TechRepublic : A ZDNet Tech Community

Network Administrator

Archive: July, 2008

Behavioral targeting: What you need to know

Behavioral targeting is advertising’s attempt at supplying you with specialized ads developed from your Internet history. The intent of this article by Michael Kassner is to shed light on how behavioral targeting works and how it can affect you.
——————————————————————————————————————-

Behavioral targeting, to say the least, is an interesting concept. It may change how all of us view and use the Internet. Knowing that, I’d hope everyone would want to understand what it’s all about. Briefly, behavioral targeting first determines what you like, based on where you go on the Internet. Then, behavioral targeting selects advertisements that are most likely to influence you, displaying them on the new web pages you ask for.

Before we get too much deeper into behavioral targeting, I need to point out some related technology that makes behavioral targeting possible. Behavioral targeting only became feasible when Deep Packet Inspection (DPI) matured into an established technology. Therefore, it’s important to comprehend what DPI is. To help in that regard, please refer to a recent article of mine called “Deep Packet Inspection: What You Need to Know.” I know it seems like a shameless plug, but it helps if we’re all on the same page.

The infamous cookie

The next piece of the puzzle we need to understand is the much-maligned cookie. Cookies are benign text files that are sent to the web browser from the web server that’s hosting the web pages being queried. Cookies have multiple purposes: they allow automatic authentication, keep track of the browser’s session state, and identify the user/web browser combination to the web server. The fact that cookies can identify the user/web browser combination is paramount to our discussion about behavioral targeting, because the behavioral targeting process installs additional cookies specifically to track what web pages have been viewed. That’s why cookies are so important and why I’d like to describe how a cookie is installed:

  1. The process starts when I type the URL of a web site into the web browser.
  2. The browser will check the computer’s hard drive for a cookie associated with the web site I just entered. If it finds the appropriate cookie, the browser will send the cookie information along with the URL to the web server controlling the web site being queried. If the browser doesn’t find a cookie, no data is sent.
  3. The web server receives the request for a page. It then checks to see if a cookie was sent as well. If so, the web server can use that information to tailor the web page specifically for me.
  4. If the web server didn’t receive a cookie, it knows that I haven’t visited the site before. The web server then creates a new ID for me in the web server’s database and sends a cookie in the header for the web page to the computer I’m using. My computer then stores the cookie on the hard drive. From that point on I’m uniquely identified when I ask for web pages from that particular web server.

We now have all the relevant pieces, so let’s get to the important stuff. Behavioral targeting is an application that uses information it has gleaned from our web-browsing habits to display ads it thinks we’d like to see. The process starts with companies like Phorm or NebuAd (behavioral targeting development companies) talking to our ISPs, offering the ISPs money if they will allow Phorm or NebuAd to install equipment in the main traffic stream of the ISP. This equipment serves two purposes:

  • It inserts a Phorm or NebuAd cookie that uniquely identifies each ISP subscriber and is associated with every cookie domain that has been issued to the subscriber.
  • It uses DPI equipment to read every web page that the subscriber has asked for and creates a profile of the subscriber’s interests based on a predetermined checklist.

Phorm’s approach

The subscriber profile is of obvious interest to advertising firms — why serve ads about baby diapers to someone interested in joining AARP? The advertising firms negotiate with Phorm or NebuAd to provide content through the behavioral targeting application. Thereafter, no matter where the subscriber goes on the Internet, those specific ads will show up on the web page being served to the subscriber. To help clarify this, let’s take a look at the process (diagram courtesy of Wikipedia) Phorm uses to set up behavioral targeting:

[Diagram: Phorm’s behavioral targeting process]

  1. I want to go to www.techrepublic.com, so I type the appropriate URL in my browser and the browser sends the query out to the Internet.
  2. My ISP receives the request, normally passing the query on. Since there’s Phorm equipment in the data stream, it intercepts my query for www.techrepublic.com.
  3. The Phorm application then checks to see if there’s a Webwise.net cookie (a domain name owned by Phorm) associated with the Techrepublic.com domain.
  4. There’s not one initially since the Phorm equipment has just been installed. Therefore, Phorm blocks access to www.techrepublic.com.
  5. Now a Phorm server at the ISP steps in and pretends to be a web server at www.techrepublic.com, returning a “307-Temporary Redirect” to my web browser. The 307 redirect tells my browser that the URL I asked for has been relocated temporarily to a different location.
  6. My browser now thinks that www.techrepublic.com has moved to www.webwise.net, so it makes a redirection query to www.webwise.net. If my web browser locates a Webwise domain cookie it will also be attached to the redirection query. Phorm then knows who I am by the unique ID associated with the Webwise.net domain cookie.
  7. If there isn’t a Webwise domain cookie, the Phorm server will assign one to me and send it back to my browser in another 307 temporary redirect response to a fake www.techrepublic.com page that is on the Phorm server. Therefore, if I didn’t have a Webwise.net cookie, I do now and it’s a first-party cookie.
  8. Next, my web browser sends a redirection query to the fake www.techrepublic.com page. The Phorm server once again steps in and pretends to be the web server at www.techrepublic.com. Remember the browser thinks it’s sending a query to www.techrepublic.com and there’s still the unique Webwise user ID in the query. The Phorm server now sends the final 307 temporary redirect response to my web browser telling it to go to the actual www.techrepublic.com web page. This part is important: The Phorm server also sends back a Webwise cookie, but it’s placed in the Techrepublic.com domain and becomes another first-party cookie.
  9. Finally, my web browser sends a query to www.techrepublic.com and it appears that it will make it this time. The query has a unique payload of cookies as well, one for the Techrepublic.com domain and one for the Webwise.net domain.
  10. The Phorm equipment at my ISP intercepts this query and the Webwise.net domain cookie is stripped off before the query actually proceeds to the Techrepublic.com web server. This appears to take place to avoid public visibility of the Webwise.net cookie, as it shouldn’t be on a www.techrepublic.com query.
  11. The contents from my query to www.techrepublic.com come back and are intercepted by Phorm equipment. A copy of the information along with my Techrepublic.com domain and Webwise.net domain cookies are sent to a secondary piece of Phorm equipment.
  12. The secondary Phorm equipment scans my Techrepublic.com web page for key information that will be added to their browsing profile about me.

Sorry for the long, drawn-out description, but that’s exactly what takes place every time a web browser sends out a query. In this way, Phorm knows exactly where I go on the Internet and what I’m looking at. With these profiles, Phorm, for a fee, will tell advertising firms what ads to place on the web pages being served to me. The company states this whole process is anonymous, but that requires trust in what Phorm says, as the Phorm application is proprietary and not available for peer review. I don’t have an opinion one way or the other as to the claims of anonymity by Phorm. As mentioned earlier, I’m just concerned that most users are not aware of this technology, and I want to correct that.
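The redirect sequence in steps 5 through 9 is visible from the browser side, so it can be checked for in an HTTP log. The following is an added example, not code from the article or from Phorm; the hosts match the article, while every path, cookie name, and cookie value is constructed.

```python
"""Flag the 307 'bounce' pattern described above in a browser-side HTTP log."""
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}


def site(url):
    """Crude registrable domain: last two host labels (no public-suffix list)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])


def redirect_chains(exchanges):
    """Group exchanges into chains where each request follows the prior Location."""
    chain = []
    for ex in exchanges:
        if chain and chain[-1].get("location") != ex["url"]:
            yield chain
            chain = []
        chain.append(ex)
        if ex["status"] not in REDIRECTS:
            yield chain
            chain = []
    if chain:
        yield chain


def find_bounces(exchanges):
    """Report chains that leave the requested site via 307 and come back to it."""
    findings = []
    for chain in redirect_chains(exchanges):
        first, last = chain[0], chain[-1]
        origin = site(first["url"])
        detour = sorted({site(ex["url"]) for ex in chain} - {origin})
        returned = last["status"] not in REDIRECTS and site(last["url"]) == origin
        uses_307 = any(ex["status"] == 307 for ex in chain[:-1])
        if not (detour and returned and uses_307):
            continue
        # Cookies issued by the hops themselves, before any real content arrived.
        planted = [
            (site(ex["url"]), cookie.split("=", 1)[0])
            for ex in chain[:-1]
            for cookie in ex.get("set_cookie", [])
        ]
        findings.append({
            "origin": origin,
            "detour_sites": detour,
            "hops": len(chain) - 1,
            "cookies_set_during_bounce": planted,
            "origin_cookie_planted": any(s == origin for s, _ in planted),
        })
    return findings


# Constructed capture: paths and cookie names are placeholders, not Phorm's.
CAPTURE = [
    {"url": "http://www.techrepublic.com/", "status": 307,
     "location": "http://www.webwise.net/example-bind"},
    {"url": "http://www.webwise.net/example-bind", "status": 307,
     "location": "http://www.techrepublic.com/example-return",
     "set_cookie": ["example_uid=CONSTRUCTED123; Domain=webwise.net"]},
    {"url": "http://www.techrepublic.com/example-return", "status": 307,
     "location": "http://www.techrepublic.com/",
     "set_cookie": ["example_uid=CONSTRUCTED123"]},
    {"url": "http://www.techrepublic.com/", "status": 200},
    # Ordinary same-site redirect that must not be flagged.
    {"url": "http://example.org/old", "status": 301,
     "location": "http://example.org/new"},
    {"url": "http://example.org/new", "status": 200},
]

if __name__ == "__main__":
    for finding in find_bounces(CAPTURE):
        print(finding)
```

Legitimate single sign-on flows also bounce through a second site, so a finding is a prompt to look at which site the detour goes through, not a verdict.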

NebuAd’s approach

NebuAd is another major player in behavioral targeting. Their process is slightly different, and I’d like to explain the differences, even though the results are the same. The NebuAd equipment is also placed in the ISP’s main data stream, but NebuAd doesn’t use the cookie shuffle like Phorm. NebuAd, to their credit, uses a very innovative approach I’ll explain by using the following example:

  1. I want to go to www.techrepublic.com, so I type the appropriate URL in my browser and the browser sends the query out to the Internet.
  2. My ISP receives the request and passes the query on to www.techrepublic.com (different from Phorm).
  3. The web server at www.techrepublic.com replies to my web browser’s query with the appropriate web page.
  4. The NebuAd equipment at my ISP is monitoring this exchange and as the last packet reaches the ISP, the NebuAd application injects one packet to the end of the traffic from the web server at www.techrepublic.com.
  5. This final packet contains JavaScript. The script causes my web browser to go and retrieve scripting code at a NebuAd web site.
  6. My web browser then runs the script and a NebuAd cookie is planted on my computer.

The NebuAd cookie is similar to the Phorm cookie in that it uniquely identifies me and allows the NebuAd applications located at my ISP to track my Internet activity, scan the returned web pages, and create a profile that’s of interest to advertisers. At this point, Phorm and NebuAd are almost identical.

What’s it all mean

That’s the ultimate question, and I’ll leave that to the pundits who are much more knowledgeable than I am. As I mentioned, my goal was to make you aware of what’s coming. I’m not sure I want a business entity tracking my every move on the Internet. My government, sure that’s a different story. They aren’t doing it for monetary gain; they are protecting me. That being said, I do understand the need for advertising. Part of my professional existence depends on advertisements. I’m just not sure being this invasive is the answer.

Also, I suspect that this business model will place the advertising world in some sort of turmoil. For instance, who gets to decide what ads are displayed when I go to Techrepublic.com? TechRepublic or someone paying my ISP? For more insight into how this topic is playing out, I suggest that you listen to Steve Gibson of GRC.com and Leo Laporte from Twit.TV. They cohost a series called Security Now and have put together several podcasts that explain relevant pieces of behavioral targeting. I’d especially recommend listening to the podcast “Episode 153: DePhormed Politics,” where Steve and Leo have an enlightening discussion with Alexander Hanff, a technologist and anti-Phorm activist from the UK.

Preventative measures

There are options that you can use to avoid behavioral targeting cookies and DPI scrutiny. Encrypted tunnels through your ISP prevent the installation of behavioral targeting cookies, because equipment sitting in the ISP’s data stream cannot read or alter traffic it cannot decrypt. Likewise, VPNs, whether they are IPsec, L2TP, or SSL, will negate any effort by DPI to decipher the encrypted traffic. E-mail is another subject, and once again the only sure way to ensure its privacy is to encrypt the message. There are not a whole lot of options, but that’s because behavioral targeting applications are being placed only one hop away from your network perimeter.

Final thoughts

Whew, this is a tough subject. I know that opinions about behavioral targeting will run from A to Z, and that’s good. I’m not even sure what my final thoughts are. What bothered me was the lack of information about behavioral targeting. Hopefully, I was able to change that with this article.

——————————————————————————————————————-
Michael Kassner has been involved with wireless communications for 40 plus years, starting with amateur radio (K0PBX) and now as a network field engineer and independent wireless consultant. Current certifications include Cisco ESTQ Field Engineer, CWNA, and CWSP.

Spiceworks further integrates crowdsourcing

  • Date: July 29th, 2008
  • Blogger: Justin James
  • Category: network tools

Justin James talks to Spiceworks’ Jay Hallberg to learn more about how the company is incorporating crowdsourcing into its network monitoring application.

——————————————————————————————————————-

One thing I’ve always liked about Spiceworks is its customer-oriented attitude. Every time I talk to the people at Spiceworks, I get the impression that “listening to the voice of the customer” is not just a bulletpoint in a marketing brochure but a real philosophy driving the company.

On July 24, 2008, Spiceworks rolled out a major initiative that continues this tradition. I had the chance to catch up with Jay Hallberg, Spiceworks’ cofounder and VP of Marketing (pictured at right), to learn more about how the company is incorporating crowdsourcing into its product. Here’s an excerpt of BNET’s definition of crowdsourcing:

“…the basic idea is to tap into the collective intelligence of the public at large to complete business-related tasks that a company would normally either perform itself or outsource to a third-party provider.”

First, I’ll back up a little and offer a brief overview of the Spiceworks application and describe how the company benefits from audience participation. (Disclosure notice: I have a contract with Spiceworks to write product buying guides.)

How Spiceworks users drive product development

The Spiceworks application is designed to let IT pros manage their networks. When the application was first released, it was primarily geared toward reporting on the current network status (it was somewhere between an automated inventory and a proper network monitor). The Spiceworks application has grown and expanded to become more of a one-stop application, yet it’s still not headed for the kitchen-sink status of enterprise software.

Spiceworks has always had a large amount of audience participation in its product. The company’s forums about the product have been very successful. From the beginning, Spiceworks has had its users suggest and vote on new features. Spiceworks is a good example of an agile project that can be driven by customers without a huge amount of one-on-one contact.

In late 2007 and early 2008, Spiceworks’ user base grew beyond 250,000, and Jay says the company hit a critical mass in which it became possible to let users drive even more of what was going on. He reports that, once a question is posted, it usually takes only a few minutes for good answers to start pouring in from other users.

How Spiceworks is opening up its ecosphere

Beginning July 24, 2008, Spiceworks is starting with various lists and other pieces of content that it or its partners produce and letting its users “take it over.” For example, Spiceworks might start with a guide to selecting e-mail software, and then let users put together their own list of favorite e-mail software packages. The company is also letting users take part in surveys and polls that are tied to the content.

One item I find especially interesting is the ability for a user who generates a report for their network to easily share it with other users. The user clicks a Share button in the application, and the application handles the rest. From there, anyone can download the report and add it to their local deployment. Users can Vote Up their favorite reports, and highly ranked reports will become part of the shipping product.

In a way, Spiceworks is providing a framework for users to “open source” select aspects of the product and the community in a controlled fashion. Spiceworks is providing good moderation of the user-generated content (Jay said that it is “a lot like gardening”). Spiceworks is making sure that the best user contributions get the spotlight so that other users can easily find and use them.

Why is this crowdsourcing approach different?

I asked Jay what makes this crowdsourcing approach significantly different from wikis, blogs, forums, newsgroups, and so on. He told me that there are two major differences: the focus on the SMB market and the integration with the Spiceworks application.

The Spiceworks application is extremely focused on a precise market: companies with 100 or fewer employees. In fact, most of the negative feedback I hear from people regarding the Spiceworks application is that it does not meet the needs of larger companies. As a result of this focus, the content and information in the Spiceworks community is very specialized: if you are an IT worker in that kind of environment, it is tailored to meet your needs. The Spiceworks application is tied directly to this information as well. Instead of going to a search engine and spending hours looking up data, culling out duplicate hits, and so on, it is all available directly where you need it most — in the Spiceworks application that you use to manage your network.

I am pretty curious to see how this approach turns out for Spiceworks.

Deep Packet Inspection: What you need to know

All sorts of public and private entities would love to monitor your Internet browsing habits. It’s now possible using “Deep Packet Inspection.” Michael Kassner will shed some light on the technology involved and possible privacy issues.
——————————————————————————————————————-

Anyone who uses the Internet needs to be aware of Deep Packet Inspection (DPI), its uses, and potential misuses. You may recognize DPI as what ISPs use to conform to CALEA, the U.S. government-ordered Internet wire-tapping directive. If that’s not enough, DPI, albeit behind the scenes, allows ISPs to block, shape, and prioritize traffic, which is now fueling the “Net Neutrality” versus traffic priority debate. So, what is DPI and how does it work?

Deep Packet Inspection

DPI is next-generation technology that’s capable of inspecting every byte of every packet that passes through the DPI device: packet headers, types of applications, and actual packet content. Up until now, this wasn’t possible with IDS/IPS systems or stateful firewalls. The difference is that DPI has the ability to inspect traffic at layers 2 through 7, hence the “deep” in DPI. A simple analogy would be that of snail mail. IDS/IPS firewalls would be the mail sorters who just read the letter’s address, knowing nothing about the letter’s content. Inspecting Internet traffic from layers 2 through 7 would correspond to the person who actually reads the letter and understands the contents.

To recap, DPI allows people controlling the device to know everything, including the payload of each packet in the data stream. For example, if an unencrypted e-mail is scanned, the actual body of the e-mail can be reassembled and read. Nate Anderson wrote an excellent Ars Technica article “Deep Packet Inspection Meets Net Neutrality, CALEA.” The following quote appears in that article:

“Deep packet inspection refers to the fact that these boxes don’t simply look at the header information as packets pass through them. Rather, they move beyond the IP and TCP header information to look at the payload of the packet. The goal is to identify the applications being used on the network, but some of these devices can go much further; those from a company like Narus, for instance, can look inside all traffic from a specific IP address, pick out the HTTP traffic, then drill even further down to capture only traffic headed to and from Gmail, and can even reassemble e-mails as they are typed out by the user.”

Mr. Anderson also explains what happens at layer 7:

“Layer 7 is the application layer, the actual messages sent across the Internet by programs like Firefox or Skype or Azureus. By stripping off the headers, deep packet inspection devices can use the resulting payload to identify the program or service being used. Procera, for instance, claims to detect more than 300 application protocol signatures, including BitTorrent, HTTP, FTP, SMTP, and SSH. Ellacoya reps tell Ars that their boxes can look deeper than the protocol, identifying particular HTTP traffic generated by YouTube and Flickr, for instance. Of course, the identification of these protocols can be used to generate traffic shaping rules or restrictions.”

What makes DPI all the more impressive is that the packet analysis happens in real time, with data stream throughput approaching 20-30 Gb. See where I’m going with this? With no loss of throughput, ISPs are able to insert these devices directly in their data streams, forcing all traffic to pass through the devices. Procera, Narus, and Ellacoya are front-runners in development of this technology, having placed equipment throughout the world.
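The difference between reading only headers and reading the payload can be shown on a single TCP segment. The following is an added example, not code from the article or from any vendor named in it; the packets, addresses (documentation ranges), URL path, and cookie value are constructed, and the signature list is a small illustrative subset.

```python
"""Header-only versus deep inspection of one IPv4/TCP segment."""
import socket
import struct

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}
TLS_RECORD_TYPES = {0x14, 0x15, 0x16, 0x17}

# Ordered payload signatures: (label, predicate over the payload bytes).
SIGNATURES = [
    ("BitTorrent", lambda p: p.startswith(b"\x13BitTorrent protocol")),
    ("SSH", lambda p: p.startswith(b"SSH-")),
    ("TLS", lambda p: len(p) >= 3 and p[0] in TLS_RECORD_TYPES and p[1] == 0x03),
    ("HTTP", lambda p: p.split(b" ", 1)[0] in HTTP_METHODS),
    ("SMTP", lambda p: p[:5].upper() in (b"EHLO ", b"HELO ")),
    ("FTP", lambda p: p[:5].upper() == b"USER "),
]


def build_packet(src, dst, sport, dport, payload):
    """Constructed segment with minimal 20-byte headers; checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload


def shallow_inspect(packet):
    """What a header-only device sees: addresses and ports."""
    if packet[0] >> 4 != 4 or packet[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    data_offset = (packet[ihl + 12] >> 4) * 4
    return {
        "src": socket.inet_ntoa(packet[12:16]), "sport": sport,
        "dst": socket.inet_ntoa(packet[16:20]), "dport": dport,
        "payload": packet[ihl + data_offset:total_len],
    }


def deep_inspect(packet):
    """Layer 7 view: classify the payload and pull out readable HTTP details."""
    info = shallow_inspect(packet)
    payload = info.pop("payload")
    info["application"] = next(
        (name for name, match in SIGNATURES if match(payload)), "unknown")
    info["url"] = None
    info["cookie"] = None
    if info["application"] == "HTTP":
        head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
        parts = head[0].split(" ")
        headers = dict(line.split(": ", 1) for line in head[1:] if ": " in line)
        if len(parts) >= 2:
            info["url"] = "http://" + headers.get("Host", info["dst"]) + parts[1]
        info["cookie"] = headers.get("Cookie")
    return info


# Constructed samples: plain HTTP, SSH on a non-standard port, an encrypted record.
SAMPLES = {
    "web": build_packet(
        "192.0.2.10", "198.51.100.5", 50000, 80,
        b"GET /blog/networking HTTP/1.1\r\nHost: www.techrepublic.com\r\n"
        b"Cookie: session=constructed\r\n\r\n"),
    "ssh_on_odd_port": build_packet(
        "192.0.2.10", "198.51.100.6", 50001, 8080, b"SSH-2.0-ExampleClient\r\n"),
    "tunnel": build_packet(
        "192.0.2.10", "198.51.100.7", 50002, 443,
        b"\x17\x03\x03\x00\x10" + bytes(range(16))),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, deep_inspect(pkt))
```

The plain HTTP sample yields the full URL and cookie, the SSH sample is identified despite its port, and the encrypted record yields only the fact that it is TLS.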

DPI’s potential uses

DPI technology is unique in that, as of now, it’s the only way to accomplish certain governmental security directives. DPI also has the potential to do a great deal of good. For example, DDoS attacks are virtually impossible to thwart. Conceivably, if DPI were in place and configured correctly, it would detect the DDoS packets and filter them out. Some more potential uses are listed below:

  • Network security: DPI’s ability to inspect data streams at such a granular level will prevent viruses and spyware from either gaining entrance to a network or leaving it.
  • Network access: DPI creates conditions where network access rules are easy to enforce due to the deep inspection of packets.
  • CALEA compliance: DPI technology augments traffic access points (TAP) technology used initially for governmental surveillance equipment.
  • SLA enforcement: ISPs can use DPI to ensure that their acceptable use policy is enforced. For example, DPI can locate illegal content or abnormal bandwidth usage.
  • QoS: P2P traffic gives ISPs a great deal of trouble. DPI would allow the ISP to instigate traffic control and bandwidth allocation.
  • Tailored service: DPI allows ISPs to create different services plans, which means users would pay for a certain amount of bandwidth and traffic priority. This one is controversial and affects Net Neutrality.
  • DRM enforcement: DPI has the ability to filter traffic to remove copyrighted material. There’s immense pressure from the music and movie industries to make ISPs responsible for curtailing illegal distribution of copyrighted material.

The above applications have the potential to give users a better Internet experience. Yet it wouldn’t take much mission creep to create major privacy concerns. I would feel remiss if I didn’t point them out and help everyone understand the ramifications.

Possible misuses of DPI

DPI is another innovative technology that has ISPs arguing with privacy advocates. ISPs and DPI developers are adamant that the technology is benign and will create a better Internet experience. However, privacy groups have two major concerns: little or no oversight and the potential for losing still more individual privacy. Many experts find the following uses of DPI to be especially troubling:

  • Traffic shaping: Traffic shaping is where certain traffic or entities get priority and a predetermined amount of bandwidth. With the increasing number of bandwidth-hungry applications, ISPs are having to make decisions on whether to increase available bandwidth with infrastructure build out or increase control of the existing bandwidth. Installing a DPI system is usually the choice as it’s cheaper and has a more predictable RoI. Albeit cheaper, it’s riskier, and I suspect that’s why the Net Neutrality debate is going on right now.
  • Behavioral targeting (BT): BT uses DPI technology for the sole purpose of harvesting user information anonymously (supposedly) and selling it to interested parties who use the information to create ads that are targeted to the individual.

Final thoughts

This is a very complex subject, having the potential to change everyone’s view of the Internet. An optimist would say that DPI will help enhance the experience, even producing ads that are relevant to each individual user, whereas a pessimist would say it’s “big brother” technology that only benefits ISPs. I don’t think anyone is sure how the Internet will look when the dust settles about DPI, but it should be interesting.

I hope that I was able to increase awareness of how ISPs using a DPI device can intercept, read, and interpret every one of your Internet-destined packets. An ulterior motive for explaining DPI is that in my next article I’d like to discuss behavioral targeting, a very controversial technology that uses DPI. I also want to discuss what, if any, options are available to prevent DPI from scanning your Internet traffic.

——————————————————————————————————————-
Michael Kassner has been involved with wireless communications for 40 plus years, starting with amateur radio (K0PBX) and now as a network field engineer and independent wireless consultant. Current certifications include Cisco ESTQ Field Engineer, CWNA, and CWSP.

Can't shake WINS? Consider the GlobalNames zone in Windows Server 2008 DNS

WINS has been around forever, and with every core upgrade of the network infrastructure it seems to make a case to stay around. Windows Server 2008’s DNS engine has a feature that can aid in the removal of WINS, the GlobalNames zone.

—————————————————————————————————-

For organizations with an Active Directory-Integrated DNS configuration, one of the challenges over the years has been the removal of Windows Internet Name Service, or WINS. Windows Server 2008 (WS2K8) introduces the GlobalNames zone (GNZ), where larger environments with multiple DNS suffixes can use a single host name across all domains.

The GNZ works by creating a zone that is resolvable without regard to the suffix order. The ideal scenario is a host called “intranet.corporate.company.net” that all clients across different domains, with their respective suffix configurations, can access simply by putting “Intranet” in their Web browser. The other domains may have DNS suffixes such as boston.company.net or engineering.boston.company.net. The Intranet server with the corporate.company.net DNS suffix can be accessed across all zones with the short name regardless of suffix.

To use the GNZ, there are a few planning points. First of all, you should not have a forward zone that you are already using called “GlobalNames”; that is going to be a problem! The DNS server needs to be WS2K8, but domain controllers can be 2003. As a note for planning, the GNZ is currently not permitted to support dynamic updates, which is a reflection of the static nature of the zone. Lastly, the GlobalNames support needs to be enabled. This is done with the following command:

dnscmd DNSServerName /config /enableglobalnamessupport 1

Once you have the feature enabled, make a primary forward zone with the name “GlobalNames” within the DNS console. Once the zone is ready, you can make entries to the GNZ. When a request is made to the GNZ, the FQDN of the host is returned to the requesting client. So, in the example above, if a client from any subdomain of company.net tries to access “intranet,” it will resolve to the FQDN of intranet.corporate.company.net.

More information on GNZ can be found in the Microsoft DNS Server GlobalNames Zone Deployment guide.

Get to know the Cisco IOS Feature Navigator

David Davis tells you how the Cisco IOS Feature Navigator can help you find the information you need, including what features your current IOS image has, what the differences are between two IOS images, and whether your router can support the latest IOS.

——————————————————————————-

What is the Cisco Feature Navigator?

The recently improved Cisco IOS Feature Navigator lets you easily research and display the features available in a certain version of the IOS or on a certain hardware platform, or work backward from features to IOS.

As the name implies, the Feature Navigator allows you to navigate through some simple screens to retrieve information on your Cisco IOS, IOS XE, and CatOS software releases. This is a free tool and a great resource that can save a network admin a lot of time and frustration.

With the Feature Navigator, you can easily research your Cisco IOS software for compatibility with other images, research software releases, and search for a particular feature. It even gives you an option to display the details on any feature that you pick.

How can the Cisco IOS Feature Navigator help me?

We are going to look at five different scenarios to show you how the Feature Navigator can assist you in gaining additional information about your IOS.

Scenario 1: Display features for a particular IOS

Let’s see how easy it is to display features that are available for a particular image.

Click on Search by Software to get started. You should see a screen like Figure A:

Figure A

Feature Navigator

You can now pick and choose which options you want. For our example, we’ll pick the following:

  • Software: IOS
  • Platform: 4500
  • Image Name: c7200-js56i-mz.12.0-1
  • Product Number: SF105CW4-11.3.9

Click the Continue button when completed.

You’ll see a screen like Figure B.

Figure B

Search by Software

The screen displays all the features that are available for this IOS image. The display also shows you the Release and Product information for that image: No more looking through the release notes and trying to figure out what features are included in your IOS.

Scenario 2: Compare IOS and CatOS image features

Another helpful use is comparing IOS images to see what features are supported. That’s handy if you want to update an image on your router. Click on the compare images link. You should see Figure C.

Figure C

Comparing images

(By the way, you might notice that Help is listed right on the screen, so you can readily see which options are required and which are optional.) I have filled in the options for this example, comparing a Cisco CatOS image to an IOS XE image. Figure D and Figure E show the results of that query.

Figure D

Sample comparison of images

Figure E

Image comparison

As you can see, there are a lot of features that are unique to the Cisco IOS XE image. By clicking on each feature link, you can learn the details of that feature.

Now, let’s look at researching by Feature. You can click on the Search By Feature link from the first screen of the Navigator or click on the Search By Feature tab on subsequent screens. This search looks a little different than the others (Figure F).

Figure F

Feature details

There are a lot of ways to research from this screen. You can search through all features and only add or remove what you are interested in obtaining in a single IOS. Once you select those features, you are told what hardware platform is required, what RAM, what Flash, and what IOS version. You are also given the option to sort these or filter these by, say, the mature and stable releases only.

Conclusion

The Cisco IOS Feature Navigator is an invaluable tool to use for researching anything and everything about Cisco IOS releases, images, and platforms. It can be used to answer questions like, what features does my IOS support, what is the difference between these two IOS versions, and what would be required for me to run the new IOS? You’ll save yourself a lot of time by creating a browser Favorite to the Cisco Feature Navigator.

To use this tool and learn more about it, visit the Cisco IOS Feature Navigator Web Site.

David Davis has worked in the IT industry for 15+ years and holds several certifications, including CCIE, CCNA, CCNP, MCSE, CISSP, VCP. He has authored hundreds of articles and numerous IT training videos. Today, David is the Director of Infrastructure at Train Signal.com. Train Signal, Inc. is the global leader in video training for IT Professionals and end users.


SolutionBase: Does the Cisco Self-Defending Network really work?

David Davis explains why the Cisco Self-Defending Network might be the right choice for your company.

———————————————————————

If you’re a cynical consumer, the Cisco Self-Defending Network (CSDN) solution probably begs the sarcastic question: “Yeah, right; the network that can just defend itself?” However, as Cisco typically makes quality products and solutions, I can’t believe that the self-defending network concept is all bad; actually, it may even be the best solution on the market today.

Why look at security solutions in the first place?

Since every business today depends on the Internet and LAN networks for some business-critical function, the need for security is more important than ever. A company that does not have strong security can end up on the news as being hacked, their stock can plummet, and they can be out of business in no time. Once released, viruses and worms can hit businesses and consumers around the world in a matter of seconds or minutes.

However, you and your company don’t have unlimited funds; you can’t just put in every solution you discover. You have to weigh the level of investment in security with the level of risk that is perceived by your business. It’s tough to decide how much to invest and what solutions to choose, but you must ensure that your network is reasonably secure.

What is the Self-Defending Network?

The CSDN is a large complex roadmap made up of many Cisco components. You aren’t required to have all the components. CSDN does its job using all these different components. Examples of these components are Cisco NAC (admission control), Cisco Security Agent (endpoint protection), Cisco MARS (event correlation), Network Intrusion Detection System (NIDS), authentication servers, Anti-X systems like ASA and Ironport, network and host-based firewalls, and antivirus.

The theory of CSDN is that the network has the ability and the intelligence to protect itself from threats. However, this can only happen if the components of the network are working together to ensure this level of security, intelligence, and adaptability.

How do the components of the CSDN work together?

In Figure A, you can see how the components of the CSDN are all over the network. Every link, piece of hardware, and operating system is somehow secured by the CSDN. By covering all the bases, CSDN attempts to thwart security issues wherever they crop up in the network. In addition, the attempt of the CSDN is to provide end-to-end visibility of the network’s security events and status.

Figure A

Graphic courtesy of Cisco.

Network devices must work together and be integrated in order for the CSDN to do its job. Therefore, you probably aren’t going to have third-party network components on your network participate in the CSDN.

Besides hardware components, what else is involved in CSDN?

While you can buy all the network hardware components you like, software and services are also a huge part of CSDN. Just as with anything else, without the people (services), the hardware isn’t going to implement itself. Once the CSDN is implemented and the servicemen are gone, the network will still need to be monitored and maintained.

Cisco offers a lot of services revolving around the Self-Defending Network. Figure B illustrates these offerings:

Figure B

Graphic courtesy of Cisco.

As you can see, Cisco offers services beginning with planning the network and moving through designing, implementing, and operating the network. Later, Cisco can come back and optimize the implemented security systems.

While this all sounds great, I would caution anyone evaluating a security solution to determine how much time and effort will be required to implement and maintain that solution. Undoubtedly, the long-term maintenance of any security system is far greater than the original price tag.

How are credentials fundamental for network security?

When it comes to the implementation of the CSDN, user and device credentials are very important. The user and device credentials are used to identify that device and to authenticate the user.

In Figure C, you can see how the device identification is checked, then the operating system and application posture, and the user identity, based on username, password, and security certificate keys.

Figure C

Graphic courtesy of Cisco.

As you can see, user and device credentials are critical to the success of CSDN.

Where are the security standards in CSDN?

There are a number of standards at work in the CSDN roadmap. One of the most crucial technologies related to the CSDN is Network Admission Control (NAC). NAC is used to review device security posture before admission to the network. In many cases, this is done with 802.1X; however, that is only part of what NAC does and how it works.

The battle between Cisco’s NAC and Microsoft’s new Network Access Protection (NAP) is about to heat up. Fortunately for consumers, both companies have agreed that there will be some compatibilities and interoperability between these two technologies. In the end, there are many standards at work in creating this self-defending network.

What is the future of CSDN?

A complex framework, CSDN has a goal for all of their devices to communicate together, preventing any danger to the network. The theory is that the devices will collaborate, with one device telling another that it is in danger. In my mind, the thought of many different hardware and software network security devices all working together sounds almost too good to be true.

However, devices still don’t easily integrate with other Cisco security devices, as they aren’t easy to implement and are typically expensive. Even though the CSDN framework has been around for over six years, there’s still a lot of work left to be done before networks can truly be self-defending.


This SolutionBase article was originally published in December 2007.

Road warriors: Take your library with you

E-book readers allow you to take hundreds of books and documents along with you in a device that’s not much bigger than your smartphone. Michael Kassner looks at the technology behind these products and offers his opinion about two e-book readers using a road warrior’s perspective.

——————————————————————————————————————-

Reading is everything to me. I owe my professional life to the hardworking technology writers that keep me up to date. I also owe my love of classic literature to certain college professors who patiently explained to me that there’s more to literature than the latest tech manuals. Because of this, I have a problem. It can be best described by a quote I’ve seen on a T-shirt many years ago. The shirt proudly advertised “So many books, so little time.” I can’t say it any better than that. My being a road warrior exacerbates the problem, by forcing me to make decisions on what book or literature to bring along on the latest trip. So when I find anything that will help me, I’m all for it.

With that in mind, it becomes easy to see where an e-book reader could help. An e-book reader allows me to take any pertinent reference documents I may need on the field call. In fact, the amount of e-book reader memory (plus having SD flash drive readers) is sufficient for me to have all my technical manuals along at all times. For example, having Cisco’s “Portable Command Guide” readily available has saved me on numerous occasions. Skeptics say that I could have all that information on my notebook, and that’s true to some extent. The problem with that is many manuals and books are only available in a proprietary format, making it impossible to read on a notebook.

Having an e-book reader also allows me to simultaneously view needed reference information or documents while I’m using the full LCD screen of my notebook for a different task. Also in many situations it’s just faster and easier to use the electronic reader. For example, while waiting at an airport or lobby, I find myself using my e-book reader more and more to prep for the call or spend a few minutes reading my latest science-fiction novel. Finally, road warriors are very cognizant of size and weight. Thus, they will appreciate carrying a small and lightweight e-book reader versus multiple books or documents.

ePaper is the difference

E-books aren’t new, and the fact that e-books aren’t more popular can be blamed on e-book readers not being ready for prime time. They used existing technology that didn’t provide the user with a good reading experience. Besides, introducing anything that attempts to replace a real book isn’t an easy task; it almost borders on heresy. I’d like to submit information about a technology that I feel already has or is going to change all of that. Electronic paper or ePaper has been around since 2000, but only recently has it been integrated into products that will change our perception of reading materials. ePaper is an electronic display device, but it’s very unlike conventional (CRT or LCD) flat panel display technology that uses backlighting to illuminate the pixels. ePaper is electronic paper display (EPD) technology developed by E Ink and is best described as:

“An Electronic Paper Display is a display that possesses a paper-like high contrast appearance, ultra-low power consumption, and a thin, light form. It gives the viewer the experience of reading from paper, while having the power of updatable information.

EPDs are a technology enabled by electronic ink — ink that carries a charge enabling it to be updated through electronics. Electronic ink is ideally suited for EPDs as it is a reflective technology which requires no front or back light, is viewable under a wide range of lighting conditions, including direct sunlight, and requires no power to maintain an image.”

The following image and quote (courtesy of E Ink)  will help explain microcapsule structure and how the E Ink process works:

“Electronic ink is a straightforward fusion of chemistry, physics and electronics to create this new material. The principal components of electronic ink are millions of tiny microcapsules, about the diameter of a human hair. In one incarnation, each microcapsule contains positively charged white particles and negatively charged black particles suspended in a clear fluid. When a negative electric field is applied, the white particles move to the top of the microcapsule where they become visible to the user. This makes the surface appear white at that spot. At the same time, an opposite electric field pulls the black particles to the bottom of the microcapsules where they are hidden. By reversing this process, the black particles appear at the top of the capsule, which now makes the surface appear dark at that spot.

e-ink.jpg

To form an E Ink electronic display, the ink is printed onto a sheet of plastic film that is laminated to a layer of circuitry. The circuitry forms a pattern of pixels that can then be controlled by a display driver. These microcapsules are suspended in a liquid “carrier medium” allowing them to be printed using existing screen printing processes onto virtually any surface, including glass, plastic, fabric, and even paper.”

While researching ePaper, I came across a very interesting concept. The people who developed ePaper are aware of what they call the “reading experience,” and it’s a concept that’s utterly important to the success of e-book readers. To explain, at one time or another we’ve all been totally immersed while reading something, even to a point of being totally oblivious to what’s happening around us. That’s the “reading experience.” If the reading device (book or electronic reader) doesn’t allow you to forget about the device and concentrate on the material, the “reading experience” will not happen. E-book reader developers are very aware of this and work hard to make their reader as intuitive to use as possible.

E-book readers save the day

I’ve personally used two e-book readers, the Amazon Kindle and the Sony Reader Digital Book. Both e-book readers are similar in how they present the material to the user, as they both use E Ink technology. I’d rather not go into the details or specification of each as that’s already available on the individual Web sites. What I’d like to do is describe what I consider the strengths and weaknesses of each device, so as to help you make a more informed decision on which device would be best suited for your requirements.

Sony Reader Digital Book

The Reader Digital Book by Sony was the first electronic reader using E Ink available to the public and has many features that make it a worthy choice. CNET reviewer David Carnoy has an all-encompassing review “Sony Reader Digital Book PRS505.” For the most part, I agree with the well-presented article of the Reader Digital Book shown below (courtesy of Sony). Still I’d like to point out a few details that I’ve come across in using the Reader Digital Book:

sony-reader-digital-book.jpg

  • It may seem trivial to most, but I found the page-turning buttons to be irritating. There are two separate button mechanisms for turning pages. One on the left side and one on the right. I understand the importance of accommodating either the left or the right-handed individual. What I didn’t like was having to reach further up the device to turn the page forward with either of the page-turning buttons. Since the button to turn back a page was closer to my finger, I often accidentally did that instead. To make matters worse, that annoyance wasn’t rectified as I became more familiar with the e-book reader.
  • As one can imagine, the book library for these devices is totally proprietary. Sony requires the user to publish each computer and device to Sony’s online eBook library site along with credit card information. I found the whole application non-intuitive and frustrating, even to the point where I had to download a book several times before it was actually on the reader.
  • How pdf files are presented is a real problem. Everywhere I read, it mentioned that pdf files worked perfectly on the Sony Reader Digital Book. That alone was the big selling feature for me. I thought I could import all sorts of pdf files and use the device as a reference library. First pdf file I downloaded, I could barely read it. I set the text size to maximum, and even with my reading glasses on, I could barely make out what’s written. Not good and is my major disappointment in Sony’s electronic reader.

The Sony Reader Digital Book is a step in the right direction, and mine has been by my side for many miles now. There are some issues, and I don’t feel that I’ll get in the zone enough to have the “reading experience” with it. Still, it sure is nice to have that much information in such a small package.

Amazon Kindle: The next generation

kindle.jpg

The Kindle shown above (courtesy of Amazon) is now my e-book reader of choice for a host of reasons. First, to get familiar with the product, I once again defer to CNET reviewer David Carnoy, who wrote a thorough review called “Amazon Kindle.” I’d like to also point out a review by Paul Thurrott named “Amazon Kindle Review” because it offers a more user-centric focus. It’s easy for me to get excited about the Kindle, since it has all the features of the Sony device and then adds several more. I’d like to point out the features that I consider important:

  • The Kindle has a built-in EVDO radio that accesses Amazon’s “Whispernet,” which is one method of obtaining reading materials. It also allows you or associates (you’re given permission) to upload documents to the Kindle via e-mail.
  • It is a great deal easier to use Amazon’s book selection process, and for the most part books are cheaper than at Sony’s online eBook library site.
  • It’s probably personal, but I prefer the Kindle’s ergonomics over the Sony e-book reader. I seldom fat-finger any button selection.
  • The Kindle has a keyboard that allows users to search for words in the document, look up words in the built-in dictionary, and add annotations to text. The ability to add text notes is one feature I like and use all the time.
  • Some may not consider access to Wikipedia a feature, but I do and use it often. It’s a great place to get initial information about a subject, and the Kindle makes it easy to do so.

Amazon is offering a service called “Digital Text Platform” (DTP) that’s exciting to aspiring writers like myself. DTP is basically a self-publishing platform allowing Kindle users to upload content such as manuscripts and documents to the DTP Web site. Amazon then converts the content into Kindle books. You figure out a price and the document is then up for sale in the Kindle Store. The self-publishing industry is exciting already, and it’s not too hard to see how DTP may totally revolutionize the process.

Kindle issues

The Kindle has some of the issues that I’ve seen with the Sony Reader Digital Book. Once again they aren’t showstoppers and in no uncertain terms would you get me to give up either device. The issues I have with the Kindle are:

  • Amazon doesn’t allow the uploading of files directly to the Kindle. You have to go through a somewhat convoluted e-mail process to get them loaded, and the number of allowed formats is limited.
  • Displaying pdf files correctly appears to be a significant problem to e-book reader developers. The Kindle was even more disappointing when I tried to view pdf documents. First, it’s clunky, because you have to upload the file to Amazon. Next Amazon converts the pdf file into a usable format, and that’s where part of the problem appears to be. The returned document usually is not rendered correctly and is unusable. Even if the document is rendered correctly, the text once again is too small to read.
  • The Kindle is plastic whereas the Sony e-book reader was made from metal, which could be an issue down the road.

Final thoughts

My library of real books is now dwindling, just like my library of CDs. I see ePaper technology as revolutionizing our perception of what a book is. I can hardly wait until colored ePaper is available. I suspect that will be a tipping point for many people who are turned off by color not being available yet. I hope I was able to shed some light on a product that every road warrior should take a serious look at as a way to lighten their load.

Finally, I managed to achieve the “reading experience” while using the Kindle. Just ask my son, who says that I apparently was oblivious to his calls for help with the garbage the other night. Or at least that’s what I told him.

——————————————————————————————————————-

Michael Kassner has been involved with wireless communications for 40 plus years, starting with amateur radio (K0PBX) and now as a network field engineer and independent wireless consultant. Current certifications include Cisco ESTQ Field Engineer, CWNA, and CWSP.

Active Directory User authentication with the Untangle appliance

The ability to bring low-cost solutions with high functionality is priority one for most SOHOs. Untangle offers Active Directory authentication for the remote portal at an incredible price.


In last week’s network blog, I mentioned the Untangle appliance for gateway connectivity. One feature that can really take the open source tools to the next level is their ability to plug in to something like Active Directory for authentication and remote access policies. This feature, called the Active Directory (AD) Connector, really empowers the small office to bring some granular manageability into the Internet gateway without a large investment. The AD Connector is priced very reasonably at $15 monthly for up to 50 users. The full chart of pricing options in tiers per user volume is outlined on the Untangle Web site. With the AD Connector enabled, a gateway is configured to pull the users from the AD domain and populate them in the local user store. Figure A shows usernames retrieved from the RWVDEV.INTRA domain:

Figure A

From within the Untangle appliance, the remote portal configuration allows specified Web URL shortcuts, file path shortcuts, and remote desktop connection links to devices on the internal network. The portal can be configured for all users or customized for particular users relevant to their security context. Figure B shows a Web portal configured for one user:

Figure B

Once you are logged in to the portal, the selected shortcuts can be launched from the client’s browser using their AD credentials. Within the portal, it is important to note that the sessions will not be a native application. For example, the Remote Desktop session is actually a ProperJavaRDP open source Java client. Regardless, the functionality in the portal is robust and quite intuitive to configure. For the Windows administrator out there, the users are pulled from all organizational units within the Active Directory domain, but Untangle can connect only one domain per appliance.

More information can be found about the AD Connector online at the Untangle wiki site.

How to view Cisco IOS ACL statistics

David Davis shows you how to view ACL statistics and, with the help of a new feature in the Cisco IOS, how you can view these usage statistics per interface and per direction.

————————————————————————

As soon as you start using access control lists (ACLs), it is important to know which ACLs are being used. Even more beneficial is knowing how many times an ACL entry (ACE) was used and on which interface.

If an ACL or ACE is never used, then it is wasting space in your router’s memory. If the applied ACL or ACE never matches any traffic, then it may be a sign that the router is misconfigured. A bad configuration could leave you with a security hole if you are not blocking the traffic you intended.

How do I view ACL usage statistics?

Keep in mind that at any time you can see what Cisco IOS options are available by using the ?. For example, here are the options available with the show access-lists command:

Router# show access-lists ?
  <1-2699>           ACL number
  WORD               ACL name
  compiled           Compiled access-list statistics
  rate-limit         Show rate-limit access lists
  |                  Output modifiers
  <cr>

As you can see, there are a number of different ways to view ACLs and their usage. But without the new Cisco ACL Manageability features in IOS 12.4, you are viewing global statistics for only that ACL and ACE. In other words, if the same ACL is used in various places for various applications, and in different directions, every use is totaled and added in the statistics. Thus, you have no way of knowing if your ACL is getting all its usage over on interface Fa0/1 but none on interface Fa0/2.

Viewing ACL statistics by number

Router# show access-list 158

Extended IP access list 158
    10 deny ip any any time-range denytime (active) (65951975 matches)

As you can see from the example, there are 65,951,975 packets that have been matched for this particular access list.

Viewing statistics by name

Router# show access-list MyACL

Extended IP access list MyACL
    10 permit tcp host 21.35.80.22 eq telnet host 21.23.77.101
    20 permit tcp host 21.35.80.25 eq 16100 host 21.23.77.101 (149407 matches)
    30 permit tcp host 21.35.80.25 eq 17600 host 21.23.77.101 (80592 matches)
    40 permit tcp host 21.35.80.27 eq 10701 host 21.23.77.101 (26008 matches)

As you can see from the example, this ACL has a lot of use but one ACE has no use at all.

For further information on the show access-list command, please see the Cisco IOS ACL “show access-list” documentation.

Cisco IOS ACL Manageability feature

Previously, the ACL infrastructure maintained only global statistics for each access control entry (ACE) in an ACL. A new feature was added to IOS 12.4, which allows you to display and clear ACE statistics per interface and per incoming or outgoing traffic. That is very useful if you have ACLs and ACEs applied in different places and in different directions.

Notice in the two examples below how you can show your access-lists per interface and per direction:

Input ACL-

Router# show ip access-list interface FastEthernet 0/1 in
Extended IP access list 150 in
   10 permit ip host 10.1.1.1 any (3 matches)
   30 permit ip host 10.2.2.2 any (12 matches)

Output ACL-

Router# show ip access-list interface FastEthernet 0/0 out
Extended IP access list myacl out
    5 deny ip any 10.1.0.0 0.0.255.255
    10 permit udp any any eq snmp (6 matches)

Note that if no direction is specified, any input and output ACLs applied to that interface are displayed. For more information on the new Cisco ACL Manageability feature, please see the Cisco ACL Manageability new feature documentation.
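The following Python script is an added example, not part of the original article or Cisco's documentation. It parses the show access-list and show ip access-list interface output shown above, lists ACEs that have never matched, and compares two snapshots to see which counters grew. The function names and the later snapshot are constructed for illustration.

```python
import re
from dataclasses import dataclass

HEADER_RE = re.compile(
    r"^(?:Standard|Extended) IP access list (?P<name>\S+)(?: (?P<dir>in|out))?\s*$")
ACE_RE = re.compile(r"^\s+(?P<seq>\d+)\s+(?P<rule>\S.*?)\s*$")
COUNT_RE = re.compile(r"\s*\((?P<n>\d+) match(?:es)?\)$")


@dataclass(frozen=True)
class Ace:
    acl: str
    direction: str  # "in" / "out" for per-interface output, "global" otherwise
    seq: int
    rule: str
    matches: int


def unwrap(text):
    """Rejoin counters that line wrapping split as '(149407' + 'matches)'."""
    return re.sub(r"\((\d+)\s*\n\s*(match(?:es)?\))", r"(\1 \2", text)


def parse_acl_output(text):
    aces, acl, direction = [], None, "global"
    for line in unwrap(text).splitlines():
        header = HEADER_RE.match(line)
        if header:
            acl, direction = header["name"], header["dir"] or "global"
            continue
        ace = ACE_RE.match(line)
        if not ace or acl is None:
            continue  # prompt lines, blank lines, anything before a header
        rule = ace["rule"]
        counter = COUNT_RE.search(rule)
        # As in the article's output, an ACE with no hits shows no counter.
        hits = int(counter["n"]) if counter else 0
        if counter:
            rule = rule[:counter.start()]
        aces.append(Ace(acl, direction, int(ace["seq"]), rule, hits))
    return aces


def zero_hit(aces):
    """ACEs that have never matched: stale rules or a possible misconfiguration."""
    return [a for a in aces if a.matches == 0]


def growth(before, after):
    """Counter increase per ACE between two snapshots of the same command."""
    old = {(a.acl, a.direction, a.seq): a.matches for a in before}
    result = {}
    for a in after:
        key = (a.acl, a.direction, a.seq)
        previous = old.get(key, 0)
        # A smaller value means the counters were cleared in between,
        # so everything now on the counter accrued since the clear.
        result[key] = a.matches - previous if a.matches >= previous else a.matches
    return result


# Output copied from the article, including the wrapped "(N / matches)" lines.
SAMPLE_BY_NAME = """\
Router# show access-list MyACL

Extended IP access list MyACL
    10 permit tcp host 21.35.80.22 eq telnet host 21.23.77.101
    20 permit tcp host 21.35.80.25 eq 16100 host 21.23.77.101 (149407
matches)
    30 permit tcp host 21.35.80.25 eq 17600 host 21.23.77.101 (80592
matches)
    40 permit tcp host 21.35.80.27 eq 10701 host 21.23.77.101 (26008
matches)
"""

SAMPLE_INTERFACE_OUT = """\
Router# show ip access-list interface FastEthernet 0/0 out
Extended IP access list myacl out
    5 deny ip any 10.1.0.0 0.0.255.255
    10 permit udp any any eq snmp (6 matches)
"""

# Constructed: the same command captured later, with three more SNMP hits.
SAMPLE_INTERFACE_OUT_LATER = """\
Router# show ip access-list interface FastEthernet 0/0 out
Extended IP access list myacl out
    5 deny ip any 10.1.0.0 0.0.255.255
    10 permit udp any any eq snmp (9 matches)
"""

if __name__ == "__main__":
    for ace in zero_hit(parse_acl_output(SAMPLE_BY_NAME + SAMPLE_INTERFACE_OUT)):
        print(f"never matched: {ace.acl} [{ace.direction}] seq {ace.seq}: {ace.rule}")
    first = parse_acl_output(SAMPLE_INTERFACE_OUT)
    later = parse_acl_output(SAMPLE_INTERFACE_OUT_LATER)
    for (acl, direction, seq), inc in growth(first, later).items():
        print(f"{acl} [{direction}] seq {seq}: +{inc} since first snapshot")
```

Because the counters are cumulative, comparing two snapshots shows which entries are matching traffic now rather than at some point since the last clear.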

Conclusion

In this article, you have learned that you can do various show commands that will give you detailed statistics on your access lists. You also learned about the Cisco IOS ACL Manageability feature, which allows you to retrieve ACL specific information on your packets coming in and going out of each interface and can be of great value in monitoring and securing your network.

For the official documentation covering Cisco ACLs, visit Cisco’s Access Control Lists: Overview and Guidelines.


SolutionBase: Enterprise considerations for Microsoft Network Access Protection

Rick Vanover presents considerations for the enterprise implementations of Microsoft Network Access Protection. Here is an outline of the key requirements of a NAP installation to start the planning process right.

——————————————————————————————–

Having a MS-NAP implementation in place will provide your network an extra level of protection at the entry point. There are certainly networks that need the maximum level of security for every point of connectivity; however, only the business or your technology situation can determine what you need from the perspective of network access protection. The MS-NAP implementation uses many different communication mechanisms if fully implemented. A strong point for MS-NAP is that the MS-NAP implementation can be utilized with some or all of the features and roles. In this article, we’ll take a look at some of the things you need to take into consideration from an enterprise perspective.

Enforcement types for MS-NAP

If you are considering MS-NAP for your environment, you cannot invest enough time in the planning and testing phases. Deciding on the best enforcement type for a policy is critically important. The means of enforcing MS-NAP are varied in their functionality and complexity.

Enforcement types

The MS-NAP implementation can enforce the compliance policy through these four mechanisms:

  • VPN: The VPN server relays the policy from the Network Policy Server (NPS) to the requesting client and performs the validation. This is not to be confused with Windows Server 2003’s Network Access Quarantine Control feature.
  • DHCP: The DHCP server interacts with the policies from the NPS to determine the client’s compliance.
  • IPSec: The IPSec enforcement of MS-NAP is Microsoft’s strongest offering for network access protection. It enforces the policy and configures the systems out of compliance with a limited access local IP security policy for remediation.
  • 802.1X: The MS-NAP client authenticates over an 802.1X authenticated network and is the best solution when integrating hardware from other vendors. Luckily, the 802.1X authentication protocol was developed jointly by Microsoft, Cisco, HP, Trapeze, and Enterasys.

Each enforcement type will direct the client that is out of compliance to the remediation network where a resolution should be able to occur before accessing the desired network. The remediation network should be given some thorough planning. Making the remediation network a place where clients (managed or unmanaged) can gain the requisite updates or programs without support staff intervention will be critical in making the entire MS-NAP implementation a success. Choosing an enforcement method is an important first step in a successful implementation.

Planning what can happen on the remediation network is very important as well. Question whether updates can be accessed from this network; if antivirus updates/installations can be accessed there; and, most importantly, whether the users perform the required updates automatically or without involving the client support staff.

Network Policy Server (NPS) mastery

In planning a MS-NAP implementation, a deep-level understanding of the NPS role of Windows Server 2008 should be reached. This server role will determine where systems will go based on their configuration. This is especially important because this server role touches other server roles or equipment depending on the enforcement mechanism selected. The NPS role also acts as a RADIUS server for the MS-NAP clients.

Real-world administration effort and support

Many network administrators are overworked and can have difficulty finding the time to properly plan a network access protection system, much less fully test and implement such a solution. The common response from a quick, unscientific survey of network administrators is “It would be nice, but I don’t have the time” for a network access protection solution. Regardless of whether it is a Microsoft or a networking company solution, the responses are fairly consistent.

From an ongoing support perspective, the MS-NAP implementation can go one way or the other. If the remediation network has a way for the users to become compliant and a robust, intuitive way of doing so, the support effort will be minimized for ongoing access to networks from systems that have dipped out of compliance.

Networking hardware support

If the 802.1X enforcement method is selected, a unique challenge is presented. This method is unique because it would require maintaining support for the MS-NAP implementation from a networking hardware and server operating system perspective. While the implementations offered by the networking hardware vendors offer 802.1X authentication for an individual port, it takes an additional administration effort to ensure end-to-end compatibility.

New services on clients and domain group policy objects

For the client elements using the MS-NAP implementation, there are new services and local configuration elements that are required to utilize the functionality. Pushing these configuration elements to managed systems through an Active Directory domain GPO is the best way to deploy to large numbers of existing systems. The new configuration elements for the MS-NAP implementation are not available in Active Directory domains running at Windows Server 2003 level, but they are available for Windows Server 2008 level domains. There are other ways to configure the new services for clients, but it is optimal to be native in the domain group policy editor and link the new GPO to an OU or a domain.

It is not clear what implementation configuration would be required for Windows XP clients since Service Pack 3 is not yet available; nor is it clear how a Windows XP MS-NAP client would be managed — if at all possible — from a Windows Server 2008 functionality level Active Directory domain.

This SolutionBase article was originally published by TechRepublic in December 2007.
