Check out these brand new videos on how to optimize CloudFlare


Someone once said that the best things in life are free and I can’t agree more. I want to draw the attention of the CloudFlare community to a great resource that helps maximize the value of our product. Troy Hunt, an experienced trainer and blogger, has produced a video course on using CloudFlare. The video series is available through Pluralsight, an online training site for developers.

Because the folks at Pluralsight think that this is a great resource, the video tutorials are being offered to everyone for a week absolutely for free.

So what can you expect to learn? The course kicks off by explaining what CloudFlare brings to the table, and then sets up a site on CloudFlare, including configuring the name server records with your DNS provider. All of this helps get things up and running quickly. Then it gets deeper.

One module of the course is devoted to understanding more about SSL and further strengthening the implementation. For example, CloudFlare’s SSL rates high on the Qualys SSL Labs Test and scores an “A” right out of the box. But you can make it better – an “A+” – just by enabling HSTS. However, you really want to Continue reading

DockerCon Vendor Briefings

At DockerCon 2015 in San Francisco, I had the opportunity to meet with a few vendors in the Docker ecosystem. Here are some notes from my vendor briefings.

StackEngine

StackEngine describes themselves as enterprise-grade container application management. They tout features like being able to compose Docker applications using a drag-and-drop interface, deploy containers across multiple hosts, and provide automation—all with the sort of controls that enterprise IT groups are seeking. That’s all well and good, but the key problem in my mind is that these are features Docker is seeking for themselves. Docker Compose offers the ability to specify applications. True, there’s no GUI (yet). Alas, StackEngine can translate their GUI application design into YAML, but it doesn’t comply with Docker Compose. Thus, it ends up being more competitive than complementary, in my opinion. Docker Swarm and the upcoming Docker Network address some of StackEngine’s deployment functionality, and if Project Orca takes off as an official effort—well, let’s just say I hope that StackEngine has more planned. This is not to say that StackEngine isn’t a well-engineered solution offering real value; rather, this is to say that StackEngine appears to be, unfortunately, in the crosshairs for functionality Docker is aiming Continue reading

Pressure mounts in EU to treat Facebook and Twitter as critical infrastructure

Pressure is mounting in the European Union to subject companies including Google, Twitter, eBay and Facebook to the same critical IT infrastructure security requirements as banks or energy networks. EU lawmakers want providers of essential services in industries including banking, health care, transport and energy to protect their networks from hackers, and to disclose data breaches to the authorities. The European Commission, which proposed the draft Network and Information Security Directive two years ago, also wants it to cover enablers of key Internet services, such as e-commerce platforms, Internet payment gateways, social networks, search engines, cloud computing services and app stores. The European Parliament, however, rejected their inclusion in the critical infrastructure rules last year. To read this article in full or to leave a comment, please click here

FBI: CryptoWall ransomware plague rising

As the sad and sometimes scary examples of the scam known as ransomware propagate, the FBI this week said the CryptoWall variant is rapidly becoming the swindle of choice for criminals. The FBI’s Internet Crime Complaint Center said that between April 2014 and June 2015 it received 992 CryptoWall-related complaints, with victims reporting losses totaling over $18 million. And it’s not just user PCs that are being targeted; a growing number of victims are being hit with ransomware that locks down mobile phones and demands payment to unlock them.

How to build your own public key infrastructure

A major part of securing a network as geographically diverse as CloudFlare’s is protecting data as it travels between datacenters. Customer data and logs are important to protect but so is all the control data that our applications use to communicate with each other. For example, our application servers need to securely communicate with our new datacenter in Osaka, Japan.

CC BY-SA 2.0 image by kris krüg

Great security architecture requires a defense system with multiple layers of protection. As CloudFlare’s services have grown, the need to secure application-to-application communication has grown with it. As a result, we needed a simple and maintainable way to ensure that all communication between CloudFlare’s internal services stay protected, so we built one based on known and reliable protocols.

Our system of trust is based on a Public Key Infrastructure (PKI) using internally-hosted Certificate Authorities (CAs). In this post we will describe how we built our PKI, how we use it internally, and how to run your own with our open source software. This is a long post with lots of information, grab a coffee!

Protection at the application layer

Most reasonably complex modern web services are not made up of one monolithic Continue reading

Critical flaw in ESET products shows why spy groups are interested in antivirus programs

Several antivirus products from security firm ESET had a critical vulnerability that was easy to exploit and could lead to a full system compromise. The discovery of the flaw, which has now been patched, comes on the heels of a report that intelligence agencies from the U.K. and the U.S. are reverse engineering antivirus products in search of vulnerabilities and methods to bypass detection. The vulnerability in ESET products was discovered by Google security engineer Tavis Ormandy and was located in their emulator, the antivirus component responsible for unpacking and executing potentially malicious code inside a safe environment so that it can be scanned.

Arista brings cloud-scale automation to enterprises and service providers

The term "software defined networking" (SDN) certainly means different things to different people. To the giant web companies, SDN means having the ability to create custom network software to enable functions that are unique to that organization. This requires dedicated software engineers and a networking team large enough to run and support the custom networks. There are somewhere in the neighborhood of 30 companies that have the resources, size, and scale for this model of SDN to make sense. For businesses below this tier – service providers and enterprises – SDN means the promise of automation and cloud scale but also a high level of complexity, sometimes more complexity than the original network. A good rule of thumb for IT initiatives is that solutions should never be more complicated than the problem they're intended to solve. This is one reason SDN deployments have been slow despite the fact that almost every organization I talk to today is interested in the technology. For SDNs to become pervasive in the non-web-scale tier, they must become easier to deploy.

Operational Annoyances: SSL Certificates and Keys


You’re asked to update the SSL certificate for movingpackets.net on a load balancer. The requestor (me, in this case) gives you the certificate file. I don’t need to give you the intermediate certificate bundle because you’re going to use the checkcert tool to sort that out. I also tell you to use the same private key as for the last certificate. How do you know that the old private key works with the new public certificate?

Checking SSL Certificates and Keys

My good friend OpenSSL can help us match a certificate and key. The basic premise is that the modulus of both the key and the cert file should be the same. The openssl commands to do this are:

# openssl x509 -noout -modulus -in microsoft.com.crt
Modulus=<long hex string elided>

# openssl rsa -noout -modulus -in microsoft.com.key
Modulus=<long hex string elided>

Are they the same? Did you check every byte? The lazy way to do this, then, is to take an md5 hash of each output and compare those instead; it’s a little easier, and while there’s a remote chance that two non-equal moduli could have the same md5 hash, it’s pretty unlikely. And so:

# openssl x509 -noout -modulus -in microsoft. Continue reading
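As an added example (not code from the original post), the check above packaged as a small POSIX shell script. It hashes the Modulus line from both files and compares the digests, and it also adds a key-type-agnostic variant that compares the public key embedded in the certificate with the public half derived from the private key, since `openssl rsa -modulus` only applies to RSA keys. It generates a constructed key and self-signed certificate plus an unrelated second key in a temporary directory so it runs offline; the file names, the CN and the use of sha256 instead of md5 are choices made for this example.

```sh
#!/bin/sh
# Added example, not code from the original post: confirm that a private key
# belongs to a certificate by comparing hashes of their moduli (RSA only), and
# by comparing public keys (any key type). All file names below are constructed.
set -e

# Print a SHA-256 digest of the "Modulus=..." line that openssl emits for an
# X.509 certificate ($1 = x509) or an RSA private key ($1 = rsa).
modulus_hash() {
    kind="$1"; file="$2"
    openssl "$kind" -noout -modulus -in "$file" | openssl dgst -sha256 | awk '{ print $NF }'
}

# Succeed (exit 0) only when the certificate and key carry the same RSA modulus.
cert_key_match() {
    cert_digest=$(modulus_hash x509 "$1")
    key_digest=$(modulus_hash rsa "$2")
    [ "$cert_digest" = "$key_digest" ]
}

# Key-type-agnostic check: the SubjectPublicKeyInfo embedded in the certificate
# must equal the public key derived from the private key (works for RSA and EC).
pubkey_match() {
    cert_digest=$(openssl x509 -noout -pubkey -in "$1" | openssl dgst -sha256 | awk '{ print $NF }')
    key_digest=$(openssl pkey -pubout -in "$2" | openssl dgst -sha256 | awk '{ print $NF }')
    [ "$cert_digest" = "$key_digest" ]
}

# Build constructed test material in a temp dir: a key, a self-signed
# certificate issued for that key, and an unrelated second key. Prints the dir.
make_fixture() {
    dir=$(mktemp -d)
    openssl genrsa -out "$dir/site.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/site.key" -out "$dir/site.crt" \
        -days 1 -subj "/CN=movingpackets.example" 2>/dev/null
    openssl genrsa -out "$dir/other.key" 2048 2>/dev/null
    printf '%s\n' "$dir"
}

# Stand-alone demo on the constructed material.
FIXTURE=$(make_fixture)
if cert_key_match "$FIXTURE/site.crt" "$FIXTURE/site.key"; then
    echo "site.key matches site.crt"
fi
if ! cert_key_match "$FIXTURE/site.crt" "$FIXTURE/other.key"; then
    echo "other.key does NOT match site.crt"
fi
rm -rf "$FIXTURE"
```

In day-to-day use, call `cert_key_match new.crt old.key` before loading the pair onto the load balancer; a non-zero exit means the requestor handed you a certificate issued for a different key and the TLS handshake would fail. The `pubkey_match` form is the one to reach for once ECDSA certificates enter the mix.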

Understanding the real problems for Network Design

Designers should be trained to understand the real problems. An excellent solution to the wrong problem is worse than no solution. As a designer, you shouldn’t start by trying to solve the problem given to you. You shouldn’t try to find the best design for the given problem. You should try to understand the real issues.…

The post Understanding the real problems for Network Design appeared first on Network Design and Architecture.

IT/IT: Network scale is more than size

“Judge me by my size, do you?”

I’ve had several discussions with people over the years about the concept of scale in the world of network engineering. Most often, when network engineers think of a “large scale network,” they used to mean large service providers; now they tend to think of some large cloud provider. But is scale really about size? I’m not much into the backflipping Yoda of the later Star Wars movies, but I would argue scale is much more about backflips than it is about being big.

So what is scale about? In the networking world, scale can be given the shorthand services x size. Standing in a huge data center with rows and rows of racks and blinking lights, it’s easy to forget about the services part of that equation.

A useful way to understand this is to consider the services offered by a pair of networks, one large and one small. The typical cloud provider’s network might contain thousands of nodes in a single data center — something more than 1000x10g (or 10,000x1g) ports on the edge is moderately sized in this world. What services does such a network — within the network itself — Continue reading

The IPv6 Revolution Will Not Be Broadcast


There are days when IPv6 proponents have to feel like Chicken Little. Ever since the final allocation of the last /8s to the RIRs over four years ago, we’ve been saying that the switch to IPv6 needs to happen soon before we run out of IPv4 addresses to allocate to end users.

As of yesterday, ARIN (@TeamARIN) has 0.07 /8s left to allocate to end users. What does that mean? Realistically, according to this ARIN page, that means there are 3 /21s left in the pool. There are around 450 /24s. The availability of those addresses is even in doubt, as there are quite a few requests in the pipeline. I’m sure ARIN is now more worried that they have received a request that they can’t fulfill and it’s already in their queue.

The sky has indeed fallen for IPv4 addresses. I’m not going to sit here and wax alarmist. My stance on IPv6 and the need to transition is well known. What I find very interesting is that the transition is not only well underway, but it may have found the driver needed to see it through to the end.

Mobility For The Masses

I’ve Continue reading

Do you really need Quality of Service ?

Quality of service (QoS) is the overall performance of a telephony or computer network, particularly the performance seen by the users of the network. Above is the Quality of Service definition from Wikipedia. Performance metrics can be bandwidth, delay, jitter, packet loss and so on. Two Quality of Service approaches have been defined by…

The post Do you really need Quality of Service ? appeared first on Network Design and Architecture.

The Upload: Your tech news briefing for Wednesday, June 24

Ford drives into car-sharing space

As car-sharing and ride-hailing apps make it ever easier for people, especially the urban young, to shrug off the expense of actually owning a car, at least one automaker wants to get in the driver’s seat and steer the trend in a more favorable direction. Ford is launching a pilot car-sharing program in six U.S. cities and London, CNBC reports, and will let customers who use the carmaker’s financing program rent out their vehicle via the Getaround sharing app.

U.S. government is falling behind on application security

U.S. government organizations are struggling when it comes to securing the software they use, according to a report by application security firm Veracode that puts government in dead last place among all sectors. Problems include use of old scripting and programming languages, failure to self-regulate and failure to impose security requirements on software suppliers.

Webinars in 1H2015, and a Look Forward

The first half of 2015 was extremely productive – seven brand new webinars (or 22 hours of new content) were added to the ipSpace.net webinar library.

Most of the development focus was on SDN and network automation: OpenFlow, NETCONF and YANG, Ansible, Jinja and YAML, and Monitoring SDN networks. There was also the traditional Data Center Fabrics Update session in May, IPv6 Microsegmentation webinar in March, and (finally!) vSphere 6 Networking Deep Dive in April.

Do I have to mention that you get all of them (and dozens of other webinars) with the ipSpace.net subscription?

Read more ...

Is Container Networking Holding On To The Past?

There has been a plethora of docker-related info on the internet this week, thanks in no small part to DockerCon, and I was motivated to finish this blog post about container networking.

In short, it seems like most if not all container networking projects are going out of their way to give devs the feeling of a “flat” network. My question is - who cares?

For this post, I am not talking about IaaS (which is arguably a declining use case). I am talking about an application cloud provider (i.e. SaaS, and maybe PaaS) where all IP addresses are assigned by the provider and under their control, within the context of the data center.

The way that most of these projects are being marketed to developers is that they provide one big flat network upon which to communicate. Why this choice of terminology? Why does “cloud-native” application design not by default include things like IPv6, or application nodes that are agnostic of what broadcast domain they are participating in?

I have Continue reading