The NSX-T Gateway Firewall Secures Physical Servers

To date, our blog series on securing physical servers with NSX Data Center has covered the use of bare metal agents installed in a physical server. In this scenario, NSX bare metal agents provide management and enforcement of security policy for the physical server. For a quick recap of how NSX Data Center secures physical server traffic, please review our first and second blogs in this multi-part series. In this article, we will discuss the use of one of the NSX-T Gateway services of an NSX Edge Node. Specifically, the NSX-T Gateway Firewall secures physical servers.

What’s The NSX-T Edge?

The NSX-T Edge is a feature-rich L3-L7 gateway.  A brief review of some NSX-T Edge services:

  • Via Tier-0 Gateway, routing between the logical and the physical using dynamic routing protocols (eBGP and iBGP) as well as static routing
  • Via Tier-1 Gateway, routing between logical network segments, or from logical network segments to uplink to the Tier-0 Gateway
  • Routing for IPv4 and IPv6 addresses
  • Load Balancing via NSX-T Edge, which offers high-availability service for applications and distribution of network traffic load
  • Network Address Translation (NAT), available on tier-0 and tier-1 gateways
  • To manage IP addresses, the configuration of DNS (Domain Continue reading

The evolution of hardware telemetry and its software interfaces

Subscribe to Kernel of Truth on iTunesGoogle PlaySpotifyCast Box and Sticher!

Click here for our previous episode.

In this episode, Kernel of Truth host Roopa Prabhu is joined by Barak Gafni. The two of them chat about the evolution of hardware telemetry and its software interfaces as well as catch up some of the work on IOAM Barak’s been involved with. We hope you enjoy this episode and don’t forget to also check out the links below with resources referenced in the podcast.

Guest Bios

Roopa Prabhu: Roopa is a Linux Architect at NVIDIA, formally Cumulus Networks. She and her team work on all things kernel networking and Linux system infrastructure areas. Her primary focus areas in the Linux kernel are Linux bridge, Netlink, VxLAN, Lightweight tunnels. She is currently focused on building Linux kernel dataplane for E-VPN. She loves working with the Linux kernel networking and debian communities. Her past experience includes Linux clusters, ethernet drivers and Linux KVM virtualization platforms. She has a BS and MS in Computer Science. You can find her on Twitter at @__roopa.

Barak Gafni: Barak is a Staff Architect at NVIDIA, formally Mellanox Technologies, focusing on enabling Continue reading

History of Networking: Stan Hanks and GRE

GRE was the first tunneling protocol ever designed and deployed—and although it largely been overtaken by VXLAN and other tunnel protocols, it is still in widespread use today. For this episode of the History of Networking, Stan Hanks, the inventor of GRE—and hence the inventor of the concept of tunneling in packet switched networks—joins us to describe how and why GRE tunneling was invented.

download

Sponsored Post: ipdata, StackHawk, InterviewCamp.io, Educative, Triplebyte, Stream, Fauna

Who's Hiring? 

  • InterviewCamp.io has hours of system design content. They also do live system design discussions every week. They break down interview prep into fundamental building blocks. Try out their platform.

  • Triplebyte lets exceptional software engineers skip screening steps at hundreds of top tech companies like Apple, Dropbox, Mixpanel, and Instacart. Make your job search O(1), not O(n). Apply here.

  • Need excellent people? Advertise your job here! 

Cool Products and Services

  • ipdata is a reliable IP Address Geolocation API that allows you to lookup the approximate location of any IP Address, detect proxies and identify a company from an IP Address. Trusted by 10,000+ developers. Try it now!

  • Developers care about shipping secure applications. Application security products and processes, however, have not kept up with advances in software development. There are a new breed of tools hitting the market that enable developers to take the lead on AppSec. Learn how engineering teams are using products like StackHawk and Snyk to add security bug testing to their CI pipelines.

  • Learn the stuff they don't teach you in the AWS docs. Filter out the distracting hype, and focus on the parts of AWS that Continue reading

IPv6 Buzz Podcast Dives into Open Standards Everywhere

Logo of IPv6 Buzz podcast

What are the challenges with applications supporting IPv6? What do people, particularly those working in enterprises, need to know about how servers and applications work with IPv6? What is the Internet Society’s Open Standards Everywhere project doing to help? How can people get more involved?

To answer all these questions and more, I recently joined Scott Hogg and Tom Coffeen on their IPv6 Buzz Podcast episode 53. You can listen here:

It was a very enjoyable conversation! Thanks to Scott and Tom for having me on their show. I also want to thank Ed Horley, who first contacted me about joining the show but with schedule conflicts was not able to join the recording. I would also encourage you to listen to other IPv6 Buzz episodes to learn more about IPv6.

If you would like to help in the work to get open standards deployed everywhere, please:

The post IPv6 Buzz Podcast Dives into Open Standards Everywhere appeared first on Internet Society.

Introducing Cloudflare Network Interconnect

Introducing Cloudflare Network Interconnect
Introducing Cloudflare Network Interconnect

Today we’re excited to announce Cloudflare Network Interconnect (CNI). CNI allows our customers to interconnect branch and HQ locations directly with Cloudflare wherever they are, bringing Cloudflare’s full suite of network functions to their physical network edge. Using CNI to interconnect provides security, reliability, and performance benefits vs. using the public Internet to connect to Cloudflare. And because of Cloudflare’s global network reach, connecting to our network is straightforward no matter where on the planet your infrastructure and employees are.

At its most basic level, an interconnect is a link between two networks. Today, we’re offering customers the following options to interconnect with Cloudflare’s network:

  • Via a private network interconnect (PNI). A physical cable (or a virtual “pseudo-wire”; more on that later) that connects two networks.
  • Over an Internet Exchange (IX). A common switch fabric where multiple Internet Service Providers (ISPs) and Internet networks can interconnect with each other.

To use a real world analogy: Cloudflare over the years has built a network of highways across the Internet to handle all our customers' traffic. We’re now providing dedicated on-ramps for our customers’ on-prem networks to get onto those highways.

Why interconnect with Cloudflare?

CNI provides more reliable, faster, and more Continue reading

Cloudflare Network Interconnection Partnerships Launch

Cloudflare Network Interconnection Partnerships Launch

Today we’re excited to announce Cloudflare’s Network Interconnection Partner Program, in support of our new CNI product. As ever more enterprises turn to Cloudflare to secure and accelerate their branch and core networks, the ability to connect privately and securely becomes increasingly important. Today's announcement significantly increases the interconnection options for our customers, allowing them to connect with us in the location of their choice using the method or vendors they prefer.

In addition to our physical locations, our customers can now interconnect with us at any of 23 metro areas across five continents using software-defined layer 2 networking technology. Following the recent release of CNI (which includes PNI support for Magic Transit), customers can now order layer 3 DDoS protection in any of the markets below, without requiring physical cross connects, providing private and secure links, with simpler setup.

Launch Partners

We’re very excited to announce that five of the world's premier interconnect platforms are available at launch. Console Connect by PCCW Global in 14 locations, Megaport in 14 locations, PacketFabric in 15 locations, Equinix ECX Fabric in 8 locations and Zayo Tranzact in 3 locations, spanning North America, Europe, Asia, Oceania and Africa.

Cloudflare Network Interconnection Partnerships Launch Cloudflare Network Interconnection Partnerships Launch Cloudflare Network Interconnection Partnerships Launch
Cloudflare Network Interconnection Partnerships Launch Cloudflare Network Interconnection Partnerships Launch


What is an Interconnection Platform?

Like much of the networking world, there are many terms in the interconnection space for the same thing: Cloud Exchange, Virtual Cross Connect Platform and Interconnection Platform are all synonyms. They are platforms that allow two networks to interconnect privately at layer 2, without requiring additional physical cabling. Instead the customer can order a port and a virtual connection on a dashboard, and the interconnection ‘fabric’ will establish the connection. Since many large customers are already connected to these fabrics for their connections to traditional Cloud providers, it is a very convenient method to establish private connectivity with Cloudflare.

Cloudflare Network Interconnection Partnerships Launch

Why interconnect virtually?

Cloudflare has an extensive peering infrastructure and already has private links to thousands of other networks. Virtual private interconnection is particularly attractive to customers with strict security postures and demanding performance requirements, but without the added burden of ordering and managing additional physical cross connects and expanding their physical infrastructure.

Key Benefits of Interconnection Platforms

Secure
Similar to physical PNI, traffic does not pass across the Internet. Rather, it flows from the customer router, to the Interconnection Platform’s network and ultimately to Cloudflare. So while there is still some element of shared infrastructure, it’s not over the public Internet.

Efficient
Modern PNIs are typically a minimum of 1Gbps, but if you have the security motivation without the sustained 1Gbps data transfer rates, then you will have idle capacity. Virtual connections provide for “sub-rate” speeds, which means less than 1Gbps, such as 100Mbps, meaning you only pay for what you use. Most providers also allow some level of “burstiness”, which is to say you can exceed that 100Mbps limit for short periods.

Performance
By avoiding the public Internet, virtual links avoid Internet congestion.

Price
The major cloud providers typically have different pricing for egressing data to the Internet compared to an Interconnect Platform. By connecting to your cloud via an Interconnect Partner, you can benefit from those reduced egress fees between your cloud and the Interconnection Platform. This builds on our Bandwidth Alliance to give customers more options to continue to drive down their network costs.

Less Overhead
By virtualizing, you reduce physical cable management to just one connection into the Interconnection Platform. From there, everything defined and managed in software. For example, ordering a 100Mbps link to Cloudflare can be a few clicks in a Dashboard, as would be a 100Mbps link into Salesforce.

Data Center Independence
Is your infrastructure in the same metro, but in a different facility to Cloudflare? An Interconnection Platform can bring us together without the need for additional physical links.

Where can I connect?

  1. In any of our physical facilities
  2. In any of the 23 metro areas where we are currently connected to an Interconnection Platform (see below)
  3. If you’d like to connect virtually in a location not yet listed below, simply get in touch via our interconnection page and we’ll work out the best way to connect.

Metro Areas

The metro areas below have currently active connections. New providers and locations can be turned up on request.

Cloudflare Network Interconnection Partnerships Launch

What’s next?

Our customers have been asking for direct on-ramps to our global network for a long time and we’re excited to deliver that today with both physical and virtual connectivity of the world’s leading interconnection Platforms.

Already a Cloudflare customer and connected with one of our Interconnection partners? Then contact your account team today to get connected and benefit from improved reliability, security and privacy of Cloudflare Network Interconnect via our interconnection partners.

Are you an Interconnection Platform with customers demanding direct connectivity to Cloudflare? Head to our partner program page and click “Become a partner”. We’ll continue to add platforms and partners according to customer demand.

"Equinix and Cloudflare share the vision of software-defined, virtualized and API-driven network connections. The availability of Cloudflare on the Equinix Cloud Exchange Fabric demonstrates that shared vision and we’re excited to offer it to our joint customers today."
Joseph Harding, Equinix, Vice President, Global Product & Platform MarketingSoftware Developer


"Cloudflare and Megaport are driven to offer greater flexibility to our customers. In addition to accessing Cloudflare’s platform on Megaport’s global internet exchange service, customers can now provision on-demand, secure connections through our Software Defined Network directly to Cloudflare Network Interconnect on-ramps globally. With over 700 enabled data centres in 23 countries, Megaport extends the reach of CNI onramps to the locations where enterprises house their critical IT infrastructure. Because Cloudflare is interconnected with our SDN, customers can point, click, and connect in real time. We’re delighted to grow our partnership with Cloudflare and bring CNI to our services ecosystem — allowing customers to build multi-service, securely-connected IT architectures in a matter of minutes."
Matt Simpson, Megaport, VP of Cloud Services


“The ability to self-provision direct connections to Cloudflare’s network from Console Connect is a powerful tool for enterprises as they come to terms with new demands on their networks. We are really excited to bring together Cloudflare’s industry-leading solutions with PCCW Global’s high-performance network on the Console Connect platform, which will deliver much higher levels of network security and performance to businesses worldwide.”
Michael Glynn, PCCW Global, VP of Digital Automated Innovation


"Our customers can now connect to Cloudflare via a private, secure, and dedicated connection via the PacketFabric Marketplace. PacketFabric is proud to be the launch partner for Cloudflare's Interconnection program. Our large U.S. footprint provides the reach and density that Cloudflare customers need."
Dave Ward, PacketFabric CEO

Using an Inventory Plugin from a Collection in Ansible Tower

Many IT environments grow more and more complex. It is more important than ever that an automation solution always has the most up to date information about what nodes are present and need to be automated. To answer this challenge, the Red Hat Ansible Automation Platform uses inventories: lists of managed nodes.

In its simplest form, inventories can be static files. This is ideal when getting started with Ansible, but as the automation is scaled, a static inventory file is not enough anymore:

  1. How do we update and maintain a list of all of our managed nodes if something changes, if workloads are spun up or teared down?
  2. How do we classify our infrastructure so that we can be more selective in what managed nodes we automate against?

The answer to both of these questions is to use a dynamic inventory: a script or a plugin that will go to a source of truth and discover the nodes that need to be managed. It will also automatically classify the nodes by putting them into groups, which can be used to more selectively target devices when automating with Ansible.

Inventory plugins allow Ansible users to use external platforms to Continue reading

Organic data-transfer technology holds promise for IoT

Visible light communications (VLC) systems are an alternative to radio-based wireless networks and serve a dual purpose: They provide in-building lighting, and they use light waves for data transmission. VLC uses modulated light as a data carrier, while the visible spectrum provides light.Using VLC for data transmission has some advantages. It offers decent bandwidth; it offers security because walls, floors and roofs obstruct the data-carrying wavelengths, which reduces the risk of eavesdropping; and it's inexpensive since it's simply incorporated into light fixtures or, in emerging developments, worked into displays and other surfaces.To read this article in full, please click here

DevAsc – List Consisting of Dictonaries

I was going through Nick Russo’s course Getting Started with Software Development Using Cisco DevNet at Pluralsight and one thing he went through was interacting with the DNA Center API. Using a call to /intent/api/v1/network-device, DNA-C will return a JSON object consisting of an array of objects, or in Python speak, a list of dictionaries. This looks something like below, snipped for brevity:

{
    "response": [
        {
            "memorySize": "3735220224",
            "family": "Wireless Controller",
            "type": "Cisco 3504 Wireless LAN Controller",
            "macAddress": "50:61:bf:57:2f:00",
            "softwareType": "Cisco Controller",
            "softwareVersion": "8.8.111.0",
            "deviceSupportLevel": "Supported",
            "platformId": "AIR-CT3504-K9",
            "reachabilityFailureReason": "",
            "series": "Cisco 3500 Series Wireless LAN Controller",
            "serialNumber": "FCW2218M0B1",
            "inventoryStatusDetail": "<status><general code=\"SUCCESS\"/></status>",
            "hostname": "3504_WLC",
            "lastUpdateTime": 1596457941780,
            "errorDescription": null,
            "interfaceCount": "0",
            "lastUpdated": "2020-08-03 12:32:21",
            "lineCardCount": "0",
            "lineCardId": "",
            "locationName": null,
            "managementIpAddress": "10.10.20.51",
            "reachabilityStatus": "Reachable",
            "snmpContact": "",
            "snmpLocation": "",
            "tagCount": "0",
            "tunnelUdpPort": "16666",
            "waasDeviceMode": null,
            "apManagerInterfaceIp": "",
            "associatedWlcIp": "",
            "bootDateTime": "2020-03-12 16:08:21",
            "collectionStatus": "Managed",
            "errorCode": null,
            "roleSource": "AUTO",
            "upTime": "143 days, 20:24:58.00",
            "location": null,
            "role": "ACCESS",
            "collectionInterval": "Global Default",
            "instanceTenantId": "5e5a432575161200cc4ac95c",
            "instanceUuid": "72dc1f0a-e4da-4ec3-a055-822416894dd5",
            "id": "72dc1f0a-e4da-4ec3-a055-822416894dd5"
        },
        {
            "memorySize": "NA",
            "family": "Switches and Hubs",
            "type": "Cisco Catalyst 9300 Switch",
            "macAddress": "00:72:78:54:d1:00",
            "softwareType": "IOS-XE",
            "softwareVersion": "16.6.4a",
            "deviceSupportLevel": "Supported",
            "platformId": "C9300-48U",
            "reachabilityFailureReason": "",
             Continue reading

What Is Generic Programming?

This year, my journey to learn Rust (and actively use it in a few side projects) has been a treasure trove of learning experiences. Lately, I’ve been finding myself trying to wrap my head around not just new syntax, but entirely new software programming paradigms that I simply haven’t been exposed to before. In my career thus far, I’ve mainly used two languages professionally: Python, and Go. It turns out this forms a pretty interesting story arc, since these two languages paint a wide spectrum of approaches to enabling the developer to be expressive and productive while managing the runtime tradeoffs of doing so.

Tech Bytes: Fortinet’s SASE Is More Than Just The Cloud (Sponsored)

Secure Access Service Edge (SASE) is an emerging market category. On today's Tech Bytes episode, we examine SASE with sponsor Fortinet, including how Fortinet's flexible consumption model differentiates its SASE offering. Our guest is John Maddison, Executive VP of Products at Fortinet.

The post Tech Bytes: Fortinet’s SASE Is More Than Just The Cloud (Sponsored) appeared first on Packet Pushers.

My living room intern experience at Cloudflare

My living room intern experience at Cloudflare
My living room intern experience at Cloudflare

This was an internship unlike any other. With a backdrop of a pandemic, protests, and a puppy that interrupted just about every Zoom meeting, it was also an internship that demonstrated Cloudflare’s leadership in giving students meaningful opportunities to explore their interests and contribute to the company’s mission: to help build a better Internet.

For the past twelve weeks, I’ve had the pleasure of working as a Legal Intern at Cloudflare. A few key things set this internship apart from even those in which I’ve been able to connect with people in-person:

  • Communication
  • Community
  • Commingling
  • Collaboration

Ever since I formally accepted my internship, the Cloudflare team has been in frequent and thorough communication about what to expect and how to make the most of my experience. This approach to communication was in stark contrast to the approach taken by several other companies and law firms. The moment COVID-19 hit, Cloudflare not only reassured me that I’d still have a job, the company also doubled down on bringing on more interns. Comparatively, a bunch of my fellow law school students were left in limbo: unsure of if they had a job, the extent to which they’d be able to do it Continue reading

The 4D Network

I think we can all agree networks have become too complex—and this complexity is a result of the network often becoming the “final dumping ground” of every problem that seems like it might impact more than one system, or everything no-one else can figure out how to solve. It’s rather humorous, in fact, to see a lot of server and application folks sitting around saying “this networking stuff is so complex—let’s design something better and simpler in our bespoke overlay…” and then falling into the same complexity traps as they start facing the real problems of policy and scale.

This complexity cannot be “automated away.” It can be smeared over with intent, but we’re going to find—soon enough—that smearing intent on top of complexity just makes for a dirty kitchen and a sub-standard meal.

While this is always “top of mind” in my world, what brings it to mind this particular week is a paper by Jen Rexford et al. (I know Jen isn’t on the lead position in the author list, but still…) called A Clean Slate 4D Approach to Network Control and Management. Of course, I can appreciate the paper in part because I agree with a Continue reading