0

Calico monthly roundup: July 2023

Welcome to the Calico monthly roundup: July edition! From open source news to live events, we have exciting updates to share—let’s get into it!

 

 

Customer case study: Upwork Using Calico, Upwork was able to enforce zero-trust security for its newly migrated containerized applications on Amazon EKS. Read our new case study to find out how. Read case study.

Container security – Self-paced workshop This self-paced tutorial is designed to help you prevent, detect, and stop breaches in containers and Kubernetes. Learn how to secure all aspects of your containerized applications—all at your own pace! Get started.

Open source news

• Calico Live – Join the Calico community every Wednesday at 2:00 pm ET for a live discussion about learning how to leverage Calico and Kubernetes for networking and security. We will explore Kubernetes security and policy design, network flow logs and more. Join us live on Linkedin or YouTube.
• CNCF webinar – Watch our CNCF on-demand webinar, Container and Kubernetes security policy design: 10 critical best practices, here.
• Calico eBPF and XDP – Learn how to implement eBPF security policies and XDP to achieve better performance in your Kubernetes cluster. Hands-on lab environment available here.
• Calico Wall of Continue reading

0

IPv6 Buzz 132: Down The Rabbit Hole Of IPv6 Router Advertisements

In this episode, Ed, Scott, and Tom get technical with a discussion of IPv6 Router Advertisements (RAs), what they are, what they're for, what information they contain, new and future RA options, and what you need to know about them to help deploy IPv6 effectively.

0

IPv6 Buzz 132: Down The Rabbit Hole Of IPv6 Router Advertisements

In this episode, Ed, Scott, and Tom get technical with a discussion of IPv6 Router Advertisements (RAs), what they are, what they're for, what information they contain, new and future RA options, and what you need to know about them to help deploy IPv6 effectively.

The post IPv6 Buzz 132: Down The Rabbit Hole Of IPv6 Router Advertisements appeared first on Packet Pushers.

0

Cisco bolsters mobile core technology with Working Group Two buy

Cisco continued filling its shopping bag with various technology firms – this time saying it intended to acquire cloud native mobile core developer Working Group Two (WG2) for an undisclosed amount.The WG2 buy is Cisco’s fifth since June and its nineth this year.  WG2 is known for its mobile technology that helps public and private service providers and enterprise customers build secure and scalable mobile backbones.The technology will become part of Cisco’s Mobility Services platform which offers a full-stack cloud-native converged core network and distributed edge support.Introduced in February, the Mobility Service is designed to simplify how service providers build, manage, and deliver new mobile services globally at scale and supports a variety of technologies to bring 5G, edge, and cloud technologies, Cisco says.To read this article in full, please click here

0

VXLAN/EVPN – What Are the Challenges in L2-based Networks?

Before diving into a new technology, it is always useful to understand the previous generation of technology, what the limitations where, and how the new technology intends to overcome them. In this post, let’s look at what some of the challenges were with L2-based networks and how VXLAN/EVPN can overcome them. Before starting, I want to balance the messaging a bit on the bad reputation that STP gets:

• Radia Perlman did an excellent job with what was available at that time.
• A lot of the bad reputation comes from a misunderstanding of the protocol.
• STP-based networks can run just fine but they are often misconfigured (related to the point above).
• Many issues come from misbehaving end user devices where protection mechanisms have not been implemented (see the point above).
• It’s natural for technologies to evolve as more compute becomes available and we gain experience.

Keep in mind that the original 802.1D standard was published in 1990. This was long before internet was generally available and our networks were critically important to us. At that time we didn’t measure outages in seconds or even minutes. That said, let’s look at the limitations of a traditional L2 network.

Convergence – In Continue reading

0

Nvidia flexes generative AI muscle at SIGGRAPH with new GPUs, development software

Looking to solidify its position as the dominant global supplier of chips that support generative AI workoads, Nvidia announced new GPUs and servers as well as a range of new software offerings at the SIGGRAPH conference in Los Angeles this week.On the hardware side, Nvidia announced a new line of servers, the OVX series. The server line is designed to use up to eight of the company’s L40S GPUs. The GPUs are based on the company's Ada Lovelace architecture, which succeeded Ampere as the microarchitecture in use in its main line graphics cards. Each L40S packs 48GB of memory and is designed with complex AI workloads in mind, boasting 1.45 petaflops of tensor processing power.To read this article in full, please click here

0

Automated namespace isolation with Calico

Calico has recently introduced a powerful new policy recommendation engine that enables DevOps, SREs, and Kubernetes operators to automatically generate Calico policies to implement namespace isolation and improve the security posture of their clusters.

This new recommendation engine is unique for three reasons:

1. Calico’s policy recommendations work continuously in the background over a user-configurable time period. This ensures that less frequent traffic flows are also accounted for in recommended policies.
2. Policy recommendations leverage Calico’s policy tiers. Tiers enforce an order of precedence on how Calico policies are evaluated and enforced. The recommended policies are placed in their own tier and Calico ensures each generated rule does not conflict with other policies you have implemented.
3. Recommended policies are StagedNetworkPolicies, allowing admins and operators to audit the behavior of these security policies before actively enforcing them.

In this blog, we’ll dive into each of these areas in more detail and provide an in-depth overview of how policy recommendations work and how it can improve the security posture of your cluster.

Before we get started, let’s quickly talk about namespace isolation and why it’s so important.

Why is namespace isolation important?

Namespaces are a foundational concept within Kubernetes. They help divide your Continue reading

0

BrandPost: Using a Hybrid Mesh Firewall to Increase Network Security

Cybercriminals aren’t slowing down, and their campaigns are becoming more complex and harder to detect. Between advanced persistent attacks, attempts to infiltrate nontraditional devices, and the increase in multifaceted attack strategies, networks are under constant siege. At the same time, the rise of the Internet of Things (IoT), hybrid-cloud computing, and remote work demands, as well as the continued shortage of skilled security professionals, all make it more challenging than ever to secure and manage enterprise environments. To read this article in full, please click here

0

Day Two Cloud 206: Making The Most Of Red Teaming With Gemma Moore

Red teams attack a customer's security systems. The idea of a red team, whether consultants or in-house, is to approach the target like an attacker would. A red team includes technical and human-based exploit and attempts to test defenses, probe for weaknesses, and identify vulnerable systems and processes. On today's episode we look at how to get the most out of a red team engagement--it's much more than just an attack and a report.

0

Day Two Cloud 206: Making The Most Of Red Teaming With Gemma Moore

Red teams attack a customer's security systems. The idea of a red team, whether consultants or in-house, is to approach the target like an attacker would. A red team includes technical and human-based exploit and attempts to test defenses, probe for weaknesses, and identify vulnerable systems and processes. On today's episode we look at how to get the most out of a red team engagement--it's much more than just an attack and a report.

The post Day Two Cloud 206: Making The Most Of Red Teaming With Gemma Moore appeared first on Packet Pushers.

0

HPE teams with PhoenixNAP for bare metal cloud offerings

IT cloud services provider PhoenixNAP is expanding its bare metal cloud offerings by deploying HPE ProLiant servers with Ampere’s Arm-based server processors rather than x86 chips.Ampere, the chip startup founded by former Intel executive Renee James, makes Arm-based server processors specifically for cloud use. It doesn't use multithreading in its chips, unlike Intel and AMD, because it feels performance is not consistent across threads. Rather, it goes for core count, delivering chips that have 80 to 128 cores.The new server, the HPE ProLiant RL300 Gen11, is a cloud-native server designed for service providers and enterprises. HPE says it offers improved compute performance and energy savings over x86 systems.To read this article in full, please click here

0

Can We Trust Worldcoin’s Aspirin For AI Headaches?

This post originally appeared in the Packet Pushers’ Human Infrastructure newsletter, a weekly mailing of essays, links to technical blogs and IT news, and whatever else think is interesting. Subscribe for free here. Let’s say I invent an autonomous mobile robot. It can lift heavy items for you, wash your dishes, do your grocery shopping, […]

The post Can We Trust Worldcoin’s Aspirin For AI Headaches? appeared first on Packet Pushers.

0

Pipes and more pipes on Linux

Most people who spend time on the Linux command line move quickly into using pipes. In fact, pipes were one of the things that really got me excited when I first used the command line on a Unix system. My appreciation of their power and convenience continues even after decades of using Linux. Using pipes, I discovered how much I could get done by sending the output of one command to another command, and sometimes a command after that, to further tailor the output that I was looking for. Commands incorporating pipes – like the one shown below – allowed me to extract just the information that I needed without having to compile a program or prepare a script.To read this article in full, please click here

0

Pipes and more pipes on Linux

Most people who spend time on the Linux command line move quickly into using pipes. In fact, pipes were one of the things that really got me excited when I first used the command line on a Unix system. My appreciation of their power and convenience continues even after decades of using Linux. Using pipes, I discovered how much I could get done by sending the output of one command to another command, and sometimes a command after that, to further tailor the output that I was looking for. Commands incorporating pipes – like the one shown below – allowed me to extract just the information that I needed without having to compile a program or prepare a script.To read this article in full, please click here

0

Navigating the Connectivity Landscape: Best Practices for Securing Network Architecture

Connectivity is no longer just an enabler. Network architecture must now take security and resilience into account, as well.

0

Navigating the Connectivity Landscape: Best Practices for Securing Network Architecture

Connectivity is no longer just an enabler. Network architecture must now take security and resilience into account, as well.

0

Kyndryl taps Microsoft generative AI for new service, moves toward future profitability

Kyndryl said it would tap into Microsoft’s enterprise-grade generative AI technology to develop business applications with Microsoft Cloud.The IT infrastructure provider announced the joint project with Microsoft on the heels of announcing significant 1Q 2024 earnings where Kyndryl executives said the company will return to profitability in the next year, at least a year ahead of what financial analysts predicted after the company spun out of IBM in November 2021.In addition, Kyndryl chairman and chief executive officer Martin Schroeter told analysts on the company’s first quarter financial call that he expects the company to return to revenue growth in calendar year 2025 and that the company will reach its medium-term profit goals – in what he called significant progress for a company that has been independent for only 6 quarters.To read this article in full, please click here

0

Introducing per hostname TLS settings — security fit to your needs

One of the goals of Cloudflare is to give our customers the necessary knobs to enable security in a way that fits their needs. In the realm of SSL/TLS, we offer two key controls: setting the minimum TLS version, and restricting the list of supported cipher suites. Previously, these settings applied to the entire domain, resulting in an “all or nothing” effect. While having uniform settings across the entire domain is ideal for some users, it sometimes lacks the necessary granularity for those with diverse requirements across their subdomains.

It is for that reason that we’re excited to announce that as of today, customers will be able to set their TLS settings on a per-hostname basis.

The trade-off with using modern protocols

In an ideal world, every domain could be updated to use the most secure and modern protocols without any setbacks. Unfortunately, that's not the case. New standards and protocols require adoption in order to be effective. TLS 1.3 was standardized by the IETF in April 2018. It removed the vulnerable cryptographic algorithms that TLS 1.2 supported and provided a performance boost by requiring only one roundtrip, as opposed to two. For a user to benefit from Continue reading

0

Bulk API in Automation Controller

Automation Controller API:

Automation controller has a rich ReSTful API. REST stands for Representational State Transfer and is sometimes spelled as “ReST”. It relies on a stateless, client-server, and cacheable communications protocol, usually the HTTP protocol. REST APIs provide access to resources (data entities) via URI paths. You can visit the automation controller REST API in a web browser at: http://<server name>/api/

 

API Usage:

Many automation controller customers use the API to build their own event driven automation type solutions that draw data from their environment and then trigger jobs in the automation controller. This type of architecture can lead to incredibly high frequency and volume of requests to the controller API pushing controller’s API to the breaking point.

The API is the simplest and most straightforward way to interact with automation controller for any external system. These external systems and tools integrate with the automation controller API to mainly launch the jobs and get results about the jobs. Additionally, the inventory information is stored in an external system and pushed to the automation controller via API too. Given the fact that we have seen enterprises manage  thousands of hosts via automation controller, the number of API calls Continue reading

0

Top Security Benefits of Improving Network Resiliency

In this archived panel discussion sponsored by Absolute Software, Steve Fallin connects with Ariel Robinson and Sherelle Moore to deliver an in-depth conversation detailing the 'Security Benefits of Improving Network Resiliency' during our 'Network Resilience Boot Camp' presented by Data Center Knowledge and Network Computing. This excerpt is from our live 'Network Resilience Boot Camp' virtual event moderated by Bonnie D. Graham on June 29, 2023.