Manage and control the use of dedicated egress IPs with Cloudflare Zero Trust

Manage and control the use of dedicated egress IPs with Cloudflare Zero Trust
Manage and control the use of dedicated egress IPs with Cloudflare Zero Trust

Before identity-driven Zero Trust rules, some SaaS applications on the public Internet relied on the IP address of a connecting user as a security model. Users would connect from known office locations, with fixed IP address ranges, and the SaaS application would check their address in addition to their login credentials.

Many systems still offer that second factor method. Customers of Cloudflare One can use a dedicated egress IP for this purpose as part of their journey to a Zero Trust model. Unlike other solutions, customers using this option do not need to deploy any infrastructure of their own. However, not all traffic needs to use those dedicated egress IPs.

Today, we are announcing policies that give administrators control over when Cloudflare uses their dedicated egress IPs. Specifically, administrators can use a rule builder in the Cloudflare dashboard to determine which egress IP is used and when, based on attributes like identity, application, IP address, and geolocation. This capability is available to any enterprise-contracted customer that adds on dedicated egress IPs to their Zero Trust subscription.

Why did we build this?

In today’s hybrid work environment, organizations aspire for more consistent security and IT experiences to manage their employees’ traffic Continue reading

Get notified about the most relevant events with Advanced HTTP Alerts

Get notified about the most relevant events with Advanced HTTP Alerts
Get notified about the most relevant events with Advanced HTTP Alerts

Today we’re excited to be announcing more flexibility to HTTP alerting, enabling customers to customize the types of activity they’re alerted on and how those alerts are organized.

Prior to today, HTTP alerts at Cloudflare have been very generic. You could choose which Internet properties you wanted and what sensitivity you wanted to be alerted on, but you couldn’t choose anything else. You couldn’t, for example, exclude  the IP addresses you use to test things. You couldn’t choose to monitor only a specific path. You couldn’t choose which HTTP statuses you wanted to be alerted on. You couldn’t even choose to monitor your entire account instead of specific zones.

Our customers leverage the Cloudflare network for a myriad of use cases ranging from decreasing bandwidth costs and accelerating asset delivery with Cloudflare CDN to protecting their applications against brute force attacks with Cloudflare Bot Management. Whether the reasons for routing traffic through the Cloudflare network are simple or complex, one powerful capability that comes for free is observability.

With traffic flowing through the network, we can monitor and alert customers about anomalous events such as spikes in origin error rates, enabling them to investigate further and mitigate any issues as Continue reading

Lost and Hating Your Job in Tech? 9 Key Steps Before Jumping Ship

While I am not the most active user on Reddit, I still enjoy the community for the most part, even as a passive reader. Last week, Curiousguy1993 asked the IT Career Community some questions. As much as I wanted to jump in and type away my response, I eventually decided to structure my thoughts better […]

The post Lost and Hating Your Job in Tech? 9 Key Steps Before Jumping Ship appeared first on Packet Pushers.

Kubernetes Unpacked 018: Grappling With Kubernetes Complexity

In today's Kubernetes Unpacked episode, host Michael Levan and guest Michael Chenetz examine the complexity that comes with Kubernetes and its broader ecosystem, what engineers should expect when diving into it, and why organizations should invest in people not just tech.

The post Kubernetes Unpacked 018: Grappling With Kubernetes Complexity appeared first on Packet Pushers.

Azure Networking Fundamentals: VNET Peering

Comment: Here is a part of the introduction section of the eight chapter of my Azure Networking Fundamentals book. I will also publish other chapters' introduction sections soon so you can see if the book is for you. The book is available at Leanpub and Amazon (links on the right pane).

This chapter introduces an Azure VNet Peering solution. VNet peering creates bidirectional IP connections between peered VNets. VNet peering links can be established within and across Azure regions and between VNets under the different Azure subscriptions or tenants. The unencrypted data path over peer links stays within Azure's private infrastructure. Consider a software-level solution (or use VGW) if your security policy requires data path encryption. There is no bandwidth limitation in VNet Peering like in VGW, where BW is based on SKU. From the VM perspective, VNet peering gives seamless network performance (bandwidth, latency, delay, and jitter) for Inter-VNet and Intra-VNet traffic. Unlike the VGW solution, VNet peering is a non-transitive solution, the routing information learned from one VNet peer is not advertised to another VNet peer. However, we can permit peered VNets (Spokes) to use local VGW (Hub) and route Spoke-to-Spoke data by using a subnet-specific route table Continue reading

Ansible Automation Platform Moving Towards Smarter Inventory

smarter. inventory blog

TL;DR What is this?

It has been a long term ask and our desire to make Smart Inventory, well, smarter. We’ve listened to feedback, and are now addressing not only direct customer asks but also presenting solutions to make it better overall.

 

The current Red Hat Ansible Automation Platform  Smart Inventory

The current Smart Inventory has a number of shortcomings:

  • The smart inventory host_filter cannot express that a variable EQUALS a value, or do basic logic like NOT.
  • Host/group/inventory variables cannot be filtered as a combined unit, as these are separate fields.
  • Resultant smart inventories do not contain groups.
  • The smart inventory host_filter has its own custom syntax, which isn’t the most friendly.

All of these issues stem from the original design of Smart Inventory, and the fact that Inventory Django models (Inventory, Group, and Host) save their “variables” in text form as YAML/JSON, as they appear in the UI. We then have to parse these into a dictionary form so they are in some way usable. This introduces new challenges and constraints.

 

A better solution: “constructed inventory”

So rather than continuing down a sub-optimal route, we’ve taken stock of the options (there were many and they got Continue reading

Cloudflare’s handling of a bug in interpreting IPv4-mapped IPv6 addresses

Cloudflare's handling of a bug in interpreting IPv4-mapped IPv6 addresses
Cloudflare's handling of a bug in interpreting IPv4-mapped IPv6 addresses

In November 2022, our bug bounty program received a critical and very interesting report. The report stated that certain types of DNS records could be used to bypass some of our network policies and connect to ports on the loopback address (e.g. 127.0.0.1) of our servers. This post will explain how we dealt with the report, how we fixed the bug, and the outcome of our internal investigation to see if the vulnerability had been previously exploited.

RFC 4291 defines ways to embed an IPv4 address into IPv6 addresses. One of the methods defined in the RFC is to use IPv4-mapped IPv6 addresses, that have the following format:

   |                80 bits               | 16 |      32 bits        |
   +--------------------------------------+--------------------------+
   |0000..............................0000|FFFF|    IPv4 address     |
   +--------------------------------------+----+---------------------+

In IPv6 notation, the corresponding mapping for 127.0.0.1 is ::ffff:127.0.0.1 (RFC 4038)

The researcher was able to use DNS entries based on mapped addresses to bypass some of our controls and access ports on the loopback address or non-routable IPs.

This vulnerability was reported on November 27 to our bug bounty program. Our Security Incident Response Team (SIRT) was contacted, and incident response activities Continue reading

NTT, Palo Alto partner for managed SASE with AIOps

A new offering from IT services provider NTT combines Palo Alto Networks' Prisma SASE offering with NTT's managed network services and AIOps infrastructure.SASE – secure access service edge – has been gaining interest for its potential to reduce networking complexity while improving security. It combines SD-WAN with security services, including secure web access gateway (SWG), cloud access security broker (CASB), zero-trust network access (ZTNA), and firewall-as-a-service (FWaaS), in a single, cloud-delivered service model.To read this article in full, please click here

NTT, Palo Alto partner for managed SASE with AIOps

A new offering from IT services provider NTT combines Palo Alto Networks' Prisma SASE offering with NTT's managed network services and AIOps infrastructure.SASE – secure access service edge – has been gaining interest for its potential to reduce networking complexity while improving security. It combines SD-WAN with security services, including secure web access gateway (SWG), cloud access security broker (CASB), zero-trust network access (ZTNA), and firewall-as-a-service (FWaaS), in a single, cloud-delivered service model.To read this article in full, please click here

EU Analyst: The End of the Internet Is Near

The internet as we know it may no longer be a thing, warns a European Union-funded researcher. If it continues to fray, our favorite “network of networks” will just go back to being a bunch of networks again. And it will be the fault of us all. “The idea of an open and global internet is progressively deteriorating and the internet itself is changing,” writes Internet Fragmentation: Why It Matters for Europe” posted Tuesday by the

What is a virtual network

A computer network as we usually visualize it involves various cables (Ethernet, fiber optic, coaxial) connecting to appliances like routers and switches, which direct data packets where they need to go.The rise of Wi-Fi and cellular data networks have replaced some of those wires with wireless signals, but even radio waves are in the realm of the physical, and they connect back to cell towers or Wi-Fi access points.In the seven-layer OSI network reference model, all of that network equipment, processing, and communication occupies the lowest three layers: Level 3 (the network), Level 2 (the data link), and Level 1 (the physical layer).To read this article in full, please click here

Enterprises turn to single-vendor SASE for ease of manageability

Before the start of the Covid epidemic, a traditional WAN architecture with centralized security worked well for Village Roadshow. "Advanced security inspection services can be applied, firewalls can provide separation, and a demilitarized zone can be implemented," said Michael Fagan, chief transformation officer at Village Roadshow, the largest theme park owner in Australia.But it required backhauling traffic from remote sites to a data center or hub for security inspection, which can hurt application performance, create a poor user experience, and cost the company in productivity, he said.When the pandemic led the company to transition to a hybrid workforce, with most people working from home or from a remote site, it prompted Village Roadshow to rethink its network and security approach.To read this article in full, please click here

1 356 357 358 359 360 3,841