WAF mitigations for Spring4Shell

A set of high profile vulnerabilities have been identified affecting the popular Java Spring Framework and related software components - generally being referred to as Spring4Shell.

Four CVEs have been released so far and are being actively updated as new information emerges. These vulnerabilities can result, in the worst case, in full remote code execution (RCE) compromise:

Customers using Java Spring and related software components, such as the Spring Cloud Gateway, should immediately review their software and update to the latest versions by following the official Spring project guidance.

The Cloudflare WAF team is actively monitoring these CVEs and has already deployed a number of new managed mitigation rules. Customers should review the rules listed below to ensure they are enabled while also patching the underlying Java Spring components.

CVE-2022-22947

A new rule has been developed and deployed for this CVE with an emergency release on March 29:

Managed Rule Spring - CVE:CVE-2022-22947

WAF rule ID: e777f95584ba429796856007fbe6c869
Legacy rule ID: 100522

Note that the above rule is disabled by Continue reading

The Evolution to Service-Based Networking

At first glance, it seems clear that the cloud era has fundamentally changed the way we think about networking. We’re now operating outside defined perimeters, and networks can span multiple data centers or clouds. But has networking really changed all that much from the days when everything lived in on-premises data centers? Peter McCarron Peter is a senior product marketing manager for Consul at HashiCorp and based in San Francisco. If he's not studying the best way to discover and manage microservices or talking about cloud-based networking, you'll likely find him discovering real clouds in the great outdoors. After all, it’s still all about establishing consistent connectivity and enforcing security policies. So why does everything seem so different and complicated when it comes to the cloud? To better understand the evolution to modern networking, it’s important to step back and identify the core workflows that have defined those changes, including: Discovering services Securing networks Automating networking tasks Controlling access In this article, we will walk through each of these workflows and talk about how they are combined to achieve a modern service-based networking solution. Since I work at HashiCorp, I’m going to use

The AC/DC Conundrum

Simply put: DC power is a ‘cleaner’ energy source. Traditional AC distribution generates energy waste and requires more work to be functional in a data center.

What is Storm Control?

Storm control is a feature for monitoring traffic levels and dropping broadcast, multicast, and unknown unicast packets, which is commonly known as BUM Traffic, and when a specified traffic level, referred to as the storm control level or storm control bandwidth is exceeded, limiting the traffic to protect the Local Area Network environment. In this blog post, we will try to understand the basics of it.

Storm Control Broadcast Level

Although the Storm Control feature is mainly used for Broadcast, we should configure it to protect from unnecessarily used Multicast and Unknown Unicast packets. There can be bugs in the software or hardware or due to the mis-cabling or configuration, if any of the above traffic exceeds the limit that we specify, traffic should be blocked. We need to understand some terminologies if we want to understand Storm control and its usage on Network Switch.

In the above configuration, we will show not only for Broadcast but also for Multicast and Unknown Unicast threshold levels on the Cisco switches.

Cisco Storm Control

Let’s have a look at how Storm Control is used in Cisco switch and let’s learn some new terminologies.

interface GigabitEthernet0/0
 storm-control broadcast level bps 100k 90k
  Continue reading

Why Wi-Fi 6’s Time is Now

With the high data rates, low latency, and high network density that Wi-Fi 6 offers, it is ideal for applications that need high throughput as well as for those needing to support a large number of connected devices.

Future-proofing SaltStack

At Cloudflare, we are preparing the Internet and our infrastructure for the arrival of quantum computers. A sufficiently large and stable quantum computer will easily break commonly deployed cryptography such as RSA. Luckily there is a solution: we can swap out the vulnerable algorithms with so-called post-quantum algorithms that are believed to be secure even against quantum computers. For a particular system, this means that we first need to figure out which cryptography is used, for what purpose, and under which (performance) constraints. Most systems use the TLS protocol in a standard way, and there a post-quantum upgrade is routine. However, some systems such as SaltStack, the focus of this blog post, are more interesting. This blog post chronicles our path of making SaltStack quantum-secure, so welcome to this adventure: this secret extra post-quantum blog post!

SaltStack, or simply Salt, is an open-source infrastructure management tool used by many organizations. At Cloudflare, we rely on Salt for provisioning and automation, and it has allowed us to grow our infrastructure quickly.

Salt uses a bespoke cryptographic protocol to secure its communication. Thus, the first step to a post-quantum Salt was to examine what the protocol was actually doing. In Continue reading

Zero trust requires network visibility

In a zero-trust environment, trust is not static. Behavior has to be visible for trust to persist.One of the most important differences between old thinking on networking and the zero-trust mindset is the inversion of thinking on trust. Pre-ZT, the assumption was this: Once you get on the network, you are assumed to be allowed to use it any way you want until something extraordinary happens that forces IT to shut you down and remove your access. You are assumed broadly trustworthy, and confirming that status positively is very rare. It is also very rare to have that status revoked.To read this article in full, please click here

Zero trust requires network visibility

Is MPLS/VPN Too Complex?

Henk Smit made the following claim in one of his comments:

I think BGP-MPLS-VPNs are over-complicated. And you don’t get enough return for that extra complexity.

TL&DR: He’s right (and I just violated Betteridge’s law of headlines)

The history of how we got to the current morass might be interesting for engineers who want to look behind the curtain, so here we go…

Is MPLS/VPN Too Complex?

Henk Smit made the following claim in one of his comments:

I think BGP-MPLS-VPNs are over-complicated. And you don’t get enough return for that extra complexity.

TL&DR: He’s right (and I just violated Betteridge’s law of headlines)

The history of how we got to the current morass might be interesting for engineers who want to look behind the curtain, so here we go…

Aruba exec: Centralized policies, NaaS, segmentation are big

When it comes to hot networking topics what is really interesting right now is seeing how networking and security are evolving together in terms of WAN and cloud networking—at least for David Hughes, Aruba’s chief product and technology officer.In an interview from Aruba’s Atmosphere 2022 event, Hughes told Network World that idea of a network and security perimeter as is becoming outdated.SD-WAN buyers guide: Key questions to ask vendors “The idea that you use firewalls, especially next-gen firewalls, to have an outside and an inside, and everything inside is good and everything outside it’s bad—that idea is fast becoming obsolete,” Hughes said.To read this article in full, please click here

Will Open Compute Backing Drive SIOV Adoption?

Virtualization has been an engine of efficiency in the IT industry over the past two decades, decoupling workloads from the underlying hardware and thus allowing multiple workloads to be consolidated into a single physical system as well as moved around relatively easily with live migration of virtual machines. …

Will Open Compute Backing Drive SIOV Adoption? was written by Daniel Robinson at The Next Platform.

Nvidia CEO says he is open to using Intel for chip fabrication

The old saying “adversity makes for strange bedfellows” has been proven true, with Nvidia saying it is now willing to work with Intel’s foundry business to manufacture its chips.Nvidia CEO Jen-Hsun Huang dropped the news on a press call when he was asked . about diversifying the company’s supply chain, which relies on TSMC for its chip manufacturing, and TSMC is both overloaded with orders and in a politically unstable region of the world (Taiwan).Huang said his company realized it needed more resilience going forward, and so over the last couple years has added to the number of process nodes it uses, and is in more fabs than ever. “So we've expanded our supply chain, supply base, probably four-fold in the last two years,” Huang said.To read this article in full, please click here

Nvidia CEO says he is open to using Intel for chip fabrication

Day Two Cloud 140: Troubleshooting Cloud Outages With End-To-End Visibility (Sponsored)

On today’s sponsored Day Two Cloud episode with Cisco ThousandEyes, we discuss how to monitor what’s broken in public cloud services. With the right information, you can offer a nuanced, knowledgeable answer when executives want to know when the company’s crucial customer-facing app hosted on a bunch of cloud services is coming back online.

Set git behavior based on the repository path

I maintain a handful of git accounts at GitHub.com and on private git servers, and have repeated committed to a project using the wrong personality.

My early attempts to avoid this mistake involved scripts to set per-project git parameters, but I've found a more streamlined option.

The approach revolves around the file hierarchy in my home directory: Rather than dumping everything in a single ~/projects directory, they're now in ~/projects/personal, ~/projects/work, etc...

Whenever cloning a new project, or starting a new one, as long as I put it in the appropriate directory, git will chose the behaviors and identity appropriate for that project.

Here's how it works, with 'personal' and 'work' accounts at GitHub.com

1. Generate an SSH key for each account

Not strictly required, I guess, but I like the privacy-preserving angle of using different keys everywhere, so I do this as a matter of habit.

 ssh-keygen -t ed25519 -P '' -f ~/.ssh/work.github.com  
 ssh-keygen -t ed25519 -P '' -f ~/.ssh/personal.github.com

2. Add each public key to its respective GitHub account.

Use ~/.ssh/work.github.com.pub and ~/.ssh/personal.github.com.pub (note the .pub suffix).

Instructions here.

3. Continue reading

HS019 Questions on Corporate Technology Strategy

What makes a technology strategy ? Where do you start ? Are you business or solution centric ? Being a leader means risk and funding, being a follower is simpler and faster. What questions should you be asking when establishing an IT strategy ? Heavy Strategy is where the questions are more important than the... Read more »

HS019 Questions on Corporate Technology Strategy

The post HS019 Questions on Corporate Technology Strategy appeared first on Packet Pushers.

Do You Need SASE or Zero Trust Edge?

Zero Trust Edge provides a more holistic approach to security for those organizations that continue to have an on-premises component.

Global enterprise IoT market strong but faces challenges

The global enterprise IoT market grew by 22% to a total of $157.9 billion in 2021despite some adverse conditions labncluding labor and chip shortages, according to a study released today by Germany-based research firm IoT Analytics.That figure is slightly lower than the 24% that the company projected in previous reports, but it’s still a substantial rate of growth, and one that IoT Analytics expects will be sustained for the next five years, for a projected total market size of $525 billion by 2027.One of the main factors driving enterprise IoT growth below previous estimates was a shortage of skilled workers, according to the report. Businesses in 2021 had trouble finding enough IoT-conversant hires to move digital transformation and IoT projects forward, with job postings related to IoT growing by 41% between July 2021 and Mach 2022. The firm also cited other research, from Inmarsat, as saying that a paucity of in-house IoT knowledge is one of the key blockers to more widespread IoT deployment.To read this article in full, please click here

« Previous 1 … 539 540 541 542 543 … 3,841 Next »