Roadrunner Extreme Broadband Beta
I was having lunch with Charles Henderson from Trustwave Spider Labs the other day and he mentioned that he had just gotten signed up with the new Roadrunner Extreme Broadband Beta from Time Warner Cable. He mentioned insane download and upload speeds as well as the new DOCSIS 3.0 compliant modem. It was enough to pique my interest and get me to call Time Warner.
I have been on the older Roadrunner Turbo-charged plan since basically when it first came out and have been generally happy with the service up until recently when I've started having to reboot the modem daily. I'm also kind of an internet speed addict so the idea of moving up to 20 MB/s downloads and 5 MB/s uploads was pretty sweet to me. That's just to start with as eventually the service will have 30 MB/s downloads. I called up Time Warner and asked what it would take to move onto the Extreme Broadband Beta and they told me that it was only an extra $5/mo over my Turbo-charged plan. Even better was that they were offering free installation as part of the Beta. They were able to get the install scheduled just over a week out. Not too bad.
The service technicians came out on the designated day and time and got everything hooked up for me. They even replaced a bunch of the wiring on the box on the side of the house where the service connects to. They did some line tests and within minutes I was up and running on the new service. While not the 5 MB/s upload that was advertised to me, the download speed is quite impressive. Check it out:
The other cool thing is that while not necessarily intended, it is very easy to get into the new Ubee modem's configuration interface. By default, the device comes up as 192.168.0.1 on your network and has a username and password of user/user. Get in there and it's got all of the configuration options of a wireless internet gateway. The first thing that you should do is change the username and password. After that, enable the wireless network, configure port forwarding, etc.
Not only does the new modem have built-in wireless N, but it also has four additional network ports so you can use it with multiple computers on your network. I remember the days when Time Warner used to charge you if you had more than one computer, but not anymore.
Granted, I've only had the new service for a few hours now, but I'm already pretty impressed. If you're an internet speed demon like me, and you live in the Austin area, I'd recommend that you give Time Warner a call and ask about switching over to the new Roadrunner Extreme Broadband Beta. Enjoy!
Who Needs VPN When You Have PuTTY?
I was talking with my coworkers this afternoon about Time Warner's plans to jack up rates for high-bandwidth users and it got me thinking about how much of their precious bandwidth I am actually using. I know that my router at home has a web browser interface where I can get that information, but I have it intentionally only allowing access from the local area network interfaces. I needed to find another way to view the site from work while making the router think that I was on the right network. What I ended up doing was using PuTTY to create an SSH tunnel from my work computer to my Linux box on the home network. I then just pointed my browser at the forwarded port on my work computer and up comes my router's web interface. Who needs VPN when you have PuTTY? Anyway, here are the exact steps that I took to do this:
- Start PuTTY
- Under Connection->SSH->Tunnels specify a source port (the localhost port you want to connect to) and a destination (IP:port) that you want to connect to on your home network.
  - Source port: 8008
  - Destination: 192.168.0.1:80 (or whatever IP your router is at and its web interface port)
- Click "Add"
- Under "Session" specify the host name for your SSH server that lives on your internal network, but is exposed via port forwarding on your router with port 22.
- Click "Open"
- When prompted, enter your username and password for your SSH server.
- Now just pull up your favorite web browser and navigate to http://localhost:8008. You should see the page just like you would if you were sitting at home.
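
The same tunnel with the OpenSSH client, as an added example that is not part of the original post: it builds the equivalent of the PuTTY settings above with the forward bound to loopback only, then checks `ss -ltn` style listener lines for a forwarded port that other hosts on the work network could reach. The SSH target `user@home.example.net` and the sample listener lines are constructed placeholders.

```shell
#!/bin/sh
# Added example: OpenSSH equivalent of the PuTTY steps (not the author's code).

# Print the ssh command for a local forward that listens on 127.0.0.1 only.
# Args: local_port dest_ip dest_port ssh_target
tunnel_cmd() {
  for p in "$1" "$3"; do
    case $p in
      ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
    esac
    [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || {
      echo "port out of range: $p" >&2; return 1; }
  done
  # -N: forwarding only, no remote shell.
  # ExitOnForwardFailure: exit if the local port cannot be bound, instead of
  # leaving a session open with no working forward.
  printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s %s\n' \
    "$1" "$2" "$3" "$4"
}

# Read `ss -ltn` style lines on stdin and print every listener on the given
# port that is NOT bound to loopback (i.e. reachable from other hosts).
exposed_listeners() {
  awk -v p="$1" '
    $1 == "LISTEN" {
      n = split($4, a, ":"); lp = a[n]            # port is the last field
      addr = substr($4, 1, length($4) - length(lp) - 1)
      if (lp == p && addr != "127.0.0.1" && addr != "[::1]") print $4
    }'
}

# Constructed sample: mixes a loopback-only forward and an exposed one
# purely for illustration; these lines are not from a real host.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:8008     0.0.0.0:*
LISTEN 0      128    0.0.0.0:8008       0.0.0.0:*
LISTEN 0      128    [::1]:8008         [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# user@home.example.net is a placeholder for the SSH server behind the router.
tunnel_cmd 8008 192.168.0.1 80 user@home.example.net
printf '%s\n' "$SAMPLE_SS" | exposed_listeners 8008
```

On a live machine, pipe real `ss -ltn` output into `exposed_listeners 8008`; any line it prints means the router's admin page is being offered to the whole local network rather than only to your own browser.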
Consider Your Hotel Network Hostile
As I'm preparing to take my trip to New York for the OWASP AppSec Conference, I came across a timely article on the risks involved with using a hotel network. The Center for Hospitality Research at Cornell University surveyed 147 hotels and then conducted on-site vulnerability testing at 50 of those hotels. Approximately 20% of those hotels still run basic Ethernet hub-type networks and almost 93% offer wireless. Only six of the 39 hotels that had WiFi networks were using encryption (see my blog on why are people still using WEP for why this is necessary). What does this mean for you, Joe User? It means that both your personal and company information is at risk any time you connect to those networks. The next time you're surfing the web, start paying attention to all of the non-SSL links (http:// versus https://) that you visit. Then, think about the information that you are passing along to those sites. Are you signing in with a user name and password? Entering credit card information? Whatever it is, you better make sure that it's something that you wouldn't feel bad if it wound up on a billboard in Times Square, because that's about how risky your transmission could be.
Before you get too concerned, there are a few things you can do to try to prevent this. First, DO NOT visit any links where you transmit information unencrypted. This is just asking for trouble. Since many man-in-the-middle type attacks can still be used to exploit this, my second suggestion is to use some sort of VPN tunnel. Whether it's a corporate VPN or just a freebie software VPN to your network back home, this allows you to encrypt all traffic over the untrusted hotel network. Make this your standard operating procedure anytime you connect to an untrusted network (not just a hotel) and you should keep your data much safer. Lastly, please be sure to have current firewall and anti-virus software on the computer you are using to connect to the untrusted network. The last thing you want is to get infected by some worm or virus just by plugging in to the network.
One other thing that I think deserves mentioning here is that if you don't absolutely have to use the internet on an untrusted network, then don't do it. Obviously, there are times when you need access to do work, pay bills, etc., but if you can save those tasks until you reach a more familiar (and hopefully safer) network, that is far and away the best way to keep yourself and your data safe.
Next Generation Firewalls
I went to a Lunch n Learn last week sponsored by Palo Alto Networks and Fishnet Security talking about what Palo Alto calls the "next generation firewalls". Palo Alto boasts having Nir Zuk, principal engineer at Check Point and one of the developers of stateful inspection technology, as its founder and CTO. Their product, the PA-4000 Series Firewall, takes an application-centric approach to traffic classification and they claim that this helps it to more accurately identify both traditional and emerging applications. This enables it to facilitate true application access control and broad threat prevention. They claim that it is:
- The only firewall to classify traffic based on the accurate identification of the application, not just port/protocol information.
- The only firewall to identify, control and inspect SSL encrypted traffic and applications.
- The only firewall to provide graphical visualization of applications on the network with detailed user, group, and network-level categorization by sessions, bytes, ports, threats and time.
- The only firewall with real-time (line-rate, low latency) protection against viruses, spyware and application vulnerabilities based on a stream-based threat prevention engine.
- The only firewall with line-rate, low latency performance for all services, even under load.
- The only firewall to offer a true in-line transparent deployment option for seamless integration into an existing network infrastructure.
While the presentation itself tended to focus more on analyzing internal users' connections outbound toward the internet and it seems to do that fairly well, it didn't cover external users connecting inbound to web applications and things like that, so I started asking questions about the firewall's ability to act as a WAF (Web Application Firewall). I was told that while it will do some things like inspection for XSS and SQL Injection, it does not function as a true WAF. I wasn't even expecting that much so kudos to them.
All in all, I tend to believe the hype that this is the next generation of firewalls and while Palo Alto is the first player in the field, I'm sure others will soon follow. The firewall is one of the oldest network security devices out there and Palo Alto has definitely put forth a product that changes the way people will look at them. We think about protecting our networks on an application level and not on a port level so why should our firewalls do things any differently? That said, with this being such a new technology, I'm skeptical of how it works in the real world and am quite certain that it won't be long before hackers find creative ways in and users find even more creative ways out.