other systems.Say you want to log into your Linux system from a Windows system. This tool will allow you to set up a connection (IP address, host name, etc.) and control the size, colors and font to be used. This post explains how to set PuTTY up to optimize your view of the Linux command line. PuTTY was actually born on Windows to make this kind of connection possible.To read this article in full, please click here

Using PuTTY to connect to Linux

PuTTY is a great tool for connecting between systems of different types. In case you’re not familiar with the tool, the name has no connection to Silly Putty. Instead, the capitalization of the TTY part of the name suggests its connection with the acronym tty. It provides an easy way to log into a Linux system from Windows as well as many other systems.Say you want to log into your Linux system from a Windows system. This tool will allow you to set up a connection (IP address, host name, etc.) and control the size, colors and font to be used. This post explains how to set PuTTY up to optimize your view of the Linux command line. PuTTY was actually born on Windows to make this kind of connection possible.To read this article in full, please click here

What’s new in Ansible Automation Platform 2.4

 

2.4 banner

We are excited to announce the general availability of Red Hat Ansible Automation Platform 2.4, which continues to build on our core promise to help customers “Create, Manage, and Scale” their automation.

This blog post outlines a number of new features and capabilities found in the 2.4 release, including the long-anticipated general availability of Event-Driven Ansible. Ansible Automation Platform 2.4 is going to greatly expand the scope of both what and how organizations are able to automate with Ansible—so let’s dive right in.  

Event-Driven Ansible

Back at AnsibleFest 2022, we introduced the Event-Driven Ansible developer preview and the results have been very exciting. By developing this set of capabilities in the upstream community, we worked alongside the Ansible community, partners and customers to release numerous certified and community source plugins right at launch. Now fully supported as a component of Ansible Automation Platform 2.4, Event-Driven Ansible comes with a new webUI, Event-Driven Ansible controller, to help you integrate your Event-Driven Ansible with Ansible Automation Platform and take advantage of a host of new capabilities.

Event-Driven Ansible controller for Event-Driven Ansible - Getting Started

Event-Driven Ansible connects intelligent sources of events with corresponding actions via rules. Continue reading

HN687 Juniper CORA Coherent Optics Enabling IPoDWDM

Its about reducing the cost and complexity of DWDM coherent optical networks. Connecting the DWDM network directly to your router removes the DWDM edge equipment which simplifies operation, reduce cost,space & power while improving provisioning time. How is Juniper entering this market and what do you need to know ?

The post HN687 Juniper CORA Coherent Optics Enabling IPoDWDM appeared first on Packet Pushers.

Cloudflare Zaraz supports JSONata

Cloudflare Zaraz supports JSONata
Cloudflare Zaraz supports JSONata

Cloudflare users leverage Zaraz for loading their third-party JavaScript tools. Tools like analytics, conversion pixels, widgets and alike, load faster and safer when loaded through Zaraz.

When configuring a tool in Zaraz, users can specify the payload to be included when sending information to it. This allows for the transmission of more detailed data. For example, when sending the "Button Clicked" event to Google Analytics, users can include additional information such as the ID of the button element and the content of the user_id cookie at the time of the button press. In Zaraz, users have the flexibility to add as many fields as desired when configuring the action.

Typically, information reaches Zaraz through the execution of zaraz.track("event name", { properties }) within the website's code. The properties object can contain relevant details that will be sent to third-party tools, such as the button ID in the previous example. However, there are cases where users may need to process and manipulate the information before sending it to their third-party tools.

To address this requirement, we recently introduced Worker Variables, which enables users to send information to a Cloudflare Worker, perform manipulations on it, and return a modified value. Continue reading

Cato Networks launches AI-powered tracker for malware command and control

Cato Networks’ new deep learning algorithms are designed to identify malware command and control domains and block them more quickly than traditional systems based on domain reputation, thanks to extensive training on the company’s own data sets.Cato, a SASE provider based in Tel Aviv, announced the new algorithmic security system today. The system is predicated on the idea that domain reputation tracking is insufficient to quickly identify the command servers used to remotely control malware. That’s because most modern malware uses a domain generation algorithm (DGA) to rapidly generate pseudorandom domain names — which the deployed malware also has a copy of.To read this article in full, please click here

Cato Networks launches AI-powered tracker for malware command and control

Cato Networks’ new deep learning algorithms are designed to identify malware command and control domains and block them more quickly than traditional systems based on domain reputation, thanks to extensive training on the company’s own data sets.Cato, a SASE provider based in Tel Aviv, announced the new algorithmic security system today. The system is predicated on the idea that domain reputation tracking is insufficient to quickly identify the command servers used to remotely control malware. That’s because most modern malware uses a domain generation algorithm (DGA) to rapidly generate pseudorandom domain names — which the deployed malware also has a copy of.To read this article in full, please click here

What’s new in Calico Enterprise 3.17: Namespace isolation, WireGuard support for AKS and EKS, and more!

We are excited to introduce the early preview releases for Calico Enterprise 3.17. This release focuses on helping enterprises have a strong security posture for their containers and Kubernetes clusters. Let’s go through some of the highlights of this release.

Namespace isolation with automatic Security Policy Recommendations

Calico will now automatically generate security policies based on workload dependencies and incoming and outgoing traffic to isolate namespaces in your Kubernetes cluster.

WireGuard support for AKS and EKS with Calico CNI 

Users can now protect data-in-transit data in Microsoft AKS and Amazon EKS clusters by enabling WireGuard encryption with the Calico CNI.

Improved management of  Workload-based WAF 

Secure specific workload-to-workload communications at the application level with Calico’s workload-based web application firewall (WAF) by selecting and deselecting specific services.

Policy-based routing for egress gateways

Define policies on which egress gateway to use (or none at all) depending on the destination of egress traffic.

We hope you’ll enjoy these product upgrades and enhancements. We will continue to deliver new releases with innovative solutions to solve container and Kubernetes security challenges. Watch this space for future updates and details about how to leverage these features in your environment.

Check out our self-paced workshops for Continue reading

Japan bolsters its chip industry with buyout of equipment maker JSR

Japanese semiconductor equipment maker JSR has accepted a buyout offer of $6.4 billion (909.3 billion yen) from the Japanese government, in the country’s latest move to bolster its domestic chip industry.JSR is the world's leading maker of photoresists , the chemicals used for the process of printing circuit designs on chip wafers. It is also one of three Japanese companies that controls the world’s supply of fluorinated polyimide and hydrogen fluoride, compounds which are used to make the semiconductors found in supercomputers, AI-harnessing data centers and iPhones.Under the plan, Japan Investment Corp (JIC) – state-backed investment enterprise of Japan, specializing in private equity and venture capital investments primarily in Japan – would offer JSR $31.25 (4,350 yen) per share, a price that represents a 35% premium on the company’s share price when the markets closed on Friday. The resulting deal will see the company go private and provide Japan with a greater control over a technological process of which it is already a global leader.To read this article in full, please click here

Lost in transit: debugging dropped packets from negative header lengths

Lost in transit: debugging dropped packets from negative header lengths
Lost in transit: debugging dropped packets from negative header lengths

Previously, I wrote about building network load balancers with the maglev scheduler, which we use for ingress into our Kubernetes clusters. At the time of that post we were using Foo-over-UDP encapsulation with virtual interfaces, one for each Internet Protocol version for each worker node.

To reduce operational toil managing the traffic director nodes, we've recently switched to using IP Virtual Server's (IPVS) native support for encapsulation. Much to our surprise, instead of a smooth change, we instead observed significant drops in bandwidth and failing API requests. In this post I'll discuss the impact observed, the multi-week search for the root cause, and the ultimate fix.

Recap and the change

To support our requirements we've been creating virtual interfaces on our traffic directors configured to encapsulate traffic with Foo-Over-UDP (FOU). In this encapsulation new UDP and IP headers are added to the original packet. When the worker node receives this packet, the kernel removes the outer headers and injects the inner packet back into the network stack. Each virtual interface would be assigned a private IP, which would be configured to send traffic to these private IPs in "direct" mode.

Lost in transit: debugging dropped packets from negative header lengths

This configuration presents several problems for our operations teams.

Continue reading

Recapping Speed Week 2023

Recapping Speed Week 2023

This post is also available in Deutsch.

Recapping Speed Week 2023

Speed Week 2023 is officially a wrap.

In our Welcome to Speed Week 2023 blog post, we set a clear goal:

“This week we will help you measure what matters. We’ll help you gain insight into your performance, from Zero Trust and API’s to websites and applications. And finally we’ll help you get faster. Quickly.”.

This week we published five posts on how to measure performance, explaining which metrics and approaches make sense and why. We had a deep dive on the latest Core Web Vital, “Interaction to Next Paint”, what it means and how we can help. There was a post on Time To First Byte (TTFB) and why it isn't a good way to measure good web performance. We also wrote about how to measure Zero Trust performance, and announced the Internet Quality page of Cloudflare Radar - giving everyone the ability to compare Internet connection quality across Internet Service Providers, countries, and more.

We launched new products such as Observatory, Digital Experiencing Monitoring and Timing Insights. These products give an incredible window into how your applications and websites are performing through the eyes of website visitors Continue reading

How to deploy Red Hat Ansible Automation Platform on AWS to AWS GovCloud in the United States

This blog is co-authored by Zack Kayyali and Hicham (he-sham) Mourad

Deploying Red Hat Ansible Automation Platform Foundation

The steps below detail how to install Ansible Automation Platform on AWS United States GovCloud from the AWS Marketplace. The steps to deploy into AWS GovCloud and AWS Commercial cloud are nearly identical. Before starting your deployment process, please ensure the AWS account you are using to deploy has the following IAM roles. These IAM roles are required to deploy the AWS foundation stack offering. The foundation stack offering here refers to the base Ansible Automation Platform 2 deployment.

This blog details how to deploy Ansible Automation Platform on AWS and access the application. This deployment process will be configured to set up Ansible Automation Platform in its own Virtual Private Cloud (VPC) that it creates and manages. We also support deploying into an existing VPC.

To begin, first log into your Commercial AWS account. If you have a private offer, ensure that these are accepted for both the foundation and extension node offerings.

Note: 

  • The foundation offer refers to the “Red Hat Ansible Automation Platform 2 - Up to 100 Managed Nodes” marketplace item. 
  • The extension node offer refers to Continue reading
1 195 196 197 198 199 3,764