0

How to customize your layer 3/4 DDoS protection settings

After initially providing our customers control over the HTTP-layer DDoS protection settings earlier this year, we’re now excited to extend the control our customers have to the packet layer. Using these new controls, Cloudflare Enterprise customers using the Magic Transit and Spectrum services can now tune and tweak their L3/4 DDoS protection settings directly from the Cloudflare dashboard or via the Cloudflare API.

The new functionality provides customers control over two main DDoS rulesets:

1. Network-layer DDoS Protection ruleset — This ruleset includes rules to detect and mitigate DDoS attacks on layer 3/4 of the OSI model such as UDP floods, SYN-ACK reflection attacks, SYN Floods, and DNS floods. This ruleset is available for Spectrum and Magic Transit customers on the Enterprise plan.
2. Advanced TCP Protection ruleset — This ruleset includes rules to detect and mitigate sophisticated out-of-state TCP attacks such as spoofed ACK Floods, Randomized SYN Floods, and distributed SYN-ACK Reflection attacks. This ruleset is available for Magic Transit customers only.

To learn more, review our DDoS Managed Ruleset developer documentation. We’ve put together a few guides that we hope will be helpful for you:

1. Onboarding & getting started with Cloudflare DDoS protection
2. Handling false negatives
3. Handling false positives
4. Continue reading

0

Magic Firewall gets Smarter

Today, we're very excited to announce a set of updates to Magic Firewall, adding security and visibility features that are key in modern cloud firewalls. To improve security, we’re adding threat intel integration and geo-blocking. For visibility, we’re adding packet captures at the edge, a way to see packets arrive at the edge in near real-time.

Magic Firewall is our network-level firewall which is delivered through Cloudflare to secure your enterprise. Magic Firewall covers your remote users, branch offices, data centers and cloud infrastructure. Best of all, it’s deeply integrated with Cloudflare, giving you a one-stop overview of everything that’s happening on your network.

A brief history of firewalls

We talked a lot about firewalls on Monday, including how our firewall-as-a-service solution is very different from traditional firewalls and helps security teams that want sophisticated inspections at the Application Layer. When we talk about the Application Layer, we’re referring to OSI Layer 7. This means we’re applying security features using semantics of the protocol. The most common example is HTTP, the protocol you’re using to visit this website. We have Gateway and our WAF to protect inbound and outbound HTTP requests, but what about Layer 3 and Layer 4 Continue reading

0

Source ID and Observation Domain ID fields meaning & configuration details

The post Source ID and Observation Domain ID fields meaning & configuration details appeared first on Noction.

0

Response: Hardware Differences between Routers and Switches

Dmytro Shypovalov sent me his views on the hardware differences between routers and switches. Enjoy!

---

So, a long time ago routers were L3 with CPU forwarding and switches were L2 with ASIC. Then they had invented TCAM and L3 switches, and since then ASICs have evolved to support more features (QoS, encapsulations etc) and store more routes, while CPU-based architectures have evolved to specialised NPU and parallel processing (e.g. Cisco QFX) to handle more traffic, while supporting all features of CPU forwarding.

0

Response: Hardware Differences between Routers and Switches

Dmytro Shypovalov sent me his views on the hardware differences between routers and switches. Enjoy!

---

So, a long time ago routers were L3 with CPU forwarding and switches were L2 with ASIC. Then they had invented TCAM and L3 switches, and since then ASICs have evolved to support more features (QoS, encapsulations etc) and store more routes, while CPU-based architectures have evolved to specialised NPU and parallel processing (e.g. Cisco QFX) to handle more traffic, while supporting all features of CPU forwarding.

0

IBM offers one-stop-shop for mainframe hybrid cloud initiatives

While cloud companies such as AWS are offering enterprise customers new ways to get applications off the mainframe and into the cloud, IBM moved this week to keep them on the Big Iron.IBM rolled out a portal  it calls the IBM Z and Cloud Modernization Center which offers an assortment of tools, training, resources and ecosystem partners to help IBM Z clients accelerate the modernization of mainframe applications, data and processes to work with hybrid-cloud architecturesHow to build a hybrid-cloud strategy “The rise of hyperscalers has led many organizations to consider an application migration approach to public cloud alone, but in many cases it can be a one-way street and lock-in to one public cloud, which may have implications on cost, governance and security," wrote Ross Mauri General Manager for IBM Z in a blog about the announcement. “The IBM Z and Cloud Modernization Center helps clients leverage existing investments, rather than committing to a costly one-size-fits-all migration strategy.”To read this article in full, please click here

0

Gartner: Diversity, equity and inclusion is key to better I&O teams

“Why should an I&O leader care about diversity and inclusion? Why do you need to be involved in this at all? What good will it do you?"The answer to her questions, Debra Logan, a vice president and Gartner fellow told a virtual conference this week, is about building better infrastructure and operations (I&O) teams.[Get regularly scheduled insights by signing up for Network World newsletters.] "I’m not asking you to have faith," she said. "I’m not asking you to do it for non-business reasons. I’m not asking you to do it because someone else told you, or because you feel it’s the right thing to do. I want you to do it because it will solve the problems that keep you up at night.”To read this article in full, please click here

0

AMD: The phoenix of tech

Five years ago, AMD was hanging on by a thread. Sales had dropped below $1 billion per quarter. Its client and server CPUs were no longer competitive with Intel’s. Its Opteron server-CPU market share was less than one percent. Its GPU products were a little better but Nvidia had the mindshare.Then two things happened: Dr. Lisa Su ascended to the CEO position, and it developed the Zen microarchitecture, a clean-sheet, from-scratch redesign of the x86 architecture.[Get regularly scheduled insights by signing up for Network World newsletters.] The result? Epyc server processors now account for somewhere between 10% market share, as per Mercury Research, and 16%, as per Omdia. The AMD Ryzen desktop processor is the CPU of choice for gamers. And in Q3 of 2021, AMD reported sales of $4 billion, more in one quarter than AMD did in all of fiscal 2015 ($3.9 billion).To read this article in full, please click here

0

AMD: The phoenix of tech

Five years ago, AMD was hanging on by a thread. Sales had dropped below $1 billion per quarter. Its client and server CPUs were no longer competitive with Intel’s. Its Opteron server-CPU market share was less than one percent. Its GPU products were a little better but Nvidia had the mindshare.Then two things happened: Dr. Lisa Su ascended to the CEO position, and it developed the Zen microarchitecture, a clean-sheet, from-scratch redesign of the x86 architecture.[Get regularly scheduled insights by signing up for Network World newsletters.] The result? Epyc server processors now account for somewhere between 10% market share, as per Mercury Research, and 16%, as per Omdia. The AMD Ryzen desktop processor is the CPU of choice for gamers. And in Q3 of 2021, AMD reported sales of $4 billion, more in one quarter than AMD did in all of fiscal 2015 ($3.9 billion).To read this article in full, please click here

0

AMD: The Phoenix of tech

Five years ago, AMD was hanging on by a thread. Sales had dropped below $1 billion per quarter. Its client and server CPUs were no longer competitive with Intel’s. Its Opteron server-CPU market share was less than one percent. Its GPU products were a little better but Nvidia had the mindshare.Then two things happened: Dr. Lisa Su ascended to the CEO position, and it developed the Zen microarchitecture, a clean-sheet, from-scratch redesign of the x86 architecture.[Get regularly scheduled insights by signing up for Network World newsletters.] The result? Epyc server processors now account for somewhere between 10% market share, as per Mercury Research, and 16%, as per Omdia. The AMD Ryzen desktop processor is the CPU of choice for gamers. And in Q3 of 2021, AMD reported sales of $4 billion, more in one quarter than AMD did in all of fiscal 2015 ($3.9 billion).To read this article in full, please click here

0

AMD: The Phoenix of tech

Five years ago, AMD was hanging on by a thread. Sales had dropped below $1 billion per quarter. Its client and server CPUs were no longer competitive with Intel’s. Its Opteron server-CPU market share was less than one percent. Its GPU products were a little better but Nvidia had the mindshare.Then two things happened: Dr. Lisa Su ascended to the CEO position, and it developed the Zen microarchitecture, a clean-sheet, from-scratch redesign of the x86 architecture.[Get regularly scheduled insights by signing up for Network World newsletters.] The result? Epyc server processors now account for somewhere between 10% market share, as per Mercury Research, and 16%, as per Omdia. The AMD Ryzen desktop processor is the CPU of choice for gamers. And in Q3 of 2021, AMD reported sales of $4 billion, more in one quarter than AMD did in all of fiscal 2015 ($3.9 billion).To read this article in full, please click here

0

Day Two Cloud 127: Avoiding Infrastructure As Code (IaC) Pitfalls

There are a lot of good things you can do with Infrastructure as Code (IaC) for automation, repeatability, and ease of operations and development. But there are also code and infrastructure pitfalls where you can tumble into a hole, break your leg, and get eaten by spiders. OK, maybe not  that bad, but on today's episode we talk about potential IaC pitfalls and how to avoid them with guest Tim Davis.

0

Day Two Cloud 127: Avoiding Infrastructure As Code (IaC) Pitfalls

There are a lot of good things you can do with Infrastructure as Code (IaC) for automation, repeatability, and ease of operations and development. But there are also code and infrastructure pitfalls where you can tumble into a hole, break your leg, and get eaten by spiders. OK, maybe not  that bad, but on today's episode we talk about potential IaC pitfalls and how to avoid them with guest Tim Davis.

The post Day Two Cloud 127: Avoiding Infrastructure As Code (IaC) Pitfalls appeared first on Packet Pushers.

0

Why Cloudflare Bought Zaraz

Today we're excited to announce that Cloudflare has acquired Zaraz. The Zaraz value proposition aligns with Cloudflare's mission. They aim to make the web more secure, more reliable, and faster. And they built their solution on Cloudflare Workers. In other words, it was a no-brainer that we invite them to join our team.

Be Careful Who Takes Out the Trash

To understand Zaraz's value proposition, you need to understand one of the biggest risks to most websites that people aren't paying enough attention to. And, to understand that, let me use an analogy.

Imagine you run a business. Imagine that business is, I don't know, a pharmacy. You have employees. They have a process and way they do things. They're under contract, and you conduct background checks before you hire them. They do their jobs well and you trust them. One day, however, you realize that no one is emptying the trash. So you ask your team to find someone to empty the trash regularly.

Your team is busy and no one has the time to add this to their regular duties. But one plucky employee has an idea. He goes out on the street and hails down a relative Continue reading

0

Cloudflare acquires Zaraz to enable cloud loading of third-party tools

We are excited to announce the acquisition of Zaraz by Cloudflare, and the launch of Cloudflare Zaraz (beta). What we are releasing today is a beta version of the Zaraz product integrated into Cloudflare’s systems and dashboard. You can use it to manage and load third-party tools on the cloud, and achieve significant speed, privacy and security improvements. We have bet on Workers, and the Cloudflare technology and network from day one, and therefore are particularly excited to be offering Zaraz to all of Cloudflare's customers today, free of charge. If you are a Cloudflare customer all you need to do is to click the Zaraz icon on the dashboard, and start configuring your third-party stack. No code changes are needed. We plan to keep releasing features in the next couple of months until this beta version is a fully-developed product offering.

It’s time to say goodbye to traditional Tag Managers and Customer Data Platforms. They have done their part, and they have done it well, but as the web evolves they have also created some crucial problems. We are here to solve that.

The problems of third-party bloat

Yo'av and I founded Zaraz after having experienced working on opposite Continue reading

0

Guest Blog: k8s tunnels with Kudelski Security

Today, we’re excited to publish a blog post written by our friends at Kudelski Security, a managed security services provider. A few weeks back, Romain Aviolat, the Principal Cloud and Security Engineer at Kudelski Security approached our Zero Trust team with a unique solution to a difficult problem that was powered by Cloudflare’s Identity-aware Proxy, which we call Cloudflare Tunnel, to ensure secure application access in remote working environments.

We enjoyed learning about their solution so much that we wanted to amplify their story. In particular, we appreciated how Kudelski Security’s engineers took full advantage of the flexibility and scalability of our technology to automate workflows for their end users. If you’re interested in learning more about Kudelski Security, check out their work below or their research blog.

Zero Trust Access to Kubernetes

Over the past few years, Kudelski Security’s engineering team has prioritized migrating our infrastructure to multi-cloud environments. Our internal cloud migration mirrors what our end clients are pursuing and has equipped us with expertise and tooling to enhance our services for them. Moreover, this transition has provided us an opportunity to reimagine our own security approach and embrace the best practices of Zero Trust.

So far, one Continue reading

0

Introducing Clientless Web Isolation

Today, we're excited to announce the beta for Cloudflare’s clientless web isolation. A new on-ramp for Browser Isolation that natively integrates Zero Trust Network Access (ZTNA) with the zero-day, phishing and data-loss protection benefits of remote browsing for users on any device browsing any website, internal app or SaaS application. All without needing to install any software or configure any certificates on the endpoint device.

Secure access for managed and unmanaged devices

In early 2021, Cloudflare announced the general availability of Browser Isolation, a fast and secure remote browser that natively integrates with Cloudflare’s Zero Trust platform. This platform — also known as Cloudflare for Teams — combines secure Internet access with our Secure Web Gateway solution (Gateway) and secure application access with a ZTNA solution (Access).

Typically, admins deploy Browser Isolation by rolling out Cloudflare’s device client on endpoints, so that Cloudflare can serve as a secure DNS and HTTPS Internet proxy. This model protects users and sensitive applications when the administrator manages their team's devices. And for end users, the experience feels frictionless like a local browser: they are hardly aware that they are actually browsing on a secure machine running in a Cloudflare Continue reading

0

Extending Cloudflare’s Zero Trust platform to support UDP and Internal DNS

At the end of 2020, Cloudflare empowered organizations to start building a private network on top of our network. Using Cloudflare Tunnel on the server side, and Cloudflare WARP on the client side, the need for a legacy VPN was eliminated. Fast-forward to today, and thousands of organizations have gone on this journey with us — unplugging their legacy VPN concentrators, internal firewalls, and load balancers. They’ve eliminated the need to maintain all this legacy hardware; they’ve dramatically improved speeds for end users; and they’re able to maintain Zero Trust rules organization-wide.

We started with TCP, which is powerful because it enables an important range of use cases. However, to truly replace a VPN, you need to be able to cover UDP, too. Starting today, we’re excited to provide early access to UDP on Cloudflare’s Zero Trust platform. And even better: as a result of supporting UDP, we can offer Internal DNS — so there’s no need to migrate thousands of private hostnames by hand to override DNS rules. You can get started with Cloudflare for Teams for free today by signing up here; and if you’d like to join the waitlist to gain early access to UDP and Continue reading

0

Zero Trust Private Networking Rules

Earlier this year, we announced the ability to build a private network on Cloudflare’s network with identity-driven access controls. We’re excited to share that you will soon be able to extend that control to sessions and login intervals as well.

Private networks failed to adapt

Private networks were the backbone for corporate applications for years. Security teams used them to build a strict security perimeter around applications. In order to access sensitive data, a user had to physically be on the network. This meant they had to be in an office, connecting from a corporately managed device. This was not perfect — network access could be breached over physical connection or Wi-Fi, but tools like certificates and physical firewalls existed to prevent these threats.

These boundaries were challenged as work became increasingly more remote. Branch offices, data centers and remote employees all required access to applications, so organizations started relying on Virtual Private Networks (VPNs) to put remote users onto the same network as their applications.

In parallel to the problem of connecting users from everywhere, the security model of a private network became an even more dangerous problem. Once inside a private network, users could access any resource on Continue reading

0

Page Shield is generally available

Supply chain attacks are a growing concern for CIOs and security professionals.

During a supply chain attack, an attacker compromises a third party tool or library that is being used by the target application. This normally results in the attacker gaining privileged access to the application’s environment allowing them to steal private data or perform subsequent attacks. For example, Magecart, is a very common type of supply chain attack, whereby the attacker skimms credit card data from e-commerce site checkout forms by compromising third party libraries used by the site.

To help identify and mitigate supply chain attacks in the context of web applications, today we are launching Page Shield in General Availability (GA).

With Page Shield you gain visibility on what scripts are running on your application and can be notified when they have been compromised or are showing malicious behaviour such as attempting to exfiltrate user data.

We’ve worked hard to make Page Shield easy to use: you can find it under the Firewall tab and turn it on with one simple click. No additional configuration required. Alerts can be set up separately on an array of different events.

What is Page Shield?

Back in March of this Continue reading