0

OSPF Convergence In a Hub and Spoke Topology

My dear friend Micheline Murphy posted an excellent question on OSPF in a Hub and Spoke topology at the Cisco Learning Network. The scenario is a Hub and Spoke topology with two Hub routers that are ABRs belonging to area 100 and area 200. SP-101 and SP-102 belong to area 100. SP-201 and SP-202 belong to area 200. The topology is shown below:

The OSPF areas are shown below:

Some facts about the setup and intent of this post:

• All routers are Catalyst8000v running IOS-XE 17.6.3.
• Hub routers are connected to area 0 where the prefix 198.51.100.0/24 is being advertised.
• Each spoke advertises a /28 from 192.0.2.0/24.
• All interfaces are point to point as the purpose is not to simulate a NBMA topology.
• The intent is to verify what happens in a failure scenario but lab first shows the stable topology.

The expectation is that in a stable topology each Spoke will have two ECMP routes, one via each Hub, to the other spokes. The router SP-202 will be used to demonstrate. First let’s verify that everything is working as expected. SP-202 is a router in area 200:

SP-202#show ip ospf 1
  Continue reading

0

Unmasking the top exploited vulnerabilities of 2022

The Cybersecurity and Infrastructure Security Agency (CISA) just released a report highlighting the most commonly exploited vulnerabilities of 2022. With our role as a reverse proxy to a large portion of the Internet, Cloudflare is in a unique position to observe how the Common Vulnerabilities and Exposures (CVEs) mentioned by CISA are being exploited on the Internet.

We wanted to share a bit of what we’ve learned.

Based on our analysis, two CVEs mentioned in the CISA report are responsible for the vast majority of attack traffic seen in the wild: Log4J and Atlassian Confluence Code Injection. Although CISA/CSA discuss a larger number of vulnerabilities in the same report, our data clearly suggests a major difference in exploit volume between the top two and the rest of the list.

The top CVEs for 2022

Looking at the volume of requests detected by WAF Managed Rules that were created for the specific CVEs listed in the CISA report, we rank the vulnerabilities in order of prevalence:

Popularity rank	Description	CVEs
1. Improper Input Validation caused Remote Code execution in Apache Log4j logging library	Log4J	CVE-2021-44228
2. Atlassian Confluence Server and Data Center Remote Code Execution Vulnerability	Atlassian Confluence Code Injection	CVE-2022-26134
Continue reading

0

Chip makers team up to take on Arm with RISC-V

Five companies that manufacture semiconductors for smartphones, automobiles and more have announced that they will form a company designed to advance the open source RISC-V architecture, in a move widely seen as being designed to reduce their dependence on licensed technology from Arm.The companies — Qualcomm, Robert Bosch, Infineon Technologies, NXP Semiconductors and Nordic Semiconductors — have yet to name this joint venture, but said in a statement issued Friday that the company will be registered in Germany, and that its focus will be on providing reference architectures and establishing industry solutions. The initial focus, according to the statement, will be on the automotive industry, but plans are in place to expand into mobile and IoT use cases.To read this article in full, please click here

0

Hedge 189: Data Center Careers with Carrie Goetz

When network engineers think of a data center, we think of fabrics and routers and switches. There is a lot more to a data center, though—there is power, building construction, environmentals, and a lot of others. What possible jobs are out there in the data center space for people who want to work in IT, but don’t either want to code or build networks? Carrie Goetz, author of Jumpstart Your Career in Data Centers joins Tom Ammon and Russ White to tell us about a few, and about the importance of other careers in the data center.

download

In case you didn’t see it I’m uploading the rough “machine generated” transcript of each episode about a week after the episode airs. It takes a little time for the transcription to be created, and then for me to log back in and upload the file.

0

Heavy Networking 693: Securing Workforce Transformation With Cloud SWG (Sponsored)

On today's sponsored Heavy Networking we dig into cloud-delivered Secure Web Gateways (SWGs), which help guard end users against Web-based threats and enforce corporate Web access policies. As employees split time between home, office, and who knows where else, and as more applications move online, cloud-based SWGs help connect and protect workers. Our sponsor is Palo Alto Networks.

0

Heavy Networking 693: Securing Workforce Transformation With Cloud SWG (Sponsored)

On today's sponsored Heavy Networking we dig into cloud-delivered Secure Web Gateways (SWGs), which help guard end users against Web-based threats and enforce corporate Web access policies. As employees split time between home, office, and who knows where else, and as more applications move online, cloud-based SWGs help connect and protect workers. Our sponsor is Palo Alto Networks.

The post Heavy Networking 693: Securing Workforce Transformation With Cloud SWG (Sponsored) appeared first on Packet Pushers.

0

DNSOP at IETF117

After the flurry of work in various aspects of DNS privacy, the IETF’s agenda for DNS has shifted towards more maintenance and update. This does not mean that the volume of work has abated in any way, but it has dropped the more focussed stance of previous meetings to a broader diversity of topics in operating DNS infrastructure.

0

IEPG at IETF117

The IEPG meets for a couple of hours before each IETF meeting. It's a somewhat eclectic collection of presentations, with some vague common thread of relevance to Internet operations. Here's a summary of my impression from these IEPG session presentations for IETF 117.

0

Zscaler Report Finds VPNs are No Longer Cutting the Mustard

The report finds that since VPNs can expose an organization to various cyber threats, enterprises are starting to prioritize zero trust adoption.

0

Gen-AI HPC infrastructure provider CoreWeave scores $2.3 billion financing deal

CoreWeave, a specialist cloud provider offering high performance computing services to meet growing corporate demand for generative AI workloads, announced Thursday that it has received a $2.3 billion debt financing package from several asset management firms.The key to CoreWeave’s focus on the AI market is in its hardware. The company sells primarily GPU-based virtual machines, which are particularly well-suited for AI workloads. According to Gartner vice president and analyst Arun Chandrasekaran, CoreWeave’s advertised low cost is a function of its ties to Nvidia, with which, CoreWeave has said, it has a preferred supplier arrangement, enabling it to pass on savings.To read this article in full, please click here

0

Gen-AI HPC infrastructure provider CoreWeave scores $2.3 billion financing deal

CoreWeave, a specialist cloud provider offering high performance computing services to meet growing corporate demand for generative AI workloads, announced Thursday that it has received a $2.3 billion debt financing package from several asset management firms.The key to CoreWeave’s focus on the AI market is in its hardware. The company sells primarily GPU-based virtual machines, which are particularly well-suited for AI workloads. According to Gartner vice president and analyst Arun Chandrasekaran, CoreWeave’s advertised low cost is a function of its ties to Nvidia, with which, CoreWeave has said, it has a preferred supplier arrangement, enabling it to pass on savings.To read this article in full, please click here

0

Fortinet bolsters SD-WAN services, security with new software, next-generation firewalls

Fortinet has added new features to its SD-WAN software and a next-generation firewall series that promise to help customers better monitor and protect distributed enterprise resources.On the SD-WAN front, Fortinet is introducing two services – a network underlay and overlay option to let customers better manage WAN traffic to remote sites. The Underlay Performance Monitoring Service for SD-WAN utilizes the vendor’s core central management system FortiManager and FortiGuard’s database of hundreds of popular SaaS and cloud implementations, to offer visibility into the performance of the underlay network.  The underlay network is typically made up if the physical network infrastructure supporting traffic between distributed cloud or remote office resources.To read this article in full, please click here

0

Fortinet bolsters SD-WAN services, security with new software, next-generation firewalls

Fortinet has added new features to its SD-WAN software and a next-generation firewall series that promise to help customers better monitor and protect distributed enterprise resources.On the SD-WAN front, Fortinet is introducing two services – a network underlay and overlay option to let customers better manage WAN traffic to remote sites. The Underlay Performance Monitoring Service for SD-WAN utilizes the vendor’s core central management system FortiManager and FortiGuard’s database of hundreds of popular SaaS and cloud implementations, to offer visibility into the performance of the underlay network.  The underlay network is typically made up if the physical network infrastructure supporting traffic between distributed cloud or remote office resources.To read this article in full, please click here

0

Using Web Application Firewall at container-level for network-based threats

The microservices architecture provides developers and DevOps engineers significant agility that helps them move at the pace of the business. Breaking monolithic applications into smaller components accelerates development, streamlines scaling, and improves fault isolation. However, it also introduces certain security complexities since microservices frequently engage in inter-service communications, primarily through HTTP-based APIs, thus broadening the application’s attack surface. This scenario is similar to breaking a chunk of ice into smaller pieces, increasing its surface area. It is crucial that enterprises address these security challenges before benefiting from adopting a microservice architecture.

Challenges implementing defense-in-depth for containers with perimeter-based Web Application Firewall

Kubernetes is the de-facto standard for microservices orchestration. However, as organizations increasingly adopt Kubernetes, they run the risk of inadvertently introducing security gaps. This is often the result of attempts to integrate traditional security tooling into a cloud-native ecosystem that is highly dynamic, ephemeral, and non-deterministic. Instead of implementing security around the platform, DevOps, security, and platform teams must look at enforcing defenses through the platform.

Let’s look at an example of a web application firewall (WAF) which is typically deployed at the ingress of a network or application. As shown in the diagram below, HTTP traffic is Continue reading

0

What’s Causing Cloud Outages? A Network Managers’ Guide

From fat-finger errors to fishing boats, here are the leading reasons cloud outages at AWS, Microsoft, and others are a growing network resilience challenge.

0

How to use the redirect command

In this Linux tip, we’re going to look at the greater than and greater than x2 operators and how they work. The greater than operator will take the output of the command preceding it and put it into the file that follows it.

0

Failure Simulations Fireside Chat Presented by Panduit

In this archived panel discussion, Panduit’s Bob Wagner and Jeff Paliga deliver a fireside chat during our 'Network Resilience Boot Camp' presented by Data Center Knowledge and Network Computing. This excerpt is from our live 'Network Resilience Boot Camp' virtual event moderated by Bonnie D. Graham on June 29, 2023.

0

Integrate Cloudflare Zero Trust with Datadog Cloud SIEM

Cloudflare's Zero Trust platform helps organizations map and adopt a strong security posture. This ranges from Zero Trust Network Access, a Secure Web Gateway to help filter traffic, to Cloud Access Security Broker and Data Loss Prevention to protect data in transit and in the cloud. Customers use Cloudflare to verify, isolate, and inspect all devices managed by IT. Our composable, in-line solutions offer a simplified approach to security and a comprehensive set of logs.

We’ve heard from many of our customers that they aggregate these logs into Datadog’s Cloud SIEM product. Datadog Cloud SIEM provides threat detection, investigation, and automated response for dynamic, cloud-scale environments. Cloud SIEM analyzes operational and security logs in real time – regardless of volume – while utilizing out-of-the-box integrations and rules to detect threats and investigate them. It also automates response and remediation through out-of-the-box workflow blueprints. Developers, security, and operations teams can also leverage detailed observability data and efficiently collaborate to accelerate security investigations in a single, unified platform. We previously had an out-of-the-box dashboard for Cloudflare CDN available on Datadog. These help our customers gain valuable insights into product usage and performance metrics for response times, HTTP status codes, cache hit rate. Continue reading

0

Ansible data manipulation with a Filter

This year at Summit, an attendee posed a question about how to work with setting facts and changing data in Ansible. Many times we’ve come across people using task after task to manipulate data, to turn items into lists, filter our options, trying to do heavy data manipulation and to turn data from one source into another. Trying to make these programmatic changes using a mixture of YAML and Jinja inside of roles and playbooks is a headache of its own. While many of these options will work, they aren’t very efficient or easy to implement. Ansible Playbooks were never meant for programming.

One solution that is usually overlooked is to do the manipulation in Python inside of a module or a filter. This article will detail how to create a filter to manipulate data. In addition, a repository for all code referenced in this article has been created.

This example was first developed as a module. However after review, it was determined that these data transformations are best done as filters. Filters can take multiple data inputs, do the programmatic operations, and then can be used in line where they are used as input or set as a fact. Continue reading

0

Ansible data manipulation with a Filter

Background:

This year at Summit, an attendee posed a question about how to work with setting facts and changing data in Ansible. Many times we’ve come across people using task after task to manipulate data, to turn items into lists, filter our options, trying to do heavy data manipulation and to turn data from one source into another. Trying to make these programmatic changes using a mixture of YAML and Jinja inside of roles and playbooks is a headache of its own. While many of these options will work, they aren’t very efficient or easy to implement. Ansible Playbooks were never meant for programming.

One solution that is usually overlooked is to do the manipulation in Python inside of a module or a filter. This article will detail how to create a filter to manipulate data. In addition, a repository for all code referenced in this article has been created. 

This example was first developed as a module. However after review, it was determined that these data transformations are best done as filters. Filters can take multiple data inputs, do the programmatic operations, and then can be used in line where they are used as input or set as Continue reading