6 Years Creating Content for You

Hello my friend,

Typically on this date, June the 5th we celebrate the birthday of our company, Karneliuk.com. It started with a blog back in 2016 and since then we are constantly creating, what we believe is, interesting and useful educational content in the area of network technologies and network automation. We thank you a lot for being with us all this time!

Technically, we started blog earlier than June the 5th, but on that date we published our first blogpost about interconnecting Cisco IOS XR and Nokia SR OS VMs, which defined the course of the blog and the direction for the company – multivendorness. We breath multivendor network technologies every day in heterogeneous networks, which our team support for our companies and customers daily. And we build multivendor network automation to unleash the true potential of networks and IT systems being an enabler for applications and user services, rather than an obstacle draining time and money of organizations.

So, what have we done in the past twelve months? Let’s take a look.

Our Own Prometheus Exporter

One of the interesting experiences we’ve obtained in the software development was the development of Prometheus exporter to report trace Continue reading

Cloudflare observations of Confluence zero day (CVE-2022-26134)

Cloudflare observations of Confluence zero day (CVE-2022-26134)

On 2022-06-02 at 20:00 UTC Atlassian released a Security Advisory relating to a remote code execution (RCE) vulnerability affecting Confluence Server and Confluence Data Center products. This post covers our current analysis of this vulnerability.

When we learned about the vulnerability, Cloudflare’s internal teams immediately engaged to ensure all our customers and our own infrastructure were protected:

  • Our Web Application Firewall (WAF) teams started work on our first mitigation rules that were deployed on 2022-06-02 at 23:38 UTC for all customers.
  • Our internal security team started reviewing our Confluence instances to ensure Cloudflare itself was not impacted.

What is the impact of this vulnerability?

According to Volexity, the vulnerability results in full unauthenticated RCE, allowing an attacker to fully take over the target application.

Active exploits of this vulnerability leverage command injections using specially crafted strings to load a malicious class file in memory, allowing attackers to subsequently plant a webshell on the target machine that they can interact with.

Once the vulnerability is exploited, attackers can implant additional malicious code such as Behinder; a custom webshell called noop.jsp, which replaces the legitimate noop.jsp file located at Confluence root>/confluence/noop.jsp; and another open source webshell called Continue reading

IS-IS Area proxy (WIP)

Introduction

Following up on the last post, we will explore IS-IS Area Proxy in this post. The main goal of the IS-IS Area proxy is to provide abstraction by hiding the topology. Looking at our toy topology, we see that we have fabrics connected, and the whole network is a single flat level-2 flooding domain. The edge nodes are connected at the ends, transiting multiple fabrics, and view all the nodes in the topology. Flooding Topology

Now assume that we are using a router with a radix of 32x100G and want to deploy three-level Fat-Tree(32,3). For a single fabric, we will have 1280 nodes, 512 leaf Nodes, providing a bandwidth of 819T. If we deploy ten instances of this fabric, we are looking at a topology size greater than >12k Nodes. This is a lot for any IGP to handle. This inflation of Nodes (and links) is coming from deploying this sort of dense topology to provide more bandwidth and directly impacts IGP scaling in terms of Flooding, LSDB size, SPF runtimes, and frequency of SPF run.

Referring back to our toy topology, if we look from the edge node’s perspective, they use these fabrics as transit, and if we can Continue reading

Cisco CyberOps Associate

Information Security was one of the fields that Cisco systems used to, and still heavily participating.

Now a days not just information security, but cyber security as well, is a field that Cisco is going in and training many

of their engineers to profession.

Information Security vs. Cyber Security

The main difference summarizes the concept of both the domains, that is for information security, it is mainly

About securing the network components and assets from unauthorized access starting from physical access

Towards the control access, and by that it means accessing the nodes controlling the network, and affecting it.

Cyber security on the other hand is about protecting the same components from attacks, inside and outside attacks.

The attacks aim is usually either stealing sensitive data, or sabotage network components, or sometimes “both”.

Cisco’s role in the fields

Information Security wise, or IT Security wise, Cisco have been there for years, and they’ve been famous for their IT Security programs including the old obsolete CCNA Security, and the CCNP/CCIE Security programs that are still valid and refreshing till now a day.

Cyber Security wise, Cisco have evolved and developed their programs to present the CyberOps programs that includes the:

Heavy Networking 633: Building DPU Apps With NVIDIA DOCA (Sponsored)

In today's Heavy Networking podcast, sponsored by NVIDIA, we explore DOCA on Bluefield DPUs. DOCA is a runtime operating system on the DPU including tools for provisioning, deploying, and orchestrating containerized services. It's also an SDK to supports a range of operating systems and distributions and includes drivers, libraries, and tools. Our guests are Justin Betz and Wes Kennedy, both Technical Marketing Engineers with NVIDIA.

Heavy Networking 633: Building DPU Apps With NVIDIA DOCA (Sponsored)

In today's Heavy Networking podcast, sponsored by NVIDIA, we explore DOCA on Bluefield DPUs. DOCA is a runtime operating system on the DPU including tools for provisioning, deploying, and orchestrating containerized services. It's also an SDK to supports a range of operating systems and distributions and includes drivers, libraries, and tools. Our guests are Justin Betz and Wes Kennedy, both Technical Marketing Engineers with NVIDIA.

The post Heavy Networking 633: Building DPU Apps With NVIDIA DOCA (Sponsored) appeared first on Packet Pushers.

The Final Frontier: Talking Exascale With Oak Ridge’s Jeff Nichols

Just ahead of the revelations about the feeds and speeds of the “Frontier” supercomputer at Oak Ridge National Laboratory concurrent with the International Supercomputing conference in Hamburg, Germany and the concurrent publishing of the summer Top500 rankings of supercomputers, we had a chat with Jeff Nichols, who has steered the creation of successive generations of supercomputers at Oak Ridge.

The Final Frontier: Talking Exascale With Oak Ridge’s Jeff Nichols was written by Timothy Prickett Morgan at The Next Platform.

Weekend Reads 060322

This edition of weekend reads begins with a few straight security stories of interest. I knew key loggers existed in the wild, but the logging of keystrokes before a web form is submitted is apparently a lot more common than I realized—


They found that 1,844 websites gathered an EU user’s email address without their consent, and a staggering 2,950 logged a US user’s email in some form. Many of the sites seemingly do not intend to conduct the data-logging but incorporate third-party marketing and analytics services that cause the behavior.

Illustrating that security is often a game of “whack-a-mole,” web skimmers are obfuscating their operation—


Microsoft security researchers recently observed that web skimming campaigns now employ various obfuscation techniques to deliver and hide skimming scripts.

Identity is fraught with problems even in the real world; just as people used to carry “letters of introduction” with them when they moved to a new area or started a new job, identity is often a matter of transitive trust. How to replicate transitive trust in the digital world is still a problem, but it’s also the foundation of decentralized systems—


The central thesis of the decentralized future is that I should be Continue reading

The Tyranny of Technical Debt, Numerically

A Candlestick Phone (image courtesy of WIkipedia)

This week on the Gestalt IT Rundown, I talked about the plan by Let’s Encrypt to reuse some reserved IP address space. I’ve talked about this before and I said it was a bad idea then for a lot of reasons, mostly related to the fact that modern operating systems are coded not to allow 240/4 as a valid address space, for example. Yes, I realize that when the address space was codified back in the early days of the Internet that decisions were made to organize things and we “lost” a lot of addresses for experimental reasons. However, this is not the only time this has happened. Nor is it the largest example. For that, we need to talk about the device that you’re very likely reading this post on right now: your phone.

By the Numbers

We’re going to be referring to the North American Numbering Plan (NANP) in this post, so my non-US readers are going to want to click that link to understand how phone numbering works in the US. The NANP was devised back in the 1940s by AT&T as a way to assign numbers to the Continue reading

What Is Zero Trust Data Protection?

As cyberattacks continue to escalate; companies grow their use of tech services outside of their network perimeters and the government and other organizations work with ever more sensitive personal, corporate, and government data, there is increasing adoption of zero trust data protection. So, What Is Zero Trust Data Protection? Zero trust data protection is a security methodology that includes a framework of technologies and best practices that an organization needs to define and adopt across their IT environments over time, explained Steve Malone, Sumo Logic director of security product. “It’s the culmination of something that’s been happening in security over the last 20 years, which is the perimeter is not the point of enforcement anymore because of the way that technology works today.” Interest in operating in a zero trust data protection environment has gained plenty of interest in the last few years, according to Michael Gorelik,

Who is selling Zero Trust Network Access (ZTNA) and what do you get?

The last few years have seen an explosion of interest in Zero Trust Network Access (ZTNA). The zero trust approach replaces the perimeter defense model with a "least privilege" framework where users authenticate to access specific data and applications, and their activities are continuously monitored.ZTNA gained a boost in the wake of the COVID-19 pandemic, with more employees working remotely. The old perimeter defense model, exemplified by VPNs, provides a secured internet connection that gives remote users privileges as if they were on an internal private network. This doesn't match up with a zero trust mindset; and to make things worse, many organizations found that their infrastructure couldn't handle the traffic loads created by large numbers of remote workers connecting via VPN. To read this article in full, please click here

Who is selling Zero Trust Network Access (ZTNA) and what do you get?

Enterprise interest in Zero Trust Network Access (ZTNA) has soared over the past two years among organizations trying to enable secure anywhere, anytime, any device access to IT resources for employees, contractors and third parties.Much of this interest has stemmed from organizations looking to replace VPNs as the primary remote access mechanism to their networks and data. But it is also being driven by organizations seeking to bolster security in an environment where enterprise data is scattered across on-premises and multi-cloud environments, and being accessed in more ways than ever before.To read this article in full, please click here

Who is selling Zero Trust Network Access (ZTNA) and what do you get?

Enterprise interest in Zero Trust Network Access (ZTNA) has soared over the past two years among organizations trying to enable secure anywhere, anytime, any device access to IT resources for employees, contractors and third parties.Much of this interest has stemmed from organizations looking to replace VPNs as the primary remote access mechanism to their networks and data. But it is also being driven by organizations seeking to bolster security in an environment where enterprise data is scattered across on-premises and multi-cloud environments, and being accessed in more ways than ever before.To read this article in full, please click here

Connecting to your Linux system with your Android phone

While using your cell phone to connect to your Linux system might not seem like much of a priority, it is possible and you might have a good reason to do this from time to time. If you have an Android cell phone, you can install a tool that will allow you to connect, open a terminal session on your Linux box and run commands just like you would if you were sitting in front of the system. Well, almost.The tool that I recommend is called JuiceSSH. It installs easily and leaves an icon with an image of a lemon with its name below it on your screen. Click on that icon and select Quick Connect to set up your connection.To read this article in full, please click here

Connecting to your Linux system with your Android phone

While using your cell phone to connect to your Linux system might not seem like much of a priority, it is possible and you might have a good reason to do this from time to time. If you have an Android cell phone, you can install a tool that will allow you to connect, open a terminal session on your Linux box and run commands just like you would if you were sitting in front of the system. Well, almost.The tool that I recommend is called JuiceSSH. It installs easily and leaves an icon with an image of a lemon with its name below it on your screen. Click on that icon and select Quick Connect to set up your connection.To read this article in full, please click here

Cloudflare customers are protected from the Atlassian Confluence CVE-2022-26134

Cloudflare customers are protected from the Atlassian Confluence CVE-2022-26134
Cloudflare customers are protected from the Atlassian Confluence CVE-2022-26134

On June 02, 2022 Atlassian released a security advisory for their Confluence Server and Data Center applications, highlighting a critical severity unauthenticated remote code execution vulnerability. The vulnerability is as CVE-2022-26134 and affects Confluence Server version 7.18.0 and all Confluence Data Center versions >= 7.4.0.

No patch is available yet but Cloudflare customers using either WAF or Access are already protected.

Our own Confluence nodes are protected by both WAF and Access, and at the time of writing, we have found no evidence that our Confluence instance was exploited.

Cloudflare reviewed the security advisory, conducted our own analysis, and prepared a WAF mitigation rule via an emergency release. The rule, once tested, was deployed on June 2, 2022, at 23:38 UTC with a default action of BLOCK and the following IDs:

  • 100531 (for our legacy WAF)
  • 408cff2b  (for our new WAF)

All customers using the Cloudflare WAF to protect their self-hosted Confluence applications have automatically been protected since the new rule was deployed.

Customers who have deployed Cloudflare Access in front of their Confluence applications were protected from external exploitation attempts even before the emergency release. Access verifies every request made to a Confluence application to Continue reading

The Path the Resolverless DNS

Telecommunications infrastructure is not isolated from the world of politics, and its not just limited to pronoucments of who can provide 5G networks in various countries. The world of undersea cables is similarly being shaped by these same political tensions, and this is clearly evident in the western Pacific Ocean.
1 494 495 496 497 498 3,841