
All news with #network security tag

133 articles · page 2 of 7

AirSnitch: Cross-Layer Wi-Fi Identity Desynchronization

⚠️ AirSnitch exploits cross-layer identity desynchronization between Layers 1 and 2 to mount full, bidirectional machine-in-the-middle attacks. An attacker on the same SSID, a different SSID, or another segment tied to the same AP can intercept and modify link-layer traffic. The technique affects home, office, and enterprise Wi‑Fi and enables DNS poisoning, credential theft, and exploitation of unpatched flaws.

Dynamic Path MTU Discovery in the Cloudflare One Client

🔧 The Cloudflare One Client now implements Path MTU Discovery to detect and avoid PMTUD black holes that silently drop large encrypted packets. Using active probes over MASQUE (built on Cloudflare’s QUIC library), the client tests packet sizes end-to-end and dynamically adjusts the virtual interface MTU. This non-disruptive background process preserves sessions across shifting networks — for example, when moving from Wi‑Fi to cellular — preventing stalled uploads, calls, or SSH sessions. The feature is available for Windows, macOS, and Linux.

Automatic Return Routing for Overlapping IP Addresses

🔁 Automatic Return Routing (ARR) is a new Cloudflare One feature, released in Closed Beta, that resolves private IP address overlap by tracking flows and returning traffic to the exact tunnel that originated the conversation. Instead of depending on routing-table lookups, ARR uses stateful flow memory to record the originating tunnel and enforce symmetric returns. This approach minimizes the need for VRF or NAT, reducing operational overhead for mergers, extranets, and uniform branch deployments while integrating with Unified Routing and the Apollo userspace hub.

Cloudflare One boosts proxy mode performance with QUIC

🚀 Cloudflare rebuilt the Cloudflare One Client’s proxy mode to use QUIC streams and HTTP/3 CONNECT, removing the prior L4→L3 translation via smoltcp and deprecating WireGuard for proxy mode. The change keeps traffic at Layer 4, enabling native congestion and flow control, transport tunability, and substantially better throughput and latency in internal tests. Administrators should upgrade to minimum client version 2025.8.779.0 and enable MASQUE local proxy mode to benefit from these gains.

AI, Zero Trust and Modern Security Require Visibility

🔍 Modern security frameworks — including AI, automation, and Zero Trust — depend on deep, trustworthy visibility to function effectively. An October 2025 Forrester study commissioned by NETSCOUT reports that 72% and 69% of organizations view NAV and packet-level visibility as essential to threat hunting, detection, and incident response. Omnis Cyber Intelligence offers packet-level fidelity, behavioral analytics, unified hybrid visibility, context-rich metadata, and retrospective investigation to strengthen detection, validation, and safe automation.

GCOT Issues Security and Resilience Principles for 6G

🛡️ The Global Coalition on Telecoms (GCOT) has released voluntary 6G Security and Resilience Principles to guide the early development of next-generation mobile networks. Founded by Australia, Canada, Japan, the UK and the US, and joined by Finland and Sweden at Mobile World Congress 2026, the framework was published with industry partners including AT&T, Ericsson, NVIDIA and Nokia. The guidelines define four security and four resilience objectives—covering containment, confidentiality, integrity, resilience and regulatory compliance—to inform standards, supply-chain practices and network architectures ahead of anticipated 6G rollouts in 2029–2030.

Modernize Networking with Agile, Composable SASE Platform

🚀 Organizations are rethinking the corporate network as perimeter-less and AI-driven, and Cloudflare argues that an agile SASE approach is required to escape legacy fragmentation and operational silos. Cloudflare One is promoted as a composable, single-pass SASE platform built on a global network that runs concurrent security checks to eliminate service-chaining and enable consistent, enforceable policy. This week Cloudflare will publish technical deep-dives across identity, AI-driven signal processing, the autonomous edge, and unified enterprise modernization, and recommends incremental adoption starting with remote access, email protection, DNS filtering, and safe AI governance.

Programmable SASE: Cloudflare Enables Real-Time Policies

🔧 Cloudflare outlines a truly programmable SASE that lets customers run real-time, inline logic at the edge to make decisions rather than just trigger alerts. Beyond basic APIs, webhooks, and Terraform, Cloudflare One and the Developer Platform enable invoking Workers on policy matches to enrich requests, call risk engines, inject headers, and route traffic with millisecond latency. The post describes managed and custom actions, demonstrates an automated device session revocation Worker, and previews deeper integration and custom action support through 2026.

AWS Pricing for VPC Encryption Controls Moves to Paid

🔒 AWS is introducing pricing for VPC Encryption Controls, a regional capability that audits and enforces encryption-in-transit for traffic within and across Virtual Private Clouds. The feature supports Monitor mode to detect unencrypted flows and Enforce mode to prevent the creation or operation of resources that allow unencrypted traffic. Beginning March 1, 2026, AWS will apply a fixed hourly charge to every non-empty VPC with Encryption Controls enabled; empty VPCs enabled with the feature are not charged. When encryption is enabled on a Transit Gateway, standard VPC Encryption Controls charges apply to all VPCs attached to that Transit Gateway regardless of each VPC's mode or whether they are empty.

ASPA Deployment and Roadmap for More Secure Routing

🔒 ASPA (Autonomous System Provider Authorization) introduces cryptographic path validation to reduce route leaks by allowing networks to publish signed lists of authorized upstream providers in RPKI. Unlike ROAs, which verify prefix origins, ASPA validates the AS_PATH and detects routing "valleys" that indicate leaks. Cloudflare Radar now tracks ASPA adoption across RIRs and provides per‑AS visibility so operators can see whether observed upstreams are ASPA‑authorized and monitor changes over time.

Samsung Knox Enhances Mobile Network Security Controls

🔒 Samsung Knox provides built‑in, per‑app network controls, detailed access logs, and a Zero Trust Network Access framework that complements existing VPN deployments. Its firewall supports IPv4/IPv6 filtering, domain and subdomain rules, split DNS tunneling, and context-rich logging (app package, domain/IP, timestamp) to accelerate investigations and reduce false positives. Integrated device health signals and hardware‑backed lockdowns enable dynamic policy enforcement without multiple agents. Certified for SOC 2 and compatible with leading MDM/UEM and SIEM platforms, Knox simplifies deployment while improving visibility for security teams.

Amazon SageMaker Unified Studio adds PrivateLink access

🔒 Amazon SageMaker Unified Studio can now be accessed through AWS PrivateLink, enabling customers to route traffic between their VPC and Unified Studio without traversing the public internet. Network administrators can onboard SageMaker service endpoints to a VPC and combine them with IAM policies to enforce that customer data remains on the AWS network. The capability is available in all Regions that support Unified Studio, giving customers a built-in option for stronger network isolation.

AWS Network Firewall Adds Web Category-Based Filtering

🔍 AWS Network Firewall now provides web category–based filtering and visibility into generative AI (GenAI) application traffic. Administrators can reference pre-defined URL categories—such as GenAI services, social media, and streaming—to allow, block, or log traffic via stateful rule groups. When combined with TLS inspection, the service can inspect full URL paths for granular control. The feature is available across AWS commercial regions.

NETSCOUT Recognized for Leadership in NDR 2025 by Quadrant

🔒 NETSCOUT was named a leader in Quadrant Knowledge Solutions' 2025 SPARK Matrix for Network Detection and Response, emphasizing its packet-level approach to security. Its Omnis Cyber Intelligence platform and proprietary Adaptive Service Intelligence (ASI) apply patented deep packet inspection at scale to produce enriched Layer 2–7 metadata. Continuous packet capture enables retrospective forensics independent of detection, and the vendor promotes a "Visibility Without Borders" model to cover physical, virtual, and cloud environments.

Selective Decryption for Scalable Encrypted DDoS Defense

🔒 Encrypted internet traffic and TLS 1.3 are now the norm, creating inspection blind spots that threat actors exploit to hide DDoS attacks. NETSCOUT’s Arbor Edge Defense (AED) is presented as a selective-decryption, edge-deployed solution that prioritizes blocking suspicious encrypted sessions and decrypts only when validation or deeper analysis is needed. By combining handshake inspection, rate and connection controls, and targeted decryption, AED aims to preserve capacity while improving detection and mitigation of encrypted threats.

Amazon EVS Adds Support for Multiple NSX Tier-0 Gateways

🌐 Amazon EVS now supports deploying multiple VMware NSX Tier-0 Gateways inside an SDDC, enabling enhanced network segmentation and more flexible routing. Multiple Tier‑0 gateways distribute traffic across NSX Edge Clusters to improve performance and scale. Customers can isolate workloads, maintain separate security policies, and conduct upgrades or testing with minimal production impact.

January 22, 2026 IPv6 BGP Route Leak from Miami Data Center

⚠️ On January 22, 2026, an automated routing policy change caused Cloudflare to unintentionally advertise IPv6 routes from a Miami router for 25 minutes. The misconfiguration accepted internal IBGP routes and redistributed them to peers and transit providers, funneling non-Cloudflare traffic into Miami and causing congestion, elevated packet loss, and higher latency on backbone links. Firewall filters on the router discarded around 12 Gbps of ingress traffic for those non-downstream prefixes. Cloudflare paused automation, reverted the change, restored normal operation, and apologized to affected users, customers, and external networks.

Amazon VPC Route Server Expands to 16 More Regions

🟦 Amazon has expanded VPC Route Server to 16 additional AWS Regions, bringing total availability to 30 regions worldwide. The service lets virtual appliances advertise routes using BGP and dynamically update VPC route tables associated with subnets and internet gateways. This expansion broadens deployment choices and helps customers apply consistent dynamic routing across more geographies. It simplifies management of virtual appliances and supports scalable, resilient network architectures.

Amazon VPC Route Server Expands to 16 Additional Regions

🌐 Amazon VPC Route Server is now available in 16 additional AWS Regions, bringing total availability to 30 regions. The service simplifies dynamic routing between virtual appliances by letting those appliances advertise routes via BGP and automatically update VPC route tables for subnets and internet gateways. This expansion broadens regional deployment choices for customers using third-party virtual network appliances and streamlines multi-region and hybrid routing architectures.

CNAME and A Record Order Ambiguity Causes DNS Failures

⚠️ On January 8, 2026, a memory-optimizing change to Cloudflare’s 1.1.1.1 resolver inadvertently reordered DNS answer records, placing CNAMEs after final A/AAAA answers and triggering widespread resolution failures. The bug primarily affected clients that parse answers sequentially—most notably glibc getaddrinfo and certain Cisco switch firmware—resulting in failed lookups and reboot loops in some devices. Cloudflare reverted the change promptly and has drafted an IETF Internet‑Draft to clarify expected answer ordering.