Protect your key server with Keyless SSL and Cloudflare Tunnel integration

Protect your key server with Keyless SSL and Cloudflare Tunnel integration
Protect your key server with Keyless SSL and Cloudflare Tunnel integration

Today, we’re excited to announce a big security enhancement to our Keyless SSL offering. Keyless SSL allows customers to store their private keys on their own hardware, while continuing to use Cloudflare’s proxy services. In the past, the configuration required customers to expose the location of their key server through a DNS record - something that is publicly queryable. Now, customers will be able to use our Cloudflare Tunnels product to send traffic to the key server through a secure channel, without publicly exposing it to the rest of the Internet.

A primer on Keyless SSL

Security has always been a critical aspect of online communication, especially when it comes to protecting sensitive information. Today, Cloudflare manages private keys for millions of domains which allows the data communicated by a client to stay secure and encrypted. While Cloudflare adopts the strictest controls to secure these keys, certain industries such as financial or medical services may have compliance requirements that prohibit the sharing of private keys.In the past, Cloudflare required customers to upload their private key in order for us to provide our L7 services. That was, until we built out Keyless SSL in 2014, a feature that allows customers Continue reading

Super Bot Fight Mode is now configurable!

Super Bot Fight Mode is now configurable!
Super Bot Fight Mode is now configurable!

Millions of customers around the world use Cloudflare to keep their applications safe by blocking bot traffic to their website. We block an average of 336 million requests per day for self-service customers using a service called Super Bot Fight Mode. It is a crucial part of how customers keep their websites online.

While most customers use Cloudflare’s Verified Bot directory to securely allow good, automated traffic, some customers also like to write their own localized integration scripts to crawl and update their website, or perform other necessary maintenance functions. Because these bots are only used on a single website, they don’t fit our verified bot criteria the way a Google or Bing crawler does. This makes Super Bot Fight Mode difficult to manage for these types of customers.

Super Bot Fight Mode: now configurable!

Previously, Super Bot Fight Mode ran as an independent service on our global network and other Cloudflare security services were unable to affect its configuration. To solve this, we’ve rewritten Super Bot Fight Mode behind the scenes. It’s now a new managed ruleset in the new WAF, just like the OWASP Core Ruleset or the Cloudflare Managed Ruleset. This doesn’t change the interface, but Continue reading

No, AI did not break post-quantum cryptography

No, AI did not break post-quantum cryptography
No, AI did not break post-quantum cryptography

News coverage of a recent paper caused a bit of a stir with this headline: “AI Helps Crack NIST-Recommended Post-Quantum Encryption Algorithm”. The news article claimed that Kyber, the encryption algorithm in question, which we have deployed world-wide, had been “broken.” Even more dramatically, the news article claimed that “the revolutionary aspect of the research was to apply deep learning analysis to side-channel differential analysis”, which seems aimed to scare the reader into wondering what will Artificial Intelligence (AI) break next?

Reporting on the paper has been wildly inaccurate: Kyber is not broken and AI has been used for more than a decade now to aid side-channel attacks. To be crystal clear: our concern is with the news reporting around the paper, not the quality of the paper itself. In this blog post, we will explain how AI is actually helpful in cryptanalysis and dive into the paper by Dubrova, Ngo, and Gärtner (DNG), that has been misrepresented by the news coverage. We’re honored to have Prof. Dr. Lejla Batina and Dr. Stjepan Picek, world-renowned experts in the field of applying AI to side-channel attacks, join us on this blog.

We start with some Continue reading

Post-quantum crypto should be free, so we’re including it for free, forever

Post-quantum crypto should be free, so we’re including it for free, forever
Post-quantum crypto should be free, so we’re including it for free, forever

At Cloudflare, helping to build a better Internet is not just a catchy saying. We are committed to the long-term process of standards development. We love the work of pushing the fundamental technology of the Internet forward in ways that are accessible to everyone. Today we are adding even more substance to that commitment. One of our core beliefs is that privacy is a human right. We believe that to achieve that right the most advanced cryptography needs to be available to everyone, free of charge, forever. Today, we are announcing that our implementations of post-quantum cryptography will meet that standard: available to everyone, and included free of charge, forever.

We have a proud history of taking paid encryption products and launching it to the Internet at scale for Free. Even at the cost of short and long-term revenue because it’s the right thing to do. In 2014, we made SSL free for every Cloudflare customer with Universal SSL. As we make our implementations of post-quantum cryptography free forever today, we do it in the spirit of that first major announcement:

“Having cutting-edge encryption may not seem important to a small blog, but it is critical to advancing the encrypted-by-default Continue reading

Kubernetes Meets Event-Driven Ansible

Kubernetes + EDA

In today’s fast paced world, every second counts and the ability to react to activities in a timely fashion can mean the difference between satisfying the needs of consumers and meeting Service-Level Agreements. Each are goals of Event-Driven Ansible, which seeks to further the reach of Ansible based automation by responding to events that meet certain criteria. These events can originate from a variety of sources, such as from an HTTP endpoint, messages on a queue or topic, or from public cloud resources. Kubernetes has become synonymous with managing infrastructure and applications in cloud native architectures and many organizations are reliant on these systems for running their business critical workloads. Automation and Kubernetes go hand in hand and Ansible already plays a role within this ecosystem. A new capability leveraging the Event-Driven Ansible framework is now available that extends the integration between both Ansible and Kubernetes so that Ansible automation activities can be triggered based on events and actions occurring within a Kubernetes cluster.

Event-Driven Ansible is designed using a concept called Rulebooks which consists of three main components:

  • Actions - Triggering the execution of assets including an Ansible Playbook or module 
  • Rules - Determination of whether received events Continue reading

Advantages of Using Generalized TTL Security Mechanism (GTSM) with EBGP

A few weeks ago I described why EBGP TCP packets have TTL set to one (unless you configured EBGP multihop). Although some people claim that (like NAT) it could be a security feature, it’s not a good one. Generalized TTL Security Mechanism (GTSM, described in RFC 5082) is much better.

Most BGP implementations set TTL field in outgoing EBGP packets to one. That prevents a remote intruder that manages to hijack a host route to an adjacent EBGP peer from forming a BGP session as the TCP replies get lost the moment they hit the first router in the path.

Read more …

Advantages of Using Generalized TTL Security Mechanism (GTSM) with EBGP

A few weeks ago I described why EBGP TCP packets have TTL set to one (unless you configured EBGP multihop). Although some people claim that (like NAT) it could be a security feature, it’s not a good one. Generalized TTL Security Mechanism (GTSM, described in RFC 5082) is much better.

Most BGP implementations set TTL field in outgoing EBGP packets to one. That prevents a remote intruder that manages to hijack a host route to an adjacent EBGP peer from forming a BGP session as the TCP replies get lost the moment they hit the first router in the path.

Read more …

Cloudflare’s Channel Partner Award winners of 2022

Cloudflare’s Channel Partner Award winners of 2022
Cloudflare’s Channel Partner Award winners of 2022

We are thrilled to announce Cloudflare’s worldwide 2022 Channel Partner Award winners. Each of these partner companies and individuals went above and beyond, demonstrating outstanding commitment to working closely with Cloudflare to build technical competencies and to deliver compelling, integrated security and performance solutions for customers around the globe.

This past year was another milestone year, with record-setting growth for Cloudflare and our partners. The Cloudflare Channel and Alliances Partner Program received the highest, 5-star rating in CRN’s Partner Program Guide. New customer bookings acquired through partners jumped over 28% year over year.

In June, we announced the Cloudflare One Partner Specialization, with tailored enablement and new partner go-to-market resources for Cloudflare One, our SASE solution which includes the industry’s first, 100% Cloud-native Zero Trust platform. More than 1,600 partner sellers and technical sellers have completed Cloudflare Zero Trust training courses, enabling them to deliver the most comprehensive security needed in today’s connect-from-anywhere economy.The Cloudflare Channel Partner Network contributed to the significant market traction we’ve seen for Cloudflare One, including partner-sourced pipeline for Cloudflare One growing 240% from Q1 through Q4 of 2022.

As organizations across industries and the public sector require a fast and secure path to Zero Continue reading

Palo Alto bolsters AI support in SASE, SD-WAN products

Palo Alto Networks has added a variety of new features to its SASE and SD-WAN packages to help enterprises streamline network operations and better secure distributed WAN resources.The updates center around new automation capabilities in Palo Alto’s Prisma SASE, IoT support for its Prisma SD-WAN, and a new connector for its zero-trust offering. Coined by research firm Gartner, secure access service edge (SASE) refers to a network architecture that integrates SD-WAN and security functionality in a unified cloud service.To read this article in full, please click here

Sending Slack Messages with Python

Here’s a quick summary of what we’ve talked about in the last few posts — all with Python.

This is all fine and dandy, but I would guess that you’re not the only engineer in the company and production maintenance scripts don’t run off of your laptop. We need a way to let a group of people know what’s happening when one of your scripts is run. And please don’t say email. Email has been worthless for alerting for over a decade, and there are better ways to do it. Search your feelings…you know it to be true!

At this point, we all have some magic messaging tool that someone in upper management decided we needed. There are others out there, but I would guess that the majority of companies are using Microsoft Teams or Slack with some Webex Teams sprinkled in there. These are great tools with lots of features and are probably not yet overused to point of making users ignore the messages, so they are Continue reading

Sending Slack Messages with Python

Here’s a quick summary of what we’ve talked about in the last few posts — all with Python.

This is all fine and dandy, but I would guess that you’re not the only engineer in the company and production maintenance scripts don’t run off of your laptop. We need a way to let a group of people know what’s happening when one of your scripts is run. And please don’t say email. Email has been worthless for alerting for over a decade, and there are better ways to do it. Search your feelings…you know it to be true!

At this point, we all have some magic messaging tool that someone in upper management decided we needed. There are others out there, but I would guess that the majority of companies are using Microsoft Teams or Slack with some Webex Teams sprinkled in there. These are great tools with lots of features and are probably not yet overused to point of making users ignore the messages, so they are Continue reading

Dell offers bare metal cloud via colocation

A new deal between Dell and colocation services provider Cyxtera will enable enterprises to access Dell’s PowerEdge infrastructure for bare-metal deployments in Cyxtera facilities.“Bare metal” cloud services means you get the hardware with no software loaded. Typically, a cloud services provider offers an operating system, usually Linux, and accompanying infrastructure. With bare metal, you just get CPU cores, memory, networking and storage but no OS. You provide your own environment.Under the deal, enterprises will be able to deploy Dell hardware through Cyxtera’s enterprise bare-metal service, an on-demand offering that connects an enterprise’s existing on-premises infrastructure with the colocation environment.To read this article in full, please click here

Dell offers bare metal cloud via colocation

A new deal between Dell and colocation services provider Cyxtera will enable enterprises to access Dell’s PowerEdge infrastructure for bare-metal deployments in Cyxtera facilities.“Bare metal” cloud services means you get the hardware with no software loaded. Typically, a cloud services provider offers an operating system, usually Linux, and accompanying infrastructure. With bare metal, you just get CPU cores, memory, networking and storage but no OS. You provide your own environment.Under the deal, enterprises will be able to deploy Dell hardware through Cyxtera’s enterprise bare-metal service, an on-demand offering that connects an enterprise’s existing on-premises infrastructure with the colocation environment.To read this article in full, please click here

Day Two Cloud 186: A Day In The Life Of A Sales Engineer With Pete Robertson

Today's Day Two Cloud episode gets into sales engineering. IT pros may look down on sales for not being a strictly technical discipline, but it turns out there's more overlap between an engineer and a sales engineer than you might think. Both have to solve problems, understand requirements, and design and deliver outcomes. Our guest is Pete Robertson, a sales engineer for a value-added reseller.

Day Two Cloud 186: A Day In The Life Of A Sales Engineer With Pete Robertson

Today's Day Two Cloud episode gets into sales engineering. IT pros may look down on sales for not being a strictly technical discipline, but it turns out there's more overlap between an engineer and a sales engineer than you might think. Both have to solve problems, understand requirements, and design and deliver outcomes. Our guest is Pete Robertson, a sales engineer for a value-added reseller.

The post Day Two Cloud 186: A Day In The Life Of A Sales Engineer With Pete Robertson appeared first on Packet Pushers.

Using the at command to schedule tasks on Linux

To schedule a command or script to run at some particular time, the at command is perfect and provides many options for specifying the time you want it to run. It will set the task up to be run whenever you specify, and you can view the scheduled tasks or even change your mind and cancel one of them as you see fit.The at command differs from cron in that it sets up a command or script to run only once, while cron allows you to set up commands or scripts to be run on a specified schedule – whether every day, once a week, a couple times a month or even just once a year.at command syntax Using the at command is relatively easy, though it has a lot of options, particularly on how you specify the time a task should be run. If you specify a time like shown below, the task will be set up to be run the next time you reach 15:27 (3:27 PM), whether that's today or tomorrow.To read this article in full, please click here

1 283 284 285 286 287 3,792