Are Home Firewalls Really That Important?

In the latter stages of the 2nd decade of the 21st century, our homes have not really changed that much from those of our parents. Aside from a new predominance of cheap throwaway furniture, today's house is largely similar to that of the 70s. Similar, that is, until we change our point of view, examining not the visible spectrum but rather the electromagnetic spectrum. The past 20 years have seen an explosion in our use of the airwaves and that change has not stopped at our front doors. Today's homes are filled with an argosy of gadgets, many of which independently communicate without any intervention from their human hosts. Indeed, whilst the home of the 70s was equipped with two main communications channels, namely the desktop telephone and the front door, the contemporary home has been unrecognisably changed by the communications revolution. It is the network which has been the real change across the years, allowing us to reach out in countless different ways but also, quietly, allowing the world to reach in.

And reach in it does.

The latest Government Security Breaches Survey found that nearly three-quarters (74%) of small organisations reported a security breach in the last year, an increase on the 2013 and 2014 surveys. SMEs are now being pinpointed by digital attackers. If SMEs are being targeted, rest assured that home networks are too.

So how do we protect our homes? Well, the picture isn't as bleak as it may seem. Most ISPs provide equipment which has a built-in firewall. Firewalls form your home network's primary defence against online security risks, and can therefore considerably boost your peace of mind concerning your network security. Without any human intervention, the stock firewall set at its default settings is pretty effective. It basically blocks everything from the outside unless it was requested by something on the inside. So far so good, you may think, and you'd be right; however, it's that sticky part about human intervention that hides the real danger. People feel the need to change their firewall settings. Not only that, they download dodgy code, click dodgy links and generally just circumvent all that good security the firewall was designed to provide. Before long the network security is full of holes and the world starts reaching in.

Home networks are becoming ever more complex, and the paucity of good quality consumer grade network equipment speaks volumes about our inevitable prioritisation of cost above just about anything. In their race to the bottom, home network equipment manufacturers need to keep their costs to the bare minimum. They do this by using free, vulnerable operating systems which have no simple mechanism to ever be upgraded or, more importantly, fixed. There's no getting around the fact that our homes are full of, and will continue for quite some time to be full of, network equipment that is of a shockingly low security standard.

This brings us nicely back to the question of the home firewall. Yes, generic router firewalls are great out of the box, but they only look outwards and never inwards. It is becoming increasingly apparent that home networks, which are basically the same as small business networks, require better. Low cost solutions do exist and they are effective. For example, for those with a spare PC hanging around, the option exists to install a free software firewall (e.g. Sophos XG Home Edition), but it's far from an elegant solution to keep a dedicated PC powered up 24×7 and it is one which few consumers would countenance. Other dedicated hardware solutions exist of course, but they can be expensive and are, in all likelihood, business solutions. Sadly, for the consumer, the choice to manage a firewall in the home is still the preserve of the nerdy computer enthusiast who, ironically, is probably less vulnerable than most.

For now the discussion remains unresolved. It is unlikely that the consumer will find it in their gift to look beyond cost to something that keeps their online lives secure enough and it will likely therefore fall to some broader agency to act. Whether that agency turns out to be the government, the banks who perhaps have most to lose, or some other combination of private sector collaborators remains to be seen. One thing however is certain. The problem is going to get worse before it gets better and it will probably take some form of paradigm shift in public perception for the motivation to be found.

Let's hope the cause of the paradigm shift isn't too painful.

Wireless Body Area Networks

Wireless networking has become increasingly pervasive throughout our lives with the emergence of new communications technologies and techniques which have had a dramatic effect on the efficacy of the technology. As systems and ideas catch up with the tools available to them, one very interesting area which has been touched by wireless networking is that of the human body and its very immediate surroundings. Such networks are known as WBANs (Wireless Body Area Networks).

As a reasonably intimate application area, WBANs have found their primary usefulness to be in the medical arena. The demographics of the population of the world show it to be ageing fast as the baby boom generation moves up through the years. Around the world, governments and other interested agencies have begun to plan for the inevitable peak in the requirements for the care of the aged population. One potential advantage in dealing with the thorny problem they face is to use technology to leverage the effect of the limited resources they can bring to bear. Clinical areas such as Cancer Detection, Cardiovascular Diseases, Asthma Mitigation and Sleep Disorders can be positively impacted, not to mention the broader areas where implants and wearable medical devices can be brought to bear. Reaching further out, WBANs can also make a significant difference to the remote control of medical devices via telemedicine systems.

In short, the assistance provided by using WBANs is extremely significant; however, the adoption of the technology into the specific field has had to overcome some broad and significant challenges. These challenges can be broadly described as Architecture, Power Consumption, Data Rate and Security.

Let's take a look at how WBAN technology can be applied to the UK in the specific field of heart disease. Clearly heart disease is a leading cause of death for a significant percentage of the population. Appropriate and timely monitoring can prove to be a real asset in dealing with this condition and it is in this way that the benefits of WBANs can really be brought to bear. Systems have been developed such that, by the use of non-intrusive miniaturised sensors, ambulatory monitoring of the most important metrics can be continued in real time as the patients go about their routines. The ubiquity of high speed mobile data networks in the UK means that, for the most part, this monitoring can continue uninterrupted for as long as is necessary. By carefully monitoring these vital signs, trained medical professionals can interpret the presence of problems, monitor deterioration and if necessary perform interventions.

In order to gain traction and mainstream acceptance in the United Kingdom, certain key issues had to be addressed. A hierarchical model for the architecture of WBANs has been developed such that the devices are controlled by a central appliance known as a personal server. The model is flexible enough that it can be adapted to more specifically suit its use in specialised places such as a hospital or, conversely, broader scope areas out in the field.

Devices have had to be developed specifically for use in such an intimate way such that they do not exceed power outputs that are considered harmful to localised regions within the human body. A key measure known as the Specific Absorption Rate must not exceed the limits set out by various legislatures in the regions within which they operate. Institutional approval must be sought for each device that will operate in this specialised area. Furthermore, these specialised appliances, be they sensors or other devices must operate to very stringent limitations on their power consumption.

In order for the system to work within the context of a 21st century professional medical care system, the governance framework around which the application is set out must be considerable. Lives can be lost if the system fails, so it becomes imperative that systems failure modes and their consequences be carefully managed. Where there is potential for loss of life or serious non-fatal consequences, steps must be in place to ensure that systems failure cannot take place.

Another extremely important aspect which must be carefully managed is that of the security of medical WBAN systems. It almost goes without saying that, with systems that intrude into the most intimate areas of the human body and that are charged with managing and effecting healthcare decisions, security is one of the most paramount concerns. Conventional network security, whilst strong, is by no means impenetrable. Appropriate systems of management, policy and operation need to run alongside the key building blocks of security such as authentication, integrity and confidentiality. Complex encryption systems place demands upon processing as well as data rate overhead, which serve to pull the design of the equipment away from the miniature. Broadly speaking therefore, a robust system must mesh together and operate flawlessly for the system to meet its mandatory requirements. Such standards require a strong governing entity to overarch the system and maintain its operation. The UK is well placed to provide this governing body and manage standards such as is necessary.

Looking contrastingly at Uzbekistan, where heart disease is a more significant issue, it becomes necessary to consider whether the resources available can ensure the necessary standards are met. It becomes perhaps necessary to rethink whether any of the standards which are necessarily adopted in an idealised situation such as is available in the UK can be relaxed. Standards of governance and their implementation and control require significant budget. Given the contrasting fiscal limitations in play in Uzbekistan one wonders perhaps if such actions and activities are appropriate.

In addition, looking at the figures for the penetration of networked data communication within the country, one also wonders if the infrastructure is in place to support such ambitions. One of the key unique selling points of the technology and its application is the ability for it to continue to operate with near ubiquity. In a country where the telecommunications infrastructure renders this nigh on impossible, it would seem to render the argument in favour of using the technology moot. Looking at both arguments it is therefore probably not a suitable technology for use in countries such as Uzbekistan with insufficient network infrastructure and very limited health budgets, tempting though the technology is.

WBANs present health professionals with unique opportunities to enhance medical care to levels previously unheard of and probably unachievable. With proper and effective management systems in place they represent a fantastic fillip to the broader toolset of medical practitioners. They will undoubtedly play an increasing part in health systems for many years to come.

The Nessus Vulnerability Scanner

In computer security, Nessus is a proprietary comprehensive vulnerability scanning program. It is free of charge for personal use in a non-enterprise environment. Its goal is to detect potential vulnerabilities on the tested systems. For example:

  • Vulnerabilities that allow a remote cracker to control or access sensitive data on a system.
  • Misconfiguration (e.g. open mail relay, missing patches, etc.).
  • Default passwords, a few common passwords, and blank/absent passwords on some system accounts. Nessus can also call Hydra (an external tool) to launch a dictionary attack.
  • Denials of service against the TCP/IP stack by using mangled packets.
  • Preparation for PCI DSS audits

On UNIX (including Mac OS X), it consists of nessusd, the Nessus daemon, which does the scanning, and nessus, the client, which controls scans and presents the vulnerability results to the user.

According to surveys done by sectools.org, Nessus is the world's most popular vulnerability scanner, taking first place in the 2000, 2003, and 2006 security tools surveys. Tenable estimates that it is used by over 75,000 organizations worldwide.

In typical operation, Nessus begins by doing a port scan with one of its four internal portscanners (or it can optionally use Amap or Nmap) to determine which ports are open on the target and then tries various exploits on the open ports. The vulnerability tests, available as subscriptions, are written in NASL (Nessus Attack Scripting Language), a scripting language optimized for custom network interaction.

Tenable Network Security produces several dozen new vulnerability checks (called plugins) each week, usually on a daily basis. These checks are available for free to the general public; commercial customers are not allowed to use this Home Feed any more. The Professional Feed (which is not free) also gives access to support and additional scripts (audit and compliance tests…).

Optionally, the results of the scan can be reported in various formats, such as plain text, XML, HTML and LaTeX. The results can also be saved in a knowledge base for debugging. On UNIX, scanning can be automated through the use of a command-line client. There exist many different commercial, free and open source tools for both UNIX and Windows to manage individual or distributed Nessus scanners.

If the user chooses to do so (by disabling the option 'safe checks'), some of Nessus's vulnerability tests may try to cause vulnerable services or operating systems to crash. This lets a user test the resistance of a device before putting it in production.

Nessus provides additional functionality beyond testing for known network vulnerabilities. For instance, it can use Windows credentials to examine patch levels on computers running the Windows operating system, and can perform password auditing using dictionary and brute force methods. Nessus 3 and later can also audit systems to make sure they have been configured per a specific policy, such as the NSA's guide for hardening Windows servers.
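
The XML export mentioned above lends itself to scripted triage. As an added example (not part of the original post and not Tenable's own tooling), the following Python reads a report and lists findings worst first. It assumes the .nessus v2 XML layout (`ReportHost` and `ReportItem` elements with a numeric `severity` attribute, 0 informational to 4 critical); the sample report, hosts and plugin names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample report; hosts and plugin names are invented for illustration.
SAMPLE = """<NessusClientData_v2><Report name="constructed-home-lan">
 <ReportHost name="192.0.2.10">
  <ReportItem port="0" protocol="tcp" severity="0" pluginName="Host information"/>
  <ReportItem port="25" protocol="tcp" severity="3" pluginName="Open mail relay">
   <solution>Restrict relaying to authenticated clients.</solution>
  </ReportItem>
 </ReportHost>
 <ReportHost name="192.0.2.20">
  <ReportItem port="23" protocol="tcp" severity="4" pluginName="Default password accepted">
   <solution>Change the default credentials.</solution>
  </ReportItem>
  <ReportItem port="443" protocol="tcp" severity="2" pluginName="Missing patch"/>
 </ReportHost>
</Report></NessusClientData_v2>"""

# Assumed severity scale of the export format.
SEVERITY = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}

def parse_findings(xml_text, min_severity=2):
    """Return findings at or above min_severity, worst first."""
    if "<!DOCTYPE" in xml_text:
        # Report files need no DTD; refusing one avoids entity-expansion tricks.
        raise ValueError("DOCTYPE not allowed in report")
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            sev = item.get("severity", "")
            if not sev.isdigit() or int(sev) < min_severity:
                continue  # skip informational or malformed items
            findings.append({
                "host": host.get("name"),
                "port": f'{item.get("port")}/{item.get("protocol")}',
                "rank": int(sev),
                "severity": SEVERITY.get(int(sev), "unknown"),
                "plugin": item.get("pluginName"),
                "solution": (item.findtext("solution") or "").strip(),
            })
    return sorted(findings, key=lambda f: (-f["rank"], f["host"], f["port"]))

def worst_per_host(findings):
    """Map each host to the highest severity rank seen on it."""
    worst = {}
    for f in findings:
        worst[f["host"]] = max(worst.get(f["host"], 0), f["rank"])
    return worst

if __name__ == "__main__":
    for f in parse_findings(SAMPLE):
        print(f'{f["severity"]:8} {f["host"]:12} {f["port"]:8} {f["plugin"]}')
```

Raising `min_severity` narrows the list to what needs fixing first; `worst_per_host` gives a quick per-device ranking for a home or small-office network.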

 

Q. What is included in the Nessus download?
A. When you download Nessus, you receive the Nessus 4.4 scanning engine (server) that includes a Flash web-based client. To receive updates under either a ProfessionalFeed or HomeFeed, you will need to register your scanner.

Q. What OS platforms does Nessus have builds for?
A. Nessus 4.4 is available and supported for a variety of operating systems and platforms:

  • Debian 5 (i386 and x86-64)
  • Fedora Core 12, 13 and 14 (i386 and x86-64)
  • FreeBSD 8 (i386 and x86-64)
  • Mac OS X 10.4, 10.5 and 10.6 (i386, x86-64, ppc)
  • Red Hat ES 4 / CentOS 4 (i386)
  • Red Hat ES 5 / CentOS 5 / Oracle Linux 5 (i386 and x86-64)
  • Red Hat ES 6 / CentOS 6 (i386 and x86-64) [Server, Desktop, Workstation]
  • Solaris 10 (sparc)
  • SuSE 9.3 (i386)
  • SuSE 10.0 and 11 (i386 and x86-64)
  • Ubuntu 8.04, 9.10, 10.04 and 10.10 (i386 and x86-64)
  • Windows XP, Server 2003, Server 2008, Server 2008 R2, Vista and 7 (i386 and x86-64)

Q. What does Nessus 4.4 cost?
A. The Nessus 4.4 scanner is available as a free download.

Q. Where can I go for more information?
A. If you still have questions about Nessus 4.4, feel free to contact us, visit http://www.rustyice.co.uk/ or post to us via our contact link.

Cisco Plays Catchup in DPI Test

If you’re a large enterprise with its own network, an ISP, or a company intent on claiming its own, online, the technology force of Deep Packet Inspection (DPI) is with you.

But it may surprise you who shows up on the doorstep to sell it to you.

Results of a test of P2P filtering gear conducted for Internet Evolution by the European Advanced Networking Test Center AG (EANTC) show that Cisco Systems Inc. (Nasdaq: CSCO), ipoque GmbH, and Procera Networks Inc. (Amex: PKT) are ready, willing, and able to help enterprises and ISPs reduce network production costs.

Some are more ready than others, though. Cisco, while matching and exceeding its rivals in various test scenarios, offers half the bandwidth capacity of the two smaller, younger companies. Cisco offers a total of four 10-Gbit/s load modules on its SCE-8000 unit, compared with eight 10-Gbit/s modules supported on ipoque’s PRX-10G Traffic Manager and Procera’s PacketLogic 10014.

During the tests, Procera's and ipoque's devices, both equipped with four interface pairs, were exposed to twice the load and number of concurrent connections as Cisco's, with its two interface pairs.

Cisco, despite being the world’s biggest networking vendor, was bested in blocking P2P traffic by ipoque, whose PRX-10G allowed less than 0.01 percent of P2P traffic to bypass its filtering, compared with 2.4 percent for Cisco’s SCE-8000 and 2.9 percent for Procera’s PacketLogic.

Further, Cisco, along with Procera, required some updates and adjustments to perform as expected in detecting popular P2P protocols.

Does this mean Cisco’s not ready for P2P prime time?

Hardly. While its DPI device may be lower capacity than the competitors in this test, Cisco, like the others, appears to have emerged from the beta-like vaporware stage all vendors were in during the March 2008 P2P EANTC test.

“Whether we talk about intelligent management of consumer traffic or about freeing bandwidth by throttling the massive amount of P2P traffic, the devices we tested are ready to be rolled out in service provider backbones,” says Carsten Rossenhövel, managing director of EANTC.

As detailed in our latest Big Report, “P2P Taste Test,” vendors have improved performance and accuracy significantly since last year’s test. EANTC increased its performance test bed by a factor of 25, and still didn’t hit the limits of these boxes.