New cities on the Cloudflare global network: March 2022 edition

If you follow the Cloudflare blog, you know that we love to add cities to our global map. With each new city we add, we help make the Internet faster, more reliable, and more secure. Today, we are announcing the addition of 18 new cities in Africa, South America, Asia, and the Middle East, bringing our network to over 270 cities globally. We’ll also look closely at how adding new cities improves Internet performance, such as our new locations in Israel, which reduced median response time (latency) from 86ms to 29ms (a 66% improvement) in a matter of weeks for subscribers of one Israeli Internet service provider (ISP).

The Cities

Without further ado, here are the 18 new cities in 10 countries we welcomed to our global network: Accra, Ghana; Almaty, Kazakhstan; Bhubaneshwar, India; Chiang Mai, Thailand; Joinville, Brazil; Erbil, Iraq; Fukuoka, Japan; Goiânia, Brazil; Haifa, Israel; Harare, Zimbabwe; Juazeiro do Norte, Brazil; Kanpur, India; Manaus, Brazil; Naha, Japan; Patna, India; São José do Rio Preto, Brazil; Tashkent, Uzbekistan; Uberlândia, Brazil.

Cloudflare’s ISP Edge Partnership Program

But let’s take a step back

DC Fabric Webinar

Sorry for the short notice … I’m teaching a three-hour webinar on DC fabrics and control planes this coming Friday, the 25th, through Safari Books Online. This course covers the basics of spine-and-leaf fabrics, as well as some high level information on various DC fabric control plane options (BGP, RIFT, and IS-IS). Please register here.

How to Pass AWS CLF

AWS CLF Exam

How to pass the Certified Cloud Practitioner from AWS, exam details and type, and what to expect

AWS CLF Exam Content & Topics

The exam agenda starts with the concept of cloud computing and how it differs from on-premise networks. It then covers the AWS services, which are more than enough to migrate a network to, or establish one on, AWS’s cloud, with all the facilities needed and fully or partially managed by AWS for you. Of course, everything comes at a price: AWS declares the prices of its services, what is free and what is not, and provides many easy tools for cost calculation and best practices with AWS.

Amazon’s Touch in the CLF Exam

Amazon provides a 12-month free tier to whoever creates an account with them for the first time. The account has free access to many AWS services, which allows for both studying and actually testing and benefiting from their services.

AWS CLF Exam Nature & Type

The current version of this exam, CLF-C01, has 65 written questions. All the questions are single- or multi-answer MCQs; there are no other types of questions

What is AWS CLF

Amazon Web Services (AWS) CLF or CCP, whichever you want to call it (CLF is the official exam and badge name), stands for Certified Cloud Practitioner; the current version is CLF-C01.

AWS CLF is the very first step for any engineer, regardless of their experience in the IT domain, to start understanding and take a first step into the world of cloud computing.

CLF with AWS Services

The exam/certificate focuses on many different aspects; some are shared with other AWS exams, some are CLF-focused.

This includes the concept of cloud computing and a comparison of many aspects of networking between on-premise networks and cloud networks.

It introduces AWS and how much of the on-premise service set AWS covers/offers on its cloud, ready to be directly initiated and used.

The most critical aspect of AWS when you decide to network on their infrastructure is “Billing”. This is a very important concept to really understand and know how to deal with when you start working with AWS networks.

Is AWS-CLF important?

Many tend to skip this exam and keep spreading the idea that “SAA is the Associate exam of AWS Services, and it should be the

NaaS adoption will thrive despite migration challenges

Network-as-a-service (NaaS) is gaining momentum, providing a subscription-based model that eliminates the need for enterprises to own, build, and maintain their own network infrastructure. By replacing conventional hardware-centric VPNs, firewall appliances, load balancers, and MPLS connections, NaaS technology promises adopters the ability to rapidly scale up and down in lockstep with demand while eliminating hardware costs and bolstering network security and service levels.

Using fail2ban on Fedora

The fail2ban tool in Linux monitors system logs for signs of attacks, putting offending systems into what is called "jail", and modifying firewall settings. It shows what systems are in jail at any given time, and requires root access to configure and view findings. It's generally used on Linux servers. fail2ban primarily focuses on SSH attacks, but can be configured to look for other kinds of attacks as well.

How to install fail2ban on Fedora 34

To prepare for installing fail2ban, it's a good idea to update the system first:

$ sudo dnf update && sudo dnf upgrade -y

Then install fail2ban and verify its presence on your system with commands like these:

What is IPv6, and why is adoption taking so long?

For the most part the dire warnings about running out of internet addresses have ceased because, slowly but surely, migration from the world of Internet Protocol Version 4 (IPv4) to IPv6 has begun, and software is in place to prevent the address apocalypse that many were predicting. But before we see where we are and where we’re going with IPv6, let’s go back to the early days of internet addressing.

What is IPv6 and why is it important?

IPv6 is the latest version of the Internet Protocol, which identifies devices across the internet so they can be located. Every device that uses the internet is identified through its own IP address in order for internet communication to work. In that respect, it’s just like the street addresses and zip codes you need to know in order to mail a letter.

Automating NSX-T Deployments

Nicholas Michel open-sourced an automation solution (video) that deploys the whole NSX-T infrastructure stack including:

  • NSX-T manager virtual machines
  • NSX-T uplink profiles and IP pools
  • Transport zones and transport nodes (NSX-T modules on ESXi hypervisors)
  • Edge clusters including BGP, EVPN and BFD

Once the infrastructure is set up, his solution uses a Terraform configuration file to deploy multiple tenants: external VLANs, tier-0 gateways, BGP neighbors, tier-1 gateways, and application segments.

While the infrastructure part of his solution might be fully reusable, the tenant deployments definitely aren’t, but they provide a great starting point if you decide to build a fully automated provisioning system.

Tools 9. Monitoring Availability of Customers via HTTP GET, ICMP, and DNS via Dockerised Prometheus

Hello my friend,

In the previous blogpost we started discussing how you can improve your customers’ experience in your network through better observability of the network health with Prometheus, by means of periodic automated speedtest and iperf3 measurements. Although that is very important and useful, it doesn’t tell you whether the customers’ or your own resources are available. By resource we mean any exposed service, such as a web page, a streaming service, etc. Today you will learn how to set up monitoring with Dockerised Prometheus so that you know for sure whether the services are available for customers.

Why to Automate Monitoring?

Monitoring makes you aware of the state of the resources you are interested in. At a bare minimum, you should be notified if the state of a resource deviates from the acceptable value and, therefore, crosses some threshold. At the same time, this is just the first step. The end goal

Unlocking QUIC’s proxying potential with MASQUE

In the last post, we discussed how HTTP CONNECT can be used to proxy TCP-based applications, including DNS-over-HTTPS and generic HTTPS traffic, between a client and target server. This provides significant benefits for those applications, but it doesn’t lend itself to non-TCP applications. And if you’re wondering whether or not we care about these, the answer is an affirmative yes!

For instance, HTTP/3 is based on QUIC, which runs on top of UDP. What if we wanted to speak HTTP/3 to a target server? That requires two things: (1) the means to encapsulate a UDP payload between client and proxy (which the proxy decapsulates and forwards to the target in an actual UDP datagram), and (2) a way to instruct the proxy to open a UDP association to a target so that it knows where to forward the decapsulated payload. In this post, we’ll discuss answers to these two questions, starting with encapsulation.

Encapsulating datagrams

While TCP provides a reliable and ordered byte stream for applications to use, UDP instead provides unreliable messages called datagrams. Datagrams sent or received on a connection are only loosely associated; each one is independent from a transport perspective. Applications that are built on top of

BGP communities for traffic steering – part 2: State Management across Data Centers

This post has been a while in the making and follows up on an article about BGP communities that can be found here. We then followed it up with some more discussion about FW design and placement, or lack thereof, on this podcast, which inspired me to finish up “part 2”.

Anyone who has ever had to run active/active data centers has come across the problem of how to manage state. You can:

Ignore it and prepare yourself for a late night at the worst time.

Take everyone’s word that systems will never have to talk to a system in a different security zone in the remote DC.

Utilize communities and BGP policy to manage state, which is what we’ll focus on here.

One of the biggest reasons we see for stretching a virtual routing and forwarding (vrf) is to move DC to DC flows of the same security zone below FWs. This reduces the load on the firewall and makes for easier rule management. However, it does introduce a state problem.

We’ll be using the smallest EVPN-multisite deployment you’ve ever seen with Nexus 9000v and Fortinet FWs.

Inter vrf intra data center

The first flow we’ll look

A Primer on Proxies

Traffic proxying, the act of encapsulating one flow of data inside another, is a valuable privacy tool for establishing boundaries on the Internet. Encapsulation has an overhead, and Cloudflare and our Internet peers strive to avoid turning it into a performance cost. MASQUE is the latest collaboration effort to design efficient proxy protocols based on IETF standards. We're already running these at scale in production; see our recent blog post about Cloudflare's role in iCloud Private Relay for an example.

In this blog post series, we’ll dive into proxy protocols.

To begin, let’s start with a simple question: what is proxying? In this case, we are focused on forward proxying — a client establishes an end-to-end tunnel to a target server via a proxy server. This contrasts with the Cloudflare CDN, which operates as a reverse proxy that terminates client connections and then takes responsibility for actions such as caching, security including WAF, load balancing, etc. With forward proxying, the details about the tunnel, such as how it is established and used, whether or not it provides confidentiality via authenticated encryption, and so on, vary by proxy protocol. Before going into specifics, let’s start with one of the most common tunnels

Heavy Networking 622: Intel’s Smart Edge Brings The Cloud To The Edge (Sponsored)

In today’s sponsored Heavy Networking show with Intel, we dive into recent Intel silicon announcements that are impacting how networking services will be delivered in the years to come. The edge of the network is set to change thanks to modern CPUs that accelerate network functions including packet processing and security. Joining us is Intel's Jeni Panhorst, Vice President & General Manager, Network & Edge Platforms Division to talk about recent Intel announcements at Mobile World Congress and what it means for networking at the edge.

Domain Scoped Roles – Early Access

Today, Cloudflare is making it easier for enterprise account owners to manage their team’s access to Cloudflare by allowing user access to be scoped to sets of domains. Ensuring users have exactly the access they need and no more is critical, and Domain Scoped Roles provide a significant step forward. Additionally, with the introduction of Domain Groups, account owners can grant users access to domains by group instead of individually. Domains can be added or removed from these groups to automatically update the access of those who have access to the group. This reduces toil in managing user access.

One of the most common uses we have seen for Domain Scoped Roles is to limit access to production domains to a small set of team members, while still allowing development and pre-production domains to be open to the rest of the team. That way, someone can’t make changes to a production domain unless they are given access.

How to use Domain Scoped Roles

If you are an enterprise customer please talk with your CSM to get you and your team enrolled. Note that you must have Super Administrator privileges to be able to modify account memberships.

Once the beta has

Securing Cloudflare Using Cloudflare

When a new security threat arises — a publicly exploited vulnerability (like log4j) or the shift from corporate-controlled environments to remote work or a potential threat actor — it is the Security team’s job to respond to protect Cloudflare’s network, customers, and employees. And as security threats evolve, so should our defense system. Cloudflare is committed to bolstering our security posture with best-in-class solutions — which is why we often turn to our own products as any other Cloudflare customer would.

We’ve written about using Cloudflare Access to replace our VPN, Purpose Justification to create granular access controls, and Magic + Gateway to prevent lateral movement from in-house. We experience the same security needs, wants, and concerns as security teams at enterprises worldwide, so we rely on the same solutions as the Fortune 500 companies that trust Cloudflare for improved security, performance, and speed. Using our own products is embedded in our team’s culture.

Security Challenges, Cloudflare Solutions

We’ve built the muscle to think Cloudflare-first when we encounter a security threat. In fact, many security problems we encounter have a Cloudflare solution.

  • Problem: Remote work creates a security blind spot of remote devices and networks.
  • Solution:

Using Cloudflare One to Secure IoT Devices

There is probably an insecure device with an exploitable vulnerability sitting in your house. And your office. And probably even your child’s school. Cameras, printers, speakers, access control readers, thermostats, even heart monitors... all of these devices are, or can be, Internet of Things (IoT) devices. These IoT devices are seamlessly integrated into our modern lives to improve efficiency and control of our environments — yet they are notoriously insecure. This is due to the constrained nature of device hardware and their limited computational capacity, which often lead to minimal access controls, hard-coded passwords, and an inability to patch remotely.

The reality of this threat can play out dramatically. Take, for example, the 2016 Mirai botnet attack, in which hackers exploited millions of IoT devices to become a large-scale botnet network capable of launching DDoS attacks that took down major portions of the Internet, including Twitter, the Guardian, and CNN. These types of attacks are hardly an infrequent occurrence. Cloudflare experienced this reality firsthand in March 2021, when one of our potential vendors for physical security cameras, Verkada, was compromised. The incident allowed a hacker to access Verkada's internal support tools to manage the cameras remotely, enabling them to