Bring your own CA for client certificate validation with API Shield

Bring your own CA for client certificate validation with API Shield
Bring your own CA for client certificate validation with API Shield

APIs account for more than half of the total traffic of the Internet. They are the building blocks of many modern web applications. As API usage grows, so does the number of API attacks. And so now, more than ever, it’s important to keep these API endpoints secure. Cloudflare’s API Shield solution offers a comprehensive suite of products to safeguard your API endpoints and now we’re excited to give our customers one more tool to keep their endpoints safe. We’re excited to announce that customers can now bring their own Certificate Authority (CA) to use for mutual TLS client authentication. This gives customers more security, while allowing them to maintain control around their Mutual TLS configuration.

The power of Mutual TLS (mTLS)

Traditionally, when we refer to TLS certificates, we talk about the publicly trusted certificates that are presented by servers to prove their identity to the connecting client. With Mutual TLS, both the client and the server present a certificate to establish a two-way channel of trust. Doing this allows the server to check who the connecting client is and whether or not they’re allowed to make a request. The certificate presented by the client - the client certificate Continue reading

The day my ping took countermeasures

The day my ping took countermeasures
The day my ping took countermeasures
The day my ping took countermeasures

Once my holidays had passed, I found myself reluctantly reemerging into the world of the living. I powered on a corporate laptop, scared to check on my email inbox. However, before turning on the browser, obviously, I had to run a ping. Debugging the network is a mandatory first step after a boot, right? As expected, the network was perfectly healthy but what caught me off guard was this message:

The day my ping took countermeasures

I was not expecting ping to take countermeasures that early on in a day. Gosh, I wasn't expecting any countermeasures that Monday!

Once I got over the initial confusion, I took a deep breath and collected my thoughts. You don't have to be Sherlock Holmes to figure out what has happened. I'm really fast - I started ping before the system NTP daemon synchronized the time. In my case, the computer clock was rolled backward, confusing ping.

While this doesn't happen too often, a computer clock can be freely adjusted either forward or backward. However, it's pretty rare for a regular network utility, like ping, to try to manage a situation like this. It's even less common to call it "taking countermeasures". I would totally expect ping to just print Continue reading

Catalyst SD-WAN – Introduction to Configuration Groups

One of the challenges with Catalyst SD-WAN is managing templates. Depending on how successful you are in standardizing your deployment, you risk ending up with many device templates. This can also be amplified if you have several platforms as each platform requires its own set of device templates. Feature templates, while reusable, offers no concept of grouping feature templates which means that there is a lot of work involved in building a new device template. To overcome some of these challenges, Cisco has introduced Configuration Groups starting with 20.8 and going forward where 20.11 currently has the most features implemented. This is also often referred to as UX 2.0 in some presentations. Let’s take a look at Configuration Groups by looking at the building blocks.

  • Configuration Group – Logical grouping of features or configuration that is applied to devices. Similar to a device template but it can be applied to different models.
  • Feature Profile – Building block of configurations that can be reused across different Configuration Groups. Example feature profiles are Transport Profile, System Profile, Service Profile.
  • Feature – The Feature Profile consists of features. The individual capability to be shared across Configuration Groups such as service Continue reading

Configuring Linux Traffic Control in a Sane Way

Smart engineers were forever using Linux (in particular, its traffic control/queue discipline functionality) to simulate WAN link impairment. Unfortunately, there’s a tiny hurdle you have to jump across: the tc CLI is even worse than iptables.

A long while ago someone published a tc wrapper that simulates shitty network connections and (for whatever reason) decided to call it Comcast. It probably does the job, but I would prefer to have something in Python. Daniel Dib found just that – tcconfig – and used it to simulate WAN link behavior on VMware vSphere.

Configuring Linux Traffic Control in a Sane Way

Smart engineers were forever using Linux (in particular, its traffic control/queue discipline functionality) to simulate WAN link impairment. Unfortunately, there’s a tiny hurdle you have to jump across: the tc CLI is even worse than iptables.

A long while ago someone published a tc wrapper that simulates shitty network connections and (for whatever reason) decided to call it Comcast. It probably does the job, but I would prefer to have something in Python. Daniel Dib found just that – tcconfig – and used it to simulate WAN link behavior on VMware vSphere.

Multiple SD-WAN vendors can complicate move to SASE

Enterprises over the past several years have embraced SD-WAN for many reasons, including the flexibility of cloud architecture, enhanced security, centralized management of distributed locations, and improved application availability and performance. In turn, the popularity of SD-WAN has helped propel interest in secure access service edge (SASE), a network architecture that converges connectivity and security services.To read this article in full, please click here

Multiple SD-WAN vendors can complicate move to SASE

Enterprises over the past several years have embraced SD-WAN for many reasons, including the flexibility of cloud architecture, enhanced security, centralized management of distributed locations, and improved application availability and performance. In turn, the popularity of SD-WAN has helped propel interest in secure access service edge (SASE), a network architecture that converges connectivity and security services.To read this article in full, please click here

Connection errors in Asia Pacific region on July 9, 2023

Connection errors in Asia Pacific region on July 9, 2023
Connection errors in Asia Pacific region on July 9, 2023

On Sunday, July 9, 2023, early morning UTC time, we observed a high number of DNS resolution failures — up to 7% of all DNS queries across the Asia Pacific region — caused by invalid DNSSEC signatures from Verisign .com and .net Top Level Domain (TLD) nameservers. This resulted in connection errors for visitors of Internet properties on Cloudflare in the region.

The local instances of Verisign’s nameservers started to respond with expired DNSSEC signatures in the Asia Pacific region. In order to remediate the impact, we have rerouted upstream DNS queries towards Verisign to locations on the US west coast which are returning valid signatures.

We have already reached out to Verisign to get more information on the root cause. Until their issues have been resolved, we will keep our DNS traffic to .com and .net TLD nameservers rerouted, which might cause slightly increased latency for the first visitor to domains under .com and .net in the region.

Background

In order to proxy a domain’s traffic through Cloudflare’s network, there are two components involved with respect to the Domain Name System (DNS) from the perspective of a Cloudflare data center: external DNS resolution, and upstream or origin DNS resolution.

Continue reading

Network Break 437: Ethernet Turns 50; TSMC Imports Workers For Arizona Fab; BT, HPE Partner On Managed LAN

On today's Network Break, Greg Ferro wishes Ethernet an unhappy birthday, HPE and BT want to manage your LAN, TSMC brings in Taiwanese workers to build new fabs in Arizona, Nokia touts new Fixed Wireless Access milestones, and more IT news.

The post Network Break 437: Ethernet Turns 50; TSMC Imports Workers For Arizona Fab; BT, HPE Partner On Managed LAN appeared first on Packet Pushers.

Lining Up The “El Capitan” Supercomputer Against The AI Upstarts

The question is no longer whether or not the “El Capitan” supercomputer that has been in the process of being installed at Lawrence Livermore National Laboratory for the past week – with photographic evidence to prove it – will be the most powerful system in the world.

The post Lining Up The “El Capitan” Supercomputer Against The AI Upstarts first appeared on The Next Platform.

Lining Up The “El Capitan” Supercomputer Against The AI Upstarts was written by Timothy Prickett Morgan at The Next Platform.

Cross Training for Career Completeness

Are you good at your job? Have you spent thousands of hours training to be the best at a particular discipline? Can you configure things with your eyes closed and are finally on top of the world? What happens next? Where do you go if things change?

It sounds like an age-old career question. You’ve mastered a role. You’ve learned all there is to learn. What more can you do? It’s not something specific to technology either. One of my favorite stories about this struggle comes from the iconic martial artist Bruce Lee. He spent his formative years becoming an expert at Wing Chun and no one would argue he wasn’t one of the best. As the story goes, in 1967 he engaged in a sparring match with a practitioner of a different art and, although he won, he was exhausted and thought things had gone on far too long. This is what encouraged him to develop Jeet Kun Do as a way to incorporate new styles together for more efficiency and eventually led to the development of mixed martial arts (MMA).

What does Bruce Lee have to do with tech? The value of cross training with different tech disciplines Continue reading

Creating a directory tree with a single command

The mkdir command can do more than create a single directory. It can create multiple directories at once and can even create an entire directory structure with a single command. The required command will be a tad complex, but not particularly challenging.NOTE: If you try to set up a multi-level directory structure with a command like the one shown below, it won't work if the initial directories ("this" and "that") don't already exist.$ mkdir this/that/the_othermkdir: cannot create directory ‘this/that/the_other’: No such file or directory Add a -p (for "parents") and the missing directories will be created and your this/that/the_other directory structure will be set up in your current directory as intended.To read this article in full, please click here

Creating a directory tree with a single command

The mkdir command can do more than create a single directory. It can create multiple directories at once and can even create an entire directory structure with a single command. The required command will be a tad complex, but not particularly challenging.NOTE: If you try to set up a multi-level directory structure with a command like the one shown below, it won't work if the initial directories ("this" and "that") don't already exist.$ mkdir this/that/the_othermkdir: cannot create directory ‘this/that/the_other’: No such file or directory Add a -p (for "parents") and the missing directories will be created and your this/that/the_other directory structure will be set up in your current directory as intended.To read this article in full, please click here

1 264 265 266 267 268 3,841