Five Great Ideas to Protect Your Data with Minimal Investment

February 27, 2012 — netequalizer

We see quite a bit of investment when it comes to data security. Many solutions are selected on the quantity of threats deterred. Large feature sets, driven by FUD, are exponential in cost, and at some point the price of the security solution will outweigh the benefit. But where do you draw the line?

Note:

1) It is relatively easy to cover 95 percent of the real security threats that can damage a business’s bottom line or reputation.

2) It is totally impossible to completely secure data.

3) The cost for security starts to hockey stick as you push toward the mythical 100 percent secure solution.

For example, let’s assume you can stop 95 percent of potential security breaches with an investment of $10, but it would cost $10 million to achieve 99 percent coverage. What would you do? Obviously you’d stop someplace between 95 and 99 percent coverage. Hence, the point of this post. The tips below are intended to help with the 95 percent rule, what is reasonable and cost effective. You should never be spending more money securing an asset than that asset is worth.

Some real world examples of reducing practical physical risk would be putting life jackets in a watercraft, or an airbag in an automobile. If we took the approach to securing your water craft or automobile with the FUD of data security, everybody would be driving 5 million dollar Abrams tanks, and trout fishing in double hulled aircraft carriers.

Below are some security ideas to protect your data that should greatly reduce your risk at a minimal investment.

1) Use your firewall to block all uninitiated requests from outside the region where you do business.

For example, let’s assume you are a regional medical supply company in the US. What is the likelihood that you will be getting a legitimate inquiry from a customer in China, India, or Africa? Probably not likely at all. Many hackers come in from an IP addresses originating in foreign countries, for this reason you should use your firewall to block any request outside of your region. This type of block will still allow internal users to go out to any Internet address, but will prevent unsolicited requests from outside your area.  The cost to implement such a block is free to very little, yet the security value is huge. According to many of our customers, just doing this simple block can reduce 90 percent of potential intrusions.

2) Have a security expert check your customer facing services for standard weaknesses. For a few hundred dollars, an expert can examine your security holes in just a few hours. A typical security hole often exploited by a hacker is SQL Injection – this is where a hacker inserts an SQL command in your URL or web form to see if the backend code executes the command. If it does, further exploration and exploitation will occur which could result in total system compromise. A good security expert can find most of these holes and make recommendations on how to remedy it in a few hours.

3) Install an IDPS (Intrusion Detection and Prevention System) in between your Internet connection and your data servers. A good IDPS will detect and block suspicious inquiries to your web servers and enterprise. There are even some free systems you can install with a little elbow grease.

4) Lay low, and don’t talk about your security prowess. Hackers are motivated by challenge. There are millions of targets out there and only a very small number of businesses get intentionally targeted with a concerted effort by a human. Focused hacking by a human takes a huge amount of resources and time on the part of the intruder. Without a specific motive to target your enterprise, the automated scripts and robots that crawl the internet will only probe so far and move on. The simple intrusion steps outlined here are very effective against robots and crawlers, but would be much less effective against a targeted intrusion. This is because there are often numerous entry points outside the web application – physical breaches, social engineering, etc.

5) Have an expert monitor your logs and the integrity of your file system. Combining automatic tools with manual review is an excellent line of defense against attack. Many organizations think that installing an automated solution will get them the security they need, but this is not the case. Well known virus scan tools that “analyze your web site for 25,000 vulnerabilities” are really just selling you security theater. While their scanning technology does help in many ways, combining the results of the scans with manual review and analysis is the only way to go if you care about good security. Our security friends at Fiddler on the Root, mentioned above, say they have a 100% success rate in hacking sites scanned with tools like McAfee.

File integrity monitoring is also extremely beneficial. Knowing right away that a file changed on your web server when nothing should have changed is very powerful in preventing an attack. Many attacks develop over time and if you can catch an attack early your chances of preventing its success are much greater.

Posted in Commentary and Editorials, Security. 1 Comment »

What Does it Cost You Per Mbs for Bandwidth Shaping?

February 14, 2012 — netequalizer

Sometimes by using a cost metric you can distill a relatively complicated thing down to a simple number for comparison. For example, we can compare housing costs by Dollars Per Square Foot or the fuel efficiency of cars by using the Miles Per Gallon (MPG) metric.  There are a number of factors that go into buying a house, or a car, and a compelling cost metric like those above may be one factor.   Nevertheless, if you decide to buy something that is more expensive to operate than a less expensive alternative, you are probably aware of the cost differences and justify those with some good reasons.

Clearly this makes sense for bandwidth shaping now more than ever, because the cost of bandwidth continues to decline and as the cost of bandwidth declines, the cost of shaping the bandwidth should decline as well.  After all, it wouldn’t be logical to spend a lot of money to manage a resource that’s declining in value.

With that in mind, I thought it might be interesting to looking at bandwidth shaping on a cost per Mbs basis. Alternatively, I could look at bandwidth shaping on a cost per user basis, but that metric fails to capture the declining cost of a Mbs of bandwidth. So, cost per Mbs it is.

As we’ve pointed out before in previous articles, there are two kinds of costs that are typically associated with bandwidth shapers:

1) Upfront costs (these are for the equipment and setup)

2) Ongoing costs (these are for annual renewals, upgrades, license updates, labor for maintenance, etc…)

Upfront, or equipment costs, are usually pretty easy to get.  You just call the vendor and ask for the price of their product (maybe not so easy in some cases).  In the case of the NetEqualizer, you don’t even have to do that – we publish our prices here.

With the NetEqualizer, setup time is normally less than an hour and is thus negligible, so we’ll just divide the unit price by the throughput level, and here’s the result:

I think this is what you would expect to see.

For ongoing costs you would need to add all the mandatory per year costs and divide by throughput, and the metric would be an ongoing “yearly” per Mbs cost.

Again, if we take the NetEqualizer as an example, the ongoing costs are almost zero.  This is because it’s a turn-key appliance and it requires no time from the customer for bandwidth analysis, nor does it require any policy setup/maintenance to effectively run (it doesn’t use policies). In fact, it’s a true zero maintenance product and that yields zero labor costs. Besides no labor, there’s no updates or licenses required (an optional service contract is available if you want ongoing access to technical support, or software upgrades).

Frankly, it’s not worth the effort of graphing this one. The ongoing cost of a NetEqualizer Support Agreement ranges from $29 (dollars) – $.20 (cents) per Mbs per year. Yet, this isn’t the case for many other products and this number should be evaluated carefully. In fact, in some cases the ongoing costs of some products exceed the upfront cost of a new NetEqualizer!

Again, it may not be the case that the lowest cost per Mbs of bandwidth shaping is the best solution for you – but, if it’s not, you should have some good reasons.

If you shape bandwidth now, what is your cost per Mbs of bandwidth shaping? We’d be interested to know.

If your ongoing costs are higher than the upfront costs of a new NetEqualizer and you’re open to a discussion, you should drop us a note at sales@apconnections.net.

Posted in Bandwidth Management, Business Advice, Commentary and Editorials, ROI. Tags: , , , , , . Leave a Comment »

Music Anti-Piracy in Perspective Once Again

February 11, 2012 — netequalizer

By: Art Reisman

Art Reisman CTO www.netequalizer.com

Art Reisman is the CTO of APconnections. He is Chief Architect on the NetGladiator and NetEqualizer product lines.

I was going to write a commentary story a couple weeks ago when the news broke about the government shut down of the Megaupload site. Before I could get started, one of my colleagues pointed out this new undetectable file sharing tool. Although I personally condemn any kind of software or copyright piracy in any form, all I can say is the media copyright enforcement industry should have known better. They should have known that when you spray a cockroach colony with pesticide, a few will survive and their offspring will be highly resistant.

Here is a brief excerpt from rawstory.com:

The nature of its technology (file sharing technology) is completely decentralized, leaving moderation to the users. Individuals can rename files, flag phony downloads or viruses, create “channels” of verified downloads, and act as nodes that distribute lists of peers across the network.

In the recent U.S. debate over anti-piracy measures, absolutely none of the proposed enforcement mechanisms would affect Tribler: it is, quite literally, the content industry’s worst nightmare come to life.”

Flash back to our 2008 story about how the break up Napster caused the initial wave of P2P. Back in 2001, Napster actually wanted to work on licensing for all their media files, and yet they were soundly rebuked and crushed by industry executives and the legal departments who saw no reason to compromise for fear of undermining their retail media channels. Within a few months of Napster’s demise, decentralized P2P exploded with the first wave of Kazaa, Bearshare and the like.

In this latest round of piracy, decentralized file sharing has dropped off a bit, and consumers started to congregate at centralized depositories again, most likely for the convenience of finding the pirated files they want quickly. And now with the shutting down of these sites, they are scattering again to decentralized P2P. Only this time, as the article points out, we have decentralized P2P on steroids. Perhaps a better name would be P2P 3G or P2P 4G.

And then there was the SOPA Fiasco

The Internet is so much bigger than the Music Industry, and it is a scary thought that the proposed  SOPA laws went as far as they did before getting crushed.

I am going to estimate the economic power of the Internet at 30 trillion dollars. How did I arrive at that number?  Basically that number implies that roughly half the worlds GDP is now tied to the Internet, and I don’t mean just Internet financial transactions for on-line shopping. It is the first place most communication starts for any business. It is as important as railroads, shipping, and trucking combined in terms of economic impact. If you want, we can reduce that number to 10 trillion, 1/6 of the worlds GDP , it does not really matter for the point I am about to make.

The latest figure I could find is that the Music Industry did approximately 15 billion dollars worth of business at their peak before piracy, and has steadily declined since then. There is no denying that the Music Industry has suffered 5 to 6 billion dollars in losses due to on-line piracy in the past few years, however that number is roughly .06 percent of the total positive economic impact of the Internet. Think of a stadium with 1000 people watching a game and one person standing up in front and forcing everybody to stop cheering  so they could watch the game without the bothersome noise. That is the power we are giving to the copyright industry.  We have a bunch of sheep in our Congress running around creating laws to appease a few lobbyists that risk damaging the free enterprise that is the Internet. Risking damage to the only real positive economic driver of the past 10 years. The potential damage to free enterprise by these restrictive overbearing laws is not worth the risk. Again, I am not condoning piracy nor am I against the Music Industry enforcing their laws and going after criminals, but the peanut butter approach to using a morbid congress to recoup their losses is just stupid.  The less regulation we can put on the Internet the more economic impact it will have now and into the future.  These laws and heavy-handed enforcement tactics create unrealistic burdens on operators and businesses and need to be put into perspective. There has to be a more intelligent way to enforce existing laws besides creating a highly-regulated Internet.

Stay tuned for some suggestions in my next article.

Posted in Commentary and Editorials, HEOA/RIAA. 2 Comments »

Seven Things to Look for When Choosing an Intrusion Prevention System

January 23, 2012 — netequalizer

The following list was submitted by the APconnections technical staff.

APconnections is a company that specializes in turn-key bandwidth control and intrusion prevention system (IPS) products.

1) Don’t degrade your network speed. Make sure your IPS system is not going to slow down your network. If you have a T1 or smaller sized network, chances are just about any tool you choose will not slow down your connection; however with links approaching 10 megabits and higher,  it is worth investing in a tool whose throughput speeds can be quantified. Higher speeds generally will require a tool specifically designed and tested as an IPS device and rated for your link speed. Problems can arise if you buy a software add-on module for your web server. A stand-alone physical device specifically designed to prevent intrusion is likely your best option. A good IPS system is very CPU intensive, and lower-end routers, switches, and heavily utilized web servers generally do not have the extra CPU cycles to support an IPS system. For example, IT managers are aware that large web server sites must use multiple servers to handle large volumes of HTTPS pages, which are also CPU intensive.  The same metrics will apply to an IPS system on a smaller scale,  so make sure you are not underpowered.

2) Watch out for high license fees. Try to get a tool with a one-time cost and a small licensing fee. Many vendors sell their equipment below cost with the hopes of getting a monthly fee on per seat license. Yes, you should expect to pay a yearly support fee, but it should be a small fraction of the tool’s original cost.

3) More features is not necessarily better when it comes stopping intrusion from hackers.  You may not realize that large, robust “all-in-one” IPS solutions can be rendered useless by alerting you thousands of times a day, as you will ignore their alerts at that volume.  They can also block legitimate requests (“false positives”), and can break web
functionality. They can also block legitimate requests (“false positives”), and can break web functionality.

You should consider solutions that are not as fully-featured but are targeted to your security concerns, so that you receive meaningful alerts on real potential intrusion attempts.  More features can just introduce clutter, where you are not able to sift through your alerts to find what you really care about.  Also, doing everything can dilute the mission of the toolset, so instead of doing one thing well, it does everything poorly.

Remember, the biggest threat to your enterprise is a person that breaks into your internal systems and attains access to your customer data.  A typical PC virus or Denial of Service (DoS) attack does not pose this type of threat.  Although it may be counter-intuitive to your experience, it is a good idea to make sure you have a solid intrusion detection system before investing in things like virus prevention, web-filters and reporting.  Yes, viruses are a pain and can bring down systems, but the damage will likely not compare in real cost to a hacker that steals your customer records.

4) Block first ask questions later.  An intruder usually behaves oddly when compared to a normal visitor. Your intrusion detection device should block first and ask questions later. It is better to accidentally block a small number of friendlies than to let one hacker into your network. You will get feedback if legitimate visitors are locked out from your website, and it won’t take long to hear from them if your intrusion device is accidentally blocking a friendly visitor.

5) Don’t rely on manpower for detection. Let the device do the work. If you are relying on a reporting system and a human to make a final decision on what to block, you will get hacked. Your device must be automated and on the job 24/7. There is nothing wrong with an analyst doing the follow-up.

6) Use a white knight to expose your security risks. There was an article in the Wall Street Journal today on how anybody can hire a professional hacker. What they failed to mention is that you can also hire a white knight to test your armor and let you know if you have any weaknesses. Most weaknesses are common back doors in web servers that can easily be remedied once exposed by a white knight.

7) Use a combination of techniques. The only way to 100 percent secure your enterprise is to block all outside access, and with the silo mentality of a some security zealots you could end up with this TSA mentality solution if not careful. Given the reality that you must have a public portal for your customers, the next best thing to locking them out is a combination of white knight testing, plugging holes in web servers and entry points and a permanent watch dog intrusion prevention system – this should keep you safe from a hacker.

Some good intrusion prevention links:

Lanner

Checkpoint

NetGladiator  (our product)

Solera Networks

SourceFIRE

Posted in Security. Tags: , , . 1 Comment »

Developing Technology to Detect a Network Hacker

January 21, 2012 — netequalizer

Editors note:  Updated on Feb 1st, 2012.  Our new product, NetGladiator, has been released.  You can learn more about it on the NetGladiator website at www.netgladiator.net or calling us at 303.997.1300 x123.

In a few weeks we will be releasing a product to automatically detect and prevent a web application hacker from breaking into a private enterprise. What follows are the details of how this product was born.  If you are currently seeking or researching intrusion detection & prevention technology, you will find the following quite useful.

Like many technology innovations, our solution resulted from the timely intersection of two technologies.

Technology 1: About one year ago we starting working with a consultant in our local tech community to do some programming work on a minor feature in our NetEqualizer product line. Fiddlerontheroot is the name of their company, and they specialize in ethical hacking. Ethical hacking is the process of deliberately hacking into a high-profile client company with the intention of exposing their weaknesses. The key expertise that they provided was a detailed knowledge of how to hack into a network or website.

Technology 2: Our NetEqualizer technology is well known for providing state-of-the-art bandwidth control. While working with Fiddler on the Root, we realized our toolset could be reconfigured to spot, and thwart, unwanted entry into a network. A key piece to the puzzle would be our long-forgotten Deep Packet Inspection technology. DPI is the frowned upon practice of looking inside data packets traversing the Internet.

An ironic twist to this new product journey was that, due to the privacy controversy, as well as finding a better way to shape bandwidth, we removed all of our DPI methodology from our core bandwidth shaping product four years ago.  Just like with any weapon, there are appropriate uses for DPI. Over a lunch conversation one day, we realized that using DPI to prevent a hacker intrusion was a legitimate use of DPI technology. Preventing an attack is much different from a public ISP scanning and censoring customer data.

So how did we merge these technologies to create a unique heuristics-based IPS system?

Before I answer that question, perhaps you are thinking that revealing our techniques might provide a potential hacker or competitor with inside secrets? More on this later…

The key to using DPI to prevent an intrusion (hack) revolves around 3 key facts:

1) A hacker MUST try to enter your enterprise by exploiting weaknesses in your normal entry points.

2) One of the normal entry points is a web page, and everybody has them. After all, if you had no publicly available data there would be no reason to be attached to the Internet.

3) By using DPI technology to monitor incoming requests and looking for abnormalities, we can now reliably spot unwanted intrusion attempts.

When we met with Fiddler on the Root, we realized that a normal entry by a customer and a probing entry by a hacker are radically different. A hacker attempts things that no normal visitor could even possibly stumble into. In our new solution we have directed our DPI technology to watch for abnormal entry intrusion attempts. This involved months of observing a group of professional hackers and then developing a set of profiles which clearly distinguish them from a friendly user.

What other innovations are involved in a heuristics-based Intrusion Prevention System (IPS)?

Spotting the hacker pattern with DPI was only part of a complete system. We also had to make sure we did not get any false positives – this is the case where a normal activity might accidentally be flagged as an intruder, and this obviously would be unacceptable. In our test lab we have a series of computers that act like users searching the Internet, the only difference is we can ramp these robot users up to hyper-speed so that they access millions of pages over a short period of time. We then measure our “false positive” rate from our simulation and ensure that our false positive rate on intrusion detection is below 0.001 percent.

Our solution, NetGladiator, is different than other IPS appliances.  We are not an “all-in-one solution”, which can be rendered useless by alerting you thousands of times a day, can block legitimate requests, and break web functionality.  We do one thing very well – we catch & stop hackers during their information discovery process – keeping your web applications secure.  NetGladiator is custom-configured for your environment, alerting you on meaningful attempts without false positive alerts.

We also had to dig into our expertise in real-time optimization. Although that sounds like marketing propaganda to impress somebody, we can break that statement down to mean something.

When doing DPI, you must look at and analyze every data stream and packet coming into your enterprise, skipping something might lead to a security breach. Looking at data and analyzing it requires quite a bit more CPU power than just moving it along a network. Many intrusion detection systems are afterthoughts to standard routers and switches. These devices were originally not designed to do computing-intensive heuristics on data. Doing so may slow your network down to a crawl, a common complaint with lower-end affordable security updates. We did not want to force our customers to make that trade-off. Our technology uses a series of processors embedded in our equipment all working in unison to analyze each packet of Internet data without causing any latency. Although we did not invent the idea of using parallel processing for analysis of data, we are the only product in our price range able to do this.

How did we validate and test our IPS solution?

1) We have been putting our systems in front of beta test sites and asking white knights to try to hack into them.

2) We have been running our technology in front of some of our own massive web crawlers. Our crawlers do not attempt anything abnormal but can push through millions of sites and web pages. This is how we test for false positives blocking a web crawler that is NOT attempting anything abnormal.

Back to the question, does divulging our methodology render it easier to breach?

The holes that hackers exploit are relatively consistent – in other words there really is only a finite number of exploitations that hackers use. They can either choose to exploit these holes or not, and if they attempt to exploit the hole they will be spotted by our DPI. Hence announcing that we are protecting these holes is more likely to discourage a hacker, who will then look for another target.

Posted in Security. Tags: , , , . Leave a Comment »

Hacking is Obvious, Why Can’t We Stop Them?

January 12, 2012 — netequalizer

Your website is just like any other business, whether it be a bank or a restaurant or a hardware store, a large majority of visitors are honest and enter with an intent to browse your information or perform a transaction. All legitimate customers follow a similar pattern. They browse your public HTML pages and perhaps interact with public fields and forms displayed on your site. Just like in a brick and mortar store, a normal cyber customer will observe basic rules of etiquette and stay within the boundaries of your web presence.

A hacker, on the other hand, is not likely to behave in any way close to a normal customer. If they did, they would not be very successful. A hacker will pound your website with force looking for a weaknesses. They will probe every nook and cranny of your web server until they find something to exploit. Their entry point could be one of those old orphaned web pages that you do not advertise, or they might create their own hole by inserting an SQL command within a URL. These kind of probes are way out of the ordinary and glaringly out-of-place.

Hacker intrusion is analogous to someone entering a brick and mortar store and proceeding to tip over shelves while scrounging on the floor for spilled documents. Imagine a customer asking rude questions to the sales clerk, and rattling doors off their hinges. At the very least, this behavior in the physical world would prompt a call to the police and a disorderly conduct charge.

So why is hacking so prevalent? Why isn’t the hacker immediately spotted and removed?

In many cases, hackers are detected and blocked, but all it takes is one. Just like my bank that is constantly turning off my credit cards every time I travel, a good business practice would be to err on the side of caution. Even accidentally locking out 1 in 1000 customers from your website is a much better proposition than letting one hacker in. The economic damage from a hacker is typically far worse than a short-term potential 0.1 percent drop in web visits.

In our opinion, there are several reasons why this solvable problem is so prevalent:

1) Broadbase security tools that try to do everything.

Businesses are sold an expensive set of tools that do many things unrelated to intrusion prevention. A tool that removes viruses from e-mails, prevents DOS attacks, or runs the generic firewall, is useful but the investment in a heuristics-based intrusion detection system is often on the light side of the all-in-one. Money spent on the broad-based tool is usually out of proportion with the potential economic damage of a real attack.

For example, you might lose a day of business if a virus gets loose in your enterprise and brings down a few workstations; however, the potential loss of stolen property and the damage to brand reputation that can be wreaked by a hacker is a magnitude above a nuisance virus infecting your laptops.

2) Businesses may not have the resources for an expensive tool, so they use what is at hand as best they can. We can certainly understand cash flow issues and where to spend resources. Look for some breakthroughs in cost with commercial hacker prevention tools in the near-term. A focused tool can be put in place at a reasonable cost, and does not require an IT staff to maintain.

3) Businesses cultures can get hung up on analysis of data, and don’t realize they must trust their security to a computer that makes decisions now. A hacker must be detected and blocked immediately. Many businesses may hesitate to use an automated tool, as it certainly may make a mistake and block a friendly user. However as we have mentioned above, blocking an occasional friendly user can be mitigated. Explaining the loss of 10,000 credit card numbers is hard to recover from.

So how does a good intrusion tool stop a hacker without an army of IT people?

It simply needs to quickly quantify abnormal behavior and block the IP immediately, with no questions asked or any hesitation. There really is no need to wait. The signs of intrusion are so different from a normal customer that you can with 99.99 percent accuracy toss them out before damage is done. In the coming few months we will be introducing a new turn-key product that will work like this.

Won’t the hacker try to subvert a heuristic tool once they suspect it is guarding your site?

Even if the hacker is trying to break through a heuristic based tool, the problem for the hacker is in order to get access to something they are not supposed to have, they will have to do something odd at some point, acting normal won’t cut it, and acting abnormal will get flagged. The tool will alert administrators to suspicious behavior and block the IP address of the malicious user. Now, with their increased alertness, administrators can lock down interfaces, manually review logs, and focus their diligence on the attack at hand.

—————————————————————————————————————————————————-
Editor’s note: update 01/23/2012

A wall street journal article came out today exposing how easy it is to hire  a hacker. If you think about it, the media likes to portray a hacker as some kind of amazing brilliant savant with super human powers. The truth is, tools to hack are readily available, and anybody with a background in computers and suspect moral character can do it. It also supports our premise that stopping a hacker is just a matter of plugging the common holes and entry points.

Editor’s note: update on 02/01/2012
Today APconnections, maker of the NetEqualizer, released a new intrusion prevention system (IPS) product, the NetGladiator, which is designed to detect & prevent network intrusions. You can learn more about NetGladiator at www.netgladiator.net or by calling us at 303.997.1300 x123.

Posted in Security, Topics. Leave a Comment »

Cloud Computing – Do You Have Enough Bandwidth? And a Few Other Things to Consider

December 10, 2011 — netequalizer

The following is a list of things to consider when using a cloud-computing model.

Bandwidth: Is your link fast enough to support cloud computing?

We get asked this question all the time: What is the best-practice standard for bandwidth allocation?

Well, the answer depends on what you are computing.

– First, there is the application itself.  Is your application dynamically loading up modules every time you click on a new screen? If the application is designed correctly, it will be lightweight and come up quickly in your browser. Flash video screens certainly spruce up the experience, but I hate waiting for them. Make sure when you go to a cloud model that your application is adapted for limited bandwidth.

– Second, what type of transactions are you running? Are you running videos and large graphics or just data? Are you doing photo processing from Kodak? If so, you are not typical, and moving images up and down your link will be your constraining factor.

– Third, are you sharing general Internet access with your cloud link? In other words, is that guy on his lunch break watching a replay of royal wedding bloopers on YouTube interfering with your salesforce.com access?

The good news is (assuming you will be running a transactional cloud computing environment – e.g. accounting, sales database, basic email, attendance, medical records – without video clips or large data files), you most likely will not need additional Internet bandwidth. Obviously, we assume your business has reasonable Internet response times prior to transitioning to a cloud application.

Factoid: Typically, for a business in an urban area, we would expect about 10 megabits of bandwidth for every 100 employees. If you fall below this ratio, 10/100, you can still take advantage of cloud computing but you may need  some form of QoS device to prevent the recreational or non-essential Internet access from interfering with your cloud applications.  See our article on contention ratio for more information.

Security: Can you trust your data in the cloud?

For the most part, chances are your cloud partner will have much better resources to deal with security than your enterprise, as this should be a primary function of their business. They should have an economy of scale – whereas most companies view security as a cost and are always juggling those costs against profits, cloud-computing providers will view security as an asset and invest more heavily.

We addressed security in detail in our article how secure is the cloud, but here are some of the main points to consider:

1) Transit security: moving data to and from your cloud provider. How are you going to make sure this is secure?
2) Storage: handling of your data at your cloud provider, is it secure once it gets there from an outside hacker?
3) Inside job: this is often overlooked, but can be a huge security risk. Who has access to your data within the provider network?

Evaluating security when choosing your provider.

You would assume the cloud company, whether it be Apple or Google (Gmail, Google Calendar), uses some best practices to ensure security. My fear is that ultimately some major cloud provider will fail miserably just like banks and brokerage firms. Over time, one or more of them will become complacent. Here is my check list on what I would want in my trusted cloud computing partner:

1) Do they have redundancy in their facilities and their access?
2) Do they screen their employees for criminal records and drug usage?
3) Are they willing to let you, or a truly independent auditor, into their facility?
4) How often do they back-up data and how do they test recovery?

Big Brother is watching.

This is not so much a traditional security threat, but if you are using a free service you are likely going to agree, somewhere in their fine print, to expose some of your information for marketing purposes. Ever wonder how those targeted ads appear that are relevant to the content of the mail you are reading?

Link reliability.

What happens if your link goes down or your provider link goes down, how dependent are you? Make sure your business or application can handle unexpected downtime.

Editors note: unless otherwise stated, these tips assume you are using a third-party provider for resources applications and are not a large enterprise with a centralized service on your Internet. For example, using QuickBooks over the Internet would be considered a cloud application (and one that I use extensively in our business), however, centralizing Microsoft excel on a corporate server with thin terminal clients would not be cloud computing.

Posted in Business Advice, Commentary and Editorials, Security. Tags: , . 1 Comment »

How Safe is The Cloud?

December 7, 2011 — netequalizer

By Zack Sanders, NetEqualizer Guest Columnist

There is no question that cloud-computing infrastructures are the future for businesses of every size. The advantages they offer are plentiful:

  • Scalability – IT personnel used to have to scramble for hardware when business decisions dictated the need for more servers or storage. With cloud computing, an organization can quickly add and subtract capacity at will. New server instances are available within minutes of provisioning them.
  • Cost – For a lot of companies (especially new ones), the prospect of purchasing multiple $5,000 servers (and to pay to have someone maintain them) is not very attractive. Cloud servers are very cheap – and you only pay for what you use. If you don’t require a lot of storage space, you can pay around 1 cent per hour per instance. That’s roughly $8/month. If you can’t incur that cost, you should probably reevaluate your business model.
  • Availability – In-house data centers experience routine outages. When you outsource your data center to the cloud, everything server related is in the hands of industry experts. This greatly increases quality of service and availability. That’s not to say outages don’t occur – they do – just not nearly as often or as unpredictably.

While it’s easy to see the benefits of cloud computing, it does have its potential pitfalls. The major questions that always accompany cloud computing discussions are:

  • “How does the security landscape change in the cloud?” – and
  • “What do I need to do to protect my data?”

Businesses and users are concerned about sending their sensitive data to a server that is not totally under their control – and they are correct to be wary. However, when taking proper precautions, cloud infrastructures can be just as safe – if not safer – than physical, in-house data centers. Here’s why:

  • They’re the best at what they do – Cloud computing vendors invest tons of money securing their physical servers that are hosting your virtual servers. They’ll be compliant with all major physical security guidelines, have up-to-date firewalls and patches, and have proper disaster recovery policies and redundant environments in place. From this standpoint, they’ll rank above almost any private company’s in-house data center.
  • They protect your data internally – Cloud providers have systems in place to prevent data leaks or access by third parties. Proper separation of duties should ensure that root users at the cloud provider couldn’t even penetrate your data.
  • They manage authentication and authorization effectively – Because logging and unique identification are central components to many compliance standards, cloud providers have strong identity management and logging solutions in place.

The above factors provide a lot of piece of mind, but with security it’s always important to layer approaches and be diligent. By layering, I mean that the most secure infrastructures have layers of security components that, if one were to fail, the next one would thwart an attack. This diligence is just as important for securing your external cloud infrastructure. No environment is ever immune to compromise. A key security aspect of the cloud is that your server is outside of your internal network, and thus your data must travel public connections to and from your external virtual machine. Companies with sensitive data are very worried about this. However, when taking the following security measures, your data can be just as safe in the cloud:

  • Secure the transmission of data – Setup SSL connections for sensitive data, especially logins and database connections.
  • Use keys for remote login – Utilize public/private keys, two-factor authentication, or other strong authentication technologies. Do not allow remote root login to your servers. Brute force bots hound remote root logins incessantly in cloud provider address spaces.
  • Encrypt sensitive data sent to the cloud – SSL will take care of the data’s integrity during transmission, but it should also be stored encrypted on the cloud server.
  • Review logs diligently – use log analysis software ALONG WITH manual review. Automated technology combined with a manual review policy is a good example of layering.

So, when taking proper precautions (precautions that you should already be taking for your in-house data center), the cloud is a great way to manage your infrastructure needs. Just be sure to select a provider that is reputable and make sure to read the SLA. If the hosting price is too good to be true, it probably is. You can’t take chances with your sensitive data.

About the author:

Zack Sanders is a Web Application Security Specialist with Fiddler on the Root (FOTR). FOTR provides web application security expertise to any business with an online presence. They specialize in ethical hacking and penetration testing as a service to expose potential vulnerabilities in web applications. The primary difference between the services FOTR offers and those of other firms is that they treat your website like an ACTUAL attacker would. They use a combination of hacking tools and savvy know-how to try and exploit your environment. Most security companies  just run automated scans and deliver the results. FOTR is for executives that care about REAL security.

Posted in Commentary and Editorials, Security. Tags: , . 2 Comments »

How to Speed Up Your Internet Connection with a Bandwidth Controller

October 19, 2011 — netequalizer

slow-internet

It occurred to me today, that in all the years I have been posting about common ways to speed up your Internet, I have never really written a plain and simple consumer explanation dedicated to how a bandwidth controller can speed up your Internet. After all, it seems intuitive, that a bandwidth controller is something an ISP would use to slow down your Internet; but there can be a beneficial side to a bandwidth controller, even at the home-consumer level.

Quite a bit of slow Internet service problems are due to contention on your link to the Internet. Even if you are the only user on the Internet, a simple update to your virus software running in the background can dominate your Internet link. A large download often will cause everything else you try (email, browsing) to come to a crawl.

What causes slowness on a shared link?

Everything you do on your Internet creates a connection from inside your network to the Internet, and all these connections compete for the limited amount of bandwidth which your ISP provides.

Your router (cable modem) connection to the Internet provides first-come, first-serve service to all the applications trying to access the Internet. To make matters worse, the heavier users (the ones with the larger persistent downloads), tend to get more than their fair share of router cycles. Large downloads are like the school yard bully – they tend to butt in line, and not play fair.

So how can a bandwidth controller make my Internet faster?

A smart bandwidth controller will analyze all your Internet connections on the fly. It will then selectively take away some bandwidth from the bullies. Once the bullies are removed, other applications will get much needed cycles out to the Internet, thus speeding them up.

What application benefits most when a bandwidth controller is deployed on a network?

The most noticeable beneficiary will be your VoIP service. VoIP calls typically don’t use that much bandwidth, but they are incredibly sensitive to a congested link. Even small quarter-second gaps in a VoIP call can make a conversation unintelligible.

Can a bandwidth controller make my YouTube videos play without interruption?

In some cases yes, but generally no. A YouTube video will require anywhere from 500kbs to 1000kbs of your link, and is often the bully on the link; however in some instances there are bigger bullies crushing YouTube performance, and a bandwidth controller can help in those instances.

Can a home user or small business with a slow connection take advantage of a bandwidth controller?

Yes, but the choice is a time-cost-benefit decision. For about $1,600 there are some products out there that come with support that can solve this issue for you, but that price is hard to justify for the home user – even a business user sometimes.

Note: I am trying to keep this article objective and hence am not recommending anything in particular.

On a home-user network it might be easier just to police it yourself, shutting off background applications, and unplugging the kids’ computers when you really need to get something done. A bandwidth controller must sit between your modem/router and all the users on your network.

Related Article Ten Things to Consider When Choosing a Bandwidth Shaper.

Posted in Bandwidth Monitoring, Network Speed. Tags: , . 7 Comments »

You May Be the Victim of Internet Congestion

October 9, 2011 — netequalizer

Have you ever had a mysterious medical malady? The kind where maybe you have strange spots on your tongue, pain in your left temple, or hallucinations of hermit crabs at inappropriate times – symptoms seemingly unknown to mankind?

But then, all of a sudden, you miraculously find an exact on-line medical diagnosis?

Well, we can’t help you with medical issues, but we can provide a similar oasis for diagnosing the cause of your slow network – and even better, give you something proactive to do about it.

Spotting classic congested network symptoms:

You are working from your hotel room late one night, and you notice it takes a long time to get connected. You manage to fire off a couple emails, and then log in to your banking website to pay some bills. You get the log-in prompt, hit return, and it just cranks for 30 seconds, until… “Page not found.” Well maybe the bank site is experiencing problems?

You decide to get caught up on Christmas shopping. Initially the Macy’s site is a bit a slow to come up, but nothing too out of the ordinary on a public connection. Your Internet connection seems stable, and you are able to browse through a few screens and pick out that shaving cream set you have been craving – shopping for yourself is more fun anyway. You proceed to checkout, enter in your payment information, hit submit, and once again the screen locks up. The payment verification page times out. You have already entered your credit card, and with no confirmation screen, you have no idea if your order was processed.

We call this scenario, “the cyclical rolling brown out,” and it is almost always a problem with your local Internet link having too many users at peak times. When the pressure on the link from all active users builds to capacity, it tends to spiral into a complete block of all access for 20 to 30 seconds, and then, service returns to normal for a short period of time – perhaps another 30 seconds to 1 minute. Like a bad case of Malaria, the respites are only temporary, making the symptoms all the more insidious.

What causes cyclical loss of Internet service?

When a shared link in something like a hotel, residential neighborhood, or library reaches capacity, there is a crescendo of compound gridlock. For example, when a web page times out the first time, your browser starts sending retries. Multiply this by all the users sharing the link, and nobody can complete their request. Think of it like an intersection where every car tries to proceed at the same time, they crash in the middle and nobody gets through. Additional cars keep coming and continue to pile on. Eventually the police come with wreckers and clear everything out of the way. On the Internet, eventually the browsers and users back off and quit trying – for a few minutes at least. Until late at night when the users finally give up, the gridlock is likely to build and repeat.

What can be done about gridlock on an Internet link?

The easiest way to prevent congestion is to purchase more bandwidth. However, sometimes even with more bandwidth, the congestion might overtake the link. Eventually most providers also put in some form of bandwidth control – like a NetEqualizer. The ideal solution is this layered approach – purchasing the right amount of bandwidth AND having arbitration in place. This creates a scenario where instead of having a busy four-way intersection with narrow streets and no stop signs, you now have an intersection with wider streets and traffic lights. The latter is more reliable and has improved quality of travel for everyone.

For some more ideas on controlling this issue, you can reference our previous article, Five Tips to Manage Internet Congestion.

Posted in Bandwidth Management, Network Capacity, Network Speed. Tags: , . 1 Comment »

Commentary: Is IPv6 Heading Toward a Walled-Off Garden?

September 25, 2011 — netequalizer

In a recent post we highlighted some of the media coverage regarding the imminent demise of the IPv4 address space. Subsequently, during a moment of introspection, I realized there is another angle to the story. I first assumed that some of the lobbying for IPv6 was a hardware-vendor-driven phenomenon; but there seems to be another aspect to the momentum of Ipv6. In talking to customers over the past year, I learned they were already buying routers that were IPv6 ready, but there was no real rush. If you look at a traditional router’s sales numbers over the past couple years, you won’t find anything earth shattering. There is no hockey-stick curve to replace older equipment. Most of the IPv6 hardware sales were done in conjunction with normal upgrade time lines.

The hype had to have another motive, and then it hit me. Could it be that the push to IPv6 is a back-door opportunity for a walled-off garden? A collaboration between large ISPs, a few large content providers, and mobile device suppliers?

Although the initial world of IPv6 day offered no special content, I predict some future IPv6 day will have the incentive of extra content. The extra content will be a treat for those consumers with IPv6-ready devices.

The wheels for a closed off Internet are already in place. Take for example all the specialized apps for the iPhone and iPad. Why can’t vendors just write generic apps like they do for a regular browser? Proprietary offerings often get stumbled into. There are very valid reasons for specialized apps for the iPhone, and no evil intent on the part of Apple, but it is inevitable that as their market share of mobile devices rises, vendors will cease to write generic apps for general web browsers.

I don’t contend that anybody will deliberately conspire to create an exclusively IPv6 club with special content; but I will go so far as to say in the fight for market share, product managers know a good thing when they see it. If you can differentiate content and access on IPv6, you have an end run around on the competition.

To envision how a walled garden might play out on IPv6, you must first understand that it is going to be very hard to switch the world over to IPv6 and it will take a long time – there seems to be agreement on that. But at the same time, a small number of companies control a majority of the access to the Internet and another small set of companies control a huge swatch of the content.

Much in the same way Apple is obsoleting the generic web browser with their apps, a small set of vendors and providers could obsolete IPv4 with new content and new access.

Posted in Commentary and Editorials, IPv6, Net Neutrality. 1 Comment »

Integrating NetEqualizer with Active Directory

August 11, 2011 — netequalizer

By Art Reisman

CTO www.netequalizer.com

I have to admit, that when I see this question posed to one of our sales engineers, I realize our mission of distributing a turn key bandwidth controller will always require a context switch for potential new customers.

It’s not that we can’t tie into Active Directory, we have. The point is that our solution has already solved the customer issue of bandwidth congestion in a more efficient way than divvying up bandwidth per user based on a profile in Active Directory.

Equalizing is the art form of rewarding bandwidth to the real time needs of users at the appropriate time, especially during peak usage hours when bandwidth resources are stretched to their limit. The concept does take some getting used to. A few minutes spent getting comfortable with our methodology will often pay off many times over in comparison to the man hours spent tweaking and fine tuning a fixed allocation scheme.

Does our strategy potentially alienate the Microsoft Shop that depends on Active Directory for setting customized bandwidth restrictions per user ?

Yes, perhaps in some cases it does. However, as mentioned earlier, our mission has always been to solve the business problem of congestion on a network, and equalizing has proven time and again to be the most cost effective in terms of immediate results and low recurring support costs.

Why not support Active Directory integration to get in the door with a new customer ?

Occasionally, we will open up our interface in special cases and integrate with A/D or Radius, but what we have found is that there are a myriad of boundary cases that come up that must be taken care of. For example, synchronizing after a power down or maintenance cycle. Whenever two devices must talk to each other in a network sharing common data, the support and maintenance of the system can grow exponentially. The simple initial requirements of setting a rate limit per user are often met without issue. It is the follow on inevitable complexity and support that violates the nature and structure of our turn-key bandwidth controller. What is the point in adding complexity to a solution when the solution creates more work than the original problem?

See related article on the True Cost of Bandwidth Monitoring.

Posted in Commentary and Editorials, NAC. Tags: , , , . Leave a Comment »

Speeding Up Your Internet Connection Using a TOS Bit

August 10, 2011 — netequalizer

A TOS bit (Type Of Service bit) is a special bit within an IP packet that directs routers to give preferential treatment to selected packets. This sounds great, just set a bit and move to the front of the line for faster service. As always there are limitations.

How does one set a TOS bit?

It seems that only very special enterprise applications, like VoIP PBX’s, actually set and make use of TOS bits. Setting the actual bit is not all that difficult if you have an application that deals with the Network layer, but most commercial applications just send their data on to their local host computer clearing house for data, which in turn, puts the data into IP packets without a TOS bit set. After searching around for a while, I just don’t see any literature on being able to set a TOS bit at the application level. For example, there are several forums where people mention setting the TOS bit in Skype but nothing definitive on how to do it.

However, not to be discouraged, and being the hacker that I am, I could, with some work, make a little module to force every packet leaving my computer or wireless device standard with the TOS bit set. So why not package this up and sell it to the public as an Internet accelerator?

Well before I spend any time on it, I must consider the following:

Who enforces the priority for TOS packets?

This is a function of routers at the edge of your network, and all routers along the path to wherever the IP packet is going. Generally, this limits the effectiveness of using a TOS bit to networks that you control end-to-end. In other words, a consumer using a public Internet connection cannot rely on their provider to give any precedence to TOS bits; hence this feature is relegated to enterprise networks within a business or institution.

Incoming traffic generally cannot be controlled.

The subject of when you can and cannot control a TOS bit does get a bit more involved (pun intended). We have gone over it in more detail in a separate article.

Most of what you do is downloading.

So assuming that your Internet provider did give special treatment to incoming data (which it likely does not), such as video, downloads, and VoIP, the problem with my accelerator idea is that it could only set the TOS bit on data leaving your computer. Incoming TOS bits would have to be set by the sending server.

The moral of the story is that TOS bits that traverse the public Internet don’t have much of a chance in making a difference in your connection speed.

In conclusion, we are going to continue to study TOS bits to see where they might be beneficial and complement our behavior-based shaping (aka “equalizing”) technology.

Posted in Bandwidth Management, Network Speed. Tags: , , , , . 1 Comment »

YouTube Dominates Video Viewership in U.S.

July 29, 2011 — netequalizer

Editor’s Note: Updated July 27th, 2011 with material from www.pewinternet.org:

YouTube studies are continuing to confirm what I’m sure we all are seeing – that Americans are creating, sharing and viewing video online more than ever, this according to a Pew Research Center Internet & American Life Project study released Tuesday.

According to Pew, fully 71% of online Americans use video-sharing sites such as YouTube and Vimeo, up from 66% a year earlier. The use of video-sharing sites on any given day also jumped five percentage points, from 23% of online Americans in May 2010 to 28% in May 2011.  This figure (28%) is slightly lower than the 33% Video Metrix reported in June, but is still significant.

To download or read the fully study, click on this link:  http://pewinternet.org/Reports/2011/Video-sharing-sites/Report.aspx

———————————————————————————————————————————————————

YouTube viewership in May 2011 was approximately 33 percent of video viewed on the Internet in the U.S., according to data from the comScore Video Metrix released on June 17, 2011.

Google sites, driven primarily by video viewing at YouTube.com, ranked as the top online video content property in May with 147.2 million unique viewers, which was 83 percent of the total unique viewers tracked.  Google Sites had the highest number of viewing sessions with more than 2.1 billion, and highest time spent per viewer at 311 minutes, crossing the five-hour mark for the first time.

To read more on the data released by comScore, click here.  comScore, Inc. (NASDAQ: SCOR) is a global leader in measuring the digital world and preferred source of digital business analytics. For more information, please visit www.comscore.com/companyinfo.

This trend further confirms why our NetEqualizer Caching Option (NCO) is geared to caching YouTube videos. While NCO will cache any file sized from 2MB-40MB traversing port 80, the main target content is YouTube.  To read more about the NetEqualizer Caching Option to see if it’s a fit for your organization, read our YouTube Caching FAQ or contact Sales at sales@apconnections.net.

Posted in Caching and Video, News. Tags: , . 1 Comment »

Five More Tips on Testing Your Internet Speed

July 11, 2011 — netequalizer

By Art Reisman

Art Reisman is currently CTO and co-founder of NetEqualizer

Imagine if every time you went to a gas station the meters were adjusted to exaggerate the amount of fuel pumped, or the gas contained inert additives. Most consumers count on the fact that state and federal regulators monitor your local gas station to ensure that a gallon is a gallon and the fuel is not a mixture of water and rubbing alcohol. But in the United States, there are no rules governing truth in bandwidth claims. At least none that we are aware of.

Given there is no standard in regulating Internet speed, it’s up to the consumer to take the extra steps to make sure you’re getting what you pay for. In the past, we’ve offered some tips both on speeding up your Internet connection as well as questions you should ask your provider. Here are some additional tips on how to fairly test your Internet speed.

1. Use a speed test site that mimics the way you actually access the Internet.

Why?

Using a popular speed test tool is too predictable, and your Internet provider knows this. In other words, they can optimize their service to show great results when you use a standard speed test site. To get a better measure of you speed,  your test must be unpredictable. Think of a movie star going to the Oscars. With time to plan, they are always going to look their best. But the candid pictures captured by the tabloids never show quite as well.

To get a candid picture of your providers true throughput, we suggest using a tool such as the speed test utility from M-Lab.

2. Try a very large download to see if your speed is sustained.

We suggest downloading a full Knoppix CD. Most download utilities will give you a status bar on the speed of your download. Watch the download speed over the course of the download and see if the speed backs off after a while.

Why?

Some providers will start slowing your speed after a certain amount of data is passed in a short period, so the larger the file in the test the better. The common speed test sites likely do not use large enough downloads to trigger a slower download speed enforced by your provider.

3. If you must use a standard speed test site, make sure to repeat your tests with at least three different speed test sites.

Different speed test sites use different methods for passing data and results will vary.

4. Run your tests during busy hours — typically between 5 and 9 p.m. — and try running them at different times.

Often times IPs have trouble providing their top advertised speeds during busy hours.

5. Make sure to shut off other activities that use the Internet when you test. 

This includes other computers in your house, not just the computer you are testing from.

Why?

All the computers in your house share the same Internet pipe to your provider. If somebody is watching a Netflix movie while you run your test, the movie stream will skew your results.

Created by APconnections, the NetEqualizer is a plug-and-play bandwidth control and WAN/Internet optimization appliance that is flexible and scalable. When the network is congested, NetEqualizer’s unique “behavior shaping” technology dynamically and automatically gives priority to latency sensitive applications, such as VoIP and email. Click here for a full price list.

Posted in Bandwidth Monitoring, Network Speed. Tags: , . 1 Comment »
« Older posts
Newer posts »