Securing the network on the host machine for VMs and/or containers is important!
This presentation shows you how you can prevent ARP spoofing and IP spoofing on the host node.
2. Who am I?
❖ Chief System Architect of Siteground.com
❖ Sysadmin since 1996
❖ Organizer of OpenFest, BG Perl Workshops, LUG-BG and similar :)
❖ Teaching Network Security and Linux System Administration at Sofia University
3. DISCLAIMER
❖ I'll be looking only at the network on the host machine
❖ The only proper way of securing the network between your VMs / containers and the host machine is to know your infrastructure. This includes MAC addresses, IP addresses and their actual location (which host port each one sits behind).
4. ❖ Basic things we have to protect against:
  ARP spoofing
  IP spoofing
  traffic leaking / sniffing
5. KVM networking
❖ What network options does KVM give us?
  vnet (tap) device on the host
  macvtap
  Virtual Distributed Ethernet (VDE)
  Single Root I/O Virtualization (SR-IOV)
  assign a physical device (eth, wlan)
6. KVM networking
❖ What network options does KVM give us?
  NAT
  Routing
  Bridge
  Open vSwitch
  Proxy ARP
7. Container networking
❖ What network options are available for containers?
  macvlan (tap & tun)
  veth pair (routing or NAT)
  VDE (using tap devices)
  move any network device into the container (eth, tun/tap, vlan, wlan, etc.)
18. Attacking the bridged network
❖ ARP poisoning
  VM-1 poisons the ARP cache of the HOST
  VM-1 poisons the ARP cache of VM-2
As simple as (inside VM-1: take over 10.0.0.1 and announce it with unsolicited ARP, which every neighbour on the bridge happily caches):
# ip a a 10.0.0.1/24 dev eth0
# arping -i eth0 -U 10.0.0.1
Can be even easier (tell 10.0.0.1 and 10.0.0.15 that each other's address lives at VM-1's MAC, so VM-1 sits in the middle of both directions):
# arpspoof -i eth0 -t 10.0.0.1 -r 10.0.0.15
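The poisoning above leaves traces on the host: the ARP cache maps the victim's IP to the attacker's MAC, and the bridge's forwarding database may learn the gateway's MAC on a guest port. As an added example, not from the slides, here is a small audit that checks both against an inventory of who is supposed to be where (the "know your MAC, IP and their location" point of the disclaimer). The inventory, the /proc/net/arp snapshot and the `bridge fdb show` output are constructed for the example; the parsers follow the real formats of those two sources, and `audit_live()` runs the same check on a real host.

```python
import re
import subprocess

# Inventory assumed for this example: IP -> (MAC, bridge port it must appear on).
INVENTORY = {
    "10.0.0.1":  ("00:11:22:33:44:01", "eth0"),   # upstream gateway
    "10.0.0.15": ("52:54:00:aa:bb:15", "vnet1"),  # VM-1
    "10.0.0.16": ("52:54:00:aa:bb:16", "vnet2"),  # VM-2
}

# Constructed /proc/net/arp snapshot: VM-1 has poisoned the gateway entry and
# VM-2 has added a second address (10.0.0.98) to its NIC.
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.0.1         0x1         0x2         52:54:00:aa:bb:15     *        br0
10.0.0.15        0x1         0x2         52:54:00:aa:bb:15     *        br0
10.0.0.16        0x1         0x2         52:54:00:aa:bb:16     *        br0
10.0.0.98        0x1         0x2         52:54:00:aa:bb:16     *        br0
10.0.0.99        0x1         0x0         00:00:00:00:00:00     *        br0
"""

# Constructed `bridge fdb show` output: the gateway MAC is also being learned
# on vnet1 (VM-1 is forging the source MAC of its frames).
SAMPLE_FDB = """\
52:54:00:aa:bb:15 dev vnet1 master br0
52:54:00:aa:bb:16 dev vnet2 master br0
00:11:22:33:44:01 dev eth0 master br0
00:11:22:33:44:01 dev vnet1 master br0
33:33:00:00:00:01 dev eth0 self permanent
"""

ATF_COM = 0x2  # /proc/net/arp flag: entry is complete (has a MAC)


def parse_proc_arp(text):
    """Return {ip: mac} for the complete entries of a /proc/net/arp listing."""
    entries = {}
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], int(fields[2], 16), fields[3].lower()
        if flags & ATF_COM:
            entries[ip] = mac
    return entries


def parse_fdb(text):
    """Return {mac: set(ports)} from `bridge fdb show` output, keeping only
    entries learned on/assigned to bridge ports ('self' ones are the bridge's own)."""
    seen = {}
    for line in text.splitlines():
        m = re.match(r"([0-9a-f:]{17}) dev (\S+) master", line.lower())
        if m:
            seen.setdefault(m.group(1), set()).add(m.group(2))
    return seen


def audit(arp, fdb, inventory):
    """Compare live state with the inventory; return a list of findings."""
    findings = []
    for ip, mac in sorted(arp.items()):
        if ip not in inventory:
            findings.append(f"{ip}: not in inventory (answered from {mac})")
        elif inventory[ip][0] != mac:
            findings.append(f"{ip}: expected {inventory[ip][0]}, cache has {mac}")
    by_mac = {}
    for ip, mac in arp.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:                         # one NIC answering for several IPs
            findings.append(f"{mac}: answers for several IPs {sorted(ips)}")
    for ip, (mac, port) in inventory.items():
        for seen_on in fdb.get(mac, set()) - {port}:   # MAC moved to another port
            findings.append(f"{mac} ({ip}, port {port}): learned on {seen_on}")
    return findings


def audit_live(inventory=INVENTORY):
    """Run the audit against this host (needs iproute2's `bridge` command)."""
    with open("/proc/net/arp") as f:
        arp = parse_proc_arp(f.read())
    fdb = parse_fdb(subprocess.run(["bridge", "fdb", "show"], check=True,
                                   capture_output=True, text=True).stdout)
    return audit(arp, fdb, inventory)


if __name__ == "__main__":
    for finding in audit(parse_proc_arp(SAMPLE_ARP), parse_fdb(SAMPLE_FDB), INVENTORY):
        print(finding)
```

Run it from cron or a monitoring agent with the real inventory; on the constructed samples it reports the poisoned gateway entry, the MAC that answers for two IPs (both for the gateway spoof and for the extra address), the unknown address and the gateway MAC showing up on vnet1.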
19. Protecting the bridged network
❖ Preventing ARP poisoning of the HOST
  adding static (permanent) ARP entries, which gratuitous ARP cannot overwrite, on the interface the host actually sends through (the port itself in a routed setup, the bridge device when the host's address is on the bridge):
# ip n a 10.0.0.15 lladdr 01:81:36:ec:05:ee nud permanent dev vnet1
20. Protecting the bridged network
❖ Preventing ARP spoofing towards the VMs/Containers
  configure arptables (GW stands for the gateway's IP and xx:xx:xx:xx:xx:xx for the MAC that source is allowed to use; ARP frames forwarded by the bridge are only seen by arptables when net.bridge.bridge-nf-call-arptables is 1):
# arptables -P OUT DROP
# arptables -A OUT -j ACCEPT -s GW -i eth0 -z xx:xx:xx:xx:xx:xx
# arptables -A OUT -j ACCEPT -s 10.0.0.15 -i vnet1 -z xx:xx:xx:xx:xx:xx
# arptables -A OUT -j ACCEPT -o vnet1
21. Network setup (Using a Bridge)
[diagram: VM-1, LXC-1, VM-2 and LXC-2 attached to the host's bridge br0]
eth0: 10.12.0.12
# brctl show
bridge   bridge id           interfaces
br0      8000.028037ec0200   eth0
                             vnet1
                             vnet2
22. Network setup (Using a Bridge)
eth0: 10.12.0.12
With a plain bridge the host is reachable from every guest:
VM1: ping -c1 10.12.0.12
PING 10.12.0.12 (10.12.0.12) 56(84) bytes of data.
64 bytes from 10.12.0.12: icmp_seq=1 ttl=64 time=0.086 ms
24. Network setup (Using a Bridge)
❖ We now have many options for cutting the guests off from the host:
  we can use bridge vlan filtering
  using ingress policy
  using ebtables
  using namespaces
  ebtables filter (drop all traffic on that interface)
  arptables filter
  iptables filter (drop all traffic on that interface)
  don't forget about IPv6 ☺
25. Network setup (Using a Bridge)
Bridge VLAN filtering: take the bridge device itself (the host side) out of VLAN 1, so frames from the guest ports are no longer delivered to the host's stack while the guests and eth0 keep talking to each other:
# echo 1 > /sys/class/net/br0/bridge/vlan_filtering
# bridge vlan del dev br0 vid 1 self
# bridge vlan show
port     vlan ids
eth0      1 PVID Egress Untagged
vnet1     1 PVID Egress Untagged
vnet2     1 PVID Egress Untagged
br0      None
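A check for the state shown above, as an added example that is not part of the slides: it parses `bridge vlan show` output (the older `vlan ids` and newer `vlan-id` layouts, including continuation lines for ports that carry several VIDs) and reports whether the bridge device still belongs to a VLAN, or a guest port carries anything other than its single untagged PVID. The "after" sample is the slide's own output; the "before" sample is constructed, with a made-up tagged VID 100 on eth0 to exercise continuation lines. `check_live()` runs the same check on a real host.

```python
import subprocess

# Constructed 'before' state: br0 itself is still in VLAN 1 and the uplink
# eth0 additionally carries a (made-up) tagged VID 100 on a continuation line.
BEFORE = """\
port\tvlan ids
eth0\t 1 PVID Egress Untagged
\t 100
vnet1\t 1 PVID Egress Untagged
vnet2\t 1 PVID Egress Untagged
br0\t 1 PVID Egress Untagged
"""

# The state after the two commands on the slide (the slide's own output).
AFTER = """\
port\tvlan ids
eth0\t 1 PVID Egress Untagged
vnet1\t 1 PVID Egress Untagged
vnet2\t 1 PVID Egress Untagged
br0\tNone
"""


def parse_bridge_vlan(text):
    """Return {port: [(vid, flags), ...]} from `bridge vlan show` output.
    A line starting with whitespace continues the previous port's VID list."""
    table, port = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            spec = raw.split()
        else:
            port, *spec = raw.split()
            if port == "port":          # header line ('vlan ids' / 'vlan-id')
                port = None
                continue
            table[port] = []
        if port is not None and spec and spec[0] != "None":
            table[port].append((spec[0], frozenset(spec[1:])))
    return table


def check_isolation(table, bridge="br0", guest_ports=("vnet1", "vnet2")):
    """Problems with the isolation: the bridge device must belong to no VLAN
    (host unreachable from guest ports) and every guest port must carry
    exactly one VLAN, as its untagged PVID (no tagging into other VLANs)."""
    problems = []
    if table.get(bridge):
        vids = [v for v, _ in table[bridge]]
        problems.append(f"{bridge}: host is still a member of VID(s) {vids}")
    for port in guest_ports:
        if port not in table:
            problems.append(f"{port}: not a member of {bridge}")
            continue
        vids = [v for v, _ in table[port]]
        flags = table[port][0][1] if table[port] else frozenset()
        if len(vids) != 1 or not {"PVID", "Untagged"} <= flags:
            problems.append(f"{port}: expected one untagged PVID, has {vids}")
    return problems


def check_live(bridge="br0", guest_ports=("vnet1", "vnet2")):
    """Run the check on this host's bridge (needs iproute2's `bridge` command)."""
    out = subprocess.run(["bridge", "vlan", "show"], check=True,
                         capture_output=True, text=True).stdout
    return check_isolation(parse_bridge_vlan(out), bridge, guest_ports)


if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("after", AFTER)):
        print(name, check_isolation(parse_bridge_vlan(sample)) or "OK")
```

The guest-port rule is what keeps a guest from tagging its way into another VLAN once filtering is on: with exactly one untagged PVID on vnet1, tagged frames from the guest are dropped at the port.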
27. Network setup (Using a Bridge)
ingress filter (the u32 match with a zero mask matches every packet, so everything the host stack receives on br0 is dropped):
# tc qdisc add dev br0 handle ffff: ingress
# tc filter add dev br0 parent ffff: u32 match u8 0 0 action drop
ebtables (drop every frame delivered to the host itself from bridge br0):
# ebtables -A INPUT --logical-in br0 -j DROP
28. Network setup (Using a Bridge)
[diagram: the HOST keeps only eth1; br0 together with eth0, vnet1 and vnet2 lives in a separate network namespace, vm-bridge]
29. Network setup
Moving the whole bridge into its own network namespace, so the host's stack has no interface on that segment at all (interfaces lose their configuration when moved, hence the explicit link set up):
# ip netns add vm-bridge
# ip link set netns vm-bridge eth0
# ip link set netns vm-bridge vnet1
# ip link set netns vm-bridge vnet2
# ip link del dev br0
# ip netns exec vm-bridge brctl addbr br0
# for i in eth0 vnet1 vnet2; do
>   ip netns exec vm-bridge brctl addif br0 $i
>   ip netns exec vm-bridge ip link set up dev $i
> done
# ip netns exec vm-bridge ip link set up dev br0
30. Network setup
Disabling ARP on bridge br0 (the host neither answers nor sends ARP on it):
# ip link set arp off dev br0
# ip l l dev br0
8: br0: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group d
    link/ether 50:54:33:00:00:04 brd ff:ff:ff:ff:ff:ff
31. Network setup (Using a Router)
[diagram: VM-1, LXC-1, VM-2 and LXC-2 each on their own /30 link to the HOST]
VM1: 10.0.0.4/30
VM2: 10.0.0.8/30
HOST: 10.0.0.0/30
32. Network setup (Using a Router)
If you want flexibility, you add a routing protocol
[diagram: BGP speakers bgp1 and bgp2 in the guests, peering with the HOST]
33. Network setup (Using a Router)
If you want flexibility, you add a routing protocol
You now need to protect the BGP speakers from bogus announcements (accept from each guest only the prefixes assigned to it)
34. Protect the HOST
Prevent access to the host node with policy routing: traffic entering from vnet1 is looked up in a table that knows only the upstream default route and the guest itself.
# echo "200 vnet1" >> /etc/iproute2/rt_tables
# ip route add 0/0 via x.x.x.x table vnet1
# ip route add 10.0.0.15 dev vnet1 table vnet1
# ip rule add iif vnet1 table vnet1
# ip rule add oif vnet1 table vnet1
Caveat: the local table is consulted by the rule at preference 0, before any rule added this way, so packets for the host's own addresses are still delivered unless that local lookup is re-added at a lower priority than the vnet1 rules.
35. Prevent spoofing of IPs
Limit the source IPs of all clients (and do the same with ip6tables):
# iptables -P FORWARD DROP
# iptables -A FORWARD -j ACCEPT -i vnet1 -s 10.0.0.15
# iptables -A FORWARD -j ACCEPT -i vnet2 -s 10.0.0.16
With the policy at DROP, traffic towards the guests needs its own ACCEPT rules as well. In a bridged setup the in-interface iptables sees is the bridge, not vnet1, so the physdev match has to be used there; the rules above are for the routed setup.
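The host lockdown on slides 19, 34 and 35 is a handful of commands per guest, which is exactly the kind of thing that drifts when typed by hand. The added example below, not from the slides, generates them from an inventory for the routed setup: it refuses inventories with malformed or group (multicast) MACs and duplicate addresses, pins each guest's neighbour entry, gives each guest port its own routing table, moves the local lookup behind the per-port rules so that guests really cannot reach the host (the caveat on slide 34) and answers the listed host addresses with prohibit instead of routing them upstream, and writes the FORWARD rules in both directions. Interface names, addresses, the table numbers, rule preferences and the 192.0.2.x uplink are assumptions made for the example. It prints the plan by default and only applies it with --apply.

```python
import ipaddress
import re
import shlex
import subprocess
import sys

# Inventory assumed for this example (not from the slides):
# host-side port -> (guest IPv4, guest MAC), one guest per port, routed setup.
INVENTORY = {
    "vnet1": ("10.0.0.15", "52:54:00:aa:bb:15"),
    "vnet2": ("10.0.0.16", "52:54:00:aa:bb:16"),
}
UPLINK, UPSTREAM_GW = "eth0", "192.0.2.1"   # assumed uplink and its next hop
HOST_IPS = ("192.0.2.10",)                 # host addresses guests must not reach

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def validate(inventory):
    """Refuse inventories that cannot describe real guests: malformed or
    group (multicast/broadcast, I/G bit set) MACs, duplicate IPs or MACs."""
    ips, macs = set(), set()
    for port, (ip, mac) in inventory.items():
        ipaddress.IPv4Address(ip)                 # ValueError if not an IPv4 address
        mac = mac.lower()
        if not MAC_RE.match(mac):
            raise ValueError(f"{port}: malformed MAC {mac!r}")
        if int(mac[:2], 16) & 1:
            raise ValueError(f"{port}: {mac} is a group address, not a NIC")
        if ip in ips or mac in macs:
            raise ValueError(f"{port}: duplicate address {ip} / {mac}")
        ips.add(ip)
        macs.add(mac)
    return True


def plan(inventory, uplink=UPLINK, gw=UPSTREAM_GW, host_ips=HOST_IPS, table_base=200):
    """Return the commands, in order, that pin neighbours, route each guest
    port through its own table and limit forwarded source addresses."""
    validate(inventory)
    cmds = []
    for port, (ip, mac) in inventory.items():
        # slide 19: a permanent entry is not overwritten by gratuitous ARP
        cmds.append(["ip", "neigh", "replace", ip, "lladdr", mac.lower(),
                     "nud", "permanent", "dev", port])
    for n, (port, (ip, mac)) in enumerate(inventory.items()):
        table = str(table_base + n)
        # slide 34: the guest's table knows only the uplink and the guest itself
        cmds.append(["ip", "route", "replace", "default", "via", gw, "dev", uplink,
                     "table", table])
        cmds.append(["ip", "route", "replace", ip, "dev", port, "table", table])
        for host_ip in host_ips:
            # host addresses are refused outright rather than sent upstream
            cmds.append(["ip", "route", "replace", "prohibit", host_ip, "table", table])
        cmds.append(["ip", "rule", "add", "iif", port, "lookup", table, "pref", "50"])
    # The local table normally sits at pref 0, ahead of every rule added above;
    # re-add it behind the iif rules, then drop the pref-0 copy (order matters).
    cmds.append(["ip", "rule", "add", "pref", "100", "lookup", "local"])
    cmds.append(["ip", "rule", "del", "pref", "0"])
    # slide 35, plus the return direction the slide leaves implicit
    cmds.append(["iptables", "-P", "FORWARD", "DROP"])
    for port, (ip, mac) in inventory.items():
        cmds.append(["iptables", "-A", "FORWARD", "-i", port, "-s", ip, "-j", "ACCEPT"])
        cmds.append(["iptables", "-A", "FORWARD", "-o", port, "-d", ip, "-j", "ACCEPT"])
    return cmds


def apply(cmds):
    """Run the plan as root; stop at the first failing command."""
    for cmd in cmds:
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    commands = plan(INVENTORY)
    if "--apply" in sys.argv:
        apply(commands)
    else:
        print("\n".join(shlex.join(c) for c in commands))
```

The plan is one-shot: running it twice duplicates the `ip rule add` and `iptables -A` lines, so flush those or diff the printed plan against the running state before applying on a host that already has it.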