A container identity bootstrapping tool

Everybody has secrets. Software developers have many. Often these secrets—API tokens, TLS private keys, database passwords, SSH keys, and other sensitive data—are needed to make a service run properly and interact securely with other services. Today we’re sharing a tool that we built at Cloudflare to securely distribute secrets to our Dockerized production applications: PAL.

PAL is available on Github: https://github.com/cloudflare/pal.

Although PAL is not currently under active development, we have found it a useful tool and we think the community will benefit from its source being available. We believe that it's better to open source this tool and allow others to use the code than leave it hidden from view and unmaintained.

Secrets in production

CC BY 2.0 image by Personal Creations

How do you get these secrets to your services? If you’re the only developer, or one of a few on a project, you might put the secrets with your source code in your version control system. But if you just store the secrets in plain text with your code, everyone with access to your source repository can read them and use them for nefarious purposes (for example, stealing an API token and pretending to be Continue reading

Simple Python Script to Read from Device

There’s a lot of talk about network programmability and I recently had a simple use case that surfaced. The goal was locating a serial number in Cisco Devices. Basically, a script is required that will do the following.

  • Process a list of IP Addresses and/or hostnames
  • SSH into each device
  • Determine if the device has a given SN

There are many ways this can be accomplished, but the method I am using utilizes SSH. This example requires the use of Paramiko to implement SSHv2. The script can match other items in the output of show version and can easily be modified to have multiple matches and return additional information.

Prerequisites

  • Paramiko (can be installed using PIP)
  • Python (tested with 2.7)

It is worth noting that the script I’m sharing will automatically add public ssh keys and therefore may not be appropriate in a high security environment.

The Python and sample device files can be downloaded here.

Python Code

import paramiko
import getpass

#get user/password/substring (for search)
myuser = raw_input("Enter Username For Process: ")
mypass = getpass.getpass()
mysearch = raw_input("Please enter string to search: ")

#get a list of devices from devices.txt - one per line
qbfile = open("devices. Continue reading

Performance progression of IPv4 route lookup on Linux

TL;DR: Each of Linux 2.6.39, 3.6 and 4.0 brings notable performance improvements for the IPv4 route lookup process.

In a previous article, I explained how Linux implements an IPv4 routing table with compressed tries to offer excellent lookup times. The following graph shows the performance progression of Linux through history:

IPv4 route lookup performance

Two scenarios are tested:

  • 500,000 routes extracted from an Internet router (half of them are /24), and
  • 500,000 host routes (/32) tightly packed in 4 distinct subnets.

All kernels are compiled with GCC 4.9 (from Debian Jessie). This version is able to compile older kernels1 as well as current ones. The kernel configuration used is the default one with CONFIG_SMP and CONFIG_IP_MULTIPLE_TABLES options enabled (however, no IP rules are used). Some other unrelated options are enabled to be able to boot them in a virtual machine and run the benchmark.

The measurements are done in a virtual machine with one vCPU2. The host is an Intel Core i5-4670K and the CPU governor was set to “performance”. The benchmark is single-threaded. Implemented as a kernel module, it calls fib_lookup() with various destinations in 100,000 timed iterations and keeps the Continue reading

Back to Basics : Access-Lists and Types

Today I am going to talk about the Access Lists and how we can use that access lists in our network. These Access lists are used in many ways. We have different ways to use it and we also have different configurations for different Access Lists.

Before we start with the various access lists, let's talk about what the Access Lists actual are and why they are used. So answer to your question is Access-List is the way to filter the IP packets entering to the network. So with the use of Access-Lists you can permit or deny the IP packets on the base of IPs, Names, protocols and so on and the routing table decide the traffic routing on the basis of the set of rules we authorised.

Below is just a Sample diagram showing using the Access-Lists and has no relevance with any of the configuration used below.

Sample Diagram showing Access-Lists

We have different kinds of Access-lists and I am taking a short note and the configuration part of these access-lists one by one. These access-lists are :

  • Standard Access-Lists
  • Extended Access-Lists
  • IP Named Access-Lists
  • Lock and Key Access-Lists
  • Reflexive access-Lists
  • Context-Based Access Control
  • Turbo Access-Lists


Let's Continue reading

Docker Networking -Common issues and Troubleshooting

Docker Bangalore meetup is a very active group dedicated to topics around Docker and the ecosystem around it. There was a meetup conducted yesterday at IBM office. There was a mix of topics presented including Moby, Linuxkit, Docker for Windows and Docker multi-stage builds. Thanks to Neependra for organizing the meetup, Neependra created this meetup … Continue reading Docker Networking -Common issues and Troubleshooting

Yet more reasons to disagree with experts on nPetya

In WW II, they looked at planes returning from bombing missions that were shot full of holes. Their natural conclusion was to add more armor to the sections that were damaged, to protect them in the future. But wait, said the statisticians. The original damage is likely spread evenly across the plane. Damage on returning planes indicates where they could damage and still return. The undamaged areas are where they were hit and couldn't return. Thus, it's the undamaged areas you need to protect.

This is called survivorship bias.

Many experts are making the same mistake with regards to the nPetya ransomware. 

I hate to point this out, because they are all experts I admire and respect, especially @MalwareJake, but it's still an error. An example is this tweet:


The context of this tweet is the discussion of why nPetya was well written with regards to spreading, but full of bugs with regards to collecting on the ransom. The conclusion therefore that it wasn't intended to be ransomware, but was intended Continue reading

All Of Ethan’s Podcasts And Articles For June 2017

Packet Pushers Community Blog

Packet Pushers News

Packet Pushers Weekly Podcast

Datanauts Podcast

Priority Queue Podcast

Citizens of Tech Podcast

Recruiters: Must Try Harder

Right now, it’s an employee’s market in the Bay Area. Technology firms are growing, and they’re always trying to hire more people. So I regularly receive emails from recruiters. This is not to brag, it’s just the way things are right now, based upon the economy, my background, my current location, and my age. I’m lucky.

Some of these approaches are outstanding. Well-crafted, tailored to the person and the role. Some are pathetically bad, and I don’t know why they try.

The Right Approach

A good approach goes like this:

Hi Lindsay!

I’m a recruiter at $CoolCompany. We’re looking for great people to work on our teams doing $InterestingThingOne and $InterestingThingsTwo! We’re hoping to do This, That and the Other Thing! Check out our projects on Github <here> and <here>.

We think this would be a good match because of your background working on $RecentProject in $PreviousIndustries.

We were thinking about someone to do these sorts of things: X, Y, Z. But mainly it’s about finding the right people, and we’re fine with re-working the role a bit to suit.

Let us know what you think

Regards, Good Recruiter

The Wrong Approach

Hi

We have a job opening for a Continue reading

Recruiters: Must Try Harder

Right now, it’s an employee’s market in the Bay Area. Technology firms are growing, and they’re always trying to hire more people. So I regularly receive emails from recruiters. This is not to brag, it’s just the way things are right now, based upon the economy, my background, my current location, and my age. I’m lucky.

Some of these approaches are outstanding. Well-crafted, tailored to the person and the role. Some are pathetically bad, and I don’t know why they try.

The Right Approach

A good approach goes like this:

Hi Lindsay!

I’m a recruiter at $CoolCompany. We’re looking for great people to work on our teams doing $InterestingThingOne and $InterestingThingsTwo! We’re hoping to do This, That and the Other Thing! Check out our projects on Github <here> and <here>.

We think this would be a good match because of your background working on $RecentProject in $PreviousIndustries.

We were thinking about someone to do these sorts of things: X, Y, Z. But mainly it’s about finding the right people, and we’re fine with re-working the role a bit to suit.

Let us know what you think

Regards, Good Recruiter

The Wrong Approach

Hi

We have a job opening for a Continue reading

A High Performance Hiatus

The Next Platform will be on summer holiday for the coming week.

We will return to our normal publishing schedule on Monday, July 10th.

For our U.S. readership, we hope you have an excellent Independence Day holiday week and for our many readers outside the states, here’s hoping you find time to relax and enjoy great weather.

Thanks as always for reading, and for our sponsors, we appreciate your support.

Cheers,

Timothy Prickett Morgan, Nicole Hemsoth

Co-Founders, Co-Editors, The Next Platform

A High Performance Hiatus was written by Nicole Hemsoth at The Next Platform.

Latest Ransomware Techniques Show Need for Layered Security

I think everyone that touches security has had multiple conversations about the hardened edge and soft center, commonly found in networks. This usually accompanies some discussion around the overlapping concepts of difference in depth, layered security and security ecosystems. It seems like many of the recent exploits have used a C2 connection for instructions. In those cases, assuming a perfect NGFW product and configuration actually existed that caught 100% of the malicious traffic, it would have the capability to impact those attacks.

However on June 27, Cisco Talos published an article about a ransomware variant known as Nyetya. As of today, Talos has been able to find no evidence of the more common initial infection vehicles. Both Cisco and Microsoft have cited the upgrade process for a tax accounting package as the initial point of infection.

Per Cisco Talos:

The identification of the initial vector is still under investigation. We have observed no use of email or Office documents as a delivery mechanism for this malware. We believe that infections are associated with software update systems for a Ukrainian tax accounting package called MeDoc. Talos is investigating this currently.

So what does this mean to the majority of the world that Continue reading

InfiniBand And Proprietary Networks Still Rule Real HPC

With the network comprising as much as a quarter of the cost of a high performance computing system and being absolutely central to the performance of applications running on parallel systems, it is fair to say that the choice of network is at least as important as the choice of compute engine and storage hierarchy. That’s why we like to take a deep dive into the networking trends present in each iteration of the Top 500 supercomputer rankings as they come out.

It has been a long time since the Top 500 gave a snapshot of pure HPC centers that

InfiniBand And Proprietary Networks Still Rule Real HPC was written by Timothy Prickett Morgan at The Next Platform.

Fix Your NAS With Metadata

Enterprises are purchasing storage by the truckload to support an explosion of data in the datacenter. IDC reports that in the first quarter of 2017, total capacity shipments were up 41.4 percent year-over-year and reached 50.1 exabytes of storage capacity shipped. As IT departments continue to increase their spending on capacity, few realize that their existing storage is a pile of gold that can be fully utilized once enterprises overcome the inefficiencies created by storage silos.

A metadata engine can virtualize the view of data for an application by separating the data (physical) path from the metadata (logical) path. This

Fix Your NAS With Metadata was written by Timothy Prickett Morgan at The Next Platform.

Not The Cisco of John Chambers Anymore

I just got back from Cisco Live 2017 last night and I had a blast at the show. There was a lot of discussion about new architectures, new licensing models, and of course, Tech Field Day Extra. However, one of the most interesting topics went largely under the radar. I think we’re fully in the transition of Cisco away from being the Company of John Chambers.

Steering A Tall Ship

John Chambers wasn’t the first CEO of Cisco. But he’s the one that most people would recognize. He transformed the company into the juggernaut that it is today. He watched Cisco ascend to the leader in the networking space and helped it transform into a company that embraced voice, security, and even servers and compute as new business models.

John’s Cisco is a very unique animal. It’s not a single company. It’s a collection of many independent companies with their own structures and goals all competing with each other for resources. If John decided that UCS was more important to his goals this quarter, he shifted some of the support assets to focus on that business unit. It was a featured product, complete with healthy discounts to encourage user adoption.

Continue reading

Worth Reading: The impact of more specifics in the DFZ

Here I’ll examine the collected statistics of the use of more specific routing advertisements in BGP in further detail, looking at the impact of more specifics on the growth of the routing system and the dynamics of BGP updates in the larger context of scaling BGP to meet the demands of an ever-larger Internet. —potaroo

The post Worth Reading: The impact of more specifics in the DFZ appeared first on rule 11 reader.

1 1,997 1,998 1,999 2,000 2,001 3,841