Origin Server Connection Security with Universal SSL

Earlier today, CloudFlare enabled Universal SSL: HTTPS support for all sites by default. Universal SSL provides state-of-the-art encryption between browsers and CloudFlare’s edge servers, keeping web traffic private and secure from tampering.

CloudFlare’s Flexible SSL mode is the default for CloudFlare sites on the Free plan. Flexible SSL mode means that traffic from browsers to CloudFlare will be encrypted, but traffic from CloudFlare to a site's origin server will not be. To take advantage of our Full and Strict SSL mode—which encrypts the connection between CloudFlare and the origin server—it’s necessary to install a certificate on the origin server.

We made Universal SSL free so that everyone can use modern, strong encryption tools to protect their web traffic. More encrypted traffic helps build a safer, better Internet. In keeping with CloudFlare’s goal to help build a better Internet, we have some tips on how to upgrade your site from Flexible SSL to Full or Strict SSL.

Option 1: Full SSL: create a self-signed certificate

Dealing with Certificate Authorities (CAs) can be frustrating, and the process of obtaining a certificate can be time consuming. In the meantime, you can get started by installing a self-signed certificate on your origin server. This Continue reading

CWNP Conference Presentations

If it weren’t for Twitter I probably would not have known there was a CWNP conference going on, but luckily we have Twitter. It looks like it was a 3-day conference about all things wireless; I really will try to go next year. It also looks like they posted the presentations on their website, found here. I’ve […]

Fryguy.Net – IMPROVED!

My hosting provider, Digital Ocean, has added IPv6 to one of their NY data centers. Over this weekend, and thanks to the Shellshock BASH vulnerability, I finally got around to migrating the server to a new host that is IPv6 enabled. So as of this morning, there is now an AAAA record for www.fryguy.net! IPv6 Ping […]

SDN Skills Prerequisites Per Vendor Certifications

In the previous post, which kicked off a new series, I discussed the need to make some basic choices when building your SDN development plan. Today’s post begins to look more closely at the prerequisites, by examining what vendors tell us through the prerequisites included for their SDN certifications. To that end, this post looks at HP, VMWare, and Cisco.

The Big Picture

To learn about SDN, and learn deeply, you will need to invest more than a little time. So you need a plan. That plan will include filling in the prerequisite skills that you may need before learning SDN well, some SDN skills common to almost all SDN solutions, and some skills related to particular approaches to SDN that differ quite a bit.

Figure 1: Prerequisites, Foundation, and SDN Silos

Today’s post begins to look at prerequisites. This post focuses on three vendors’ SDN certifications. Cisco, VMWare, and HP all have thriving certification programs, and all three have been rolling out SDN-related certifications. All three programs have a clear vendor focus, which is not surprising. But what do they ask of us as a prerequisite?

Follow-up posts will look at the specific topics, what I personally think people Continue reading

Managing the Network as a Fabric — About Time!

Earlier this September, I attended the Tech Field Day Networking Field Day 8 event. Over the course of three days, we saw presentations from many very interesting vendors including a mix of startups and established market leaders. One trend that really stuck out to me more this time around than at any previous NFD event was a nearly ubiquitous emphasis on data center network fabric management. In other words, truly managing an entire data center network (or at least a sub-block of it) as a single unit.

Just among the NFD8 presenters who were offering this option, we had Cisco with their ACI model (though it stands to reason that even the now-well-established FEX model has very similar capabilities), Big Switch Networks with their Big Cloud Fabric, Pluribus Networks’ Netvisor Software Defined Fabric, and Nuage Networks’ Virtual Services Platform. Each of these products has unique value propositions, so I’m not suggesting they’re all the same but rather pointing out that this concept of fabric-level management is clearly at the forefront of most, if not all, leading-edge data center solutions at this point. The concept has been building for a couple of years, and other vendors are also pursuing this model Continue reading

Show 206 – Brocade’s OpenDaylight-Based Vyatta Controller – Sponsored

If you watch the software defined networking space, you might have noticed that Brocade has been quietly hiring a sharp group of actual (not self-proclaimed) thought leaders and developers. The question has been, “To what end? What’s Brocade going to do with all of these capable folks?” Today, we can answer that question. Brocade has built an […]

Author information

Ethan Banks

Ethan Banks, CCIE #20655, has been managing networks for higher ed, government, financials and high tech since 1995. Ethan co-hosts the Packet Pushers Podcast, which has seen over 2M downloads and reaches over 10K listeners. With whatever time is left, Ethan writes for fun & profit, studies for certifications, and enjoys science fiction. @ecbanks

The post Show 206 – Brocade’s OpenDaylight-Based Vyatta Controller – Sponsored appeared first on Packet Pushers Podcast and was written by Ethan Banks.

Get Out of the Way

I have a lot of memories that have emerged from my years as a network engineer — from funny stories to profound moments to those times when I felt like a complete idiot (because we’re all idiots sometimes). One of those formative moments was when I was agonizing over the decision to leave the Global Escalation Team in customer support and move into an engineering-focused role. I agonized over the change for a number of reasons.

I was moving out of something I knew well, directly supporting customers in a very real way. The Escalation Team was the last stop in customer support. If we couldn’t solve it, it couldn’t be solved. That meant a lot of high pressure customer interaction, doing troubleshooting work on really hard, really big problems. I learned a ton. The Escalation Team was also the top of the hill in my world. There wasn’t anyplace, really, I could imagine wanting to be more than working directly with customers, being able to say at the end of the day, “I helped someone solve a real problem,” or even better, “I helped someone learn how to solve a real problem.” Not only for external customers, Continue reading

Introducing Universal SSL

CloudFlare's Universal SSL

The team at CloudFlare is excited to announce the release of Universal SSL™. Beginning today, we will support SSL connections to every CloudFlare customer, including the 2 million sites that have signed up for the free version of our service.

This morning we began rolling out the Universal SSL across all our current customers. We expect this process to be complete for all current customers before the end of the day. Yesterday, there were about 2 million sites active on the Internet that supported encrypted connections. By the end of the day today, we'll have doubled that.

For new customers who sign up for CloudFlare's free plan, after we get through provisioning existing customers, it will take up to 24 hours to activate Universal SSL. As always, SSL for paid plans will be provisioned instantly upon signup.

How does it work?

For all customers, we will now automatically provision an SSL certificate on CloudFlare's network that will accept HTTPS connections for a customer's domain and subdomains. Those certificates include an entry for the root domain (e.g., example.com) as well as a wildcard entry for all first-level subdomains (e.g., www.example.com, blog.example.com, etc. Continue reading

High availability in horizontally-scaled applications

The networking industry has a somewhat unique relationship with high availability. For compute, storage, and applications, failures are somewhat tolerable because they tend to be more isolated (a single server going down rarely impacts the rest of the servers). However, the network’s central role in connecting resources makes it harder to contain failures. Because of this, availability has been an exercise in driving uptime to near 100 percent.

It is absolutely good to minimize unnecessary downtime, but is the pursuit of perfect availability the right endeavor?

Device uptime vs application availability

We should be crystal clear on one thing: the purpose of the network is not about providing connectivity so much as it is about making sure applications and tenants have what they need. Insofar as connectivity is a requirement, it is important, but the job doesn’t end just because packets make it from one side to the other. Application availability and application experience are far more dominant in determining whether infrastructure is meeting expectations.

With that in mind, the focus on individual device uptime is an interesting but somewhat myopic approach to declaring IT infrastructure success. By focusing on building in availability at the device level, it is easy Continue reading

Shellshock protection enabled for all customers

On Thursday, we rolled out protection against the Shellshock bash vulnerability for all paying customers through the CloudFlare WAF. This protection was enabled automatically and immediately started blocking malicious requests.

We had a number of requests for protection from Shellshock for all our customers, including those on the Free plan.

After observing the actual Shellshock traffic across our network and after seeing the true severity of the vulnerability become clear, we've built and tested a special Basic ShellShock Protection for all customers.

That protection is now operating and enabled for every CloudFlare customer (Free, Pro, Business and Enterprise). Paying customers have the additional protection of more complex Shellshock rules in the CloudFlare WAF.

Every CloudFlare customer is now being protected from the most common attack vectors based on the Shellshock problem and paying customers continue to have the more advanced protection that was rolled out yesterday.
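The post does not publish CloudFlare's WAF rules, so as an added illustration (not CloudFlare's code) here is the minimal form of what "the most common attack vectors" look like from the defender's side: a detector that inspects an HTTP request head for the exported-function prefix that Shellshock relies on. The regular expression, the header parsing and the sample requests are all assumptions constructed for this example; the `() {` prefix itself is the widely published signature of the bug.

```python
import re
from urllib.parse import unquote

# Shellshock (CVE-2014-6271 and its follow-ups) is triggered when bash imports
# an environment variable whose value starts with "() {" as a function
# definition. Web servers that pass request data to CGI scripts through the
# environment (User-Agent, Referer, Cookie, the query string, ...) therefore
# expose that prefix as the thing to look for. The pattern below is the widely
# published signature, written here as an assumption; it is not CloudFlare's
# WAF rule, which the post does not publish.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request head into its request line and a
    dict of lower-cased header names to values (first blank line ends it)."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"request_line": lines[0], "headers": headers}


def _matches(value: str) -> bool:
    # Check both the raw value and its percent-decoded form so that an encoded
    # request line ("%28%29%20%7B") is not missed; decoding is cheap and the
    # signature is specific enough that this does not add false positives.
    return bool(SHELLSHOCK_RE.search(value) or SHELLSHOCK_RE.search(unquote(value)))


def is_shellshock_attempt(raw_request: str) -> bool:
    """True if the request line or any header value carries the
    exported-function prefix that Shellshock relies on."""
    req = parse_request(raw_request)
    if _matches(req["request_line"]):
        return True
    return any(_matches(v) for v in req["headers"].values())


def flag_requests(requests) -> list:
    """Return the indexes of the requests that should be blocked or alerted on."""
    return [i for i, r in enumerate(requests) if is_shellshock_attempt(r)]


# Constructed sample traffic (not captured from any real server): one benign
# request, one carrying the prefix in User-Agent, one percent-encoded in the
# query string. The "echo probe" body is a harmless marker.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/status HTTP/1.1\r\nHost: example.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n",
    "GET /cgi-bin/status HTTP/1.1\r\nHost: example.com\r\n"
    "User-Agent: () { :;}; echo probe\r\n\r\n",
    "GET /cgi-bin/status?x=%28%29%20%7B%20%3A%3B%7D%3B HTTP/1.1\r\n"
    "Host: example.com\r\n\r\n",
]

if __name__ == "__main__":
    for i in flag_requests(SAMPLE_REQUESTS):
        print(f"request {i}: Shellshock signature found, block")
```

A real WAF rule does more than this (it normalises other encodings and inspects request bodies as well), and blocking on the raw prefix alone is the "basic" protection the post describes; the more complex paid-plan rules the post mentions are not reproduced here.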

The Seven Layer Model is Dead

Whether we have the funeral in New Orleans style (with a lot of brass and, well, other stuff), or in the more somber style we’re all so accustomed to– or even perhaps dance down the road singing, “ding dong, the model’s dead” — it’s time to pack the seven layer model into a virtual coffin […]

Author information

Russ White
Principal Engineer at Ericsson

Russ White is a Network Architect who's scribbled a basket of books, penned a plethora of patents, written a raft of RFCs, taught a trencher of classes, and done a lot of other stuff you either already know about, or don't really care about. You want numbers and letters? Okay: CCIE 2635, CCDE 2007:001, CCAr, BSIT, MSIT (Network Design & Architecture, Capella University), MACM (Biblical Literature, Shepherds Theological Seminary). Russ is a Principal Engineer in the IPOS Team at Ericsson, where he works on lots of different stuff, serves on the Routing Area Directorate at the IETF, and is a cochair of the Internet Society Advisory Council. Russ will be speaking in November at the Ericsson Technology Day. He recently published The Art of Network Architecture, and is currently working on a new book in the area Continue reading

GNS3 on Fedora Linux

Here are my notes on installing GNS3 on Fedora Linux. They show the basic steps required to successfully install and configure GNS3 for VirtualBox, Qemu, IOU, and Dynamips support. Configuration of individual VirtualBox, Qemu, IOU and IOS images is not discussed.

1. GNS3 GUI and Server Installation and Configuration

1.1 Install Dependencies

$ sudo yum install python3 python3-setuptools.noarch python3-PyQt4 python3-devel gcc

1.2 Download and Extract GNS3 GUI and Server

$ git clone https://github.com/GNS3/gns3-gui.git
$ git clone https://github.com/GNS3/gns3-server.git

$ cd gns3-gui/
$ sudo python3 setup.py install
$ cd ..

$ cd gns3-server/
$ sudo python3 setup.py install

1.3 Configure GNS3 Server Settings

Navigate to Edit-> Preferences-> GNS3 server-> Local server and change path to gns3server.

2. IOU Installation and Configuration

IOU stands for IOS on Unix. IOU images are IOS images that are compiled for the x86 or SPARC CPU architecture.

2.1 Install Dependencies

$ sudo yum install gcc gcc-c++ git

2.2 Create Symbolic Link and Prevent IOU from Calling Home

$ cd /usr/lib
$ sudo ln -s ./libcrypto.so.10 libcrypto.so.4
$ su -c "echo '127.0.0.127 xml.cisco.com' >> /etc/hosts"

2. Continue reading

Network device configuration using templates with Jinja2 and YAML

This blog is part of my series on DevOps for Networking. Typically, network device configurations for CLI-based systems are stored as text files, and when it's necessary to change parameters like the gateway address, VLAN, NTP server etc., the script is manually edited and then reapplied to the device. This process is manual and prone … Continue reading

One More Thing: Keyless SSL and CloudFlare’s Growing Network

One more thing...

I wanted to write one more thing about Keyless SSL, our announcement from last week, before attention shifts to what we'll be announcing on Monday. Keyless allows us to provide CloudFlare's service without having private SSL keys stored locally on our edge servers. The news last week focused on how this could allow very large customers, like major financial institutions, to use CloudFlare without trusting us with their private keys.

But there's another use that will benefit the entire CloudFlare userbase, not just our largest enterprise customers, and it's this: Keyless SSL is a key part of our strategy to continue to expand CloudFlare's global network.

CloudFlare's Global Network Today

CloudFlare's network today consists of 28 edge data centers that span much of the globe. We have technical and security requirements for these facilities in order to ensure that the equipment they house remains secure. Generally, we're in Tier III or IV data center facilities with the highest level of security. In our San Jose facility, for instance, you have to pass through 5 biometric scans, in addition to multiple 24x7 manned guard check points, before you can get to the electronically locked cabinets housing our servers.

There Continue reading

The shockingly obsolete code of bash

One of the problems with bash is that it's simply obsolete code. We have modern objective standards about code quality, and bash doesn't meet those standards. In this post, I'm going to review the code, starting with the function that is at the heart of the #shellshock bug, initialize_shell_variables().

K&R function headers


The code uses the K&R function headers which have been obsolete since the mid-1980s.


I don't think it's there to support older compilers, because other parts of the code use modern headers. I think it's there simply because they are paranoid about making unnecessary changes to the code. The effect of this is that it messes up static analysis, both simple compiler warnings as well as advanced security analysis tools.

It's also a stylistic issue. There's only one rule to coding style, which is "avoid surprising things", and this is surprising.

Ultimately, this isn't much of an issue, but a symptom that there is something seriously wrong with this code.

Global variables everywhere


Global variables are bad. Your program should have a maximum of five, for such things as the global debug or logging flag. Bash has hundred(s) of global variables.


Also note that a large number of Continue reading