ciso brief

All news with #network security tag

133 articles · page 5 of 7

Amazon VPC IPAM Automates IP Assignments from Infoblox

🔁 AWS announced that Amazon VPC IP Address Manager (IPAM) can now automatically acquire non‑overlapping IP allocations from Infoblox Universal IPAM, reducing the need for manual ticketing between cloud and on‑prem teams. The integration imports allocated ranges into a top‑level AWS IPAM pool and allows organization into regional pools to prevent address conflicts. The feature is available in all Regions where VPC IPAM is supported, excluding AWS China and AWS GovCloud (US); refer to the IPAM documentation and pricing tab for details.

Protective ReRoute: Host-based Network Resilience for Cloud

🛡️ Protective ReRoute (PRR) shifts rapid failure recovery from the network core to endpoints, enabling hosts to detect packet loss or high latency and re-steer traffic onto alternate pre-existing paths. Implemented in Linux (4.20+) and supported in Google Cloud via hypervisor and guest modes, PRR alters packet headers (IPv6 flow-label or overlay outer headers) to request multipath forwarding. In production for five years, it prevents up to 84% of slow-convergence outages and typically restores service in a single-digit multiple of RTT.

From Detection to Response: Confidence and Visibility

🔦 Network visibility is the critical lens that turns detection into decisive action. ESG research cited in the article shows 98% of organizations say visibility helps them move from detection to response faster and with greater confidence. Detection raises the alarm; packet-level investigation reveals scope, lateral movement, and exfiltration so analysts can validate alerts and act precisely. The piece positions NETSCOUT Omnis Cyber Intelligence as a scalable DPI capability that unifies SecOps and NetOps across hybrid and multicloud environments to eliminate blind spots and enable targeted response.

Network Visibility: The Thread Holding Cybersecurity

🔍 ESG research shows that environmental complexity, not malware or phishing, is viewed by most organizations as the primary barrier to effective detection and response. As alerts proliferate and validation can take hours, teams are turning to the one transit every attack must cross — the network — for a reliable, unbiased source of truth. Shared network visibility between SecOps and NetOps, together with continuous packet capture, improves investigation speed and confidence. Vendors such as NETSCOUT Omnis Cyber Intelligence (OCI) deliver alert-independent, packet-level context and deep packet inspection to reduce dwell time and streamline incident response.

Arista and Palo Alto Expand Zero-Trust for Data Centers

🔒 Arista Networks and Palo Alto Networks extended their partnership to deliver a framework for zero-trust inside the data center. The integration pairs Arista’s Multi-Domain Segmentation Services (MSS) fabric and full network visibility with Palo Alto’s next-generation firewall (NGFW) to enable an inspect-once, enforce-many model. CloudVision MSS supports dynamic quarantine and can offload trusted high-bandwidth 'elephant flows' after inspection, while the NGFW triggers hardware line-rate isolation when threats are detected. Unified policy orchestration and Arista Validated Designs (AVD) with AVA automation add network-as-code and CI/CD-friendly deployment so NetOps and SecOps can scale independently.

AWS IoT adds VPC Endpoints and IPv6 Connectivity Support

🔒 AWS has expanded AWS IoT Core, AWS IoT Device Management, and AWS IoT Device Defender to support VPC endpoints via AWS PrivateLink and IPv6 for both VPC and public endpoints. Developers can route data plane operations, management APIs, and credential requests entirely within VPCs, keeping traffic off the public internet. Configuration is available through the AWS Management Console, AWS CLI, and CloudFormation, and the features are GA in all Regions that offer these services.

AWS adds IPv6 for S3 Gateway and Interface VPC Endpoints

🌐 Amazon Web Services now supports IPv6 addresses for AWS PrivateLink Gateway and Interface VPC endpoints for Amazon S3. To enable IPv6 connectivity on new or existing S3 endpoints, set the IP address type to IPv6 or Dualstack; S3 will update route tables for gateway endpoints and provision ENIs with IPv6 for interface endpoints. IPv6 for S3 VPC endpoints is available in all AWS Commercial Regions and AWS GovCloud (US) Regions at no additional cost, and can be configured via the Console, CLI, SDK, or CloudFormation.

Proposed U.S. Ban on TP-Link Routers Raises Concerns

🔍 The U.S. government is weighing a ban on sales of TP‑Link networking gear amid concerns that the company may be subject to Chinese government influence and that its products handle sensitive U.S. data. TP‑Link Systems disputes the claims, says it split from its China-based namesake, and notes many competitors source components from China. The piece highlights industry-wide risks — insecure defaults, outdated firmware, and ISP-deployed devices — and suggests OpenWrt and similar open-source firmware as mitigations for technically capable users.

Integrating Business Continuity and Cybersecurity Strategies

🔐 Executives must treat cybersecurity and business continuity as a unified discipline rather than separate functions. Drawing on six years managing high-availability systems at Amazon, the author warns that attackers increasingly target recovery and backup infrastructure, turning outages into leverage. The article advocates network segmentation, air-gapped and offline backups, and integrated incident-response and recovery testing to protect operations and reputation.

Amazon Cognito User Pools Add AWS PrivateLink Support

🔒 Amazon Cognito user pools now support AWS PrivateLink, enabling private VPC connectivity to manage and authenticate against user pools without traversing the public internet. The enhancement covers user pool management APIs, administrative operations, and sign-in for local Cognito users, but does not support OAuth 2.0 authorization code flow (hosted UI/social logins), client credentials, or federated SAML/OIDC sign-ins via VPC endpoints. It is available in all Regions where Cognito user pools exist except AWS GovCloud (US); creating VPC endpoints will incur AWS PrivateLink charges.

AWS Cloud WAN expands to Thailand, Taipei, New Zealand

📡 AWS Cloud WAN is now available in the AWS Asia Pacific (Thailand), AWS Asia Pacific (Taipei), and AWS Asia Pacific (New Zealand) Regions. Using a central dashboard and policy-driven model, you can connect Amazon VPCs, AWS Transit Gateways, and on-premises locations via AWS Site-to-Site VPN, AWS Direct Connect, or supported SD‑WAN products. The service automatically builds a global network using BGP and provides a consolidated view to monitor network health, security, and performance.

Hunting BGP Zombies: Causes, Effects, and Mitigations

🧟 Cloudflare details 'BGP zombies' — routes that remain in the Default-Free Zone after a withdrawal due to path hunting, delayed processing, or MRAI timers. Through experiments and BYOIP on-demand tests, they show how more-specific withdrawals can trigger loops and long-lived reachability issues, often worse on IPv4. Cloudflare proposes graceful draining, a multi-step BYOIP failover using same-length native announcements, and vendor adoption of RFC9687 to reduce impact.

Converged Security and Networking: The Case for SASE

🔒 Today's complex IT environments — multi-cloud, hybrid work, and AI — have expanded the attack surface, exposing limits of fragmented point solutions. The article argues that unifying networking and security on a natively integrated platform like VersaONE reduces blind spots, enforces consistent policies, and enables real-time threat detection and automated response using built-in AI. With zero trust access and microsegmentation, the platform aims to minimize lateral movement and simplify operations compared with bolt-together or 'platformized' vendor offerings.

Measuring TCP Connection Characteristics at Scale Globally

📊 Cloudflare shares aggregate measurements of TCP connections observed across its global CDN from a uniformly sampled 1% snapshot (Oct 7–15, 2025). The dataset records socket-level metadata via TCP_INFO, SNI, and request counts, limited to gracefully closed connections with at least one HTTP request. Results highlight strong heavy-tailed behavior: most connections are short and small while a minority carry massive volumes, and HTTP/2 shows higher reuse and larger responses than HTTP/1.x.

How We Escaped the Linux Networking Stack for Soft-Unicast

🐟 Cloudflare describes building "fish" (SLATFATF), a service to egress packets using soft-unicast address space and the challenges encountered with the Linux networking stack. They found that conntrack and Netfilter interactions can silently rewrite source ports and break connections, so they evaluated several approaches including Netlink manipulation, TCP_FASTOPEN_CONNECT sockets, and routing fixes. Ultimately they preferred terminating and proxying TCP locally to avoid fragile kernel workarounds, after testing that disabling early demux produced only modest CPU effects.

Detecting CGNAT to Reduce Collateral Damage Globally

🔎 Cloudflare describes a supervised approach to detect large-scale IP sharing — especially CGNAT — to reduce collateral damage from IP-based security controls. They build labeled training data using distributed traceroutes (RIPE Atlas), PTR/WHOIS scraping, and lists of known VPN/proxy exit IPs, then extract per-IP and per-/24 behavioral features. An XGBoost model trained on these features achieves high accuracy, enabling operators to tune rate limits and blocklists with less harm to innocent users, particularly in regions with heavy IP sharing.

Building a High-Performance VPN with Linux for WARP

🛡️ Cloudflare explains how it initially implemented WARP as a Layer‑3 VPN by leveraging the Linux networking stack to egress arbitrary user packets from edge machines. They used a TUN device, nftables/Netfilter rules and the conntrack module to perform NAT, mark flows, and distinguish client traffic from locally‑originated traffic. Core tunnel handling was written in Rust (boringtun/WireGuard) and paired with MASQUE and defense‑in‑depth controls. The approach worked but required one IPv4 address per server, creating a scalability and cost challenge that led them to explore IP sharing.

Lower Your TCO with Check Point's SASE Platform

🔒 Check Point’s SASE offering and its TCO savings calculator explain how consolidating security and networking into a cloud-delivered SASE reduces operational complexity and costs compared with traditional VPN-based architectures. The article explains product, operational and performance savings and quantifies ROI improvements when replacing hardware-heavy VPN backhauling. It highlights benefits such as simplified management, faster time-to-value, improved throughput and reduced exposure to risk for distributed users.

Amazon ElastiCache Adds Dual-Stack IPv6 Service Endpoints

🌐 Amazon ElastiCache now provides dual-stack service endpoints, enabling management of resources over both IPv4 and IPv6. ElastiCache interface VPC endpoints powered by AWS PrivateLink also support dual-stack connectivity. The update, available in all AWS commercial, China, and GovCloud (US) Regions, helps simplify IPv6 migration and compliance without extra charges. This enables staged migrations and modernization while preserving existing IPv4 access.

Google Cloud launches managed DRANET for GKE with A4X Max

🚀 Google Cloud is previewing managed DRANET on GKE, enabling Kubernetes to treat high-performance RDMA network interfaces as schedulable resources. The integration aligns NICs and GPUs by NUMA topology to reduce latency and increase throughput, while abstracting away operational complexity. It launches with the new A4X Max instances to deliver topology-aware networking for large multi-GPU AI workloads. Developers can request specific network interfaces in pod specs and rely on GKE to co-schedule NICs and accelerators, improving utilization and simplifying operations.