Heavy Networking 685: Opengear With Zero Trust Approach in the Out of Band (sponsored)

Remote operation of infrastructure has renewed importance in the era of remote working. Opengear offers secure, zero trust and segmented methods to reach serial & LAN ports plus GUI interfaces. You can add observability agents like Thousand Eyes into containers so that your worst day becomes just another day.

The post Heavy Networking 685: Opengear With Zero Trust Approach in the Out of Band (sponsored) appeared first on Packet Pushers.

AWS customers struggle for hours after a major outage

Amazon Web Services (AWS) on Tuesday said its North Virginia (US-East-1) region faced disruption in services for nearly four hours, affecting thousands of customers.“Between 11:49 AM PDT and 3:37 PM PDT, we experienced increased error rates and latencies for multiple AWS Services in the US-EAST-1 region,” AWS wrote on its health status page, adding that at least 104 of its services were affected during the outage.AWS services that were malfunctioning during these four hours included the likes of AWS Management Console, Amazon SageMaker, AWS Glue, Amazon Connect, AWS Fargate, and Amazon GuardDuty.To read this article in full, please click here

EIGRP Stub Routers

Years ago I wrote an article describing how EIGRP stub routers work and how you should use them in redundant remote sites to make sure link- or node failures don’t result in partial connectivity. That article is now available on ipSpace.net; I hope at least someone will find it useful. I know it’s about ancient technology, but then people are still running COBOL on mainframes.

EIGRP Stub Routers

Years ago I wrote an article describing how EIGRP stub routers work and how you should use them in redundant remote sites to make sure link- or node failures don’t result in partial connectivity. That article is now available on ipSpace.net; I hope at least someone will find it useful. I know it’s about ancient technology, but then people are still running COBOL on mainframes.

The Third Time Charm Of AMD’s Instinct GPU

The great thing about the Cambrian explosion in compute that has been forced by the end of Dennard scaling of clock frequencies and Moore’s Law lowering in the cost of transistors is not only that we are getting an increasing diversity of highly tuned compute engines and broadening SKU stacks across those engines, but also that we are getting many different interpretations of the CPU, GPU, DPU, and FPGA themes.

The Third Time Charm Of AMD’s Instinct GPU was written by Timothy Prickett Morgan at The Next Platform.

Sharing, compressing and password-protecting files on Linux

Keeping your files private from anyone but those with superuser (root) access is easy on Linux. File permissions provide everything you need. By default, you'll have a username and primary group assigned to your account, and you can use the chmod (change mode) command to control what anyone else can view or change.(If permissions like "750" and "rwxr-x---" don't ring any bells for you, check out these posts for insights into how file permissions work on Linux: A deeper dive into Linux permissions and Unix: beyond group and everyone else)To read this article in full, please click here

Sharing, compressing and password-protecting files on Linux

Keeping your files private from anyone but those with superuser (root) access is easy on Linux. File permissions provide everything you need. By default, you'll have a username and primary group assigned to your account, and you can use the chmod (change mode) command to control what anyone else can view or change.(If permissions like "750" and "rwxr-x---" don't ring any bells for you, check out these posts for insights into how file permissions work on Linux: A deeper dive into Linux permissions and Unix: beyond group and everyone else)To read this article in full, please click here

How to secure the cluster in an air gap environment with Calico Cloud

The concern about securing the clusters has grown exponentially and one of the ways to secure it is by isolating the cluster from the Internet to lower the risk of eventual attack. Enterprises that deal with confidential customer data and work with regulatory agencies, such as financial and insurance institutions, require air gap environments for their clusters to create highly secure environments.

What’s an air gap?

The air gap is a security configuration in which the cluster, network, or workload will not have access to the Internet, unless it is explicitly authorized to do so. It is a highly controlled environment and prevents the cluster from establishing external connections without prior authorizations.

The diagram below shows an air gap network:

 

In a containerized environment, the cluster needs to pull the images for spinning up containers and it is usually done by pulling the images from a repository located on the cloud or Internet. However, as the air gap network doesn’t have access to the Internet, pulling images from the Internet is not possible. To address this situation, it is necessary to create a private registry/repository in the air gap network and pull all required images for the cluster into Continue reading

Using Kerberos for Windows in Ansible Automation Platform 2

Kerberos is often the preferred authentication method for managing Windows servers in a domain environment. Red Hat Ansible Automation Platform has allowed customers to leverage Kerberos authentication for a number of years now. So why revisit this subject? 

Ansible Automation Platform 2 was released in July 2021 and was a major re-architecture of the platform. One of the fundamental changes was the introduction of automation execution environments  - the use of containers to consistently package, distribute and execute Ansible Playbooks. Without going into the weeds, automation execution environments consist of a RHEL base image, Ansible Core and any dependencies required to execute our Ansible automation - these are typically Ansible Content Collections and Python libraries. 

The move to containers means that we sometimes need to consider that localhost is now a container. There is an excellent blog post that goes into the details of how localhost isn’t what it seems when it comes to automation execution environments.

With all of this in mind, let’s go through a guided example of how to configure Kerberos authentication in Ansible Automation Platform 2, how to test the configuration and how to configure automation controller to use Kerberos.

 

Example configuration

Continue reading

NVA Part V: NVA Redundancy with Azure Internal Load Balancer – On-Prem Connec

 Introduction


In Chapter Five, we deployed an internal load balancer (ILB) in the vnet-hub. It was attached to the subnet 10.0.0.0/24, where it obtained the frontend IP (FIP) 10.0.1.6. Next, we created a backend pool and associated our NVAs with it. Finally, we bound the frontend IP 10.0.1.6 to the backend pool to complete the ILB setup.


Next, in vnet-spoke1, we created a route table called rt-spoke1. This route table contained a user-defined route (UDR) for 10.2.0.0/24 (vnet-spoke2) with the next-hop set as 10.0.1.6. We attached this route table to the subnet 10.1.0.0/24. Similarly, in vnet-spoke2, we implemented a user-defined route for 10.1.0.0/24 (vnet-spoke1). By configuring these UDRs, we ensured that the spoke-to-spoke traffic would pass through the ILB and one of the NVAs on vnet-hub. Note that in this design, the Virtual Network Gateway is not required for spoke-to-spoke traffic.


In this chapter, we will add a Virtual Network Gateway (VGW) into the topology and establish an IPsec VPN connection between the on-premises network edge router and VGW. Additionally, we will deploy a new route table called "rt-gw-snet" where we add routing entries to the spoke VNets with the next-hop IP address 10.0.1.6 (ILB's frontend IP). Besides, we will add a routing entry 10.3.0.0/16 > 10.0.1.6 into the existing route tables on vnet-spoke-1 and vnet-spoke-2 (not shown in figure 6-1). This configuration will ensure that the spoke to spoke and spoke to on-prem flows are directed through one of the Network Virtual Appliances (NVAs) via ILB. The NVAs use the default route table, where the VGW propagates all the routes learned from VPN peers. However, we do not propagate routes from the default route table into the "rt-gw-snet" and "rt-prod-1" route tables. To enable the spoke VNets to use the VGW on the hub VNet, we allow it in VNet peering configurations.


  1. The administrator of the mgmt-pc opens an SSH session to vm-prod-1. The connection initiation begins with the TCP three-way handshake. The TCP SYN message is transmitted over the VPN connection to the Virtual Gateway (VGW) located on the vnet-hub. Upon receiving the message, the VGW first decrypts it and performs a routing lookup. The destination IP address, 10.1.0.4, matches the highlighted routing entry in the route table rt-gw-snet.
  2. The VGW determines the location (the IP address of the hosting server) of 10.1.0.6, encapsulates the message with tunnel headers, and forwards it to an Internal Load Balancer (ILB) using the destination IP address 10.1.0.6 in the tunnel header.
  3. The Internal Load Balancer receives the TCP SYN message. As the destination IP address in the tunnel header matches one of its frontend IPs, the ILB decapsulates the packet. It then checks which backend pool (BEP) is associated with the frontend IP (FIP) 10.0.1.6 to determine to which VMs it can forward the TCP SYN message. Using a hash algorithm (in our example, the 5-tuple), the ILB selects a VM from the backend pool members, in this case, NVA2. The ILB performs a location lookup for the IP address 10.1.0.5, encapsulates the TCP SYN message with tunnel headers, and finally sends it to NVA2.
  4. The message reaches the hosting server of NVA2, which removes the encapsulation since the destination IP in the tunnel header belongs to itself. Based on the Syn flag set in the TCP header, the packet is identified as the first packet of the flow. Since this is the initial packet of the flow, there is no flow entry programmed into the Generic Flow Table (GFT) related to this connection. The parser component generates a metadata file from the L3 and L4 headers of the message, which then is processed by the Virtual Filtering Platform (VFP) layers associated with NVA2. Following the VFP processing, the TCP SYN message is passed to NVA2, and the GFT is updated with flow information and associated actions (Allow and Encapsulation instructions). Besides, the VFP process creates a corresponding entry for the return packets into the GFT (reversed source and destination IPs and ports). Please refer to the first chapter for more detailed information on VFP processes.
  5. We do not have any pre-routing or post-routing policies configured on either NVA. As a result, NVA2 simply routes the traffic out of the eth0 interface based on its routing table. The ingress TCP SYN message has already been processed by the VFP layers, and the GFT has been updated accordingly. Consequently, the egress packet can be forwarded based on the GFT without the need for additional processing by the VFP layers.
  6. Subsequently, the encapsulated TCP SYN message is transmitted over VNet peering to vm-prod-1, located on vnet-spoke-1. Upon reaching the hosting server of vm-prod-1, the packet is processed in a similar manner as we observed with NVA. The encapsulation is removed, and the packet undergoes the same VFP processing steps as before.


Figure 6-1: ILB Example Topology.

Continue reading

Exam-related Internet shutdowns in Iraq and Algeria put connectivity to the test

Exam-related Internet shutdowns in Iraq and Algeria put connectivity to the test
Exam-related Internet shutdowns in Iraq and Algeria put connectivity to the test

Over the last several years, governments in a number of countries in the Middle East/Northern Africa (MENA) region have taken to implementing widespread nationwide shutdowns in an effort to prevent cheating on nationwide academic exams. Although it is unclear whether such shutdowns are actually successful in curbing cheating, it is clear that they take a financial toll on the impacted countries, with estimated losses in the millions of US dollars.

During the first two weeks of June 2023, we’ve seen Iraq implementing a series of multi-hour shutdowns that will reportedly occur through mid-July, as well as Algeria taking similar actions to prevent cheating on baccalaureate exams. Shutdowns in Syria were reported to begin on June 7, but there’s been no indication of them in traffic data as of this writing (June 13). These actions echo those taken in Iraq, Syria, Sudan, and Algeria in 2022 and in Syria and Sudan in 2021.

(Note: The interactive graphs below have been embedded directly into the blog post using a new Cloudflare Radar feature. This post is best viewed in landscape mode when on a mobile device.)

Iraq

Iraq had reportedly committed on May 15 to not implementing Internet shutdowns during the Continue reading

Cato boasts 5Gbps encrypted tunnel throughput

Cato Networks said today that it has successfully created an encrypted tunnel capable of 5Gbps of throughput, offering reassurance to network administrators worried about traffic overhead created by Secure Access Service Edge (SASE) platforms.The company’s announcement said that increasing uptake of SASE, particularly by large enterprises, has created a need for faster encrypted connections that still support the full array of security technologies present in SASE. The speed boost, Cato said, was made possible by improved performance in the company’s Single Pass Processing Engine, which is the umbrella of services that runs in its various points of presence.To read this article in full, please click here

1 241 242 243 244 245 3,803