Secure by default: recommendations from the CISA’s newest guide, and how Cloudflare follows these principles to keep you secure

Secure by default: recommendations from the CISA’s newest guide, and how Cloudflare follows these principles to keep you secure
Secure by default: recommendations from the CISA’s newest guide, and how Cloudflare follows these principles to keep you secure

When you buy a new house, you shouldn’t have to worry that everyone in the city can unlock your front door with a universal key before you change the lock. You also shouldn’t have to walk around the house with a screwdriver and tighten the window locks and back door so that intruders can’t pry them open. And you really shouldn’t have to take your alarm system offline every few months to apply critical software updates that the alarm vendor could have fixed with better software practices before they installed it.

Similarly, you shouldn’t have to worry that when you buy a network discovery tool it can be accessed by any attacker until you change the password, or that your expensive hardware-based firewalls can be recruited to launch DDoS attacks or run arbitrary code without the need to authenticate.

This “default secure” posture is the focus of a recently published guide jointly authored by the Cybersecurity and Infrastructure Agency (CISA), NSA, FBI, and six other international agencies representing the United Kingdom, Australia, Canada, Germany, Netherlands, and New Zealand. In the guide, the authors implore technology vendors to follow Secure-by-Design and Secure-by-Default principles, shifting the burden of security as much Continue reading

Oxy: Fish/Bumblebee/Splicer subsystems to improve reliability

Oxy: Fish/Bumblebee/Splicer subsystems to improve reliability
Oxy: Fish/Bumblebee/Splicer subsystems to improve reliability

At Cloudflare, we are building proxy applications on top of Oxy that must be able to handle a huge amount of traffic. Besides high performance requirements, the applications must also be resilient against crashes or reloads. As the framework evolves, the complexity also increases. While migrating WARP to support soft-unicast (Cloudflare servers don't own IPs anymore), we needed to add different functionalities to our proxy framework. Those additions increased not only the code size but also resource usage and states required to be preserved between process upgrades.

To address those issues, we opted to split a big proxy process into smaller, specialized services. Following the Unix philosophy, each service should have a single responsibility, and it must do it well. In this blog post, we will talk about how our proxy interacts with three different services - Splicer (which pipes data between sockets), Bumblebee (which upgrades an IP flow to a TCP socket), and Fish (which handles layer 3 egress using soft-unicast IPs). Those three services help us to improve system reliability and efficiency as we migrated WARP to support soft-unicast.

Oxy: Fish/Bumblebee/Splicer subsystems to improve reliability

Splicer

Most transmission tunnels in our proxy forward packets without making any modifications. In other words, given Continue reading

SONiC test lab gains industry support

Enterprises that want to kick the tires on the open-source network operating system SONiC got a new option this week as Aviz Networks and a group of well-established industry vendors and organizations said they would collaborate on a new testing facility.The lab, the Open Networking Experience (ONE) Center for SONiC is being offered by SONiC startup Aviz and will be supported by collaboration with the Linux Foundation, The Open Compute Project, Celestica, Cisco, Edgecore, Nvidia, Ragile, Supermicro, Wistron, and Keysight.The center will feature online and in-person access at no cost for network operators to try out the capabilities of SONiC across a wide range of hardware, according to Aviz. To read this article in full, please click here

SONiC test lab gains industry support

Enterprises that want to kick the tires on the open-source network operating system SONiC got a new option this week as Aviz Networks and a group of well-established industry vendors and organizations said they would collaborate on a new testing facility.The lab, the Open Networking Experience (ONE) Center for SONiC is being offered by SONiC startup Aviz and will be supported by collaboration with the Linux Foundation, The Open Compute Project, Celestica, Cisco, Edgecore, Nvidia, Ragile, Supermicro, Wistron, and Keysight.The center will feature online and in-person access at no cost for network operators to try out the capabilities of SONiC across a wide range of hardware, according to Aviz. To read this article in full, please click here

Things Change. Some New content.

Once again it has been awhile. But I wanted to get some new content out. This year I was elected as a member of the board for WAA. Part of my time on the board will include writing articles for our membership. From the second I heard this I knew what I wanted to do. …

Day Two Cloud 191: Modernizing Cloud Security And Optimizing Costs With Jo Peterson

Today's Day Two Cloud delves into cloud security and cloud cost optimization for SaaS and public clouds. Our guest is Jo Peterson. On the security front, we compare and contrast traditional on-prem and cloud security challenges, explore the shared responsibility model of cloud security, and more. For cost optimization we discuss the growing concern about cloud costs, why optimization tools still need humans, tips for tracking multicloud spending, and more.

Day Two Cloud 191: Modernizing Cloud Security And Optimizing Costs With Jo Peterson

Today's Day Two Cloud delves into cloud security and cloud cost optimization for SaaS and public clouds. Our guest is Jo Peterson. On the security front, we compare and contrast traditional on-prem and cloud security challenges, explore the shared responsibility model of cloud security, and more. For cost optimization we discuss the growing concern about cloud costs, why optimization tools still need humans, tips for tracking multicloud spending, and more.

The post Day Two Cloud 191: Modernizing Cloud Security And Optimizing Costs With Jo Peterson appeared first on Packet Pushers.

DDR4 memory organization and how it affects memory bandwidth

DDR4 memory organization and how it affects memory bandwidth
DDR4 memory organization and how it affects memory bandwidth

When shopping for DDR4 memory modules, we typically look at the memory density and memory speed. For example a 32GB DDR4-2666 memory module has 32GB of memory density, and the data rate transfer speed is 2666 mega transfers per second (MT/s).

If we take a closer look at the selection of DDR4 memories, we will then notice that there are several other parameters to choose from. One of them is rank x organization, for example 1Rx8, 2Rx4, 2Rx8 and so on. What are these and does memory module rank and organization have an effect on DDR4 module performance?

In this blog, we will study the concepts of memory rank and organization, and how memory rank and organization affect the memory bandwidth performance by reviewing some benchmarking test results.

Memory rank

Memory rank is a term that is used to describe how many sets of DRAM chips, or devices, exist on a memory module. A set of DDR4 DRAM chips is always 64-bit wide, or 72-bit wide if ECC is supported. Within a memory rank, all chips share the address, command and control signals.

The concept of memory rank is very similar to memory bank. Memory rank is a term used Continue reading

New: Network Infrastructure as Code Resources

While I was developing Network Automation Concepts webinar and the network automation online course, I wrote numerous blog posts on the Network Infrastructure as Code (NIaC) concepts, challenges, implementation details, tools, and sample solutions.

In March 2023 I collected these blog posts into a dedicated NIaC resources page that also includes links to webinars, sample network automation solutions, and relevant GitHub repositories.

Explore

New: Network Infrastructure as Code Resources

While I was developing Network Automation Concepts webinar and the network automation online course, I wrote numerous blog posts on the Network Infrastructure as Code (NIaC) concepts, challenges, implementation details, tools, and sample solutions.

In March 2023 I collected these blog posts into a dedicated NIaC resources page that also includes links to webinars, sample network automation solutions, and relevant GitHub repositories.

Explore

The Internet Twenty-Five Years Later

In 1998 any lingering doubts about the ultimate success of the Internet as a global communications medium had been thoroughly dispelled. The Internet was no longer just a research experiment, or an intermediate way stop on the road to adoption of the Open Systems Interconnect (OSI) framework. There was nothing else left standing in the data communications landscape that could serve our emerging needs for data communications. IP was now the communications technology for the day, if not for the coming century. No longer could the traditional telecommunications enterprises view the Internet with some polite amusement or even overt derision. The Internet had arrived.
1 273 274 275 276 277 3,804