Why securing internet-facing applications is challenging in a Kubernetes environment

Internet-facing applications are some of the most targeted workloads by threat actors. Securing this type of application is a must in order to protect your network, but this task is more complex in Kubernetes than in traditional environments, and it poses some challenges. Not only are threats magnified in a Kubernetes environment, but internet-facing applications in Kubernetes are also more vulnerable than their counterparts in traditional environments. Let’s take a look at the reasons behind these challenges, and the steps you should take to protect your Kubernetes workloads.

 

Threats are magnified in a Kubernetes environment

One of the fundamental challenges in a Kubernetes environment is that there is no finite set of methods that exist in terms of how workloads can be attacked. This means there are a multitude of ways an internet-facing application could be compromised, and a multitude of ways that such an attack could propagate within the environment.

Kubernetes is designed in such a way that allows anything inside a cluster to communicate with anything else inside the cluster by default, essentially giving an attacker who manages to gain a foothold unlimited access and a large attack surface. Because of this design, any time you have Continue reading

Hedge 101: In Situ OAM

Understanding the flow of a packet is difficult in modern networks, particularly data center fabrics with their wide fanout and high ECMP counts. At the same time, solving this problem is becoming increasingly important as quality of experience becomes the dominant measure of the network. A number of vendor-specific solutions are being developed to solve this problem. In this episode of the Hedge, Frank Brockners and Shwetha Bhandari join Alvaro Retana and Russ White to discuss the in-situ OAM work currently in progress in the IPPM WG of the IETF.

download

Day Two Cloud 116: Emotional Intelligence, Hard Conversations, And Other Essential Management Skills

Guest Shelley Benhoff stops by the Day Two Cloud podcast to discuss essential skills for moving into tech management, and how to decide if management is the right career path for you. Shelley has twenty years' experience in IT as a developer and manager, runs a tech training company, and is a Pluralsight instructor.

The post Day Two Cloud 116: Emotional Intelligence, Hard Conversations, And Other Essential Management Skills appeared first on Packet Pushers.

IS-IS Flooding Details

Last week I published an unrolled version of Peter Paluch’s explanation of flooding differences between OSPF and IS-IS. Here’s the second part of the saga: IS-IS flooding details (yet again, reposted in a more traditional format with Peter’s permission).

In IS-IS, DIS1 is best described as a “baseline benchmark” – a reference point that other routers compare themselves to, but it does not sit in the middle of the flow of updates (Link State PDUs, LSPs).

A quick and simplified refresher on packet types in IS-IS: A LSP carries topological information about its originating router – its System ID, its links to other routers and its attached prefixes. It is similar to an OSPF LSU containing one or more LSAs of different types.

Read more …

IS-IS Flooding Details

Last week I published an unrolled version of Peter Paluch’s explanation of flooding differences between OSPF and IS-IS. Here’s the second part of the saga: IS-IS flooding details (yet again, reposted in a more traditional format with Peter’s permission).

In IS-IS, DIS1 is best described as a “baseline benchmark” – a reference point that other routers compare themselves to, but it does not sit in the middle of the flow of updates (Link State PDUs, LSPs).

A quick and simplified refresher on packet types in IS-IS: A LSP carries topological information about its originating router – its System ID, its links to other routers and its attached prefixes. It is similar to an OSPF LSU containing one or more LSAs of different types.

Read more …

Enter the NSX Giveaway – Tune In on LinkedIn

?  Do you remember the 21st night of September? ?

At VMware NSX, we sure do – and you can bet we’ll be dancing to Earth, Wind & Fire all September long. Whether or not this is your September song of choice, there’s no better way to listen to your favorite tunes than on a top-notch speaker. VMware NSX wants to help by giving away new portable Sonos Roam Speakers that you can bring wherever your grooving takes you.

Yep, you heard us – we’re hosting a giveaway! Entering for a chance to win is easy, too: just follow our new Networking & Security LinkedIn.

For an extra entry, tag a friend or colleague who would enjoy NSX content in the comments of the announcement post.

We’ll select winners from our new followers after the giveaway closes on Oct. 14, 2021. In the meantime, we’ll be listening to “September” on repeat. ?

This giveaway is limited to those living in the US. If you live somewhere else you can still participate, but we may not be able to deliver your prize. See full Terms and Conditions below. If you have questions, reach out to us on LinkedIn or Twitter. 

 

Continue reading

Lenovo extends TruScale as-a-service model to its entire portfolio

Lenovo is expanding its TruScale pay-per-use model to cover all its data-center products—servers, storage—and client-side devices—laptops, tablets.This transition to a fully integrated, end-to-end, as-a-service model is part of the company’s “One Lenovo” strategy of providing its entire portfolio of clients and servers as a fully managed, on-premises cloud environment through TruScale leasing.One Lenovo simply means laptops and desktops will be sold along with data-center products together all under one sales program. Lenovo will launch a new channel program in 2022 to encompass the One Lenovo strategy.The everything-as-a-service announcement came at the company’s virtual Lenovo Tech World 2021 eventTo read this article in full, please click here

Lenovo extends TruScale as-a-service model to its entire portfolio

Lenovo is expanding its TruScale pay-per-use model to cover all its data-center products—servers, storage—and client-side devices—laptops, tablets.This transition to a fully integrated, end-to-end, as-a-service model is part of the company’s “One Lenovo” strategy of providing its entire portfolio of clients and servers as a fully managed, on-premises cloud environment through TruScale leasing.One Lenovo simply means laptops and desktops will be sold along with data-center products together all under one sales program. Lenovo will launch a new channel program in 2022 to encompass the One Lenovo strategy.The everything-as-a-service announcement came at the company’s virtual Lenovo Tech World 2021 eventTo read this article in full, please click here

How to add virtual-machine drive space in Microsoft Server Hyper-V

Virtualization is an essential part of modern IT infrastructure that presents many routine management tasks to sysadmins, among them increasing virtual hard-drive space when necessary. In my line of work, because of expanding log files, scaling for growing processes, and new tasks for existing servers, this is something I do at least once a month.Here’s how to do it in a Microsoft Server Hyper-V hypervisor running Windows Server 2016 using either Hyper-V Manager or Failover Cluster Manager.To read this article in full, please click here

How to add virtual-machine drive space in Microsoft Server Hyper-V

Virtualization is an essential part of modern IT infrastructure that presents many routine management tasks to sysadmins, among them increasing virtual hard-drive space when necessary. In my line of work, because of expanding log files, scaling for growing processes, and new tasks for existing servers, this is something I do at least once a month.Here’s how to do it in a Microsoft Server Hyper-V hypervisor running Windows Server 2016 using either Hyper-V Manager or Failover Cluster Manager.To read this article in full, please click here

That Alfa-Trump Sussman indictment

Five years ago, online magazine Slate broke a story about how DNS packets showed secret communications between Alfa Bank in Russia and the Trump Organization, proving a link that Trump denied. I was the only prominent tech expert that debunked this as just a conspiracy-theory[*][*][*].

Last week, I was vindicated by the indictment of a lawyer involved, a Michael Sussman. It tells a story of where this data came from, and some problems with it.

But we should first avoid reading too much into this indictment. It cherry picks data supporting its argument while excluding anything that disagrees with it. We see chat messages expressing doubt in the DNS data. If chat messages existed expressing confidence in the data, we wouldn't see them in the indictment.

In addition, the indictment tries to make strong ties to the Hillary campaign and the Steele Dossier, but ultimately, it's weak. It looks to me like an outsider trying to ingratiated themselves with the Hillary campaign rather than there being part of a grand Clinton-lead conspiracy against Trump.

With these caveats, we do see some important things about where the data came from.

We see how Tech-Executive-1 used Continue reading

Full Stack Journey 058: New Challenges And Embracing Change

In episode 58 of the Full Stack Podcast, Scott talks to Nick Korte about a change that happened with his own podcast, The Nerd Journey. What lessons did Nick learn from this change, and how can those lessons be applied to careers in general? Scott and Nick's conversation uncovers some true gems of career advice.

The post Full Stack Journey 058: New Challenges And Embracing Change appeared first on Packet Pushers.

Big Iron Will Always Drive Big Spending

Starting way back in the late 1980s, when Sun Microsystems was on the rise in the datacenter and Hewlett Packard was its main rival in Unix-based systems, market forces compelled IBM to finally and forcefully field its own open systems machines to combat Sun, HP, and others behind the Unix movement.

Big Iron Will Always Drive Big Spending was written by Timothy Prickett Morgan at The Next Platform.

Thoughts on the Collapsed Spine

One of the designs I’ve been encountering a lot of recently is a “collapsed spine” data center network, as shown in the illustration below.

In this design, and B are spine routers, while C-F are top of rack switches. The terminology is important here, because C-F are just switches—they don’t route packets. When G sends a packet to H, the packet is switched by C to A, which then routes the packet towards F, which then switches the packet towards H. C and F do not perform an IP lookup, just a MAC address lookup. A and B are responsible for setting the correct next hop MAC address to forward packets through F to H.
What are the positive aspects of this design? Primarily that all processing is handled on the two spine routers—the top of rack switches don’t need to keep any sort of routing table, nor do any IP lookups. This means you can use very inexpensive devices for your ToR. In brownfield deployments, so long as the existing ToR devices can switch based on MAC addresses, existing hardware can be used.

This design also centralizes almost all aspects of network configuration and management on the spine routers. Continue reading

Mixed Results With A64X Port for Seismic HPC

Seismic processing cloud infrastructure provider, DUG, has enough combined compute power to grace the leading ten systems on the Top 500 list of the world’s most powerful supercomputers, with around 30 petaflops for seismic processing, full waveform inversion, petrophysics, and other HPC applications in oil and gas via many of its own software packages.

Mixed Results With A64X Port for Seismic HPC was written by Nicole Hemsoth at The Next Platform.

1 674 675 676 677 678 3,856