0

Kubernetes Q3-2020: Threats, Exploits and TTPs

Kubernetes has become the world’s most popular container orchestration system and is taking the enterprise ecosystem by storm. At this disruptive moment it’s useful to look back and review the security threats that have evolved in this dynamic landscape. Identifying these threats and exploits and being a proactive learner may save you a lot of time and effort…as well as help you retain your reputation in the long run. In this blog we’ll look at some critical security issues faced by the Kubernetes ecosystem in the recent past, and examine the top tactics, techniques and procedures (TTPs) used by attackers.

Major Vulnerabilities

Everyday, new Kubernetes ecosystem Common Vulnerabilities and Exposures (CVEs) are published. Let’s take a closer look at some of the cloud shakers…

CVE-2020-14386: Using privilege escalation vulnerability to escape the pod
A flaw was found in the Linux kernel before 5.9-rc4. Memory corruption can be exploited to gain root privileges from unprivileged processes.

We received notification that some instances in our cloud infrastructure are vulnerable to this CVE. When we took a closer look, it appeared to be a typical privilege escalation vulnerability using AF sockets on hosts. Unprivileged users with CAP_NET_RAW permissions can send packets Continue reading

0

It’s Back To The Future For Omni-Path InfiniBand

People in the modern era sometimes forget that networking predates the rise of Cisco Systems and the commercialization of the Internet. …

It’s Back To The Future For Omni-Path InfiniBand was written by Timothy Prickett Morgan at The Next Platform.

0

Introducing VMware Transit Connect for networking and security on VMware Cloud on AWS

As you migrate and expand your deployments on VMware Cloud on AWS, your network connectivity provides the foundational infrastructure for all workloads in your SDDCs. When you then scale across multiple SDDCs — which also need to network with several data centers and tens or even hundreds of VPCs — scaling network connectivity becomes a critical challenge.  

In this context, we’re excited to announce a number of new networking and security capabilities on VMware Cloud on AWS. 

• SDDC Groups – a way to organize SDDCs together for ease of management
• VMware Transit Connect –high bandwidth, resilient connectivity for SDDCs in an SDDC Group
• Multi-Edge SDDCs – the ability to add network capacity for north-south traffic to the SDDC

Together, these new features enable seamless connectivity to your SDDCs from on-prem data centers and AWS VPCs while unlocking the capacity you need to efficiently drive your workloads in the cloud. 

Let’s take a closer look at each one. 

SDDC Groups 

SDDC Groups enable customers to manage multiple SDDCs as a single logical entity. This simplifies operations while maintaining the flexibility that customers rely on. SDDCs in a Group can be interconnected with VMware Transit Connect, and Continue reading

0

Can You Spare a Minute? Network Time Security Featured on The Hedge Podcast

Are you interested in finding out more about Network Time Protocol (NTP), Network Time Security (NTS), and discovering why synchronized time is an essential foundation for online security?

Today is International Podcast Day, so why not spend it listening to the The Hedge Podcast #49: Karen O’Donoghue and Network Time Security.

Network Time Protocol (NTP) is one of the oldest Internet protocols in use. It enables the synchronization of clocks on computer networks to within a few milliseconds of standard universal coordinated time (UTC).  Accurate time is also a critical component for online security, and many security mechanisms, such as Transport Layer Security (TLS) and digital signature creation and verification, depend on accurate timekeeping. 

Updated Mechanism 

NTP’s security mechanisms, however, were designed back in an era when the risk of attack was unlikely. Due to the continued expansion of the Internet, these mechanisms have become outdated. Work has been underway for many years in the Internet Engineering Task Force (IETF) Network Time Protocol Working Group to develop replacement technology, which will help to secure the Internet’s time synchronization infrastructure well into the future. The result of this work is in the Continue reading

0

VMware amps up security for network, SASE, SD-WAN products

At its virtual VMworld 2020 conclave this week, VMware took the wraps off a number of security enhancements aimed at the growing COVID-driven remote workforce.For starters, the company boosted security for remote and mobile workers by extending its partnerships with zScaler and Menlo for its secure-access service edge (SASE) offering, VMware SD-WAN Zero Trust Service. VMware's SASE technology melds its Workspace ONE platform with its SD-WAN package. To read this article in full, please click here

0

The Hedge Podcast 54: Bob Friday and AI in Networks

AI in networks is a hotly contested subject—so we asked Bob Friday, CTO of Mist Systems, to explain the value and future of AI in networks. Bob joins Tom Ammon and Russ White for this episode.

download

0

VMware Embraces Nvidia GPUs, DPUs To Drive Enterprise AI

AI is too hard for most enterprises to adopt, just like HPC was and continues to be. …

VMware Embraces Nvidia GPUs, DPUs To Drive Enterprise AI was written by Jeffrey Burt at The Next Platform.

0

Offered Mid-Career Advice

A meeting with Duan Lightfoot from Lab Everyday to discuss mid-career choices.

0

Day Two Cloud 068: Achieving Crucial Cloud Visibility With Riverbed (Sponsored)

Today's show explores cloud visibility with sponsor Riverbed. Perhaps best known for its Steelhead WAN optimization appliances, Riverbed has a suite of solutions that target cloud performance and visibility, and we'll get to know them. Our Riverbed guests are Dr. Vincent Berk, VP, Chief Architect Security, CTO; and Brandon Carroll, Director, Technical Evangelist, Worldwide Marketing Management.

0

Day Two Cloud 068: Achieving Crucial Cloud Visibility With Riverbed (Sponsored)

Today's show explores cloud visibility with sponsor Riverbed. Perhaps best known for its Steelhead WAN optimization appliances, Riverbed has a suite of solutions that target cloud performance and visibility, and we'll get to know them. Our Riverbed guests are Dr. Vincent Berk, VP, Chief Architect Security, CTO; and Brandon Carroll, Director, Technical Evangelist, Worldwide Marketing Management.

The post Day Two Cloud 068: Achieving Crucial Cloud Visibility With Riverbed (Sponsored) appeared first on Packet Pushers.

0

Arista adds IoT, remote-work management to campus family

Arista Networks has taken the wraps off extensions to its campus-networking portfolio that promise to help customers manage IoT devices, improve wireless connectivity and cope with COVID-era remote-networking requirements.When it comes to managing the campus and the edge it’s important for IT to understand what devices are in the network, what they're doing, and making sure they are properly segmented, said Ed Chapman, vice president of business development for Arista.  Customers need to manage wireless and wired systems as one entity to gain visibility, intelligence,  and analytics on the overall environment.To read this article in full, please click here

0

You Can’t Do Everything, And That’s Okay

You’re a responsible human–a reliable person who does everything that’s expected and more. Congratulations! Here’s more work to do.

Yep, that’s the rub. If you’re good at your job and other people notice, you get never-ending opportunities to prove once again how good you are. More work to do, and more work to do, and more. The balance in your life is lost as you drown under a pile of opportunities and challenges with deliverables, due dates, and project managers scheduling recurring meetings to get status updates.

No Good Deed Goes Unpunished

If you’ve been through a few jobs, no doubt you’re familiar with this cycle. You leave the old job with a sense of relief, having transitioned your projects to others in a ceremony known as “the hand-off.” You chuckle a bit to yourself as your co-workers and manager who clearly didn’t grasp what all you were handling go glassy-eyed as you talk them through it.

You start the new job with a lightness in your heart. No projects. No due dates. No recurring meetings. The anxiety of getting familiar with a new company, figuring out your role, learning the politics, sure–there’s all that to contend with. But Continue reading

0

Nigeria’s IXPs – Enabling Better Connectivity, Faster Internet Delivery, and Improving Internet Service

Nigeria grew its local Internet traffic from  30% to 70% in the past eight years, connecting more people, increasing speed, and reducing costs. They did this through Internet Exchange Points (IXPs), according to the Internet Society report Anchoring the African Internet Ecosystem: Lessons from Kenya and Nigeria’s Internet Exchange Points Growth.

Between 2012 and 2020, the number of peering networks has grown from 30 to 71 and new exchange platforms have been set up in Abuja, Kano, and Port Harcourt. More networks and more IXPs increased the amount of Internet traffic exchanged in Nigeria from 300 Mbps to peak traffic of 125 Gbps in Lagos.

Muhammed Rudman started the Internet Exchange Point of Nigeria (IXPN) in 2006, when the industry was developing. Most networks did not peer in Nigeria. One major submarine cable, Sat3, offered services across the country with others getting service via VSATs. This meant ninety-nine percent of websites were hosted abroad.

“The terrain was tough,” says Rudman, an IT veteran and founding Chief Executive Officer of IXPN, which is based in Lagos, Nigeria’s largest city. Approaching Internet service providers, he was often asked how many networks were already peering. Without any networks exchanging traffic, he’d often hear, “When you Continue reading

0

BGP Routing Security Discussion on Linkedin

0

Customer Spotlights at AnsibleFest 2020

AnsibleFest 2020 will be here before we know it, and we cannot wait to connect with everyone in October. We have some great content lined up for this year’s virtual experience and that includes some amazing customer spotlights. This year you will get to hear from CarMax, Blue Cross Blue Shield of NC, T-Mobile, PRA International and CEPSA. These customers are using Ansible in a variety of ways, and we hope you connect to their incredible stories of teamwork and transformative automation.

 

Customer Spotlights

Benjamin Blizard, a Network Engineer at T-Mobile, will explore how T-Mobile transformed from a disparate organization with difficulty enforcing standards to a collaborative group of engineers working from repeatable templates and processes. T-Mobile, a major telecommunications provider, uses Ansible Automation Platform to standardize processes across their organization. Ben will show how automation supports T-Mobile’s compliance standards, data integrity, and produces speed and efficiency for network teams. 

 

What Next?

Join us for AnsibleFest 2020 to hear from more customer like T-mobile talk about their automation journey. Make sure to go and register today and check out the session catalog that lists all the content that we have prepared for you this year. We look Continue reading

0

Python Pieces: PyEnv and Venvs

In my last post, we talked about PyEnv and how it can help manage your local Python environments. As it turns out it can also help you manage virtual environments as well! However – pursuing this functionality took me down a rabbit hole that was a bit deeper than expected. The way that PyEnv works causes some behaviors (and on my end assumptions) to change which made me start questioning some of the things that I’ve always just taken for granted. In other words – prepare yourself to go down the rabbit hole with me.

At first glance PyEnv promised the same sort of awesome automagically context switching craziness that we saw previously work with Python versions. However – the virtual environment management implementation with PyEnv felt rather foreign (and maybe a little clunky?) to me. Most notably, as I pointed out in my last post, the .zshrc alias provided to make the auto activation piece work slows down my terminal immensely which is why I omitted using it. A slow terminal is about the worst thing I can think of…

That said – I still think it’s worth reviewing what it can offer so you can Continue reading

0

Introducing Cloudflare Radar

Unlike the tides, Internet use ebbs and flows with the motion of the sun not the moon. Across the world usage quietens during the night and picks up as morning comes. Internet use also follows patterns that humans create, dipping down when people stopped to applaud healthcare workers fighting COVID-19, or pausing to watch their country’s president address them, or slowing for religious reasons.

And while humans leave a mark on the Internet, so do automated systems. These systems might be doing useful work (like building search engine databases) or harm (like scraping content, or attacking an Internet property).

All the while Internet use (and attacks) is growing. Zoom into any day and you’ll see the familiar daily wave of Internet use reflecting day and night, zoom out and you’ll likely spot weekends when Internet use often slows down a little, zoom out further and you might spot the occasional change in use caused by a holiday, zoom out further and you’ll see that Internet use grows inexorably.

And attacks don’t only grow, they change. New techniques are invented while old ones remain evergreen. DDoS activity continues day and night roaming from one victim to another. Automated scanning tools look Continue reading

0

Speeding up HTTPS and HTTP/3 negotiation with… DNS

In late June, Cloudflare's resolver team noticed a spike in DNS requests for the 65479 Resource Record thanks to data exposed through our new Radar service. We began investigating and found these to be a part of Apple’s iOS14 beta release where they were testing out a new SVCB/HTTPS record type.

Once we saw that Apple was requesting this record type, and while the iOS 14 beta was still on-going, we rolled out support across the Cloudflare customer base.

This blog post explains what this new record type does and its significance, but there’s also a deeper story: Cloudflare customers get automatic support for new protocols like this.

That means that today if you’ve enabled HTTP/3 on an Apple device running iOS 14, when it needs to talk to a Cloudflare customer (say you browse to a Cloudflare-protected website, or use an app whose API is on Cloudflare) it can find the best way of making that connection automatically.

And if you’re a Cloudflare customer you have to do… absolutely nothing… to give Apple users the best connection to your Internet property.

Negotiating HTTP security and performance

Whenever a user types a URL in the browser box without specifying a Continue reading

0

The Next Generation of Cognitive Campus Workspaces

Campus networks are undergoing another massive transition in the COVID teleworking era. With this fundamental shift and as administrators consider an interconnected IoT (Internet of Things) environment, the boundary between the office, home, teleworker and user is converging. Security concerns with ever-increasing threat vectors are substantiated. How does one secure an IoT environment and guard against malware and outbreaks? How is the network impacted as some workloads shift to the cloud? Why do we cope with wired and wireless silos? The challenge lies in successfully transitioning the existing siloed campus into an integral data-driven model for clients, users and devices from IoT to cloud with a common experience, while addressing security and availability needs with lower operational costs. These are the key requirements of the third-generation campus evolution as shown in the figure below.

0

The Next Generation of Cognitive Campus Workspaces

Campus networks are undergoing another massive transition in the COVID teleworking era. With this fundamental shift and as administrators consider an interconnected IoT (Internet of Things) environment, the boundary between the office, home, teleworker and user is converging. Security concerns with ever-increasing threat vectors are substantiated. How does one secure an IoT environment and guard against malware and outbreaks? How is the network impacted as some workloads shift to the cloud? Why do we cope with wired and wireless silos? The challenge lies in successfully transitioning the existing siloed campus into an integral data-driven model for clients, users and devices from IoT to cloud with a common experience, while addressing security and availability needs with lower operational costs. These are the key requirements of the third-generation campus evolution as shown in the figure below.