The other day I read that Comcast is launching a new plan to turn home internet users into unwilling participants in their new global wifi strategy. I'm sure that they will soon be touting how insanely awesome it will be to get "full strength" internet access virtually anywhere just by subscribing to this service. Other than the issues with taking a service that the consumer already pays for and carving out their bandwidth for other people, the security practitioner in me can't help but wonder what the security ramifications of sharing an internet connection like this actually means. Combine this with the default access to your cable modem that your service provider already has, and it paints a very scary picture of network security for the home user. It is no longer sufficient (if it ever was) to rely on your cable modem for network access controls. Thus, I am advocating in favor of placing a personal firewall between your cable modem and your network for all home internet setups.
Now, it's not as bad as you may think. It doesn't have to be some crazy expensive piece of equipment like you'd purchase for a business. Even the basic home gateways come with the ability to do Network Address Translation (NAT) which effectively turns your internet connection into a one-way pipe. All I'm saying is that instead of plugging your network devices directly into the cable modem for Internet access, you should use your own hardware and draw a clear "line in the sand" between your equipment and theirs. In addition, I would advocate that you should no longer consider the wifi access provided by the cable modem device as safe and should use your own equipment for this access. In other words, treat anything on the WAN side of your home gateway/personal firewall as untrusted and protect against it accordingly.
We knew that the historic inauguration of Barack Obama would be generating a lot more Internet traffic than usual, both in general and specifically here at NI. Being prudent Web Admin types, we checked around to make sure we thought that there wouldn't be any untoward effects on our Web site. Like many corporate sites, we use the same pipe for inbound Internet client usage and outbound Web traffic, so employees streaming video to watch the event could pose a problem. We got all thumbs up after consulting with our networking team, and decided to not even send any messaging asking people to avoid streaming. But, we monitored the situation carefully as the day unwound. Here's what we saw, just for your edification!
Our max inbound Internet throughput was 285 Mbps, about double our usual peak. We saw a ni.com Web site performance degradation of about 25% for less than two hours according to our Keynote stats. ni.com ASPs were affected proportionately which indicates the slowdown was Internet-wide and not unique to our specific Internet connection here in Austin. The slowdown was less pronounced internationally, but still visible. So in summary - not a global holocaust, but a noticeable bump.
Cacti graphs showing our Internet connection traffic:
Keynote graph of several of our Web assets, showing global response time in seconds:Looking at the traffic specifically, there were two main standouts. We had TCP 1935, which is Flash RTMP, peaking around 85 Mbps, and UDP 8247, which is a special CNN port (they use a plugin called "Octoshape" with their Flash streaming), peaking at 50 Mbps. We have an overall presence of about 2500 people here at our Austin HQ on an average day, but we can't tell exactly how many were streaming. (Our NetQoS setup shows us there were 13,600 'flows,' but every time a stream stops and starts that creates a new one - and the streams were hiccupping like crazy. We'd have to do a bunch of Excel work to figure out max concurrent, and have better things to do.)
In terms of the streaming provider breakdown - since everyone uses Akamai now, the vast majority showed as "Akamai". We could probably dig more to find out, but we don't really care all that much. And, many of the sources were overwhelmed, which helped some.
We just wanted to share the data, in case anyone finds it helpful or interesting.
As I'm preparing to take my trip to New York for the OWASP AppSec Conference, I came across a timely article on the risks involved with using a hotel network. The Center for Hospitality Research at Cornell University surveyed 147 hotels and then conducted on-site vulnerability testing at 50 of those hotels. Approximately 20% of those hotels still run basic ethernet hub-type networks and almost 93% offer wireless. Only six of the 39 hotels that had WiFi networks were using encryption (see my blog on why are people still using WEP for why this is necessary). What does this mean for you, Joe User? It means that both your personal and company information is at risk any time you connect to those networks. The next time you're surfing the web, start paying attention to all of the non-SSL links (http:// versus https://) that you visit. Then, think about the information that you are passing along to those sites. Are you signing in with a user name and password? Entering credit card information? Whatever it is, you better make sure that it's something that you wouldn't feel bad if it wound up on a billboard in Times Square, because that's about how risky your trasmission could be.
Before you get too concerned, there are a few things you can do to try to prevent this. First, DO NOT visit any links where you transmit information unencrypted. This is just asking for trouble. Since many man-in-the-middle type attacks can still be used to exploit this, my second suggestion is to use some sort of VPN tunnel. Whether it's a corporate VPN or just a freebie software VPN to your network back home, this allows you to encrypt all traffic over the untrusted hotel network. Make this your standard operating procedure anytime you connect to an untrusted network (not just a hotel) and you should keep your data much safer. Lastly, please be sure to have current firewall and anti-virus software on the computer you are using to connect to the untrusted network. The last thing you want is to get infected by some worm or virus just by plugging in to the network.
One other thing that I think that deserves mentioning here is that if you don't absolutely have to use the internet on an untrusted network, then don't do it. Obviously, there are times when you need access to do work, pay bills, etc, but if you can save those tasks until you reach a more familiar (and hopefully safer) network, that is far and away the best way to keep yourself and your data safe.
I went to a Lunch n Learn last week sponsored by PaloAlto Networks and Fishnet Security talking about what PaloAlto calls the "next generation firewalls". PaloAlto boasts having Nir Zuk, principal engineer at Check Point and one of the developers of stateful inspection technology, as it's founder and CTO. Their product, the PA-4000, Series Firewall, takes an application centric approach to traffic classification and they claim that this helps it to more accurately identify both traditional and emerging applications. This enables it to facilitate true application access control and broad threat prevention. They claim that it is:
- The only firewall to classify traffic based on the accurate identification of the application, not just port/protocol information.
- The only firewall to identify, control and inspect SSL encrypted traffic and applications.
- The only firewall to provide graphical visualization of applications on the network with detailed user, group, and network-level categorization by sessions, bytes, ports, threats and time.
- The only firewall with real-time (line-rate, low latency) protection against viruses, spyware and application vulnerabilities based on a stream-based threat prevention engine.
- The only firewall with line-rate, low latency performance for all services, even under load.
- The only firewall to offer a true in-line transparent deployment option for seamless integration into an existing network infrastructure.
While the presentation itself tended to focus more on analyzing internal user's connections outbound toward the internet and it seems to do that fairly well, it didn't cover external users connecting inbound to web applications and things like that so I started asking questions about the firewall's ability to act as a WAF (Web Application Firewall). I was told that it will do some things like inspection for XSS and SQL Injection, it does not function as a true WAF. I wasn't even expecting that much so kudos to them.
All-in-all, I tend to believe the hype that this is the next generation of firewalls and while PaloAlto is the first player in the field, I'm sure others will soon follow. The firewall is one of the oldest network security devices out there and PaloAlto has definitely put forth a product that changes the way people will look at them. We think about protecting our networks on an application level and not on a port level so why should our firewalls do things any differently? That said, with this being such a new technology, I'm skeptical of how it works in the real world and am quite certain that it won't be long before hackers find creative ways in and users find even more creative ways out.