NetworkingNexus.net

Phased Approach to Securing a Data Center

In the fight against relentless cyberattacks, organizations have long relied on traditional perimeter firewalls to protect sensitive workloads and information in the data center. But today, in the era of distributed applications and hybrid cloud environments, we know that perimeter defenses are not enough to stop cybercriminals.

To improve security postures inside corporate networks — which means protecting against both bad actors who penetrate perimeter defenses and malicious insiders — organizations must monitor, detect, and block hostile east-west (internal) traffic using internal firewalls.

To date, network and security professionals have generally viewed securing east-west traffic as too complex, expensive, and time-consuming for their brownfield, and even greenfield, data centers. At VMware, we agree with that perception: it’s certainly true for organizations trying to detect and prevent the lateral movement of attackers by employing traditional, appliance-based perimeter firewalls as internal firewalls.

There’s a Better Way to Secure the Data Center

Instead of awkwardly forcing appliance-based firewalls to serve as internal firewalls, organizations should employ a distributed, scale-out internal firewall specifically Continue reading

Why I’m Helping Cloudflare Grow in Japan

If you'd like to read this post in Japanese click here.

I’m excited to say that I’ve recently joined the Cloudflare team as Head of Japan. Cloudflare has had a presence in Japan for a while now, not only with its network spanning the country, but also with many Japanese customers and partners which I’m now looking forward to growing with. In this new role, I’m focused on expanding our capabilities in the Japanese market, building upon our current efforts, and helping more companies in the region address and put an end to the technical pain points they are facing. This is an exciting time for me and an important time for the company. Today, I’m particularly eager to share that we are opening Cloudflare’s first Japan office, in Tokyo! I can’t wait to grow the Cloudflare business and team here.

Why Cloudflare?

The web was built 25 years ago. This invention changed the way people connected—to anyone and anywhere—and the way we work, play, live, learn, and on. We have seen this become more and more complex. With complexities come difficulties, such as ensuring security, performance, and reliability while online. Cloudflare is helping to solve these challenges that businesses Continue reading

How CEOs think

Recently, Twitter was hacked. CEOs who read about this in the news ask how they can protect themselves from similar threats. The following tweet expresses our frustration with CEOs, that they don't listen to their own people, but instead want to buy a magic pill (a product) or listen to outside consultants (like Gartner). In this post, I describe how CEOs actually think.

CEO : "I read about that Twitter hack. Can that happen to us?"
Security : "Yes, but ..."
CEO : "What products can we buy to prevent this?"
Security : "But ..."
CEO : "Let's call Gartner."
*sobbing sounds*
— Wim Remes (@wimremes) July 16, 2020

The only thing more broken than how CEOs view cybersecurity is how cybersecurity experts view cybersecurity. We have this flawed view that cybersecurity is a moral imperative, that it's an aim by itself. We are convinced that people are wrong for not taking security seriously. This isn't true. Security isn't a moral issue but simple cost vs. benefits, risk vs. rewards. Taking risks is more often the correct answer rather than having more security.

Rather than experts dispensing unbiased advice, we've become advocates/activists, trying to convince people that Continue reading

EIGRP Behavior with IP Unnumbered

Carl Zellers asked an excellent question on how EIGRP works when run over FlexVPN with IP unnumbered, considering that routers will not be on a common subnet. I thought this was a great question so I took some help from my great friend, the EIGRP guru, Peter Palúch.

First, let’s examine behavior when EIGRP is run on numbered interface. I have built a very simple lab consisting of three routers, R1, R2, and R3, where R1 and R3 are separated by R2. To demonstrate that EIGRP checks that incoming hellos are received on a common subnet, the following simple configurations were applied to R1 and R2:

R1:

interface GigabitEthernet1
 ip address 10.0.0.1 255.255.255.0
!
router eigrp LAB
 !
 address-family ipv4 unicast autonomous-system 64512
  !
  topology base
  exit-af-topology
  network 10.0.0.0 0.0.0.255
 exit-address-family

R2:

interface GigabitEthernet1
 ip address 10.0.1.1 255.255.255.0
!
router eigrp LAB
 !
 address-family ipv4 unicast autonomous-system 64512
  !
  topology base
  exit-af-topology
  network 10.0.1.0 0.0.0.255
 exit-address-family

This results in the well familiar messages on the console:

*Jul 15 08:53:20.966: %DUAL-6-NBRINFO: EIGRP-IPv4 64512: Neighbor 10.0.0.1 (GigabitEthernet1) is blocked: not  Continue reading

Cloudflare outage on July 17, 2020

Today a configuration error in our backbone network caused an outage for Internet properties and Cloudflare services that lasted 27 minutes. We saw traffic drop by about 50% across our network. Because of the architecture of our backbone this outage didn’t affect the entire Cloudflare network and was localized to certain geographies.

The outage occurred because, while working on an unrelated issue with a segment of the backbone from Newark to Chicago, our network engineering team updated the configuration on a router in Atlanta to alleviate congestion. This configuration contained an error that caused all traffic across our backbone to be sent to Atlanta. This quickly overwhelmed the Atlanta router and caused Cloudflare network locations connected to the backbone to fail.

The affected locations were San Jose, Dallas, Seattle, Los Angeles, Chicago, Washington, DC, Richmond, Newark, Atlanta, London, Amsterdam, Frankfurt, Paris, Stockholm, Moscow, St. Petersburg, São Paulo, Curitiba, and Porto Alegre. Other locations continued to operate normally.

For the avoidance of doubt: this was not caused by an attack or breach of any kind.

We are sorry for this outage and have already made a global change to the backbone configuration that will prevent it from being able to occur Continue reading

Technology Short Take 129

Welcome to Technology Short Take #129, where I’ve collected a bunch of links and references to technology-centric resources around the Internet. This collection is (mostly) data center- and cloud-focused, and hopefully I’ve managed to curate a list that has some useful information for readers. Sorry this got published so late; it was supposed to go live this morning!

Note there is a slight format change debuting in this Tech Short Take. Moving forward, I won’t include sections where I have no content to share, and I’ll add sections for content that may not typically appear. This will make the list of sections a bit more dynamic between Tech Short Takes. Let me know if you like this new approach—feel free to contact me on Twitter and provide your feedback.

Now, on to the good stuff!

Networking

Chip Zoller takes a look at Antrea, a new Kubernetes CNI (Container Networking Interface) plugin that leverages Open vSwitch (OVS).
Ivan Pepelnjak has a fantastic article on adapting network design to acommodate automation. This is a great read overall, but one sentence in particular really caught my eye: “30 years ago I was able to write a complete multitasking operating system in Z80 Continue reading

AI startup Graphcore launches Nvidia competitor

A British chip startup has launched what it claims is the world's most complex AI chip, the Colossus MK2 or GC200 IPU (intelligence processing unit). Graphcore is positioning its MK2 against Nvidia's Ampere A100 GPU for AI applications.The MK2 and its predecessor MK1 are designed specifically to handle very large machine-learning models. The MK2 processor has 1,472 independent processor cores and 8,832 separate parallel threads, all supported by 900MB of in-processor RAM. SEE ALSO: Nvidia unleashes new generation of GPU hardwareTo read this article in full, please click here

Dictionary : simplicitarian

Using fancy words gives you credibility.

The post Dictionary : simplicitarian appeared first on EtherealMind.

Heavy Networking 530: Everything You Need To Know About Wireless ISPs

Today's Heavy Networking dives into wireless Internet Service Providers, or WISPs. WISPs typically serve rural areas that have limited access to fiber or copper, but they also serve metro and urban areas and industrial sectors such as energy. Our guests to inform and instruct us about WISPs are Kevin Myers, Senior Network Architect at IP ArchiTechs; and Cory Steele, Senior Consultant at STIGroup.

Heavy Networking 530: Everything You Need To Know About Wireless ISPs

The post Heavy Networking 530: Everything You Need To Know About Wireless ISPs appeared first on Packet Pushers.

The Silver (Peak) Lining For HPE and Cloud

You no doubt saw the news this week that HPE announced that they’re buying Silver Peak for just shy of $1 billion dollars. It’s a good exit for Silver Peak and should provide some great benefits for both companies. There was a bit of interesting discussion around where this fits in the bigger picture for HPE, Aruba, and the cloud. I figured I’d throw my hat in the ring and take a turn discussing it.

Counting Your Chickens

First and foremost, let’s discuss where this acquisition is headed. HPE announced it and they’re the ones holding the purse strings. But the acquisition post was courtesy of Keerti Melkote, who runs the Aruba, a Hewlett Packard Enterprise Company (Aruba) side of the house. Why is that? It’s because HPE “reverse acquired” Aruba and sent all their networking expertise and hardware down to the Arubans to get things done.

I would venture to say that Aruba’s acquisition was the best decision HPE could have made. It gave them immediate expertise in an area they sorely needed help. It gave Aruba a platform to build on and innovate from. And it ultimately allowed HPE to shore up their campus networking story while trying Continue reading

Auto BGP

The NVIDIA® Cumulus Linux 4.2.0 release introduces a nifty new feature called auto BGP, which makes BGP ASN assignment in a two-tier leaf and spine network configuration a breeze. Auto BGP does the work for you without making changes to standard BGP behavior or configuration so that you don’t have to think about which numbers to allocate to your switches. This helps you build optimal ASN configurations in your data center and avoid suboptimal routing and path hunting, which occurs when you assign the wrong spine ASNs.

If you don’t care about ASNs then this feature is for you. But if you do, you can always configure BGP the traditional way where you have control over which ASN to allocate to your switch. What I like about this feature is that you can mix and match; you don’t have to use auto BGP across all switches in your configuration – you can use it to configure one switch but allocate ASN numbers manually to other switches.

So, how does auto BGP assign ASNs?

We use private 32-bit ASN numbers in the range 4200000000 through 4294967294. This is the private space defined in RFC 6996. Each leaf is Continue reading

Weekend Reads 071720

the introduction of ATSC 3.0. This is the newest upgrade to broadcast television and is the first big upgrade since TV converted to all-digital over a decade ago. ATSC 3.0 is the latest standard that’s been released by the Advanced Television Systems Committee that creates the standards used by over-the-air broadcasters. —Doug Dawson

Adjacency to the current set of capabilities provides a disciplined way to think about where to invest next when working to stave off irrelevance. If distribution of runtimes is blocked, competition falters, and adjacent capabilities can go un-addressed. —Alex Russell

One strong message from the 2018 APNIC Survey was that not all organizations are ready to deploy IPv6, therefore, even while promoting IPv6 deployment, APNIC must continue to support access to IPv4 address space. —Vivek Nigam

How can we find a way to gain 80% of the benefits for 20% of the work? Named after Italian economist Vilfredo Pareto, the “Pareto Principle” asserts that for many events, roughly 80% of the effects come from 20% of the causes. Can we identify a Cybersecurity Pareto Principle? We can if security teams concentrate on these six priorities: —Dan Blum

Hypertext Transfer Protocol Secure (HTTPS) is a secure Continue reading

Building a diverse and strong Internet Society Board of Trustees

[Published on behalf of the Internet Society Board of Trustees.]

The Internet Society’s 2020 AGM (Annual General Meeting) is going to be held on the first weekend of August. While the meeting had originally been planned as a face-to-face meeting, the Board decided to turn it into an online meeting instead given the current COVID-19 pandemic.

The AGM is the meeting where we say goodbye to the outgoing trustees. We want to thank them for all their efforts during their terms and wish them good luck in their future endeavours. We are confident they will continue supporting the Internet Society down the road.

The AGM is also the meeting where we welcome the incoming trustees. This year is special because we will be welcoming five new trustees. This represents a significant Board turnover for a Board of twelve voting trustees. Therefore, we are currently running a comprehensive onboarding process to get our new trustees up to speed as efficiently as possible.

As you know, the Board is selected and elected by our community, with the IETF, Organizational Members, and Chapters each independently choosing a third of the Trustees. Next year, at the 2021 AGM, three trustees will be reaching Continue reading

In Africa, An Open Internet Standards Course for Universities

Seventy university students from the Democratic Republic of Congo (DRC), Ethiopia, Kenya, and Ghana gained insights into open Internet standards

Many of the Internet standards that make the Internet work today are developed using open processes. Early exposure to these processes could significantly help future engineers play a role in the evolution of the Internet.

Next Generation of Open Internet Standards Experts in Africa

To expose the next generation of African experts to open Internet standards, the Internet Society put together a short pilot course on Internet Protocol Security (IPSec). IPSec is a technology used to improve communication security between devices on the Internet.

To promote the teaching of open Internet standards in African Universities, the one-month course brought together 70 students from 4 African universities from DRC, Ethiopia, Kenya, and Ghana. The pilot course was designed to provide university lecturers with additional training material to support existing courses at universities.

Facilitators

Technology experts Dr. Daniel Migault, Professor Nabil Benamar, and Loganaden Velvindron facilitated the learning experience. Between March and April 2020, they delivered online lectures for three weeks before opening up a week for student assignments.

The Internet Society’s Regional Vice President for Africa Dawit Bekele said the course Continue reading

Serverless Rendering with Cloudflare Workers

Cloudflare’s Workers platform is a powerful tool; a single compute platform for tasks as simple as manipulating requests or complex as bringing application logic to the network edge. Today I want to show you how to do server-side rendering at the network edge using Workers Sites, Wrangler, HTMLRewriter, and tools from the broader Workers platform.

Each page returned to the user will be static HTML, with dynamic content being rendered on our serverless stack upon user request. Cloudflare’s ability to run this across the global network allows pages to be rendered in a distributed fashion, close to the user, with miniscule cold start times for the application logic. Because this is all built into Cloudflare’s edge, we can implement caching logic to significantly reduce load times, support link previews, and maximize SEO rankings, all while allowing the site to feel like a dynamic application.

A Brief History of Web Pages

In the early days of the web pages were almost entirely static - think raw HTML. As Internet connections, browsers, and hardware matured, so did the content on the web. The world went from static sites to more dynamic content, powered by technologies like CGI, PHP, Flash, CSS, JavaScript, and Continue reading

Social Networking Do’s and Don’ts

In this era of growing technology, social media plays a significant role when it comes to networking. Unlike the traditional practices, social media sites like Facebook and LinkedIn are heavily relied on when it comes to networking. Now these sites are even used to look for the new talent as recruiters use it as a recruitment tool to fill in new positions at their workplaces. Social networking plays an important role in getting to know new people and building strong public relations.

In this article we will cover the Do’s and Don’ts of Social Networking and how you can make the most of it.

The Do’s:

Do Maintain a Proper Profile

Usually people fail to maintain a proper profile on their social media accounts, because they seem to think it is not that important. Wrong! In order to network socially, it is crucial that you have a small but complete and updated profile so that people do not consider you fake or a scam.

Do Add Value

One of the best ways to maintain an online presence that is unique and different is by being visible and by adding value. It is important to get to know people by joining Continue reading

Next Platform TV for July 16, 2020

On today’s program we talk AI chip innovations with Graphcore co-founder and CEO, Nigel Toon, tap into the Barcelona Supercomputing Center to talk Arm server performance, check in with Sandia for brain-inspired computing advances; talk HDD technologies that keep disk relevant, and also discuss RISC-V with the foundation’s CEO. …

Next Platform TV for July 16, 2020 was written by Nicole Hemsoth at The Next Platform.

Counterfeit Cisco switches raise network security alarms

In a disconcerting event for IT security professionals, counterfeit versions of Cisco Catalyst 2960-X Series switches were discovered on an unnamed business network, and the fake gear was found to be designed to circumvent typical authentication procedures, according to a report from F-Secure.F-Secure says its investigators found that while the counterfeit Cisco 2960-X units did not have any backdoor-like features, they did employ various measures to fool security controls. For example, one of the units exploited what F-Secure believes to be a previously undiscovered software vulnerability to undermine secure boot processes that provide protection against firmware tampering. To read this article in full, please click here

Visibility into dropped packets

Dropped packets have a profound impact on network performance and availability. Packet discards due to congestion can significantly impact application performance. Dropped packets due to black hole routes, expired TTLs, MTU mismatches, etc. can result in insidious connection failures that are time consuming and difficult to diagnose.

Devlink Trap describes recent changes to the Linux drop monitor service that provide visibility into packets dropped by switch ASIC hardware. When a packet is dropped by the ASIC, an event is generated that includes the header of the dropped packet and the reason why it was dropped. A hardware policer is used to limit the number of events generated by the ASIC to a rate that can be handled by the Linux kernel. The events are delivered to userspace applications using the Linux netlink service.

Running the dropwatch command line tool on an Ubuntu 20 system demonstrates the instrumentation:

pp@ubuntu20:~$ sudo dropwatch
Initializing null lookup method
dropwatch> set alertmode packet
Setting alert mode
Alert mode successfully set
dropwatch> start
Enabling monitoring...
Kernel monitoring activated.
Issue Ctrl-C to stop monitoring
drop at: __udp4_lib_rcv+0xae5/0xbb0 (0xffffffffb05ead95)
origin: software
input port ifindex: 2
timestamp: Wed Jul 15 23:57:36 2020 223253465 nsec
protocol: 0x800
length: 128
original  Continue reading

« Previous 1 … 913 914 915 916 917 … 3,834 Next »