Dec 07

It’s that time of year again. The snow is starting to fall here in the Philadelphia area, it’s getting colder out each day and the wind chill is near unbearable. We all bundle up inside of our cozy offices, homes, and cars and brave the next couple of months. While you’re just chillin’ out waiting for the cold to pass, why don’t you start a list of things that you need to complete over the winter time? These few months are the best months to get things done inside since you really don’t want to get out there and shovel the walkway anyway.

I know that I started mine early — and not just in my personal life either. Here are just a few of the security projects that I’ll be looking at in the coming year. Go ahead, use these as a guideline to start to create your company’s security wishlist.

  1. Network Access Control
    • This is something that I’ve been looking into here at Southco for quite a while. Something like Cisco’s NAC or FreeNAC (a free network access control system built on Linux) software would do just fine. Anything to help keep the bad guys off your network. I know that for me, I can’t be everywhere at once so I need something else that can help me figure out who’s placing unknown or unprotected devices onto my network.
  2. Firewalls
    • It’s never too late to start looking at protecting your network from the outside. Keeping unwanted users and computers out of your network is one of the first lines of defense for any network. I look at too many networks that simply use a router without any logging or access control lists to keep people out. Also note: Make sure that you know what you’re doing before building your NAT tables and ACLs on your devices so that you don’t interrupt business too much — the C-level people usually aren’t too keen on that sort of thing.
    • Some products to look at are: Cisco’s ASAs, Juniper’s firewalls, IPCop (a free, open-source firewall)
  3. Security management software
    • Nothing gets to me more than a messy security configuration — alright, dirty dishes and overflowing trash are bad too but you get the point. But second to the dirt and grime of everyday life, a security configuration on a firewall or VPN appliance that isn’t kept clean can make for a horrible time when it finally fails. Take for instance a firewall with 60 rules that are in no particular order, have no descriptions and are not backed up. When that firewall dies one day, you will have one hell of a time building a new one to fit your company’s business. Make sure you keep up with the access controls that you have in your organization with tools like Kiwi CatTools or, if you’re a Cisco shop, Cisco’s CSM.
  4. Antivirus and malware protection
    • Finally, one of the most overlooked pieces of any network: antivirus and antimalware protection. It’s easy to forget that in most organizations a user can bring in documents from home on a USB drive, email themselves attachments or simply visit websites that contain malicious material. All of these are entrance points into your network for viruses and spyware and once they’re in, they can wreak havoc. If you do nothing else this year, please make sure that you have a product like AVG, McAfee or Norton installed on all of your computers, servers, appliances, and anything else you can install antivirus/malware software on in your network.
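To make item 3 concrete, here is an added example (not code from the original post or from any vendor tool) that audits a first-match ruleset for rules without descriptions and for rules that an earlier, broader rule already covers, which is what "no particular order" tends to hide. The `Rule` fields and the sample ruleset are assumptions constructed for illustration; the coverage check goes slightly beyond what the post describes.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:                      # hypothetical, vendor-neutral rule record
    action: str                  # "permit" or "deny"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    port: int                    # destination port, 0 = any
    description: str = ""

def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by b is also matched by a."""
    a_src, b_src = ipaddress.ip_network(a.src), ipaddress.ip_network(b.src)
    a_dst, b_dst = ipaddress.ip_network(a.dst), ipaddress.ip_network(b.dst)
    return (b_src.subnet_of(a_src) and b_dst.subnet_of(a_dst)
            and a.port in (0, b.port))

def audit(rules):
    """Return (index, finding) pairs for a ruleset evaluated first-match."""
    findings = []
    for i, rule in enumerate(rules):
        if not rule.description.strip():
            findings.append((i, "no description"))
        for j in range(i):
            if covers(rules[j], rule):
                # Same action: the later rule is dead weight.
                # Different action: the later rule never takes effect.
                kind = "redundant" if rules[j].action == rule.action else "shadowed"
                findings.append((i, f"{kind} (covered by rule {j})"))
                break
    return findings

# Constructed sample ruleset using documentation and private address ranges.
SAMPLE = [
    Rule("permit", "0.0.0.0/0", "192.0.2.10/32", 443, "public web server"),
    Rule("permit", "10.0.0.0/8", "0.0.0.0/0", 0, ""),
    Rule("deny", "10.20.0.0/16", "198.51.100.0/24", 25, "block guest SMTP"),
    Rule("permit", "203.0.113.0/24", "192.0.2.10/32", 443, "partner access"),
]

if __name__ == "__main__":
    for idx, finding in audit(SAMPLE):
        print(f"rule {idx}: {finding}")
```

In the sample, the deny for guest SMTP never fires because the undocumented "permit everything from 10.0.0.0/8" rule sits above it.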

You’ll thank me later if you do only a couple of these tasks this year. When everyone else is hunting down where the Nimda virus started or how their company documents got stolen off of their servers and plastered on a torrent tracker, you’ll be sipping that hot cup of joe by the warm firewall — I mean place.

Oct 10

So I’ve talked about how to start doing a basic security audit for yourself or your company. I think I’d like to answer a few questions that I get about wireless security now. Wireless is both a boon and a bane to the computing and technology world. When I talk about wireless here, I’m referring to wifi, 802.11b/g/n — not cellular wireless.

The best part of wireless is that it’s wireless. I know that sounds like a stupid, useless fact but it’s something to keep in mind while working with this technology. Wireless can be accessed outside of where you think the signal ends. Most people who implement wireless feel that they don’t need to enforce any security because they put the access point in their office or their house so only they can access it. Wireless bleeds out the windows, the doors, and straight through the walls. Someone with a high gain antenna should have no issue picking up a wireless signal over a mile away as long as they have line of sight.

Second, WEP is not a secure standard.  Yes, it looks secure since it has to be 5 or 13 characters but it’s truly not.  Following some simple instructions, which can be found via Google and at SecurityFocus, a person can hack a WEP key in a few minutes.  This means that they can have access to your personal or commercial network and take control of your information or worse, take your information.  Identity theft is on the rise and there is no better time than now to protect yourself.

There are many great ways to help protect yourself while using wireless.  I’ve listed a few below along with some more information about how to implement each one.

  1. Use WPA or WPA2 instead of WEP
    There are many different ways of using WPA or WPA2. TKIP and AES encryption are two of the simplest ways of protecting yourself. Most wireless APs and routers can accomplish this already and it’s easier to remember a long pass-phrase (such as iLoveToProtectMyWirelessConnection) than it is to think up a 5 or 13 character phrase as needed in WEP.
  2. Place your access point(s) in strategic places
    While you don’t want to place your APs so out of the way they can’t give you proper signal, you also don’t want to install your APs on the windows of your buildings. There is a restaurant where I live that has their AP directly in the window. This allows me access to their wireless anytime I want. A great tool to check wireless signals is called VisiWave Site Survey. It’s not free but it does produce outstanding reports to see just where your signals go.
  3. Use a VPN server
    While you can always attempt to protect your wireless network, using a VPN server to connect after getting on your wireless will encrypt and save your data from prying eyes even after they have broken into your wifi. Many companies already have VPN servers set up for remote access, so you could use this same server to get from your wireless into your LAN.
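As an added illustration of item 1 (not part of the original post), the sketch below reviews a small, constructed list of WLAN profiles: it flags WEP keys by their 5 or 13 character length and, for WPA/WPA2 personal mode, derives the 256-bit pairwise master key from the passphrase and SSID with PBKDF2-HMAC-SHA1 (4096 iterations), which is how a passphrase of 8 to 63 characters becomes the actual key. The profile names and keys are assumptions made up for the example.

```python
import hashlib

WEP_ASCII_LENGTHS = {5: 40, 13: 104}   # ASCII characters -> secret key bits

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2 personal mode: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode(), 4096, 32)

def review(ssid: str, mode: str, key: str) -> str:
    """Return a one-line finding for one WLAN profile."""
    if mode == "WEP":
        bits = WEP_ASCII_LENGTHS.get(len(key))
        if bits is None:
            return f"{ssid}: invalid WEP key length {len(key)}"
        return f"{ssid}: WEP-{bits} in use, move to WPA or WPA2"
    if mode in ("WPA", "WPA2"):
        try:
            pmk = wpa_pmk(key, ssid)
        except ValueError as exc:
            return f"{ssid}: {exc}"
        return f"{ssid}: {mode} passphrase of {len(key)} chars, {len(pmk) * 8}-bit PMK"
    return f"{ssid}: unknown mode {mode}"

# Constructed sample profiles; the long passphrase is the one quoted in the post.
PROFILES = [
    ("office-legacy", "WEP", "abcde"),
    ("office", "WPA2", "iLoveToProtectMyWirelessConnection"),
    ("guest", "WPA2", "short"),
]

if __name__ == "__main__":
    for profile in PROFILES:
        print(review(*profile))
```

Because the SSID is the salt, the same passphrase yields a different key on a differently named network.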

Well, hopefully this has been helpful to you. Let me know what ways you use to protect your wireless LANs.


Sep 27

So, it was a grueling trial for us with the two vendors that we decided to look at, Riverbed with their Steelhead appliances and Juniper with their WXC boxes.  But we are finished.  If you want to cheat, you can skip to the end of this blog post and find out who we decided to go with — if you don’t know already — or you can read through all of the “junk” that I have to say about each product and what it had to offer us and you.

Juniper - The trouble child of the group…
I’ll begin with the Juniper box.  The WXC appliance and I got started on the wrong foot.  We decided to try to use their multi-pathing feature and our network design simply would not support it without a lot of work.  We spent days trying to figure out a way to connect the two routers and two VPN concentrators behind the box (on the WAN side) for redundant pathing with no luck.  We decided to go ahead without this test and figured that we would look into it later.

After we got over this hurdle, the WXC was simple to set up. It provided us great value-add features such as QOS and reporting that were exactly what we needed. The downside to the setup of the Juniper was that we had to specify subnets that were in front of the box (on the LAN side) and then also choose who we wanted to accelerate traffic with. This would be great in some environments and control is key but in a meshed environment like we are moving to (MPLS), this was a headache. Figuring out which subnets sat where and making sure that we didn’t miss any was a pain. Other than these few issues that I ran into, the WXC was a great box. It seemed to work well and saved us quite a bit of bandwidth over the trial. Below is a screen capture of the numbers that we saved. I was pleasantly impressed with this solution.

Juniper Compression Numbers

Riverbed - It was love at first sight, sort of…
Riverbed was my choice from the beginning. All of the reports that I had read and studies that I had gone over said that Riverbed was the solution for us. Gartner puts them at the top-right of their 4-square rating system which was great for us. During the sales pitch, Riverbed came out and showed us an in-house demo of the system. They give you a stop watch and let you time the transfers and wait for the amazed look on your face and a blank check in hand. We didn’t really have either since we knew what we were getting into. We decided to delve deeper into this product and to bring a demo in line in a few of our sites. We loaded up the gear, two for Corporate, one for Worcester, UK and one for Honeoye Falls, NY and set out on our journey.

After the setup of the first Riverbed box took a mere 7 minutes to boot up, configure and reboot to save the configuration changes and make sure it was running properly, I was impressed. There were no tunnels to set up, no subnets to configure and when placed in line there was almost no downtime involved. The beautiful part of this setup came when the UK put their box in line a few days later. Since they’re 5 hours ahead of us here on the east coast, they put theirs in line about 0700 on a Thursday morning. That was 0200 here on the east coast. For the next 5 hours, they had no idea but they were compressing data, accelerating traffic and making their users’ lives easier. When I came into the office, I got a call saying that the WAN had mysteriously improved exponentially. I examined the setup and realized that not only had they put the box in line but they had booted it up. This was great news — since it worked well — but it could have been a disaster. Lucky for us, the Steelheads are smart enough to understand when a box is at the opposing end and they simply “make a connection”. Below is a screen shot from the Riverbed demo showing just how well it was doing during its short life at Southco.

Riverbed Compression Numbers

If you haven’t yet, you can read through the previous posts on the blog about our trials throughout this product selection process but we made our decision. And, drum roll please… If you didn’t figure it out by now, we decided on the Riverbed solution. The pricing came out similar in both cases and Riverbed had an additional offering, the mobile client. I don’t know if anyone understands how excited I am for the mobile client but I feel that it will make our users’ lives 100 times better while working remotely. I have seen the client in action, I tested it out myself, and it is just as good as purchasing a $6000 appliance but it runs hidden on a computer and “just works”.

That’s all for this trial and decision.  Feel free to contact me with any questions or comments you might have and I’d be happy to give you a hand with any information you might need to better your WAN environment at your organization.

Sep 25

I came across an interesting request recently in my company. Someone in marketing asked me why they couldn’t send an 80 MB file via email to an outside company. After I was done laughing — as they had attempted to do this 5 times already — I set out to figure out the best way to get the file from us to them. It turns out I had a few options:

FTP
SFTP
HTTP/HTTPS file transfer solution
CD/DVD and the US postal service

Well, a couple of these solutions were out of the question. FTP and HTTP are insecure. Security should be something that every company looks at today. Every day, no matter what type of industry you’re in, people try to break in to your systems and take information that isn’t theirs. Why make this easier for them? CDs and DVDs were also out of the question since we all know that our users want things NOW, not overnight or two-day express. This left me with SFTP and HTTPS file transfer solutions.

I decided to tackle SFTP first. I looked at two products that allowed SFTP transfers. First was JSCAPE Secure FTP Server software. JSCAPE’s software worked very well. The setup was simple and the features were numerous. It allowed remote administration, virtual file structures, HIPAA compliance, integrated web file transfers, and LDAP integration among other things. All of these were important features for us and for many of the companies out there that would use this technology. JSCAPE however had two hard things to overcome. One, it was expensive. The enterprise edition cost $5999 per server. This meant that not only did we have to spend almost $6000 for the software but we still needed to purchase a server and maintain the OS that was on it.

In the SFTP realm, I looked at GlobalSCAPE’s Secure FTP Server for Windows. GlobalSCAPE’s solution was within our price range and offered a wealth of features that we were interested in as well. The price of their solution was $690/server but required an additional $2294 for an integrated web file transfer piece and $2294 for an audit and reporting module. Both of these were important features to us as well. The software itself ran on top of another server which would need to run on Windows and would require us to maintain this server as well. While both of these solutions were viable, I decided to look into the HTTP/HTTPS file transfer solutions that were out there.

Lucky for me there were two very good options offered that I looked into. First was the SecureTransport solution by Tumbleweed Communications. This product was robust and offered numerous ways to allow connection to the appliance. It could be done via a client from Tumbleweed or SFTP, HTTPS or SSH. These were all great features but the manageability of the software was not as simple as the second option that we looked at and eventually settled on.

Accellion creates an all-in-one appliance that could provide everything that we needed and provided it with a web interface that was as close to sending an email as we could get. The users can authenticate via the web or directly in their Lotus Notes or Exchange clients and then write an email, attach files and send them on their way. The appliance would upload, virus scan, encrypt and deliver without any intervention from the user at our end or the receiving end. It automatically creates accounts for new users who need them and we got away from running just another server with a Microsoft OS loaded on it. This helped our IT department manage the things that we needed to manage. The box automatically updates itself, keeps itself clean by automatically removing accounts and files when they are not in use, and provides reports to myself and other administrators on its use. For Southco, this was the direction to go.

That’s all for now. I’ve been ill the past few days so I haven’t been writing much but hopefully this week, I’ll get back into the swing of things.

ALSO SEE: Southco Selects Accellion for Secure Transfer of Large Files

Sep 19

The Riverbed Experience - Day 1
The install of the Riverbed hardware was unbelievably simple. Within 10 minutes I had the first box set up (with Riverbed’s help) and installed in the rack. We pre-configured the other three boxes and sent them out to the specific sites.

The Juniper Experience - Day 1
Juniper’s WXC boxes had a fairly simple setup process as well. The downside to the Juniper setup was that while there was a wizard, there are around 23 steps to set it up. These steps were simple but were still unnecessary screens to click through. In addition, the screens were not as intuitive as the Steelhead’s screens. In Juniper’s defense, the WXC was able to offer a much better selection of QOS settings than the Riverbed appliance. This could be very helpful in today’s networks especially if you are planning an MPLS meshed network soon.