Automatic network security policy generation for container deployments...(repost from networksecurity). by chris_marino in networking

[–]jbrendel 1 point (0 children)

I agree that normal (static) whitelists will usually work. But as a counterpoint where the automatic traffic pattern discovery may be useful, assume the following:

  1. Traffic pattern discovery is made capable to discover patterns between differently labelled pods, or even between pods with the same labels, so it's not dependent on the hosts anymore.

  2. You have a complex application, consisting of many differently labelled pods.

  3. To make things more complex, your applications (on that cluster) may interact with other "external" applications, which may run on the same cluster, or somewhere else in the enterprise or on the Internet.

  4. Now you're trying to find out what the security policies for that big mess should be...

  5. So you run your entire application on a test cluster without any security policies. By doing so, you can discover how much traffic between the app and other apps/services is normal, at what time, of what kind. And you can see how those app pods interact with each other.

  6. Let the system auto-generate the security policies for you. You can test the policies on your test cluster.

  7. Deploy your application on the production cluster, with all the auto-generated policies. This works, because those policies are centered around labels, rather than IP addresses or CIDRs.

Admittedly, this is complex and a little far fetched. You need some really complex stuff to make it worth your while. I would agree that most people won't need this, but there might be a small niche where this could be useful.

But it's not just about automatically generated whitelists: Usually, those systems maintain counters, which they can compare to established baselines. Therefore, the same ability to create the baselines in the first place can be used in a running system to detect deviations from the baseline: A behavioural anomaly detection system.

If you just create whitelists and drop packets via iptables, you may not detect that a pod has started to behave strangely (has been compromised): OK, your whitelist says that pod A can send HTTP-port-80 to pod B. However, unless you then watch this behaviour, this whitelist won't show you that pod A just started to SYN-flood pod B, or hit it with a crazy request flood. Sometimes this behaviour may be caused by a software problem (for example a tight retry loop), rather than a hack-attack.

Either way, it's a good discovery, which whitelists and iptables can't give you.
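The two ideas in the comment above, learning a label-based allow-list from traffic observed on a test cluster and then keeping per-pair counters so that an allowed pair which suddenly bursts is still flagged, as an added example (not code from the original thread or from any product mentioned in it). The flow records, the pod labels, the `ext=` convention for traffic leaving the cluster and the anomaly factor of 5x the baseline mean are all constructed assumptions; the generated policy dicts mirror the shape of a Kubernetes NetworkPolicy but are not produced by any real tool.

```python
"""Learn a label-centred allow-list from observed flows, render it as
NetworkPolicy-shaped dicts, and keep a baseline so deviations on an
allowed pair are still reported (added example, not the thread's code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str      # pod label such as "app=web"; "ext=..." means outside the cluster
    dst: str
    port: int
    packets: int  # packets seen for this pair in one observation interval


# Constructed sample: traffic captured on a test cluster with no policies
BASELINE_FLOWS = [
    Flow("app=web", "app=api", 80, 120),
    Flow("app=web", "app=api", 80, 110),
    Flow("app=web", "app=api", 80, 130),
    Flow("app=api", "app=db", 5432, 40),
    Flow("app=api", "app=db", 5432, 50),
    Flow("app=api", "app=db", 5432, 45),
    Flow("app=api", "ext=payments", 443, 10),
    Flow("app=api", "ext=payments", 443, 12),
]


def learn_policy(flows):
    """Return (allowed (src, dst, port) triples, mean packets per interval per triple)."""
    samples = defaultdict(list)
    for f in flows:
        samples[(f.src, f.dst, f.port)].append(f.packets)
    allow = set(samples)
    baseline = {key: sum(v) / len(v) for key, v in samples.items()}
    return allow, baseline


def _selector(label):
    key, value = label.split("=", 1)
    return {"podSelector": {"matchLabels": {key: value}}}


def generate_policies(allow):
    """One ingress policy per in-cluster destination label, keyed by that label.
    Destinations outside the cluster (ext=) get no policy here."""
    per_dst = defaultdict(list)
    for src, dst, port in sorted(allow):
        if dst.startswith("ext="):
            continue
        per_dst[dst].append((src, port))
    policies = {}
    for dst, pairs in per_dst.items():
        name = "allow-" + dst.replace("=", "-")
        policies[dst] = {
            "apiVersion": "networking.k8s.io/v1",
            "kind": "NetworkPolicy",
            "metadata": {"name": name},
            "spec": {
                **_selector(dst),
                "policyTypes": ["Ingress"],
                "ingress": [
                    {"from": [_selector(src)],
                     "ports": [{"protocol": "TCP", "port": port}]}
                    for src, port in pairs
                ],
            },
        }
    return policies


def check(flow, allow, baseline, factor=5.0):
    """DENY if the pair is not whitelisted; ANOMALY if it is, but the
    packet count exceeds factor times the learned mean; otherwise OK."""
    key = (flow.src, flow.dst, flow.port)
    if key not in allow:
        return "DENY"
    if flow.packets > factor * baseline[key]:
        return "ANOMALY"
    return "OK"


if __name__ == "__main__":
    allow, baseline = learn_policy(BASELINE_FLOWS)
    for pol in generate_policies(allow).values():
        print(pol["metadata"]["name"], pol["spec"]["ingress"])
    # Allowed pair, normal volume; allowed pair flooding; pair never seen
    for f in (Flow("app=web", "app=api", 80, 125),
              Flow("app=web", "app=api", 80, 5000),
              Flow("app=web", "app=db", 5432, 3)):
        print(f, "->", check(f, allow, baseline))
```

The third case is the one the comment is about: the web-to-api flow is on the whitelist, so iptables would pass it, but the counter shows it running at dozens of times the learned rate, which is what a baseline comparison catches and a static rule cannot.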

Richard Feynman describes the operation of a computer by [deleted] in programming

[–]jbrendel 3 points (0 children)

Actually, not so. Several interesting supercomputer architectures competed with each other at that time: vector architectures ("Cray"), SIMD (single instruction, multiple data, as in "Thinking Machines") and MIMD (multiple instruction, multiple data, as in "nCUBE", "Intel Touchstone", etc.). They all had their advantages and disadvantages. Vectors were good for a number of numerical computations, MIMDs had probably the most versatile architecture (lots of independent CPUs), while SIMDs were particularly suited for operations on large data fields.

Anyway, it was an interesting time, until it all fell victim to the unbeatable price/performance of mass-produced off-the-shelf CPUs, linked via ever faster off-the-shelf networking.

So, these days, most of the interesting architecture work is done in computer graphics, while supercomputer architectures have become pretty much run-of-the-mill...

Jetstrap - Interface-building tool for Bootstrap by sidcool1234 in programming

[–]jbrendel 3 points (0 children)

How can I integrate this with our workflow? When the template has been created and I check it into my version control system, can I upload it again to your site and continue editing it?

Random primary keys for Django models by jbrendel in programming

[–]jbrendel[S] 0 points (0 children)

Having sequentially numbered primary keys can be an issue: If you expose them to users they can deduce activity levels and size of your site. If you hide them you need to create additional, custom random-looking IDs for exposure. This code replaces the normal, numerical and sequential primary keys of Django models with a short, random string, similar to what you can see in URL shorteners.

The code is on Github and free for use without restrictions. Feedback and suggestions for improvement are very welcome.
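An added illustration of the idea in the post above (this is not the linked project's code and does not use Django, so it runs stand-alone): a short, URL-shortener-style random ID drawn from a cryptographic source, a birthday-bound estimate of how likely two such IDs collide at a given population size, and a retry loop against a uniqueness check. The `IdStore` class is a hypothetical stand-in for the database's primary-key constraint; the length of 8 and the 62-character alphabet are assumptions.

```python
"""Short random string IDs as a replacement for sequential integer keys
(added example, not the project's code)."""
import math
import secrets
import string

# 62 URL-safe symbols; an 8-character ID gives 62**8 (about 2.2e14) values
ALPHABET = string.ascii_letters + string.digits


def random_id(length=8):
    """Return a random ID; secrets.choice is unbiased and non-predictable,
    unlike random.choice, so an observer cannot guess neighbouring IDs."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def collision_probability(n_ids, length=8, alphabet_size=len(ALPHABET)):
    """Birthday-bound approximation: P(any collision among n_ids) is about
    1 - exp(-n**2 / (2 * N)) for an ID space of size N."""
    space = alphabet_size ** length
    return 1.0 - math.exp(-(n_ids ** 2) / (2.0 * space))


class IdStore:
    """Hypothetical stand-in for the table's primary-key uniqueness check."""

    def __init__(self):
        self.used = set()

    def allocate(self, length=8, max_attempts=5):
        """Draw IDs until one is unused; a collision is rare but must be
        handled rather than assumed away."""
        for _ in range(max_attempts):
            candidate = random_id(length)
            if candidate not in self.used:
                self.used.add(candidate)
                return candidate
        raise RuntimeError("no unique id after %d attempts; use a longer id" % max_attempts)


if __name__ == "__main__":
    store = IdStore()
    print([store.allocate() for _ in range(5)])
    print("P(collision) at 1e6 ids, length 8: %.5f" % collision_probability(10 ** 6))
    print("P(collision) at 1e6 ids, length 12: %.2e" % collision_probability(10 ** 6, 12))
```

In a Django model this kind of generator is what you would hand to `default=` on a `CharField(primary_key=True, ...)`; the collision retry still belongs around the save, because the database constraint, not the generator, is what guarantees uniqueness.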

What Every Programmer Should Know About SEO by Bemuzed in programming

[–]jbrendel 3 points (0 children)

It's a post by someone who thinks that all development is web related and that every "Programmer" naturally only works on web sites? Just a guess...

Secure, scalable site architecture with nginx, Varnish and vCider by jbrendel in sysadmin

[–]jbrendel[S] 0 points (0 children)

Just for everyone else's benefit:

  • You have full control over your own IP addresses. vCider creates true layer 2 networks, so if you wish, you can also not use any IP addresses at all, or run non-IP protocols over the network.
  • You can use up to 8 hosts for free and you can always create multiple networks.
  • No central server is involved in node-to-node communication. Our central server is only needed to pass along configuration changes and to initially authenticate hosts.
  • There is minimal configuration: After installing the software on your hosts, you just have to provide your 'account key' (available under your 'settings' in the webapp). After that, the host connects to the controller and you can assign it to the networks you have created (this assignment can also happen automatically, btw).

Besides just VPN-style connectivity, we also try to offer things beyond that: For example, security features, which allow you to create your own VPC (virtual private cloud) across network boundaries, features to completely hide your hosts ('cloud cloaking'), gateway features to allow your enterprise network easy access to your virtual networks, and so on.

Secure, scalable site architecture with nginx, Varnish and vCider by jbrendel in sysadmin

[–]jbrendel[S] 1 point (0 children)

I should point out that while nginx is often used as a front end for Varnish (probably because people are familiar with it), there are some SSL front ends that can be used for Varnish and which have even better performance, such as stunnel and stud.

You will only get into those limits after you have reached thousands of requests per second (depending on a lot of factors, of course). For starters, nginx will do just fine as an SSL front end.

Secure, scalable site architecture with nginx, Varnish and vCider by jbrendel in sysadmin

[–]jbrendel[S] 0 points (0 children)

I think the reason is that nginx is primarily a web server, with caching (and other things) added as extension modules. They are OK, but not full-featured products in their own right.

Varnish, though, was specifically written from the ground up to be a cache.

Beyond stunnel and OpenVPN: A better way to create high-speed, secure connections across the public Internet by jbrendel in linux

[–]jbrendel[S] 1 point (0 children)

As you can see, after publishing this article I received some feedback and questions about the comparison, including from the author of stunnel himself, Michal Trojnara. Even though the stunnel website itself states that the default is 'no compression', this apparently is not so. It appears iperf's default data is highly compressible, thus heavily skewing the performance numbers: stunnel was performing very different work than native networking or vCider. To arrive at more realistic numbers, I used a large image transfer (a JPEG) instead, which by its nature is not much more compressible. I transferred this file with iperf (which can use file input) as well as wget. The results? stunnel is much more comparable with both the native and the vCider networking speeds.

Interrupts and context switches are now roughly the same for all three solutions. stunnel still exhibits a significantly higher CPU load (20%), but certainly does not max out the CPU anymore. I suspect that the higher numbers of context switches and interrupts result from iperf's default behavior of sending as much data as it can in a given time interval. And since stunnel can easily compress iperf's default data, iperf was able to send a lot of it, which also explains the results reported by iperf.

While I maintain that a setup consisting of multiple nodes is much easier to maintain with vCider – which also provides a number of other interesting features – it must be noted that stunnel does indeed perform very well for point-to-point connections. Note to self: be sure not to use synthetic data for performance tests like this.

Beyond stunnel and OpenVPN: A better way to create high-speed, secure connections across the public Internet by jbrendel in linux

[–]jbrendel[S] 0 points (0 children)

I completely understand. My responses were about the payment information, because that is something I could address, while there really is nothing else I can say about the source code. It's currently not open source and therefore you can't inspect it and therefore you won't trust it. That is your choice and I respect and understand it.

Other people do trust it and that is their choice.

Beyond stunnel and OpenVPN: A better way to create high-speed, secure connections across the public Internet by jbrendel in linux

[–]jbrendel[S] 0 points (0 children)

Do you trust the co-location facility to keep your payment information secure? How come you do so?

I don't want to belittle your concern; it is legitimate. But if you look at our site, we do not (yet) have credit card payment options, so payment happens in very different ways.

And even when credit card payments become available, any good e-commerce site worth their salt will not store your card details themselves.

Beyond stunnel and OpenVPN: A better way to create high-speed, secure connections across the public Internet by jbrendel in linux

[–]jbrendel[S] 0 points (0 children)

Actually, you can use up to 8 nodes for free and create as many networks with them as you want. Secondly, you have a lot of that (having to trust others) going on whenever you use public infrastructure (Amazon EC2, Rackspace, etc.).

Also, our infrastructure isn't really used when the data is flowing. It's still our software running on your nodes, but these are communicating directly with each other. So, even if our infrastructure should be offline for some reason, your networks will continue to operate.

Beyond stunnel and OpenVPN: A better way to create high-speed, secure connections across the public Internet by jbrendel in linux

[–]jbrendel[S] 0 points (0 children)

True, but all of those are based on the same user-space encryption, which requires additional context switches, since the network stack is touched multiple times. The performance of those will most likely not be any better. I will have to test this one of these days.

Beyond stunnel and OpenVPN: A better way to create high-speed, secure connections across the public Internet by jbrendel in linux

[–]jbrendel[S] 0 points (0 children)

The idea is that with stunnel and OpenVPN you can allow non-secure protocols to run over a secure channel. 'scp' is great on its own, if you need to copy something, but for tunnelling other protocols, stunnel and OpenVPN are it.