NetEqualizer News: October 2013

October 2013


Enjoy another issue of NetEqualizer News! This month, we preview our new RTR features (now available in Beta), reveal the location of our next Technical Seminar, discuss enhancements to our caching option, and remind you to get your web applications secured. As always, feel free to pass this along to others who might be interested in NetEqualizer News.

A message from Art…
Art Reisman, CTO – APconnections

Fall is officially here in Boulder, Colorado. In fact, we had our first hard frost (the overnight low was 29 degrees Fahrenheit) on October 4th, pretty much right on schedule, as our fifty year average is October 6th. As we told you in our last newsletter, we have been planning for a late October harvest for our next release. We are right on track to release Software Update 7.5 in late October and have a Beta version of the new features available NOW. If you would like to get a sneak peek at the new features, learn more below about how to get involved in our 7.4 RTR Beta Test.

We love it when we hear back from you – so if you have a story you would like to share with us of how we have helped you, let us know. Email me directly at I would love to hear from you!

2013 Fall Technical Seminar

We are happy to announce the date and time of our 2013 Fall Technical Seminar! Please join our CTO, Art Reisman, at our host site, Western Michigan University, on Tuesday, November 12th, 2013 for a half-day seminar in Kalamazoo, Michigan.

To learn more or register for this FREE technical seminar, sign up here.

Last month we asked for folks to let us know if they would be interested in hosting our next Technical Seminar. We had several people step forward (thank you all!), and from that group, have decided to hold our 2013 Fall Technical Seminar in Michigan.

We think Michigan will be a great place to visit in the fall, and are excited to see the NetEqualizer in action at Western Michigan, a longtime customer who has been using NetEqualizers since early 2008.

If you have any questions regarding the Technical Seminar, contact us at:

We hope to see you there!

NetEqualizer Caching Investment

We have recently partnered with some of the Squid core development team to harden and make our caching the best it can be!

Recent testing with enhancements is showing even better hit ratios for YouTube and other media, resulting in a better caching system for our customers.

The NetEqualizer Caching Option (NCO) is available as an add-on to NetEqualizer systems at additional cost. Caching helps supplement the power of Equalizing by storing high-bandwidth streams locally for internal users. For more information on NCO, click here. If you are interested in adding caching to your system, contact us at:

Planning for 2014: Do You Need to Secure Your Web Applications?

As we near the end of 2013, many of you may be putting together your 2014 plans. If web application security is on your “must have” list for 2014, you might want to take a look at our sister product, the NetGladiator.

We used NetEqualizer’s guiding principles when we developed the NetGladiator: keep it affordable (starting at $3,500 USD), make sure it is easy to set up and maintain, and implement security rules that provide value and make sense without the overkill of most products.

If you would like to learn more, visit our website, take a look at our white paper, or contact us at:

Not sure if you should be thinking about web application security? Take our hacking challenge to see if your web apps are at risk!

RTR Release and Beta Testing!

We are very excited to announce the release of our new Real-Time Reporting (RTR) tool features!

Here are all the cool new reports/features that you will see in Software Update 7.4 (as well as our Beta version):

The first major enhancement you will see is the ability to look at graphs of all traffic going through the NetEqualizer.

This graph will show you your equalizing ratio and when traffic peaked above that threshold as well as minimum and maximum outputs in the given time frame. This will really help you see how often and when traffic is being Equalized from an historical perspective.


The other new features revolve around being able to run reports on each IP in your Active Connections table.

Instead of a static table, you will now see links associated with each IP address.

Click the desired IP address to bring up the reporting interface.


From here, you can do a number of tasks:

1) Look at historical graphs of traffic to and from the given IP address.


2) Look up the country associated with the IP address.
3) Do an NS Lookup of the IP address to see what name server it is associated with.
4) Show all rules for an IP – this interface shows you what rules currently affect the given IP (hard limits, pools, connection limits, etc.).


We are currently in Beta on new RTR Features (7.4 Release with RTR Beta), and would like several more customer participants. If you are interested, please email us at:

so we can see if you are a good fit for the Beta version. We plan to release the new RTR functionality to all customers as Software Update 7.5 in late October.

If you are interested in participating, you need to be current on NSS, and either be on the 7.4 release currently or be willing to upgrade to it. Once on 7.4, we will give you a hot fix to install the new RTR capabilities.

For more information on Software Update 7.4 and our Beta release, click here.

Best Of The Blog

Using OpenDNS on Your Wireless Network to Prevent DMCA Infringements

By Sam Beskur – CTO – Global Gossip

Editor’s Note: APconnections and Global Gossip have partnered to offer a joint hotel service solution, HMSIO. Read our HMSIO service offering datasheet to learn more.

Traffic Filtering with OpenDNS

AUP (Acceptable Use Policy) violations which include DMCA infringements on illegal downloads (P2P, Usenet or otherwise) have been hugely troublesome in many locations where we provide public access WiFi. Nearly all major carriers here in the US now have some form of notification system to alert customers when violations occur and the ones that don’t send notifications are silently tracking this behavior…

Photo Of The Month

“It’s fun to stay at the Y.M.C.A.” (what’s this?)
At APconnections, we like to maintain a good work-life balance – and that includes having fun at the office. While our CTO, Art Reisman, was off running at the gym, we played this little Halloween “trick” on him.

NetEqualizer News: June 2013

June 2013


Enjoy another issue of NetEqualizer News! This month, we preview our new Dynamic Real-Time Reporting Tool, announce our quarterly FlyAway Contest winner, celebrate our 10th Anniversary, and discuss our upcoming Technical Seminar! As always, feel free to pass this along to others who might be interested in NetEqualizer News.

A message from Art…
Art Reisman, CTO – APconnections

Ten years ago this summer I was feverishly developing the original DPI version of the NetEqualizer, and getting ready to release it to customers. It is both humbling and gratifying to be a part of growing my big idea into the company that we are today. If you want to see into the mind of an entrepreneur during start up, you can read all about my journey and how the technology was developed in “The Story of NetEqualizer”, available as a PDF or eBook.

We love it when we hear back from you – so if you have a story you would like to share with us of how we have helped you, let us know. Email me directly at I would love to hear from you!

Software Update 7.1: Dynamic Real-Time Reporting is Here!

We are excited to announce that our built-in version of the Dynamic Real-Time Reporting (RTR) tool is ready for release to all customers on Software Update 7.0+!

One of the things that differentiates the NetEqualizer from other monitoring and shaping tools is that we have the actual data for every user accurately updated by the second.

The reporting tools on most other devices tend to slog along and show you aggregate usage of 5 minute averages. Even the charge back mechanisms that ISPs use to figure out if you are over your allotted bandwidth do 95th percentile sampling – meaning they estimate your usage from sporadic sampling.

One thing we have not been good at, until now, is making this wealth of real data available to the end user in a nice organized usable presentation.

As of this week that is going to change.

In our 7.1 Software Update we have upgraded to a more robust Apache Web server shipping with every system. This has allowed us to take some of the real-time data and offer the administrator some nicer tools. For example, you can:

– View active connections running through your NetEqualizer and search or sort them however you like.
– Figure out the country associated with a specific IP address.
– View the top 10 flows running through your network – those that are using the most bandwidth.


– View the state of all currently penalized flows. See which flows are newly penalized, which have had their penalties increased, and which have had their penalties decreased.


– View, search and sort all running processes to easily spot problems with your device.

Stay tuned to NetEqualizer News for updates on new features!

The RTR tool is free to customers with valid NetEqualizer Software and Support who are running version 7.0+. If you are not current with NSS, contact us today!


toll-free U.S. (888-287-2492),

worldwide (303) 997-1300 x. 103

Fall Technical Seminar

We are starting to plan for our next Technical Seminar!

This popular seminar brings our CTO, Art Reisman, directly to you. In this half day event, Art explores the NetEqualizer technology in detail, and answers your technical questions. We will also be discussing and answering questions about our NetGladiator security appliance! Lunch will be provided to all attendees.

In this Technical Seminar, you will experience the following:
  • Deep dive on NetEqualizer bandwidth shaping
  • Learn how NetEqualizer Caching Option works
  • See the new Software Update (7.1)
  • Walk through a NetEqualizer Live Demo
  • Get your technical questions answered
  • Participate in a brainstorming session on future direction of bandwidth control
  • Learn more about the NetGladiator web application security appliance

Please note that this is NOT a marketing presentation – it is run by & created for techies!

Whether you are an existing customer or just starting to think about bandwidth shaping, come learn more about the NetEqualizer technology and share your experiences with other customers.

We are also currently looking for a location to host the seminar sometime around October of this year. If you or your organization is interested, please contact us at:

And the FlyAway Contest Winner Is…

Every few months, we have a drawing to give away two round-trip domestic airline tickets from Frontier Airlines to one lucky person who’s recently tried out our online NetEqualizer demo.

The time has come to announce this round’s winner.

And the winner is…

Terrence Shipclark of Humber College.

Congratulations, Terrence!

Please contact us within 30 days (by July 17, 2013) at:

to claim your prize!

10 Year Anniversary Celebration – All Summer Long!

We are celebrating 10 years in business this summer, thanks to you, our loyal customers! Our first NetEqualizer sale was a CD version, way back on July 13th, 2003. We have come a long way since then. We have rolled out NetEqualizer appliances to offer a consistent, standard, supportable framework to make it easy for you to own and operate your NetEqualizer.

We have built out our core technology, equalizing behavior-based shaping, and added tons of features along the way – such as our Professional Quota API, CALEA, the NetEqualizer Caching Option (NCO), NetEqualizer Directory Integration (NDI), and a new GUI – just to name a few.

And we have leaped into the web application security world, introducing our NetGladiator IPS appliances last year.

Thousands of installations later, NetEqualizers are deployed across six (6) continents in small and large businesses, universities, schools, libraries, and internet providers.

So, as part of our 10 Year Celebration, we will be donating $25 to one of four charities of the buyer’s choice for each unit sold from now until August 31, 2013. The charities are:

1) United States Fund for UNICEF


2) Habitat for Humanity


3) Doctors Without Borders


4) Global Hunger Project


Contact us today at:


toll-free U.S. (800-918-2763),

worldwide (303) 997-1300 x. 103

Best Of The Blog

CALEA: A Look Back and Forward

By Art Reisman – CTO – APconnections

It has been 4 years since the most recent round of CALEA laws took effect. At the time, our phones rang off the hook for several days with calls from various small ISPs worrying that they were going to be shut down if they did not invest in a large expensive CALEA compliant device.

Implementation of the law was open to interpretation.

Confusion over what CALEA was stemmed from the fact that the CALEA laws themselves do not contain a technical specification. In essence, they are just laws. Suppose the Harvard Law school became the front end design team for all projects in Harvard’s engineering school. Lawyers write laws, not engineering specifications. And so it was with CALEA: Congress wrote a well-intended law, but the implementation and enforcement part had to be interpreted. The FBI took the lead and wrote an extremely detailed specification as to what they wanted. The specification covered every scenario possible and thus the scope was costly to implement. Vendors willingly took the complex FBI specification to heart as part of the actual law, and built out high dollar CALEA certified devices. As vendors will do, their sales teams ran with it as gospel and spread fear in order to sell expensive equipment with large margins. Fortunately calmness prevailed at some point, and the FBI consultants worked with us and some of the smaller ISPs on a reasonable scaled down version of their CALEA requirements.

Ironically, even the current law has now become problematic for the FBI and they are requesting additional requirements.

The complexity of implementing the new CALEA laws is a reflection of the way we communicate with the Internet.

Prior to the Internet, the wire tap precedent for old phone systems was much simpler to implement. And, I suspect this simplicity played a role in the surprise confusion implementing an updated law. Historically a wire tap was just a matter of arriving at the central office with a search warrant and a tapping device, a wire splice, then listening in on a customer phone call. The transition of the law to implementation was fairly obvious…

Photo Of The Month

World Series of Poker – Las Vegas, Nevada
Each summer, thousands of poker players from all over the world descend on the desert oasis of Las Vegas, Nevada for the World Series of Poker. The WSOP consists of over 50 bracelet events and culminates in a Main Event that annually turns out to be the biggest tournament of the year. This picture was taken recently by a staff member who is staying in Vegas for the summer and participating in some of the events.

APconnections 10 Year Anniversary Celebration – All Summer Long!

We are celebrating 10 years in business this summer, thanks to you, our loyal  customers!  Our first NetEqualizer sale was a CD version, way back on July 13th, 2003.  As part of APconnections’ 10 Year Celebration, we will be donating $25 to one of four charities of the buyer’s choice for each NetEqualizer or NetGladiator sold from now until August 31, 2013.

We selected charities that are all rated B+ or above by CharityWatch. The charities operate on a global basis (like us!) and focus on one of the following: International Relief & Development, Homelessness & Housing, or Hunger. While we may not have picked your favorite charity, we hope that you agree that these are all worthy causes!

When you place a purchase order between now and August 31st, 2013, you will be asked to pick the charity of your choice for each unit purchased.

The charities, along with descriptions of their mission/vision from their websites are as follows.  You can visit their websites by clicking on their logos or the displayed link:

1) United States Fund for UNICEF
The United Nations Children’s Fund (UNICEF) works in more than 190 countries and territories to save and improve children’s lives, providing health care and immunizations, clean water and sanitation, nutrition, education, emergency relief and more. The U.S. Fund for UNICEF supports UNICEF’s work through fundraising, advocacy and education in the United States. Together, we are working toward the day when ZERO children die from preventable causes and every child has a safe and healthy childhood.

2) Habitat for Humanity    http://www.habitat.org
Habitat for Humanity believes that every man, woman and child should have a decent, safe and affordable place to live. We build and repair houses all over the world using volunteer labor and donations. Our partner families purchase these houses through no-profit, no-interest mortgage loans or innovative financing methods.

3) Doctors Without Borders
Doctors Without Borders/Médecins Sans Frontières (MSF) works in nearly 70 countries providing medical aid to those most in need regardless of their race, religion, or political affiliation.

4) Global Hunger Project
The Hunger Project (THP) is a global, non-profit, strategic organization committed to the sustainable end of world hunger. In Africa, South Asia and Latin America, THP seeks to end hunger and poverty by empowering people to lead lives of self-reliance, meet their own basic needs and build better futures for their children.

Thank you for all your support over our first 10 years, we truly appreciate your business! 

We look forward to working with all of you for many more years. 

NetEqualizer News: December 2012

December 2012


Enjoy another issue of NetEqualizer News! This month, we preview feature additions to NetEqualizer coming in 2013, offer a special deal on web application security testing for the Holidays, and remind NetEqualizer customers to upgrade to Software Update 6.0. As always, feel free to pass this along to others who might be interested in NetEqualizer News.

A message from Art…
Art Reisman, CTO – APconnections

This month’s picture is from Parent’s Night for my daughter’s volleyball team. In December, as I get ready for the Holidays, I often think about what is important to me – like family, friends, my health, and how I help to run this business. While pondering these thoughts, I came up with some quotes that have meaning to me, which I am sharing here. I hope you enjoy them, or that they at least get you thinking about what is important to you!

“Technology is not what has already been done.”
“Following too closely ruins the journey.”
“Innovation is not a democratic endeavor.”
“Time is not linear, it just appears that way most of the time.”

What are your favorite quotes? We love it when we hear back from you – so if you have a quote or a story you would like to share with us of how we have helped you, let us know. Email me directly at I would love to hear from you!

NetEqualizer: Coming in 2013

We are always looking to improve our NetEqualizer product line such that our customers are getting maximum value from their purchase. Part of this process is brainstorming changes and additional features to adapt and help meet that need.

Here are a couple of ideas for changes to NetEqualizer that will arrive in 2013. Stay tuned to NetEqualizer News and our blog for updates on these features!

1) NetEqualizer in Mesh Networks and Cloud Computing

As the use of NAT distributed across mesh networks becomes more widespread, and the bundling of services across cloud computing becomes more prevalent, our stream-based behavior shaping will need to evolve.

This is due to the fact that we base our decision of whether or not to shape on a pair of IP addresses talking to each other without considering port numbers. Sometimes, in cloud or mesh networks, services are trunked across a tunnel using the same IP address. As they cross the trunk, the streams are broken out appropriately based on port number.

So, for example, say you have a video server as part of a cloud computing environment. Without any NAT, on a wide-open network, we would be able to give that video server priority simply by knowing its IP address. However, in a meshed network, the IP connection might be the same as other streams, and we’d have no way to differentiate it. It turns out, though, that services within a tunnel may share IP addresses, but the differentiating factor will be the port number.

Thus, in 2013 we will no longer shape just on IP to IP, but will evolve to offer shaping on IP(Port) to IP(Port). The result will be quality of service improvements even in heavily NAT’d environments.

2) 10 Gbps Line Speeds without Degradation

Some of our advantages over the years have been our price point, the techniques we use on standard hardware, and the line speeds we can maintain.

Right now, our NE3000 and above products all have true multi-core processors, and we want to take advantage of that to enhance our packet analysis. While our analysis is very quick and efficient today (sustained speeds of 1 Gbps up and down), in very high-speed networks, multi-core processing will amp up our throughput even more. In order to get to 10 Gbps on our Intel-based architecture, we must do some parallel analysis on IP packets in the Linux kernel.

The good news is that we’ve already developed this technology in our NetGladiator product (check out this blog article here).

Coming in 2013, we’ll port this technology to NetEqualizer. The result will be low-cost bandwidth shapers that can handle extremely high line speeds without degradation. This is important because in a world where bandwidth keeps getting cheaper, the only reason to invest in an optimizer is if it makes good business sense.

We have prided ourselves on smart, efficient, optimization techniques for years – and we will continue to do that for our customers!

Secure Your Web Applications for the Holidays!

We want YOU to be proactive about security. If your business has external-facing web applications, don’t wait for an attack to happen – protect yourself now! It only takes a few hours of our in-house security experts’ time to determine if your site might have issues, so, for the Holidays, we are offering a $500 upfront security assessment for customers with web applications that need testing!

If it is determined that our NetGladiator product can help shore up your issues, that $500 will be applied toward your first year of NetGladiator Software & Support (GSS). We also offer further consulting based on that assessment on an as-needed basis.

To learn more about NetGladiator, check out our video here.

Or, contact us at:


303-997-1300 x123

Don’t Forget to Upgrade to 6.0!: With a brief tutorial on User Quotas

If you have not already upgraded your NetEqualizer to Software Update 6.0, now is the perfect time!

We have discussed the new upgrade in depth in previous newsletters and blog posts, so this month we thought we’d show you how to take advantage of one of the new features – User Quotas.

User quotas are great if you need to track bandwidth usage over time per IP address or subnet. You can also send alerts to notify you if a quota has been surpassed.

To begin, you’ll want to navigate to the Manage User Quotas menu on the left. You’ll then want to start the Quota System using the third interface from the top, Start/Stop Quota System.

Now that the Quota System is turned on, we’ll add a new quota. Click on Configure User Quotas and take a look at the first window:


Here are the settings associated with setting up a new quota rule:

Host IP: Enter in the Host IP or Subnet that you want to give a quota rule to.

Quota Amount: Enter in the number of total bytes for this quota to allow.

Duration: Enter in the number of minutes you want the quota to be tracked for before it is reset (1 day, 1 week, etc.).

Hard Limit Restriction: Enter in the number of bytes/sec to allow the user once the quota is surpassed.  

Contact: Enter in a contact email for the person to notify when the quota is passed.

After you populate the form, click Add Rule. Congratulations! You’ve just set up your first quota rule!

From here, you can view reports on your quota users and more.

Remember, the new GUI and all the new features of Software Update 6.0 are available for free to customers with valid NetEqualizer Software & Support (NSS).

If you don’t have the new GUI or are not current with NSS, contact us today!


toll-free U.S. (888-287-2492),

worldwide (303) 997-1300 x. 103

Best Of The Blog

Internet User’s Bill of Rights

By Art Reisman – CTO – APconnections

This is the second article in our series. Our first was a Bill of Rights dictating the etiquette of software updates. We continue with a proposed Bill of Rights for consumers with respect to their Internet service.

1) Providers must divulge the contention ratio of their service. 

At the core of all Internet service is a balancing act between the number of people that are sharing a resource and how much of that resource is available.

For example, a typical provider starts out with a big pipe of Internet access that is shared via exchange points with other large providers. They then subdivide this access out to their customers in ever smaller chunks – perhaps starting with a gigabit exchange point and then narrowing down to a 10 megabit local pipe that is shared with customers across a subdivision or area of town.

The speed you, the customer, can attain is limited to how many people might be sharing that 10 megabit local pipe at any one time. If you are promised one megabit service, it is likely that your provider would have you share your trunk with more than 10 subscribers and take advantage of the natural usage behavior, which assumes that not all users are active at one time.

The exact contention ratio will vary widely from area to area, but from experience, your provider will want to maximize the number of subscribers who can share the pipe, while minimizing service complaints due to a slow network. In some cases, I have seen as many as 1,000 subscribers sharing 10 megabits. This is a bit extreme, but even with a ratio as high as this, subscribers will average much faster speeds when compared to dial up…

Photo Of The Month


Kansas Clouds

The wide-open ranch lands in middle America provide a nice retreat from the bustle of city life. When he can find time, one of our staff members visits his property in Kansas with his family. The Internet connection out there is shaky, but it is a welcome change from routine.

Getting the Keys to the Kingdom: SQL Injection

By Zack Sanders

Director of Security –

SQL injection is one of the most well-known vulnerabilities in web application security. Because so many web sites today are database driven, an SQL injection vulnerability puts the entire application and its users at risk. The purpose of this article is to explain what SQL injection is, show how easily it can be exploited, and discuss what steps you can take to make sure your site is secure from this devastating attack vector.

What is SQL injection?

SQL injection is performed by including portions of SQL statements in a web form entry field in an attempt to get the web site to pass a newly formed malicious SQL command to the database. The vulnerability occurs when user input is either incorrectly filtered, or is not strongly typed and is unexpectedly executed. SQL commands are thus injected from the web form into the application’s database (as queries), either to change the database content or to dump database information such as credit card numbers or passwords to the attacker. An average website can experience hundreds of SQL injection attempts per hour from automated bots scouring the Internet.

How do attackers discover it?

When searching for SQL injection, an attacker is looking for an application that behaves differently based on varying inputs to a form. For example, a vulnerable web form might accept expected content just fine, but if SQL characters are inputted, a system-level SQL error is generated saying something like, “There is an error in your MySQL syntax.” This tells the attacker that the SQL code is being interpreted, even though it is incorrect. This indicates that the application is vulnerable.

How is a site that is vulnerable exploited?

Once an application is deemed vulnerable, an attacker will try using an automated injection tool to glean information about the database. Structure data like the information schema, the version of SQL being run, and table names are all trivial to gather. Once the structure is defined and understood, custom SQL statements can be written to download data from interesting tables like, “users”, “customers”, “payments”, etc. Here is a screenshot from a recent client of mine whose site was vulnerable. These are just a few of the columns from the “users” table.

* Names, email addresses, partial passwords, usernames, and addresses are blocked out.

What happens next?

With this level of access, the sky is the limit. Here are a few things an attacker might do:

1) Take all of the hashed passwords and run them against a rainbow table for matches. This is why long passwords are so important. Even though hashing is a one-way algorithm, the hashes for short and common passwords are all known and can easily be looked up in reverse. An attacker might then use the passwords, along with email addresses, to compromise other accounts owned by those users.

2) Change the super administrator flag for a user they know the password for, and log in to gain further access. A common goal is to get to a file upload interface so that a script can be uploaded to the server that would give an attacker remote control.

3) Drop the entire database purely to wreak havoc.

How do you protect your site from SQL injection?

ALL GET and POST requests involving the database need to be filtered and analyzed before being run. This includes actions like:

1) Stripping away SQL characters. In MySQL, this would be the mysql_real_escape_string() function.

2) Analyze for expected input. Should the entry only be a number 1-50? Check to make sure it is a positive number, non-zero, and no more than two characters.

3) Have strong database permissions. Different database users should be created with only needed permissions for their function. For example, don’t use the root MySQL user to connect your web application to your database.

4) Hire an expert to assess your web application. The cost of performing this type of health check is minuscule compared to the cost of being exploited.

5) Install an intrusion protection system like NetGladiator that looks for SQL characters in URLs.
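
The first two protections in the list above, shown as an added example (not code from the original article): a query built by string concatenation beside a parameterized one, plus the 1-50 expected-input check. It binds input as a parameter instead of escaping it with mysql_real_escape_string(), and uses Python's built-in SQLite in place of MySQL so it runs offline; the users table, its rows and all function names are constructed for illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)"
    )
    db.executemany(
        "INSERT INTO users (username, is_admin) VALUES (?, ?)",
        [("alice", 0), ("bob", 0), ("o'brien", 0), ("root", 1)],
    )
    return db


def find_user_concatenated(db, username):
    """'Before' form: the input is pasted into the SQL text, so any quote
    character in it becomes part of the statement itself."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in db.execute(sql)]


def find_user_parameterized(db, username):
    """Hardened form: the statement text is fixed and the input is bound
    as a value, so the database never parses it as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in db.execute(sql, (username,))]


def parse_quantity(raw, low=1, high=50):
    """Expected-input check from item 2: a positive, non-zero number of at
    most two characters, no greater than 50. Raises ValueError otherwise."""
    if not isinstance(raw, str) or not 1 <= len(raw) <= 2:
        raise ValueError("quantity must be one or two characters")
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError("quantity must contain only the digits 0-9")
    value = int(raw)
    if not low <= value <= high:
        raise ValueError("quantity must be between %d and %d" % (low, high))
    return value


def outcome(fn, db, value):
    """Run one lookup and report either its rows or the database error class.
    A leaked database error is the behaviour difference the article describes."""
    try:
        return ("rows", fn(db, value))
    except sqlite3.Error as exc:
        return ("db-error", type(exc).__name__)


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: an ordinary name, a legitimate name containing a
    # quote, and a string whose quote closes the literal early.
    for value in ["alice", "o'brien", "x' OR '1'='1"]:
        print(repr(value))
        print("  concatenated :", outcome(find_user_concatenated, db, value))
        print("  parameterized:", outcome(find_user_parameterized, db, value))
    for raw in ["7", "50", "0", "51", "1;"]:
        try:
            print(repr(raw), "->", parse_quantity(raw))
        except ValueError as exc:
            print(repr(raw), "-> rejected:", exc)
```

The concatenated lookup fails with a database error on a legitimate name that contains an apostrophe and returns every row for the third input, while the parameterized lookup treats all three inputs purely as data.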

The keys to the kingdom

Hopefully you can now see the danger of SQL injection. The level of control and access coupled with the ease of discovery and exploitation make it extremely problematic. The good news is, putting basic protections in place is relatively easy.

Contact us today if you want help securing your web application!

NetEqualizer News: August 2012

August 2012


Enjoy another issue of NetEqualizer News! This month, we preview our new NetEqualizer GUI, introduce P2P Blocking on the NetGladiator, and ask for your help compiling NetEqualizer user experiences. As always, feel free to pass this along to others who might be interested in NetEqualizer News.

A message from Art…
Art Reisman, CTO – APconnections

With August comes the beginning of the fall harvest. Farmer’s markets are just beginning to fill up with summer squash, corn, and tomatoes in our area! Seeing nature’s bounty gets me thinking about how to enrich our products and offer our own bountiful harvest.

After nine years, we felt it was time to refresh the NetEqualizer GUI. I’m excited to announce that we are redesigning our interface to improve look & feel and make it easier to use! On the NetGladiator side, we are leveraging our DPI technology to add P2P Blocking to our security capabilities. Both projects will be ready for the fall harvest! Stay tuned to NetEqualizer News for updates on availability and release details.

We love it when we hear back from you – so if you have a story you would like to share with us of how we have helped you, let us know. Email me directly. I would love to hear from you!

Coming this Fall: New NetEqualizer GUI
After 9 years we are finally revamping the GUI for the NetEqualizer!

The new GUI will provide the same functionality that the current GUI has, but it will be presented in a much more organized, intuitive, and modern way.

We will also be developing additional functionality that allows users to more easily and effectively administer their NetEqualizers.

One of the most exciting improvements is a new dashboard feature. The dashboard will be the default home page and will provide a heads up display of the most critical data and settings within NetEqualizer.

Beta testing for the new NetEqualizer GUI will begin sometime in September with a full release coming this fall. And, as always, the new GUI will be available at no charge to customers with valid NSS. Stay tuned to NetEqualizer News or our blog for announcements regarding the new GUI!

Share Your NetEqualizer Experiences!
We love it when we hear from our customers – especially messages of appreciation for the products we work so hard on.

As part of our Library Survey a few months ago, we received a message from Sara Holloway, of Handley Regional Library, asking if she could write an article about NetEqualizer for our blog. We thought this was a great idea, so Sara wrote this post. Thanks Sara!

Starting this fall, we want to open up our blog to our customers more often. Writing a post on our blog is beneficial to us, our readership, and you!

It is a great way to gain exposure for your business and to contribute to a widely-read blog.

If you are interested in being a guest contributor, email our Director of Marketing, Sandy McGregor!

Block P2P with NetGladiator
NetGladiator is already proving to be an effective hacking and botnet deterrent, but the usefulness of NetGladiator does not stop with web application security. Because of the customizable nature of the configuration, and the fact that NetGladiator is built on powerful DPI technology, the sky is the limit in what you can do with NetGladiator.

We wrote about some of the potential uses last month, and we are excited to announce an implementation of one of those ideas – P2P Blocking – available as an additional module to existing NetGladiators.

This implementation differs from our P2P feature on NetEqualizer. NetEqualizer focuses on managing the effects of P2P on a network through equalizing. With NetGladiator, we serve a security-driven need. P2P is one of the most common ways that malware gets through firewalls and enters internal machines. Thus, with NetGladiator, we actually block the protocols completely – greatly improving security.

We’ve already implemented the top 10 P2P protocols, but if your organization is facing a particular protocol outside of the top 10, NetGladiator can be configured to block it.

Take a look at this report from a NetGladiator equipped with P2P Blocking (click here for accompanying blog post). You’ll notice that NetGladiator can effectively determine traffic P2P signatures and display which protocol has been discovered, all without hampering other traffic or user experience.

For more information on this new feature or NetGladiator in general, visit our website or check out our blog. You can also send us your questions!

Best Of The Blog

How to Build Your Own Linux-Based Access Point in 5 Minutes

By Steve Wagor – COO – APconnections

A popular post from the archives!
The motivations to build your own access point using Linux are many, and I have listed a few compelling reasons below:

1) You can use Linux’s rich set of firewall rules to customize access to any segment of your wireless network.
2) You can use SNMP utilities to report on traffic going through your AP.
3) You can configure your AP to send e-mail alerts if there are problems with your AP.
4) You can custom coordinate communications with other access points – for example, build your own Mesh network…

Photo Of The Month

Bulls in a Kansas Farm Field

These bulls may be angry, but at APconnections we are happy and excited for the near future – you could even say we are “bullish.” Our exciting new NetEqualizer GUI and NetGladiator feature enhancements are all great reasons to celebrate the upcoming fall season, and we are very optimistic in the value these improvements will provide to our customers!

P2P Protocol Blocking Now Offered with NetGladiator Intrusion Prevention

A few months ago we introduced our NetGladiator Intrusion Prevention (IPS) Device. To date, it has thwarted tens of thousands of robotic cyber attacks and counting. Success breeds success and our users wanted more.

When our savvy customers realized the power, speed, and low price point of our underlying layer 7 engine, we started getting requests seeking additional features such as: “Can you also block Peer To Peer and other protocols that cannot be stopped by our standard Web Filters and Firewalls?”  It was natural that we extended our IPS device to address this space; hence, today we are announcing the next-generation NetGladiator. We now offer a module that will allow you to block and monitor the world’s top 10 p2p protocols (which account for 99 percent of all P2P traffic). We also back our technology with our unique promise to implement a custom protocol blocking rule with the purchase of any system at no extra charge. For example, if you have a specific protocol you need to monitor and just can’t uncover it with your WebSense or Firewall filter, we will custom deliver a NetGladiator system that can track and/or block your unique protocol, in addition to our standard p2p blocking options.

Below is a sample Excel live report integrated with the NetGladiator in monitor mode. On the screen snapshot below, you will notice that we have uncovered a batch of Utorrent and Frost Wire p2p traffic.

Please feel free to call 303-997-1300 or email our NetGladiator sales engineering team with any additional questions.

NetEqualizer News: June 2012

June 2012


Enjoy another issue of NetEqualizer News! This month, we announce the release of our NetGladiator Demo Video, highlight our NetEqualizer YouTube Channel, and discuss our new NetEqualizer Lite product. As always, feel free to pass this along to others who might be interested in NetEqualizer News.

A message from Sandy…
Sandy McGregor, Director of Marketing

Just attended a June wedding! There is nothing like June (warm weather, beautiful flowers, sunshine) to celebrate a marriage! It is lovely to witness two people starting their lives together. This made me think about how we are starting to “marry” our different product lines. You will see more of NetGladiator tied into our NetEqualizer website, our blog, etc. Although the products serve very different purposes, both are capable of providing immense value to your organization.

We will continue to look for opportunities to leverage our technology to create products that help our customers run efficient, secure networks.

We want to know what challenges you face on a recurring basis! If you have a moment, please fill out our short, four-question survey. Submissions will be entered into a drawing for a $100 Amazon Gift Card!

NetGladiator Demo Video
Throughout 2012, we’ve been discussing best-practice security quite a bit. Our new intrusion prevention system, NetGladiator, is the result of expert security research, rock-solid pattern inspection, and common sense.

NetGladiator cuts through the hype that other products rely on, and provides a real, effective security solution that will fit naturally into your existing security layers to protect your web applications.

We recently released a demonstration video that showcases the NetGladiator interface,  demonstrates its configuration, and discusses its attack blocking abilities.

Take a look at the video here via our YouTube channel!


If you have additional questions about NetGladiator, visit our website or contact us.

NetEqualizer on YouTube
If you haven’t already, take a look at our NetEqualizer YouTube Channel!

Here you can find all of our Tech Seminars, demonstrations, and other videos. Start by watching our featured video, Equalizing Explained.

NetEqualizer Lite

Do you need bandwidth control without the price or large throughput? Our new NetEqualizer Lite product is just for you.

Starting at just $999, the new NetEqualizer Lite offers compelling value at a low price. We have upgraded our base technology for the NetEqualizer Lite, our entry-level bandwidth-shaping appliance.

Our new Lite still retains a small form-factor, which sets it apart, and makes it ideal for implementation in the field, but now has enhanced CPU and memory. This enables us to include robust graphical reporting like in our other product lines, and also to support additional bandwidth license levels.

NetEqualizer Lite is perfect for small SSIPs, hotels, offices, libraries, coffee shops, and more!

For more information on NetEqualizer Lite, visit our website, check out our blog, or contact us at:

toll-free U.S. (888-287-2492),

Best Of The Blog

Case Study: A Simple Solution to Relieve Congestion on Your MPLS Network

By Art Reisman – CTO – APconnections

Summary: In the last few months, we have set up several NetEqualizer systems on spoke and hub MPLS networks. Our solution is very cost effective because it differs from many TOS/Compression-based WAN optimization products that require multiple pieces of hardware. Normally, for WAN optimization, a device is placed at the HUB and a partner device is placed at each remote location. With the NetEqualizer technology, we have been able to simply and elegantly solve contention issues with a single device at the central hub.

The problem:

A customer has a spoke and hub MPLS network where remote sites get their public Internet and corporate data by coming in on a spoke to a central site. Although the network at the host site has plenty of bandwidth, the spokes have a fixed allocation over the MPLS and are experiencing contention issues (e.g. slow response times to corporate sales data, etc.)…

Photo Of The Month

Photo by James Dougherty

Colorado Summer Storms

Every local knows the adage, “If you don’t like the weather in Colorado, wait five minutes.” Each season brings its own meteorological challenges to the region, and in summer, those are tornadoes and hail. Recently, a potent storm hit the Denver Metro area, causing funnel clouds and abrupt hailstones. After the chaos subsided, however, the sky was painted with gorgeous colors and textures.

NetGladiator: A Layer 7 Shaper in Sheep’s Clothing

When explaining our NetGladiator technology the other day, a customer was very intrigued with our Layer 7 engine. He likened it to a caged tiger under the hood, gobbling up and spitting out data packets with the speed and cunning of the world’s most powerful feline.

He was surprised to see this level of capability in equipment offered at our prices.  He was impressed with the speed attained for the price point of our solution (more on this later in the article)…

In order to create a rock-solid IPS (Intrusion Prevention System), capable of handling network speeds of up to 1 gigabit with standard Intel hardware, we had to devise a technology breakthrough in Layer 7 processing. Existing technologies were just too slow to keep up with network speed expectations.

In order to support higher speeds, most vendors use semi-custom chip sets and a technology called “ASIC”. This works well but is very expensive to manufacture.

How do typical Layer 7 engines work?

Our IPS story starts with our old Layer 7 engine. It was sitting idle on our NetEqualizer product. We had shelved it when we got away from Layer 7 shaping in favor of Equalizing technology, which is a superior solution for traffic shaping. However, when we decided to move ahead with our new IPS this year, we realized we needed a fast-class analysis engine, one that could look at all data packets in real time. Our existing Layer 7 shaper only analyzed headers because that was adequate for its previous mission (detecting P2P streams). For our new IPS system, we needed a solution that could do a deep dive into the data packets. The IPS mission requires that you look at all the data – every packet crossing into a customer network.

The first step was to revamp the older engine and configure it to look at every packet. The results were disappointing.  With the load of analyzing every packet, we could not get throughput any higher than about 20 megabits, far short of our goal of 1 gigabit.

What do we do differently with our updated Layer 7 engine?

Necessity is the mother of invention, and so we invented a better Layer 7 engine.

The key was to take advantage of multiple processors for analysis of data without delaying data packets. The way the old technology worked was that it would intercept a data packet on a data link, hold it, analyze it for P2P patterns, and then send it on.  With this method, as packets come faster and faster you end up not having enough CPU time to do the analysis and still send the packet on without adding latency.  Many customers find this out the hard way when they update their data speeds from older slower T1 technology.  Typical analysis engines on affordable routers and firewalls often just can’t keep up with line speeds.

What we did was take advantage of a facility in the Linux kernel called “clone skb” (skb_clone()). This makes a temporary copy of the packet’s descriptor that shares the original data buffer, so there is no overhead of copying the packet data. More importantly, it allows us to send the packet on without delay and do the analysis within a millisecond (not quite line speed, but fast enough to stop an intruder).

We then combined the cloning with a new technology in the Linux kernel called Kernel Threading. This is different from the technology that large multi-threaded HTTP servers use because it happens at the kernel level, and we do not have to copy the packet up to some higher-level server for analysis. Copying a packet for analysis is a huge bottleneck and very time-consuming.

What were our Results?

With kernel threading, cloning, and a high-end Intel SMP processor, we can make use of 16 CPUs doing packet analysis at the same time and we now have attained speeds close to our 1 gigabit target.

When we developed our bandwidth shaping technology in 2003/2004, we leveraged technology innovation to create a superior bandwidth control appliance (read our NetEqualizer Story).  With the NetGladiator IPS, we have once again leveraged technology innovation to enable us to provide an intrusion prevention system at a very compelling price (register to get our price list), hence our customer’s remark about great speed for the price.

What other benefits does our low cost, high-speed layer 7 engine allow for? Is it just for IPS?

The sky is the limit here.  Any type of pattern you want to look at in real-time can now be done at one tenth (1/10th) the cost of the ASIC class of shapers.  Although we are not a fan of unauthorized intrusion into private data of the public Internet (we support Net Neutrality), there are hundreds of other uses which can be configured with our engine.

Some that we might consider in the future include:

– Spam filtering
– Unwanted protocols in your business
– Content blocking
– Keyword spotting

If you are interested in testing and experimenting in any of these areas with our raw technology, feel free to contact us.

Four Reasons Why Companies Remain Vulnerable to Cyber Attacks

Over the past year, since the release of our IPS product, we have spent many hours talking to resellers and businesses regarding Internet security. Below are our observations about security investment, and more importantly, non-investment.

1) By far the number one reason why companies are vulnerable is procrastination.

Seeing is believing, and many companies have never been hacked or compromised.

Some clarification here: most attacks do not end in something being destroyed or any obvious trail of data being lifted. This does not mean they do not happen; it’s just that in many cases there was no immediate ramification, hence business as usual.

Companies are run by people, and most people are reactive, and furthermore somewhat single threaded, thus they can only address a few problems at a time. Without a compelling obvious problem, security gets pushed down the list. The exception to the procrastination rule would be verticals such as financial institutions, where security audits are mandatory (more on audits in a bit). Most companies, although aware of risk factors, are reluctant to spend on a problem that has never happened. In their defense, a company that reacts to all the security FUD might find itself hamstrung and out of business. Sometimes, to be profitable, you have to live with a little risk.

2) Existing security tools are ignored.

Many security suites are just too broad to be relevant. Information overload can lead to a false sense of coverage.

The best analogy I can give is the Tornado warning system used by the National Weather Service. Their warning system, although well-intended, has been so diffuse in specificity that after a while people ignore the warnings. The same holds true with security tools. In order to impress and out-do one another, security tools have become bloated with quantity, not quality. This overload of data can lead to an overwhelming glut of frivolous information. It would be like a stock analyst predicting every possible outcome and expecting you to invest on that advice. Without a specific, targeted piece of information, your security solution can be a distraction.

3) Security audits are mandated formalities.

In some instances, a security audit is treated as a bureaucratic mandate. When security audits are mandated as a standard, the process of the audit can become the objective. The soldiers carrying out the process will view the completed checklist as the desired result and thus may not actually counter existing threats. It’s not that the audit does not have value, but the audit itself becomes a minimum objective. And most likely the audit is a broad cookie-cutter approach which mostly serves to protect the company or individuals from blame.

4) It may just not be worth the investment.

The cost of getting hacked may be less than the ongoing fees and consumption of time required to maintain a security solution. On a mini-scale, I followed this advice on my home laptop running Windows. It was easier to re-load my system every 6 months when I got a virus rather than mess with all the security virus protection being thrown at me, slowing my system down. The same holds true on a corporate scale. Although nobody would ever come out and admit this publicly, or make it deliberately easy, it might be more cost-effective to recover from a security breach than to proactively invest in preventing it. What if your customer records get stolen, so what? Consumers are hearing about the largest banks and government security agencies getting hacked every day. If you are a mid-sized business it might be more cost-effective to invest in some damage control after the fact rather than jeopardize cash flow today.

So what is the future for security products? Well, they are not going to go away. They just need to be smarter, more cost-effective, and turn-key, and then perhaps companies will find the benefit-to-risk more acceptable.

Common NetGladiator Questions Explained

Since our last security-related blog post, The Truth About Web Security (And How to Protect Your Data), we’ve received many inquiries related to NetGladiator and best-practice security in general. In the various email and phone conversations thus far, we’ve encountered some recurring questions that many of you might also find useful. The purpose of this post is to provide answers to those questions.

1) Could an attacker circumvent NetGladiator by slowly probing the targets so as not to be detected by the time anomaly metrics?

The NetGladiator detects multiple types of anomalies. Some are time-frequency based, and some are pattern based.

For instance, a normal user won’t be hitting 500 pages/minute, and a normal user will never be putting SQL in the URL attempting an injection. If a malicious user was slowly running a probing robot, it would likely still be attempting patterns that the NetGladiator would detect, and the NetGladiator would immediately block that IP. There are directory brute force tools that won’t hit on any patterns, but they will hit on the time frequency settings. If the attacker were to slow it down to a normal user click-rate, it’s possible they could go undetected, but these brute force lists rely on trying millions of common page and directory names quickly. It would not be worth it to run through this list at that pace.

2) Could a hacker change their IP address often enough so that NetGladiator would not think the source of the attack was the same?

The number of IP addresses you’d need to spoof would make this a tiresome effort for the attacker, and in an automated attack by a botnet, the probe is more likely to just move on to a new target. In a targeted attack, IP spoofing, while possible, would also likely be more of a hassle than it’s worth. But, even if it were worth it for the attacker, the NetGladiator alerts admins to intrusion attempts, so you can proactively deal with the threat. You can also block by IP Range/Country so that if you notice someone spoofing IP addresses from a specific IP range, you can drop all those connections for as long as you like.

Also with regard to IP addresses, the NetGladiator only bans them for a set amount of time. This is because bots probe from new IP addresses all the time. A real user might eventually end up with that IP and you wouldn’t want to block it forever. That being said, if there was a constantly malicious IP, you can permanently block it.
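
The time-frequency and pattern rules from question 1, and the expiring ban from question 2, can be shown together. The Python below is an added example, not NetGladiator's implementation: the three patterns, the 600-second ban, the log format and all names are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from urllib.parse import unquote_plus

# Assumed, deliberately short pattern list; the product's real rules are not on the page.
SQL_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\bunion\s+(all\s+)?select\b",
    r"'\s*or\s+'?\d+'?\s*=\s*'?\d+",
    r";\s*drop\s+table\b",
)]


class Detector:
    """Per-IP pattern rule, sliding-window rate rule, and a ban that expires."""

    def __init__(self, max_hits=500, window=60.0, ban_seconds=600.0):
        self.max_hits = max_hits          # the page's example: 500 pages/minute
        self.window = window
        self.ban_seconds = ban_seconds    # assumed ban length
        self.hits = defaultdict(deque)    # ip -> request times inside the window
        self.banned_until = {}            # ip -> time the ban ends

    def observe(self, ts, ip, url):
        if self.banned_until.get(ip, 0.0) > ts:
            return "banned"
        self.banned_until.pop(ip, None)   # ban expired: the address may have a new owner
        # Decode first so %27 and + cannot hide a quote or a space from the patterns.
        decoded = unquote_plus(url)
        if any(p.search(decoded) for p in SQL_PATTERNS):
            return self._ban(ts, ip, "pattern")
        recent = self.hits[ip]
        recent.append(ts)
        while recent[0] <= ts - self.window:
            recent.popleft()
        if len(recent) > self.max_hits:
            return self._ban(ts, ip, "rate")
        return "allow"

    def _ban(self, ts, ip, reason):
        self.banned_until[ip] = ts + self.ban_seconds
        self.hits.pop(ip, None)
        return "block:" + reason


def parse_line(line):
    """Constructed log format: '<seconds> <client-ip> <request-url>'."""
    ts, ip, url = line.split(None, 2)
    return float(ts), ip, url.strip()


def replay(lines, detector):
    """Return (ip, verdict) for every request that was not allowed."""
    flagged = []
    for line in lines:
        ts, ip, url = parse_line(line)
        verdict = detector.observe(ts, ip, url)
        if verdict != "allow":
            flagged.append((ip, verdict))
    return flagged


def sample_log():
    """Constructed traffic: a normal user, a slow probe with SQL in the URL, a fast scan."""
    lines = [
        "0 198.51.100.7 /index.php",
        "20 198.51.100.7 /products.php?id=12",
        "30 203.0.113.9 /products.php?id=12%27+OR+%271%27%3D%271",
        "90 203.0.113.9 /index.php",
        "700 203.0.113.9 /index.php",
    ]
    # 600 directory guesses in 30 seconds from one address, none matching a pattern.
    lines += ["%.2f 192.0.2.50 /dir%d/" % (1000 + i * 0.05, i) for i in range(600)]
    return lines


if __name__ == "__main__":
    flagged = replay(sample_log(), Detector())
    for ip, verdict in flagged[:3]:
        print(ip, verdict)
    print("requests refused in total:", len(flagged))
```

The slow client is blocked on its first SQL-bearing URL regardless of pace, the fast scan is blocked at request 501, and the request at 700 seconds is allowed again because the earlier ban has expired.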

3) Why is there a maximum number of patterns you can input into NetGladiator?

One of NetGladiator’s key differentiating factors is its “robustlessness” and its custom configuration. This may sound like a detriment, but it actually will make you better off. Not only will you be able to exclusively detect threats pertinent to your web application, you also will not break functionality – regardless of poor programming or setup on the back end. Many intrusion prevention systems are so robust in their blocking of requests that there are too many false positives to deal with (usually based on programming “errors” or infrastructure abnormalities). This often ends with the IPS being disabled – which helps no one. NetGladiator has a maximum number of patterns for one main reason:

Speed and efficiency.

We don’t want to hamper your web connections by inspecting packets for too many regular expressions. We’d rather quickly check for key patterns that show malicious intent under the assumption that those patterns will be tried eventually by an attacker. This way, data can seamlessly pass through, and your users won’t incur performance problems.

4) What kind of environments benefit from NetGladiator?

NetGladiator was built to protect web applications from botnets and hackers – it won’t have much use for you at the network level or the user level (email, SPAM, anti-virus, etc.). There are other options for security controls that focus on these areas. Every few years, the Open Web Application Security Project (OWASP) releases their Top 10 – which is a list of the most common web application security vulnerabilities facing sites today. NetGladiator helps protect against issues of this type, so any web application that has even a small amount of interactivity or backend to it will benefit from NetGladiator’s features.

We want to hear from you!

Have some questions about NetGladiator or web security in general? Visit our website, leave a comment, or shoot us an email.
