0

Zero Trust client sessions

Starting today, you can build Zero Trust rules that require periodic authentication to control network access. We’ve made this feature available for years for web-based applications, but we’re excited to bring this level of granular enforcement to TCP connections and UDP flows.

We’re excited to announce that Zero Trust client-based sessions are now generally available. During CIO Week in 2021, we announced the beta program for this feature. We incorporated feedback from early users into the generally available version. In this post, I will revisit why Zero Trust client-based sessions are important, how the feature works and what we learned during the beta.

Securing traffic with Sessions

We built Zero Trust client-based sessions to enhance the security of Cloudflare’s Zero Trust Network Access (ZTNA). The Zero Trust client is software that runs on a user machine and forwards all traffic from the machine to Cloudflare before it is sent over the Internet. This includes traffic bound for internal IPs and hostnames that typically house sensitive business applications. These sensitive applications were traditionally accessed using a VPN. Unlike VPNs, Cloudflare’s ZTNA allows administrators to set granular policies about who can access a specific resource. The only piece missing was that once Continue reading

0

Introducing SSH command logging

SSH (Secure Shell Protocol) is an important protocol for managing remote machines. It provides a way for infrastructure teams to remotely and securely manage their fleet of machines. SSH was a step-up in security from other protocols like telnet. It ensures encrypted traffic and enforces per user controls over access to a particular machine. However, it can still introduce a significant security risk. SSH, especially root access, is destructive in the wrong hands (think rm -r *) and can be difficult to track. Logging and securing user actions via SSH typically requires custom development or restrictive software deployments. We’re excited to announce SSH command logging as part of Cloudflare Zero Trust.

Securing SSH access

Security teams put significant effort into securing SSH across their organization because of the negative impact it can have in the wrong hands. Traditional SSH security consists of strong authentication, like certificate based authentication, and tight controls on who has “root” access. Additionally, VPNs and IP allow lists are used to further protect a machine from being publicly accessible to the Internet. The security challenges that remain are visibility and potential for lateral movement.

SSH commands to a remote machine are end-to-end encrypted, which means Continue reading

0

Cloudflare partners with Microsoft to protect joint customers with a Global Zero Trust Network

As a company, we are constantly asking ourselves what we can do to provide more value to our customers, including integrated solutions with our partners. Joint customers benefit from our integrations below with Azure Active Directory by:

First, centralized identity and access management via Azure Active Directory which provides single sign-on, multifactor authentication, and access via conditional authentication.

Second, policy oriented access to specific applications using Cloudflare Access—a VPN replacement service.

Third, an additional layer of security for internal applications by connecting them to Cloudflare global network and not having to open them up to the whole Internet.

Let’s step back a bit.

Why Zero Trust?

Companies of all sizes are faced with an accelerating digital transformation of their IT stack and an increasingly distributed workforce, changing the definition of the security perimeter. We are moving away from the castle and moat model to the whole Internet, requiring security checks for every user accessing every resource. As a result, all companies, especially those whose use of Azure’s broad cloud portfolio is increasing, are adopting Zero Trust architectures as an essential part of their cloud and SaaS journey.

Cloudflare Access provides secure access to Azure hosted applications and Continue reading

0

A bridge to Zero Trust

Cloudflare One enables customers to build their corporate networks on a faster, more secure Internet by connecting any source or destination and configuring routing, security, and performance policies from a single control plane. Today, we’re excited to announce another piece of the puzzle to help organizations on their journey from traditional network architecture to Zero Trust: the ability to route traffic from user devices with our lightweight roaming agent (WARP) installed to any network connected with our Magic IP-layer tunnels (Anycast GRE, IPsec, or CNI). From there, users can upgrade to Zero Trust over time, providing an easy path from traditional castle and moat to next-generation architecture.

The future of corporate networks

Customers we talk to describe three distinct phases of architecture for their corporate networks that mirror the shifts we’ve seen with storage and compute, just with a 10 to 20 year delay. Traditional networks (“Generation 1”) existed within the walls of a datacenter or headquarters, with business applications hosted on company-owned servers and access granted via private LAN or WAN through perimeter security appliances. As applications shifted to the cloud and users left the office, companies have adopted “Generation 2” technologies like SD-WAN Continue reading

0

Managing Clouds – Cloudflare CASB and our not so secret plan for what’s next

Last month we introduced Cloudflare’s new API–driven Cloud Access Security Broker (CASB) via the acquisition of Vectrix. As a quick recap, Cloudflare’s CASB helps IT and security teams detect security issues in and across their SaaS applications. We look at both data and users in SaaS apps to alert teams to issues ranging from unauthorized user access and file exposure to misconfigurations and shadow IT.

I’m excited to share two updates since we announced the introduction of CASB functionality to Cloudflare Zero Trust. First, we’ve heard from Cloudflare customers who cannot wait to deploy the CASB and want to use it in more depth. Today, we’re outlining what we’re building next, based on that feedback, to give you a preview of what you can expect. Second, we’re opening the sign-up for our beta, and I’m going to walk through what will be available to new users as they are invited from the waitlist.

What’s next in Cloudflare CASB?

The vision for Cloudflare’s API–driven CASB is to provide IT and security owners an easy-to-use, one-stop shop to protect the security of their data and users across their fleet of SaaS tools. Our goal is to make sure any IT or security Continue reading

0

DDR5 memory is coming soon. Here’s why it matters.

This year, server vendors will begin shifting to a new form of memory, Double Data Rate version 5, or DDR5 for short. With its improved performance, it will be very appealing in certain use cases, like virtualization and artificial intelligence. We’ll get to that in a minute.The DDR spec has been developed by the Joint Electronic Device Engineering Council since 2001, and with each iteration the spec supports faster speed and lower power draw. This holds true for DDR5. [ Get regularly scheduled insights by signing up for Network World newsletters. ]To read this article in full, please click here

0

DDR5 memory is coming soon. Here’s why it matters.

This year, server vendors will begin shifting to a new form of memory, Double Data Rate version 5, or DDR5 for short. With its improved performance, it will be very appealing in certain use cases, like virtualization and artificial intelligence. We’ll get to that in a minute.The DDR spec has been developed by the Joint Electronic Device Engineering Council since 2001, and with each iteration the spec supports faster speed and lower power draw. This holds true for DDR5. [ Get regularly scheduled insights by signing up for Network World newsletters. ]To read this article in full, please click here

0

What is MPLS, and why isn’t it dead yet?

Did you ever order something online from a distant retailer and then track the package as it makes strange and seemingly illogical stops all over the country?That’s similar to the way IP routing on the Internet works. When an internet router receives an IP packet, that packet carries no information beyond a destination IP address. There is no instruction on how that packet should get to its destination or how it should be treated along the way.Each router has to make an independent forwarding decision for each packet based solely on the packet’s network-layer header. Thus, every time a packet arrives at a router, the router has to “think through” where to send the packet next. The router does this by referring to complex routing tables.To read this article in full, please click here

0

How to use the clamscan tool: 2-Minute Linux Tips

In this Linux tip, we’re going to look at clamav. It's a free and open source tool that lets you scan for viruses on Linux.

0

Video: Kubernetes Networking Model

After describing the Kubernetes architecture in the introductory part of the excellent Kubernetes Networking Deep Dive webinar, Stuart Charlton focused on what matters most to networking engineers: Kubernetes networking model.

0

Video: Kubernetes Networking Model

After describing the Kubernetes architecture in the introductory part of the excellent Kubernetes Networking Deep Dive webinar, Stuart Charlton focused on what matters most to networking engineers: Kubernetes networking model.

0

Capturing Bird Photos

Continuing from the previous post which I have set up to install a bird feeder, I have mentioned that I would install a camera based on the https://mynaturewatch.net/daylight-camera-instructions project and I did install it, this took some really good photos and would like to share some of them.

Few points:

• The battery that I used is a 10000mAh power-bank and it lasted for 2-3 days
• The box that I used is a baby food box and I nailed them to the boundary wooden poles from inside.

• This Bird Feeder is not the one I 3d Printed, this is an old bird feeder that someone gave it to me

Glad to see these pics, many more to come with Idea to install and make it sustain through solar power

-Rakesh

0

Defense in depth with Calico Cloud

Last month, we announced the launch of our active cloud-native application runtime security. Calico Cloud’s active runtime security helps security teams secure their containerized workloads with a holistic approach to threat detection, prevention, and mitigation.

As security teams look to secure these workloads, it’s also critical that they employ a defense-in-depth strategy. Calico Cloud’s active runtime security can detect, prevent, and mitigate threats across the entire cyber kill chain for containerized workloads.

What is the cyber kill chain?

The cyber kill chain is a framework used to track the steps a threat actor might take as they attempt to execute a cyber attack on your organization. The cyber kill chain was originally developed by Lockheed Martin to adapt the military concept that details the structure of an attack for cybersecurity threats. Today, this framework is used by security teams from a wide range of organizations to understand and respond to cybersecurity threats.

The Lockheed Martin cyber kill chain consists of seven stages:

• Reconnaissance: An attacker assesses potential targets and tactics for an attack
• Weaponization: An attacker prepares the attack by obtaining or setting up the appropriate infrastructure
• Delivery: An attacker launches their attack
• Exploitation: An attacker gains access to their Continue reading

0

Liqid Launches Its Own Systems, Chases AI And HPC

To hardware or not to hardware, that is a real question for vendors peddling all kinds of software in the datacenter. …

Liqid Launches Its Own Systems, Chases AI And HPC was written by Timothy Prickett Morgan at The Next Platform.

0

5G smartphones sales top 4G, but don’t expect network deployment to speed up

For the first time, 5G-capable smartphones outsold 4G/LTE devices in global monthly sales in January 2022, as demand for 5G upgrades reached its highest point yet, according to a report issued by Counterpoint Research.The upward trend of 5G smartphone sales has been accelerating for some time, and Counterpoint's report said that Western Europe and North America's proportion of 5G sales has reached 76% and 73%, respectively.According to Gartner director analyst Bill Menezes, recent gains in 5G smartphone sales have been fueled in large part by device upgrade cycles."You're starting to get 5G phones sold by default, as people upgrade on a two- or three-year cycle," he said. "From what I've seen on some of the carrier sites, there's some midrange or cheaply priced 5G phones out there, so even users who don't want to pay $1,000 for a 5G phone can get one."To read this article in full, please click here

0

Luminous Shines A Light On Optical Architecture For Future AI Supercomputer

It is not every day when we hear about a new supercomputer maker with a new architecture, but it is looking like Luminous Computing, a silicon photonics startup that has been pretty secretive about what it was up to, is going to be throwing its homegrown architecture into the ring. …

Luminous Shines A Light On Optical Architecture For Future AI Supercomputer was written by Jeffrey Burt at The Next Platform.

0

Evolving Machine Learning to stop mobile bots

When we launched Bot Management three years ago, we started with the first version of our ML detection model. We used common bot user agents to train our model to identify bad bots. This model, ML1, was able to detect whether a request is a bot or a human request purely by using the request’s attributes. After this, we introduced a set of heuristics that we could use to quickly and confidently filter out the lowest hanging fruit of unwanted traffic. We have multiple heuristic types and hundreds of specific rules based on certain attributes of the request, many of which are very hard to spoof. But machine learning is a very important part of our bot management toolset.

We started with a static model because we were starting from scratch, and we were able to experiment quickly with aggregated HTTP analytics metadata. After we launched the model, we quickly gathered feedback from early bot management customers to identify where we performed well but also how we could improve. We saw attackers getting smart, and so we generated a new set of model features. Our heuristics were able to accurately identify various types of bad bots giving us much better Continue reading

0

AWS commits to two year, £1.8B data centre investment in the UK

Amazon Web Services (AWS) has committed to invest £1.8 billion (US$2.4 billion) in the UK over the next two years as it looks to expand its presence in the region.The investment hinges on a commitment to spend “more than £1.8 billion in the next two years building and operating data centres in the UK in order to meet the growing needs of our customers and to help strengthen the UK’s digital infrastructure,” the cloud vendor announced.AWS has had a presence in the UK since it launched a London region in December 2016, which now extends to three availability zones and various edge locations.To read this article in full, please click here

0

If You Want To Maximize Enterprise AI, Don’t Just Focus On GPUs

Paid Post There’s no doubt that the repurposing of GPU silicon has accelerated the development of artificial intelligence technology over the last decade. …

If You Want To Maximize Enterprise AI, Don’t Just Focus On GPUs was written by David Gordon at The Next Platform.

0

New Return-To-Office Policies

The following post originally appeared in Human Infrastructure, a weekly newsletter from the Packet Pushers. You can sign up and see every back issue here. Earlier this year, Google spent a billion dollars on office space in London. As the company orders employees back to its campuses, it’s also restarting amenities “such as cafes, restaurants, […]

The post New Return-To-Office Policies appeared first on Packet Pushers.