Using Flow Tracking to Build Firewall Rulesets… and Halting Problem

Peter Welcher identified the biggest network security hurdle faced by most enterprise IT environments in his comment to Considerations for Host-based Firewalls (Part 1) blog post:

I have NEVER found a customer application team that can tell me all the servers they are using, their IP addresses, let alone the ports they use.

His proposed solution: use software like Tetration (or any other flow collecting tool) to figure out what’s really going on:

Read more …

Arm updates Neoverse server processors with considerable performance claims

Acquisitions and defections be damned, Arm Holdings is pushing forward with its Neoverse line of server processor designs with the launch of the Neoverse V1 and N2 processor architectures.The new chips are the successors to the Neoverse N1 and E1 designs, which are used in server processors like Ampere’s Altra, Amazon’s Graviton2, and Marvel’s ThunderX2. Arm claims these chips will deliver 40% to 50% better performance than the previous generation while consuming the same amount of power.To read this article in full, please click here

Arm updates Neoverse server processors with considerable performance claims

Acquisitions and defections be damned, Arm Holdings is pushing forward with its Neoverse line of server processor designs with the launch of the Neoverse V1 and N2 processor architectures.The new chips are the successors to the Neoverse N1 and E1 designs, which are used in server processors like Ampere’s Altra, Amazon’s Graviton2, and Marvel’s ThunderX2. Arm claims these chips will deliver 40% to 50% better performance than the previous generation while consuming the same amount of power.To read this article in full, please click here

Vendors extend the range of 5G millimeter-wave transmissions

Two wireless vendors say they have collaborated to significantly extend the useful range of millimeter-wave 5G transmissions beyond what had been widely considered its limits. 5G resources What is 5G? Fast wireless technology for enterprises and phones How 5G frequency affects range and speed Private 5G can solve some problems that Wi-Fi can’t Private 5G keeps Whirlpool driverless vehicles rolling 5G can make for cost-effective private backhaul CBRS can bring private 5G to enterprises Qualcomm and Ericsson have worked together in separate trials with two other companies to boost that distance from less than a mile (1.6km) to 3.8km in one case and to 5km-plus in the other, the companies claim.To read this article in full, please click here

Cable testing on Juniper EX switches

Does anyone use the cable test feature on EX switches? Did you even know you could do this kind of thing?

In case you didn’t, here is a bit of background and an example.

The Time Domain Reflectometer (TDR) test has been available on the EX switches for some time, but not a lot of people seem to know about it. What is TDR, I hear you ask?

A futuristic-sounding thing, what a TDR does is send a signal down a cable and measure how much (if any) is reflected by the far end. If the cable is damaged a little way along its length, the TDR test will tell you that distance to a fair level of accuracy.

In an ethernet cable, there are four pairs of conductors – eight wires in total. The operative ones are 1 & 2, and 3 & 6. The other conductors are unused but their presence in the Cat5 or Cat6 cable helps prevent cross-talk and signal attenuation. In a lab, usually cables are fairly short and easily replaced, but in a working environment, cables in floor-boxes under desks, or the structured wiring under the raised floor in an office often suffers quite Continue reading

Snakes in a Facebook Datacenter

 

What do you do when you find a snake in your datacenter? You might say this. (NSFW)

 

Fault tolerance is the property that enables a system to continue operating properly in the event of the failure of some of its components. You might think Facebook solved all of its fault tolerance problems long ago, but when a serpent enters the Edenic datacenter realm, even Facebook must consult the Tree of Knowledge.

In this case, it's not good or evil we'll learn about, but Workload Placement, which is a method of optimally placing work over a set of failure domains. 

Here's my gloss of the Fault Tolerance through Optimal Workload Placement talk:

Technologies that Didn’t: CLNS

Note: RFC1925, rule 11, reminds us that: “Every old idea will be proposed again with a different name and a different presentation, regardless of whether it works.” Understanding the past not only helps us to understand the future, it also helps us to take a more balanced and realistic view of the technologies being created and promoted for current and future use.

The Open Systems Interconnect (OSI) model is the most often taught model of data transmission—although it is not all that useful in terms of describing how modern networks work. What many engineers who have come into network engineering more recently do not know is there was an entire protocol suite that went with the OSI model. Each of the layers within the OSI model, in fact, had multiple protocols specified to fill the functions of that layer. For instance, X.25, while older than the OSI model, was adopted into the OSI suite to provide point-to-point connectivity over some specific kinds of physical circuits. Moving up the stack a little, there were several protocols that provided much the same service as the widely used Internet Protocol (IP).

The Connection Oriented Network Service, or CONS, ran on top Continue reading

Full Stack Journey 046: Understanding AWS Controllers For Kubernetes (ACK)

Today's Full Stack Journey podcast explores AWS Controllers for Kubernetes (ACK). Currently available as a developer preview, the ACK project lets customers manage their AWS services directly from Kubernetes. Our guide to ACK is Justin Garrison, a container advocate at AWS and author.

The post Full Stack Journey 046: Understanding AWS Controllers For Kubernetes (ACK) appeared first on Packet Pushers.

Docker Github Actions

In our first post in our series on CI/CD we went over some of the high level best practices for using Docker. Today we are going to go a bit deeper and look at Github actions. 

We have just released a V2 of our GitHub Action to make using the Cache easier as well! We also want to call out a huge THANK YOU to @crazy-max (Kevin :D) for the of work he put into the V2 of the action, we could not have done this without him! 

Right now let’s have a look at what we can do! 

To start we will need to get a project setup, I am going to use one of my existing simple Docker projects to test this out:

The first thing I need to do is to ensure that I will be able to access Docker Hub from any workflow I create, to do this I will need to add my DockerID and a Personal Access Token (PAT) as secrets into GitHub. I can get a PAT by going to https://hub.docker.com/settings/security and clicking ‘new access token’, in this instance I will call my token ‘whaleCI’

I can then Continue reading

Python: The Minimum You Need to Know

Many network engineers and other professionals are transitioning their skills set to include programming and automation. Commonly, their previous programming experience comes from a few programming courses they attended in university a long time ago. I am one of those professionals and I created this Python programming guide for people like you and me.

In this guide, I explain the absolute minimum amount you need to learn about Python in order to create useful programs. Follow this guide to get a very short, but functional, overview of Python programming in less than one hour.

I omit many topics from this text that you do not need to know when you begin using Python; you can learn them later, when you need them. I don’t want you to have to unlearn misconceptions later, when you become more experienced, so I do include some Python concepts that other beginner guides might skip, such as the Python object model. This guide is “simple” but it is also “mostly correct”.

Getting Started

In this guide, I will explore the seven fundamental topics you need to know to create useful programs almost immediately. These topics are:

  • The Python object model simplified
  • Defining objects
  • Core types
  • Continue reading

Tigera Announces Open-Source Calico for Windows and Collaboration with Microsoft

Tigera is pleased to announce that we have open-sourced Calico for Windows and made it immediately available for all to use for free. With the launch of open-source Calico for Windows, the vast ecosystem of Windows users now has unprecedented access to Kubernetes via the industry’s de-facto standard for Kubernetes networking and network security.

We have been collaborating with Microsoft and our joint customers over the past few years to bring Project Calico to the Windows platform, and have seen increasing demand for Windows nodes ever since the release of Kubernetes 1.14.  Most enterprises have a Windows footprint, and Windows workloads are increasingly being modernized and migrated to containers and orchestrated with Kubernetes. Enterprise users want to deploy a single solution for network security that works across both Linux and Windows workloads. Open-sourcing Calico for Windows provides those users with the best and only solution available, and for free.

“We are seeing an influx in interest in Windows Kubernetes workloads, as well as interest in securing those workloads. Calico has been a key means of deploying network security policies across both Windows and Linux platforms, however, their Windows support has been commercially licensed by Tigera until today,“ said Continue reading

Accessing Docker Container Services over IPv6

Getting Docker to work with IPv6 is an interesting and under-documented (trying to stay diplomatic) adventure, but there’s a shortcut to the promised land: even if your Docker environment is pure IPv4 morass, you can still reach published container ports over IPv6 thanks to the userland proxy I described last week. The performance is obviously commensurate with traversing kernel-user boundary too many times.

New to this rabbit hole? Start here.

Finally, you don’t have to tell me (again) that Docker is dead and we should all use K8s. It’s as useful as telling me CloudStack is dead and we should all use OpenStack. Different challenges deserve different tools.

Cradlepoint buy nets Ericsson 5G infrastructure for carriers, enterprises

Ericsson’s purchase of wireless WAN vendor Cradlepoint means that the Sweden-based networking powerhouse is targeting growth in the 5G and edge markets, according to experts. 5G resources What is 5G? Fast wireless technology for enterprises and phones How 5G frequency affects range and speed Private 5G can solve some problems that Wi-Fi can’t Private 5G keeps Whirlpool driverless vehicles rolling 5G can make for cost-effective private backhaul CBRS can bring private 5G to enterprises The deal, valued at $1.1 billion, will see Cradlepoint become a fully owned subsidiary of Ericsson, part of the larger company’s Business Area Technologies and New Business divisionTo read this article in full, please click here

Best practices for using Docker Hub for CI/CD

According to the 2020 Jetbrains developer survey 44% of developers are now using some form of continuous integration and deployment with Docker Containers. We know a ton of developers have got this setup using Docker Hub as their container registry for part of their workflow so we decided to dig out the best practices for doing this and provide some guidance for how to get started. To support this we will be publishing a series of blog posts over the next few weeks to answer the common questions we see with the top CI providers.

We have also heard feedback that given the changes Docker introduced relating to network egress and the number of pulls for free users, that there are questions around the best way to use Docker Hub as part of CI/CD workflows without hitting these limits. This blog post covers best practices that improve your experience and uses a sensible consumption of Docker Hub which will mitigate the risk of hitting these limits and how to increase the limits depending on your use case. 

To get started, one of the most important things when working with Docker and really any CI/CD is to work out when Continue reading

Reducing RPKI Single Point of Takedown Risk

The RPKI, for those who do not know, ties the origin AS to a prefix using a certificate (the Route Origin Authorization, or ROA) signed by a third party. The third party, in this case, is validating that the AS in the ROA is authorized to advertise the destination prefix in the ROA—if ROA’s were self-signed, the security would be no better than simply advertising the prefix in BGP. Who should be able to sign these ROAs? The assigning authority makes the most sense—the Regional Internet Registries (RIRs), since they (should) know which company owns which set of AS numbers and prefixes.

The general idea makes sense—you should not accept routes from “just anyone,” as they might be advertising the route for any number of reasons. An operator could advertise routes to source spam or phishing emails, or some government agency might advertise a route to redirect traffic, or block access to some web site. But … if you haven’t found the tradeoffs, you haven’t looked hard enough. Security, in particular, is replete with tradeoffs.

Every time you deploy some new security mechanism, you create some new attack surface—sometimes more than one. Deploy a stateful packet filter to protect a Continue reading

How did they send money in the olden days of telegraphs?

 

It's not all that different really, especially that part where you can lose all your bitcoin. Here's an excerpt from East of Eden by John Steinbeck:

Say, Carlton, how do you go about telegraphing money?”

“Well, you bring me a hundred and two dollars and sixty cents and I send a wire telling the Valdosta operator to pay Adam one hundred dollars. You owe me sixty cents too.”

“I’ll pay—say, how do I know it’s Adam? What’s to stop anybody from collecting it?”

The operator permitted himself a smile of worldliness.

“Way we go about it, you give me a question couldn’t nobody else know the answer. So I send both the question and the answer. Operator asks this fella the question, and if he can’t answer he don’t get the money.””

“Say, that’s pretty cute. I better think up a good one.”
“You better get the hundred dollars while Old Breen still got the window open.”
Charles was delighted with the game. He came back with the money in his hand.
“I got the question,” he said.
“I hope it ain’t your mother’s middle name. Lot of people don’t remember.”
“No, nothing Continue reading
1 836 837 838 839 840 3,789