Heavy Networking 535: The ‘What’s On Your Mind?’ Roundtable

Today's Heavy Networking is a roundtable show where a group of engineers tell us what's on their minds. Topics include why EVPN/VXLAN is useful even for small data centers, how to get automation going despite internal constraints, the pros and cons of unique network designs, and tales of how working from home has affected projects, teams, and priorities.

The post Heavy Networking 535: The ‘What’s On Your Mind?’ Roundtable appeared first on Packet Pushers.

Weekend Reads 081420

The CIS Top 20 Critical Security Controls give you a set of steps. Start from the top, and work your down the list, adding layers of security along the way. They start with the basics. Knowing what is changing in your environment and how things are configured are two very basic parts of the 20 Controls.

I have a system with c servers, each of which can only handle a single concurrent request, and has no internal queuing. The servers sit behind a load balancer, which contains an infinite queue. An unlimited number of clients offer c * 0.8 requests per second to the load balancer on average.

Security researchers have discovered more than 400 pieces of vulnerable code inside the Qualcomm Snapdragon digital signal processor (DSP) chip that powers millions of high-end smartphones from Google, Samsung, LG, Xiaomi, OnePlus, and other device manufacturers.

The fundamental technologies for creating digital clones of people — text, audio, and video that sound and look like a specific person — have rapidly advanced and are within striking distance of a future in which digital avatars can sound and act like specific people, Tamaghna Basu, co-founder and chief technology officer of neoEYED, a Continue reading

Is Bandwidth A Precious Resource?

During a recent episode of the Packet Pushers Podcast, Greg and Drew talked about the fact that bandwidth just keeps increasing and we live in a world where the solution to most problems is to just increase the pipeline to the data center or to the Internet. I came into networking after the heady days of ISDN lines everywhere and trying to do traffic shaping on slow frame relay links. But I also believe that we’re going to quickly find ourselves in a pickle when it comes to bandwidth.

Too Depressing

My grandparents were alive during the Great Depression. They remember what it was like to have to struggle to find food or make ends meet. That one singular experience transformed the way they lived their lives. If you have a relative or know of someone that lived through that time, you probably have noticed they have some interesting habits. They may keep lots of cash on hand stored in various places around the house. They may do things like peel labels from jelly jars and use them as cups. They may even go to great lengths to preserve as much as they can for reuse later “just in Continue reading

Why I joined Cloudflare

Why I joined Cloudflare
Why I joined Cloudflare

Customer Service. Business. Growth. While these three make up a large portion of what keeps most enterprise companies operating, they are just the beginning at Cloudflare.

I am excited to share that I have joined Cloudflare as its Chief Customer Officer. Cloudflare has seen explosive growth: we launched only a decade ago and have already amassed nearly 3 million customers and grown from a few 100 enterprise customers to 1000s. Currently, we are at a growth inflection point where more companies are choosing to partner with us and are leveraging our service. We are fortunate to serve these customers with a consistent, high quality experience, no matter where their end-users are located around the world.

But the flare doesn’t stop at performative success

I took this opportunity because Cloudflare serves the world and does what is right over what is easy. Our customers deliver meals to your doors, provide investment and financial advice, produce GPS devices for navigational assistance, and so much more. Our customers span every vertical and industry, as well as every size. By partnering with them, we have a hand in delighting customers everywhere and helping make the Internet better. I am excited to work with them Continue reading

DNS OARC Meeting Notes

In the Internet’s name space the DNS OARC meetings are a case where a concentrated burst of DNS tests the proposition that you just can't have too much DNS! OARC held its latest meeting on the 11th August with four presentations. Here's my thoughts on the material presented at that meeting.

Self-hosted external DNS resolver for Kubernetes

There comes a time in the life of every Kubernetes cluster when internal resources (pods, deployments) need to be exposed to the outside world. Doing so from a pure IP connectivity perspective is relatively easy as most of the constructs come baked-in (e.g. NodePort-type Services) or can be enabled with an off-the-shelf add-on (e.g. Ingress and LoadBalancer controllers). In this post, we’ll focus on one crucial piece of network connectivity which glues together the dynamically-allocated external IP with a static customer-defined hostname — a DNS. We’ll examine the pros and cons of various ways of implementing external DNS in Kubernetes and introduce a new CoreDNS plugin that can be used for dynamic discovery and resolution of multiple types of external Kubernetes resources.

External Kubernetes Resources

Let’s start by reviewing various types of “external” Kubernetes resources and the level of networking abstraction they provide starting from the lowest all the way to the highest level.

One of the most fundamental building block of all things external in Kubernetes is the NodePort service. It works by allocating a unique external port for every service instance and setting up kube-proxy to deliver incoming packets from that port to the one of Continue reading

AI system analyzes code similarities, makes progress toward automated coding

With the rapid advances in artificial intelligence (AI), are we getting to the point when computers will be smart enough to write their own code and be done with human coders? New research suggests we might be getting closer to that milestone.Researchers from MIT and Georgia Tech teamed with Intel to develop an AI engine, dubbed Machine Inferred Code Similarity (MISIM), that's designed to analyze software code and determine how it's similar to other code. What's most interesting is the potential for the system to learn what bits of code do, and then use that intelligence to change how software is written. Ultimately, a human could explain what it wants a software program to do, and then a machine programming (MP) system could come up with a coded app to accomplish it.To read this article in full, please click here

Juniper expands WiFi 6 access point family to support remote workers

Taking aim at helping enterprise customers support tons of remote workers, Juniper this week extended its family of Wi-Fi 6 wireless access points.The access points feature integration with the Juniper Mist Wi-Fi Assurance cloud service to help customers with automated WLAN configuration, anomaly detection, performance and service-level metrics to ultimately make wireless networks more predictable and reliable. Learn about 5G and Wi-Fi 6To read this article in full, please click here

IT employment takes a hit but overall remains healthy

The tech sector is beginning to feel some of the negative hiring impact of the prolonged COVID-19 shutdown, but the overall job field remains a lot healthier than other sectors. That's according to CompTIA's review of the newest Employment Situation Summary from the U.S. Bureau of Labor Statistics.The BLS report covers all sectors, but CompTIA focused on two areas: technology sector employment, which relates to jobs in the tech industry as a whole (people employed by Google, Microsoft, Dell, etc.) and includes both technical and non-technical roles; and IT employment, which covers IT jobs across all sectors of the economy (travel, retail, health care, etc.).To read this article in full, please click here

Cisco CEO to accelerate as-a-service offerings, cut costs $1B-plus

When you think of Cisco, the first thing that comes to mind is switches the size of a refrigerator, but on the company’s Q4 and year-end 2020 earnings call with financial analysts, CEO Chuck Robbins laid out a surprising transformation.For the full fiscal year, the company saw 51% of revenues come from software and services. It had also set out the goal for two-thirds of software sales to be sold as subscription. That rate has now reached 78%.[Get regularly scheduled insights by signing up for Network World newsletters.] And Robbins said Cisco isn’t done there. He says the company is reexamining its entire business model in the wake of changes to the work environment brought on by the COVID-19 pandemic. “We're even looking at how we deliver our traditional networking hardware as a service over time,” he told analysts. And  he said much of it will be available by the end of the calendar year.To read this article in full, please click here

How To Use the Official NGINX Docker Image

NGINX is one of the most popular web servers in the world. Not only is NGINX a fast and reliable static web server, it is also used by a ton of developers as a reverse-proxy that sits in front of their APIs. 

In this tutorial we will take a look at the NGINX Official Docker Image and how to use it. We’ll start by running a static web server locally then we’ll build a custom image to house our web server and the files it needs to serve. We’ll finish up by taking a look at creating a reverse-proxy server for a simple REST API and then how to share this image with your team.

Prerequisites

To complete this tutorial, you will need the following:

NGINX Official Image

The Docker Official Images are a curated set of Docker repositories hosted on Docker Hub that have been scanned for vulnerabilities and are maintained by Docker employees and upstream maintainers.

Official Continue reading

Speed Matters: How Businesses Can Improve User Experience Using Open Standards

A recent report – Milliseconds make Millions – commissioned by Google and published by Deloitte, has shown that mobile website speed has a direct impact on user experience. Reducing latency and increasing load times by just 0.1 second can positively affect conversion rates potentially leading to an increase in net earnings.

Over a four-week period, Deloitte’s research team analyzed mobile web data from 37 retail, travel, luxury, and lead generation brands throughout Europe and the U.S. Results showed that by decreasing load time by 0.1s, the average conversion rate grew by 8% for retail sites and by 10% for travel sites. The team also observed an increase in engagement, page views, and the amount of money spent by website visitors when sites loaded faster.

Multiple studies have consistently shown that faster page load speeds will result in better conversion rates. Akamai’s 2017 Online Retail Performance Report, for example, showed that a 100-millisecond delay in website load time can reduce conversion rates by 7% and that over half (53%) of mobile site visitors will leave a page that takes longer than three seconds to load.

HTTP/2 and IPv6: Faster and More Available

There’s good news: making some Continue reading

Word game: Finding anadromes with Linux

In these stressful times, one way to distract ourselves from the gloom is by playing word games. With this thought in mind, I challenged myself to identify words that, spelled backwards, would still be words.Instead of cheating by doing a simple Google search, I cheated by using my Linux commands skills. So, in this post, we’ll look at how Linux commands and resources can be used to identify such words.Defining the search Before we get started on the Linux search technique, I should point out that what I was looking for were not just palindromes – words like “civic” and “deified” that read the same from left to right as they do right to left. Instead, I was also looking for words like “reward” and “decaf” that turn into different words – in this case, “drawer” and “faced” -- when one reads them backwards.To read this article in full, please click here

Automating Mitigation of the Microsoft (CVE-2020-1350) Security Vulnerability in Windows Domain Name System Using Ansible Tower

On July 14, 2020, a Critical Remote Code Execution (RCE) vulnerability in Windows DNS Server was released that is classified as a ‘wormable’ vulnerability, and has a CVSS base score of 10.0. This issue results from a flaw in Microsoft’s DNS server role implementation and affects all Windows Server versions. Non-Microsoft DNS Servers are not affected.

Updates to this vulnerability are available. However, in some use cases, applying the update quickly might not be practical: in many enterprises, even hotfixes need to run through a series of tests that require time. For such cases, a registry-based workaround is available that also requires restarting the DNS service.  However, doing so manually is time consuming and prone to error, especially if many servers are involved. For customers with the Red Hat Ansible Automation Platform, a playbook has been written to automate the workaround.

 

Background of the vulnerability

The vulnerability is described in CVE-2020-1350

Wormable vulnerabilities have the potential to spread via malware between vulnerable computers without user interaction. Windows DNS Server is a core networking component. While this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address Continue reading

My Journey Towards the Cisco Certified DevNet Specialist – Security by Nick Russo

On 10 August 2020, I took and passed the Automating Cisco Security Solutions (SAUTO) exam on my first attempt. In February of the same year, I passed DEVASC, DEVCOR, and ENAUTO to earn both the CCDevA and CCDevP certifications. You might be wondering why I decided to take another concentration exam. I won’t use this blog to talk about myself too much, but know this: learning is a life-long journey that doesn’t end when you earn your degree, certification, or other victory trinket. I saw SAUTO as an opportunity to challenge myself by leaving my “comfort zone” … and trust me, it was very difficult.

One of the hardest aspects of SAUTO is that it encompasses 12 different APIs spread across an enormous collection of products covering the full spectrum of cyber defense. Learning any new API is difficult as you’ll have to familiarize yourself with new API documentations, authentication/authorization schemes, request/response formats, and various other product nuances. For that reason along, the scope of SAUTO when compared to ENAUTO makes it a formidable exam.

Network automation skills are less relevant in this exam than in DEVASC, DEVCOR, or ENAUTO, as they only account for 10% Continue reading

Enforcing Enterprise Security Controls in Kubernetes using Calico Enterprise

Hybrid cloud infrastructures run critical business resources and are subject to some of the strictest network security controls. Irrespective of the industry and resource types, these controls broadly fall into three categories.

  1. Segmenting environments (Dev, Staging, Prod)
  2. Enforcing zones (DMZ, Trusted, etc.)
  3. Compliance requirements (GDPR, PCI DSS)

Workloads (pods) running on Kubernetes are ephemeral in nature, and IP-based controls are no longer effective. The challenge is to enforce the organizational security controls on the workloads and Kubernetes nodes themselves. Customers need the following capabilities:

  • Ability to implement security controls both globally and on a per-app basis: Global controls help enforce segmentation across the cluster, and work well when the workloads are classified into different environments and/or zones using labels. As long as the labels are in place, these controls will work for any new workloads.
  • Generate alerts if security controls are tampered with: Anyone with valid permissions can make changes to the controls. There is a possibility that these controls can be modified without proper authorization or even with a malicious intent to bypass the security. Hence, it is important to monitor changes to the policies.
  • Produce an audit log showing changes to security controls over time: This is Continue reading
1 908 909 910 911 912 3,841