NetworkingNexus.net

Conntrack turns a blind eye to dropped SYNs

Intro

We have been working with conntrack, the connection tracking layer in the Linux kernel, for years. And yet, despite the collected know-how, questions about its inner workings occasionally come up. When they do, it is hard to resist the temptation to go digging for answers.

One such question popped up while writing the previous blog post on conntrack:

“Why are there no entries in the conntrack table for SYN packets dropped by the firewall?”

Ready for a deep dive into the network stack? Let’s find out.

We already know from last time that conntrack is in charge of tracking incoming and outgoing network traffic. By running conntrack -L we can inspect existing network flows, or as conntrack calls them, connections.

So if we spin up a toy VM, connect to it over SSH, and inspect the contents of the conntrack table, we will see…

$ vagrant init fedora/33-cloud-base
$ vagrant up
…
$ vagrant ssh
Last login: Sun Jan 31 15:08:02 2021 from 192.168.122.1
[vagrant@ct-vm ~]$ sudo conntrack -L
conntrack v1.4.5 (conntrack-tools): 0 flow entries have been shown.

… nothing!

Even though the conntrack kernel Continue reading

New Ansible Data Validation Module(s)

A few months ago I described how you could use JSON Schema to validate your automation data models, host/group variable files, or even Ansible inventory file.

I had to use a weird toolchain to get it done – either ansible-inventory to build a complete data model from various inventory sources, or yq to convert YAML to JSON… and just for the giggles jsonschema CLI command requires the JSON input to reside in a file, so you have to use a temporary file to get the job done.

New Ansible Data Validation Module(s)

A few months ago I described how you could use JSON Schema to validate your automation data models, host/group variable files, or even Ansible inventory file.

Phishing Detection Using Perceptual Hashes

What are phishing attacks?

Phishing attacks have become more prominent and prevalent in recent years. In particular, our research into the cyber threat landscape over the last few months has shown a dramatic increase in the volume of phishing campaigns observed by our customers.

The most basic way to detect phishing is by using blacklists of phishing URLs. However, our research showed that, in many cases, the lifetime of phishing URLs is less than 24 hours, which renders the blacklist approach largely ineffective.

At VMware, we use multiple approaches to detect phishing attacks. The one we’ve found to be the most promising uses visual representation of the website to recognize phishing. In this blog post, we’ll discuss how this approach works in greater detail. If you need an overview of the more general idea behind phishing detection using image similarity, visit our previous blog post.

Not every hash function is a cryptographic hash function

As one part of VMware’s phishing detection, we store information about the visual representation of every analyzed URL: that is, we calculate perceptual hashes of the screenshots Continue reading

Why the Service Mesh Will Be Essential for 5G Telecom Networks

Sagar Nangare Sagar Nangare is technology blogger, focusing on data center technologies (Networking, Telecom, Cloud, Storage) and emerging domains like Edge Computing, IoT, Machine Learning, AI). Based in He is based in Pune, he is currently serving Calsoft Inc. as Digital Strategist. Despite the service mesh being a fairly new technology, as compared to other cloud native technologies, a March 2020 Cloud Native Computing Foundation report

Microsoft, VMware marry Azure Virtual WAN Hub with VMware SD-WAN

Microsoft and VMware have taken their well-established relationship up a notch by tying together application and network technologies to help customers support secure WAN access to critical enterprise applications.Specifically, the companies have combined Azure Virtual WAN Hub with VMware's SD-WAN technology so that VMware's SD-WAN customers can link resources using the networking, security, and routing services in Azure WAN Hub. They announced the news at his week's Microsoft Ignite virtual conference.To read this article in full, please click here

Changing Of The Guard For HPC And Big Iron At HPE

Hewlett Packard Enterprise has been building a mainstream and grassroots server business aimed at large enterprises, HPC centers, and academic and government institutions for two decades. …

Changing Of The Guard For HPC And Big Iron At HPE was written by Timothy Prickett Morgan at The Next Platform.

Enterprise Platform Kingmaker Goes All-In with Nvidia

Global consulting and services giant Deloitte has bold ambitions to lead in enterprise AI transitions, starting with a five-year, billion-dollar investment in everything from vertical-specific technology acquisitions to building personnel and capabilities ranks. …

Enterprise Platform Kingmaker Goes All-In with Nvidia was written by Nicole Hemsoth at The Next Platform.

Day Two Cloud 087: Inside The World Of A Technical Marketer

Engineers are skeptical of vendor marketing, which is typically heavy on buzzwords and light on actual information. But technical marketing tries to change that dynamic by creating collateral to help engineers and practitioners understand a product. We get into this world with guest Martez Reed, Director of Technical Marketing at Morpheus Data.

Day Two Cloud 087: Inside The World Of A Technical Marketer

The post Day Two Cloud 087: Inside The World Of A Technical Marketer appeared first on Packet Pushers.

3 Security Issues Overlooked By the NIST Framework

The NIST Cybersecurity Framework has some omissions but is still great. It should be considered the start of a journey and not the end destination.

MANRS Fellowship 2021 Now Open

The MANRS (Mutually Agreed Norms for Routing Security) Fellowship Program 2021 is now accepting applications. If you are an emerging leader eager to improve the well-being of the Internet’s global routing system, apply now.

The program gives highly motivated individuals the chance to work alongside MANRS Ambassadors – industry leaders participating in the associated Ambassador Program that invited applications last month (details here).

Together, they will train diverse communities on good routing practices, analyze routing incidents, research into ways to secure routing, and survey the global policy landscape.

You can read about the 13 Fellows in last year’s inaugural program, which proved highly popular. The Internet Society supports this program as part of its work to reduce common routing threats and establish norms for network operations.

You can apply for a MANRS Fellowship in three different areas: training, research, and policy. Each Fellow will receive a stipend of $750 a month. The program will start in mid-April and run for up to eight months. You can apply for more than one category but will only be selected for one of them.

Online Training

Responsible for: Conducting MANRS online tutorial and virtual hands-on workshops, helping improve existing training and workshop Continue reading

Using the Python Rich library to display status indicators

I recently added a status indicator to my azruntime application. If users have a lot of VMs in their subscriptions, the azruntime application can take a long time to run. Users will appreciate seeing the status so they know the program is still running and is not hung up.

I used the Rich library to implement a status indicator. I had to learn more about Python context managers to understand how the Rich library’s progress bar and status indicators work. The Rich library’s documentation is aimed at intermediate-to-advanced programmers and the Rich tutorials I found on the web did not cover using the Rich library’s status update features.

In this post, I will share what I learned while adding a status indicator to my program and show you how to implement the same in your projects.

Rich library overview

The Rich library makes it easy to add color and style to terminal output. Rich can also render pretty tables, progress bars, markdown, syntax highlighted source code, tracebacks, and more.¹

This post focuses only on creating a status indicator. To learn more about what Rich can do for you, I encourage you to read one of the excellent Rich overviews Continue reading

John Deere invests $500k in private 5G licenses to support flexible factory networks

John Deere, the $35.5 billion maker of farm equipment, is planting the seeds of company-owned 5G cellular networking in some of its manufacturing plants after investing half-a-million dollars in wireless licenses at an FCC auction last year. 5G resources What is 5G? Fast wireless technology for enterprises and phones How 5G frequency affects range and speed Private 5G can solve some problems that Wi-Fi can’t Private 5G keeps Whirlpool driverless vehicles rolling 5G can make for cost-effective private backhaul CBRS can bring private 5G to enterprises The company says that having a piece of wireless spectrum more or less to itself is key to updating certain of its production facilities. Deere bought citizens broadband radio service (CBRS) licenses in five Iowa and Illinois counties at that give it virtually unfettered use of the local CBRS bandwidth for private 5G.To read this article in full, please click here

John Deere invests $500k in private 5G licenses to support more flexible factory networks

Chasing Anycast IP Addresses

One of my readers sent me this question:

My job required me to determine if one IP address is unicast or anycast. Is it possible to get this information from the bgp dump?

TL&DR: Not with anything close to 100% reliability. An academic research paper (HT: Andrea di Donato) documents a false-positive rate of around 10%.

If you’re not familiar with IP anycast: it’s a brilliant idea of advertising the same prefix from multiple independent locations, or the same IP address from multiple servers. Works like a charm for UDP (that’s how all root DNS servers are built) and supposedly pretty well across distant-enough locations for TCP (with a long list of caveats when used within a data center).

Chasing Anycast IP Addresses

One of my readers sent me this question:

My job required me to determine if one IP address is unicast or anycast. Is it possible to get this information from the bgp dump?

TL&DR: Not with anything close to 100% reliability.

SEC 4. Complete guide for integrating Nokia, Arista, Cumulus, as well as CentOS and Raspberry PI Linux in your own PKI

Hello my friend,

In one of the previous blogposts we have share the details how you can build the containerised PKI relying Docker, Alpine Linux and OpenSSL. Today we’ll show how you can use it.


1
2
3
4
5
No part of this blogpost could be reproduced, stored in a 

retrieval system, or transmitted in any form or by any 

means, electronic, mechanical or photocopying, recording, 

or otherwise, for commercial purposes without the 

prior permission of the author.

How automation can increase the security?

In one of the recent articles dedicated to threats to the national security with respect to 5G caused by the current operation models in the big service providers, one the network automation were named as one of the key mitigation approaches. The reason is very simple: network automation allows you to keep (or even increase) the pace of the network changes with increasing the stability without increasing the size of your network operation teams.

We absolutely agree with this statement. We have observed ourselves that in many cases the key technical competence for service providers is being outsourced and in certain cases the service providers have to rely on the external parties to perform Continue reading

Comcast: Internet usage spiked in 2020 as working from home doubled

Overall Internet traffic on Comcast’s network spiked substantially at the beginning of the pandemic in the U.S. in March 2020, but normalized over the subsequent months, according to a report released today by the internet service provider.As the largest individual home ISP in the U.S., Comcast’s data on Internet usage represents a useful snapshot into overall home connectivity during the pandemic.[Get regularly scheduled insights by signing up for Network World newsletters.] Nearly two-thirds of Americans--62%--reported working from home at some point during the current crisis, double the figures for the previous March, the report found. And 93% of households with school-age children reported that those children engaged in distance learning.To read this article in full, please click here

Tigera and Microsoft Extend the Power of Calico for Windows to AKS

Tigera, in collaboration with Microsoft, is thrilled to announce the public preview of Calico for Windows on Azure Kubernetes Service (AKS). While Calico has been available for self-managed Kubernetes workloads on Azure since 2018, many organizations are migrating their .NET and Windows workloads to the managed Kubernetes environment offered by AKS. Now the leading open-source Kubernetes network policy and security solution for Kubernetes enables Windows users to fulfill their policy and compliance requirements on Azure Kubernetes Service.

With the availability of Calico for Windows on AKS in public preview, enterprises can leverage the power and simplicity of Calico to enable a single solution that provides uniform Kubernetes network policy and security for their clusters across AKS, other clouds and on-premises, as well as across their choice of Windows, Linux, and mixed-node environments.

Project Calico is the most widely adopted open-source solution for Kubernetes networking and security, used on more than 1 million nodes across 166 countries. However, thousands of our users want to be sure that choosing Calico is the right decision for many years to come. Calico is the only solution that offers a pluggable data plane supporting Windows, standard Linux and eBPF, thus future-proofing their decision Continue reading

« Previous 1 … 726 727 728 729 730 … 3,788 Next »