Category Archives: Performance Reviews

IPVanish VPN Service and DNS Leak Testing

As you know, privacy is a big thing for everyone and anyone who is a person. I think privacy is an unalienable right that should not be taken lightly. What is important to private citizens is the right to be… private citizens. We are not in public service, nor do we want to be in the limelight. Ask anyone in Hollywood what they’d give to be invisible for a month; depending on popularity, I bet more than a few would pay a million for it. On the internet we look up, research, post, communicate, and advocate as we like. It’s our free will and right. So with that, IPVanish is here to help.

IPVanish is a VPN service that… well, keeps the lid on things to keep eyes off of you. To sum it up, here’s the landing page of their site:

Your simple solution for Internet privacy.
Lightning-fast speeds. Maximum security. Zero logs.

Have you ever wondered where your browser goes when you type something in and hit search? Who sees it? Who responds? Where are you going? Where is this browser taking me? Well, break out Wireshark and IPVanish and let’s go for a little test drive, shall we? OK, just buckle up or sit down and grab some popcorn and I will show you.

Let’s see how safe and secure our DNS requests are while not on the VPN provided by IPVanish, and see what the results are.
Going to the following site, you can perform a DNS leak test at DNS Leak Test.com (best one I’ve seen).
Here we are going to click the Extended Test because we want a really exhaustive test.

leaktest_novpn1

So it tries to determine your location from your ISP’s nearest hub and gives you two options, standard or extended tests (click Extended).

The test makes queries out to the web and then displays which DNS servers helped resolve those queries for you.

The results of this test show the following servers answered the queries.
leaktest_novpn2b

Where was it going for the tests? Look below. It hits your internal DNS server or gateway and then goes outbound.
dnsleaktest_novpnws3

Now let’s use IPVanish and see if they deliver.

We log on and run the same test at the same site.
dns_leaktest_onvpn1

Click on Extended and watch the Wireshark capture tunnel it all. The DNS address in the capture (viewable) is in the same IP subnet range as the VPN (which I scrubbed).
dnsleaktest_onvpn2
The results show just the one IP address, which is the IPVanish DNS server getting you the DNS results, and not your ISP or other search engine giant.

dnsleaktest_onvpn3
So we conclude that your privacy is ensured with this VPN service provided by IPVanish. Make sure you do your research before investing in a VPN solution. IPVanish supports the EFF (Electronic Frontier Foundation), which is all about privacy and your rights.
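The same check the Wireshark captures show by eye can be scripted. This is an added example, not part of the original post: it takes DNS queries exported from a capture and flags any whose resolver or source address falls outside the VPN subnet. The subnet `10.8.0.0/24`, the LAN addresses and the query names are constructed assumptions, since the post scrubbed the real values.

```python
import ipaddress
from collections import Counter

# Assumed tunnel subnet (constructed); the post scrubbed the real one.
VPN_SUBNET = "10.8.0.0/24"

# Constructed rows, "client_ip<TAB>resolver_ip<TAB>query_name": one line per
# DNS query (not response) exported from a capture.
CAPTURE_NO_VPN = (
    "192.168.1.50\t192.168.1.1\ta1.probe.example.test\n"
    "192.168.1.50\t192.168.1.1\ta2.probe.example.test\n"
)
CAPTURE_ON_VPN = (
    "10.8.0.6\t10.8.0.1\tb1.probe.example.test\n"
    "10.8.0.6\t10.8.0.1\tb2.probe.example.test\n"
)
# Tunnel is up, but one query still leaves via the LAN gateway: a leak.
CAPTURE_MIXED = CAPTURE_ON_VPN + "192.168.1.50\t192.168.1.1\tc1.probe.example.test\n"


def parse_queries(text):
    """Turn exported rows into (client, resolver, name) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, resolver, name = line.split("\t")
        rows.append((ipaddress.ip_address(client),
                     ipaddress.ip_address(resolver), name))
    return rows


def find_leaks(rows, vpn_subnet=VPN_SUBNET):
    """Return queries whose resolver or source address is outside the tunnel."""
    net = ipaddress.ip_network(vpn_subnet)
    leaks = []
    for client, resolver, name in rows:
        reasons = []
        if resolver not in net:
            reasons.append("resolver outside VPN subnet")
        if client not in net:
            reasons.append("sent from non-tunnel address")
        if reasons:
            leaks.append((str(resolver), name, reasons))
    return leaks


def resolvers_seen(rows):
    """Count queries per resolver address."""
    return Counter(str(resolver) for _, resolver, _ in rows)


if __name__ == "__main__":
    for label, cap in [("no VPN", CAPTURE_NO_VPN), ("on VPN", CAPTURE_ON_VPN),
                       ("mixed", CAPTURE_MIXED)]:
        rows = parse_queries(cap)
        print(label, dict(resolvers_seen(rows)), find_leaks(rows))
```

The mixed capture is the case worth watching for: the leak-test page can look clean while a single query still goes out through the LAN gateway.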

Palo Alto Firewalls – There is Nothing Else Left to Compete


I just finished up taking the PAN 201 and 205 classes. Had I known 2 years ago that these firewalls can do all that they do, I would have trained earlier. Where else can you get a firewall that inspects traffic in real time with a single-pass technology (Single Pass Parallel Processing) and reviews packets up to 5 ways with App-ID before deciding what to do with them (worst case)? This is just App-ID. There is still Content-ID and User-ID for policing traffic into and out of your network. Remember, security is everyone’s job, and watching what leaves your organization is just as important. You don’t want to be part of a botnet. You don’t want your secret sauce leaving either.

App-ID Inspection
The traffic is first classified based on IP and port; next, signatures are applied to the allowed traffic (so that’s two); then, if App-ID determines that SSL or SSH encryption is used, you can write a decryption policy (if legally allowed). The fourth inspection is known protocol decoders, which apply additional context-based signatures to see if applications are tunneling traffic inside. This helps avoid salami attacks or data diddling. When traffic leaves in small chunks back to C&C, these known decoders help very well. When that does not work, heuristics are used to see if the behavior of the packets is normal, and then it passes.

There are three paths traffic can take even when being analyzed. We start with FW session setup/slowpath, or we could use FW fast path, or Application Identification. It can decrypt SSL and SSH traffic (not HIPAA, banking, financial) to determine if the content inside is legitimate or not, and then it can toss it or re-encrypt it and send it on to the destination. The firewall allows for a subscription-based service to Wildfire for malware and threat protection and… analysis. Hands-free administration right there, folks. Brightcloud offers the URL filtering service. Wildfire handles threat protection and sandboxing; you can upload files for review up to 10 MB. There is so much to say about this firewall. It even has packet capture capability right there on a policy or filter to aid in troubleshooting connectivity or an incident. No more running out to the data center floor or waiting for an approved change. It has App-ID to look at applications and check that they behave as they should. No more leaving ports open and letting that traffic just ride on in there. It will lay the smackdown on any traffic not adhering to signature or behavioral patterns. Does your Cisco or Checkpoint do that? Really? How well does it do that? What buffer? Did you say lag to analyze your traffic? Well, sorry to hear that. Palo Alto appliances have dedicated hardware (a multi-core security processor, a network processor, and a signature match processor) to do all that security.

The control plane works with and independently of the data plane. Reboot one and not the other, or both. Have visibility while rebooting, or let the traffic run and reboot the management. No more waiting for off hours to make changes. There are 15 steps in the flow logic that all traffic may go through.

Heck, we haven’t even touched Global Protect (VPN), which can extend the corporate borders anywhere and provide more protection. Think about security and what you would like to do. You want to be safe and see it when it happens, if it does, right? Guard against future incidents, right? This is the firewall for you. I have worked with many firewalls: Checkpoint (used to be my favorite), Juniper, and Cisco ASA (I tested in and passed). Nothing compares to Palo Alto. If I were the other vendors, I’d start looking for another job.

More to come on this story. Check it out for yourselves. Palo Alto Networks

For a good start into how this technology works take a look at this from Palo Alto

© 2013 Palo Alto Networks

Executive Summary: The Need for a Single-Pass Architecture

For many years, the goal of integrating threat prevention services into the firewall has been pursued as a means of alleviating the need for additional devices for functions such as IPS, network antivirus, and more. The pursuit of integrating threat prevention functions into the firewall makes perfect sense – the firewall is the cornerstone of the security infrastructure.

Current integration iterations carry a variety of different labels – deep inspection, unified threat management (UTM), deep packet inspection, and others. Each of these iterations shares a common problem, which is a lack of consistent and predictable performance when security services are enabled. Specifically, the firewall functions are capable of performing at high throughput and low latency, but when the added security functions are enabled, performance decreased while latency increased.

The Palo Alto Networks Single-Pass Parallel Processing (SP3) architecture addresses the integration and performance challenges with a unique single-pass approach to packet processing that is tightly integrated with a purpose-built hardware platform.

Single-pass software: By performing operations once per packet, the single-pass software eliminates many redundant functions that plague previous integration attempts. As packets are processed, networking, policy lookup, application identification and decoding, and signature matching for any and all threats and content is only performed once. This significantly reduces the amount of processing overhead required to perform multiple functions in one security device. The single-pass software uses a stream-based, uniform signature matching engine for content inspection. Instead of using separate engines and signature sets (requiring multi-pass scanning) and instead of using file proxies (requiring file download prior to scanning), the single-pass architecture scans traffic for all signatures once and in a stream-based fashion to avoid the introduction of latency.

Parallel processing hardware: The single-pass software is then integrated with a purpose-built platform that uses dedicated processors and memory for the four key areas of networking, security, content scanning and management. The computing power within each platform has been specifically chosen to perform the processing intensive task of full stack inspection at multi-Gbps throughput.

The resulting combination delivers the horsepower required to achieve consistent and predictable performance at up to 20 Gbps of throughput, making the goal of integrated firewall and threat prevention a realit

Cisco ASA VPN Device Review

Product Review
Cisco ASA VPN device with the 8.4(5) image and ASDM 7.11. This device meets the FIPS 140-2 cryptographic requirements for federal agencies. The purpose of the device is to ensure the confidentiality, integrity, and availability of information between networks. The device is best used between different locations, offering secure communications for users, clients (DMZ), and partners (DMZ). Cisco has been in the business of creating borderless networks for some time. Overall performance and features of the device are great. It does take a little time to get used to the commands, as they are a little different from the Cisco IOS router, but not as different as another vendor like 3Com, now HP.
This device provides the following features and services:

• Visibility and granular control of applications and micro-applications, with behavior-based controls
• Robust web security
• Advanced threat protection with a comprehensive, highly effective intrusion prevention system (IPS)
• Highly secure remote access
• Protection from botnets
• Proactive, near-real-time protection against Internet threats

VPN capabilities
• Site to Site (l2l)
• Remote Access (RA) AnyConnect or IPsec Client (Cisco Client)
• Clientless VPN (webpage)
• PKI Infrastructure for Certificate based scalable authentication

CSD Features
• Secure Desktop (Vault)
• Cache Cleaner
• Keystroke Logger Detection (KSL)
• Host Emulation Detection
• Advanced Endpoint Assessment (License required)
  o Provides remediation (Fixes)
    ▪ Firewall
    ▪ Antispyware
The device is reported to be the Anti-X device that will eliminate threats and reduce risks. The extended features are nice in the brochure and work if you use the proven and tested platforms. This includes the Cisco Secure Desktop (CSD), which as of January 17, 2013 was being developed and has now stopped. More on this later.

This device provides protection and utilizes technology like the IPsec protocol suite for authentication, encryption, and integrity of network communication. Companies can use these devices to build secure tunnels from branch offices and create that borderless network. It gives remote teleworkers the ability to work from anywhere. It also provides an implementation where partners can connect to company extranets to collaborate. The uses for this device are great, and I would certify that this product be used in every deployment.

Pros
• Great encryption capabilities
• Versatile Remote Access configuration down to user level settings
• Customizable Web Portals Internet/Extranet Sites
• Monitoring VPN activity and errors
• CLI provides quick access to various states of the device
• Troubleshooting Tools

Cons
• Troubleshooting error codes not always decipherable
• Firewall rule configuration not as intuitive as Checkpoint. ASDM needs work

Discussion
Recently I have had the experience of setting up and using a Checkpoint VSX appliance for building virtual firewalls. Checkpoint makes a great product, and as far as I can say it is very intuitive, more so than the Cisco ASA, for creating firewall rules and applying them. The Cisco ASA also supports multiple context mode for firewalls and separate networks for a Managed Security Provider or ISP allocating address space to businesses. However, I have yet to really see a Cisco ASA used in this manner, so I cannot comment on its performance when used this way. I do know that the Checkpoint VSX security appliance can handle the bandwidth and processing. Utilizing 10 GB interfaces and a Linux OS, the Checkpoint is a very secure and powerful security appliance. Can the Checkpoint do VPN? Yes, but I have not configured that yet.

Cisco Secure Desktop
As reported here:

“Cisco stopped developing the Secure Desktop (Vault), Cache Cleaner, Keystroke Logger Detection (KSL), and Host Emulation Detection features on November 20, 2012.” – Cisco

CSD works only on Windows platforms, and it starts to go downhill from there. When you move to 64-bit systems and rarer platforms like Mac or Linux, the capability of CSD to keep your network safe and the bad stuff out just takes a nose dive. The features-versus-benefit tradeoff is not worth the product offering. Your IT department will spend more time fixing why users cannot connect than it will getting them connected and productive. Yes, what it does sounds great in the brochure, but the real safe way to prevent data leakage is to train the users.

There has been talk lately, since hacking events are on the increase, about what device offers the most security from the firmware to your data center. The move has been to shift from Checkpoint to Cisco as an American-made product vs. an Israeli-manufactured device. This has been pure speculation, and this trend will be monitored closely if it continues. I am not certain why, given that it is based on speculation, but in reality there is no difference in cryptographic service being impaired or diminished by any device, Checkpoint or Cisco. I think it may be fear, or the move to remove all doubt by purchasing Cisco only.

* Personal author note – KP “We live in an age not seen before. While there is nothing new under the sun, I believe this is the time we are in, where faith and moral code is replaced by another agenda. This is what might be causing the fear of a foreign made product used in Gov’t shops”.

Purchase Point
If you are looking for a mature and dynamic security appliance for your SMB or enterprise network, the Cisco ASA is for you. If you are looking to create a data center and offer a lot of services then maybe the Checkpoint is the way to go.

DLink DAP-1522 Access Point – Measures Up!

Netwerk Guardian is quite impressed with DLink’s DAP-1522. To spare you the boring details, we’ll just get right to the point. An access point was needed to extend wireless in a heavy trucking garage surrounded by 30′ tall concrete walls. The DLink DAP-1522 was chosen because of its ability to work as a bridge or an access point. Configuration is easy, and it just takes a few seconds for changes to be pushed down. Then came the site survey, with impressive results. There was wireless coverage up to forty (40) feet away from the access point in all directions. This covers the garage as well as the office building, providing internet access for the client. It operates in Wireless N and legacy G modes.

Check out the DLink DAP-1522 here

Cisco 300 LAN switch beats HP and Netgear

Tolly Group, an independent research company, has released a report stating that the Cisco 300 series LAN switch is just plain better. There are several items where the Cisco 300 has outperformed HP, Netgear, and D-Link.
HP E-2510-24 and E-2610-24, Netgear’s FSM726 and GSM7224 were compared.
Categories in the test were:
• Wire speed, non-blocking Layer-2 throughput at all frame sizes
• Consistent low latencies at all frame sizes. (aka choking on a packet)
• Price for performance
• Most extensive IPv6 feature set, traffic shaping, rate limiting, scope of GUI based configuration
• Lowest power consumption in 2/3 classes tested and overall efficiency (Wait til you see the savings $$)
• Most extensive set of IPv6 protocol and application support.
• Best usability of simplified user interface delivering both basic and advanced capabilities in an intuitive fashion. (Tolly Test report #211103, Feb 2011)

Click the link above to see for yourself. Cisco has swung back with an effective SMB product that I am sure will rival HP and Netgear as well as the reseller market offering almost good as new on other products. Why buy used when you can buy a new one of these?

Some quick results:
Watts consumption on 10/100 PoE ports
• Cisco SF300P = 23.1
• D-Link DES 3528 = 42.2
• HP E2610 = (a whopping) 49.3
Watts consumption 10/100 non-PoE
• Cisco SF300 = 13.0
• D-Link DES 3528 = 14.5
• HP E2510 = 15.2
• HP E2610 = 18.5
• Netgear FSM726 = 12.5
Watt consumption on Gigabit Ethernet
• Cisco SG300-28 = 26.0
• HP E2810-24G = 47.1
• Netgear GSM7224 = 38.4
My review of these charts would say, “I bought HP or Netgear because they were cheaper, but I am spending more in recurring costs.” As with capital investments, you don’t save on the project, you save on the benefit it provides.

Results for latency by packet size: the Cisco 300 series never broke 140 ms at any size, while the others were up around 180-340 ms, on the inside network. OUCH!

Conclusion: All I can say, as someone who works with many brands, is that I will have to say Cisco got it right this time. What a score, both performance-wise and business-wise. They are reaching the masses in the SMB market with this, whereas the larger companies have to use another class of switches. This is a must-buy for the next refresh cycle.

RingCentral Best Outsourced VOIP

RingCentral is undoubtedly the best outsourced VOIP solution I have seen. Just after the drama with 8×8, it looks like the best is RingCentral.

Easy purchase, no contracts. Easy setup and free tech support. Get the best phones, Linksys and Polycom, configured; just plug in and talk. The dashboard is very in-depth and has a lot of features. A great product for mobile companies or companies smaller than 25 people.

Elysia Cooper is a great account manager and was able to help with the transition. Netwerk Guardian is so impressed that they have decided to offer RingCentral installations for companies with 25 or fewer people.

Verizon messes up Backup Assistant on LG Env3

Verizon is a great company on the leading edge, with a 3G network and services nationwide in the U.S. However, not all their applications work as described. Earlier this month Netwerk Guardian tested one of their data-capable phones, the LG Env3, with Backup Assistant. After 4 phone calls with 4 different customer support personnel and one tech support, they all failed to fix the problem of overwriting data. What does this mean? It means that when you edit or add/erase a contact online and then select the sync action, it constantly overwrites what you spent time removing. What’s the point of syncing when it will just reverse what you spent time doing? So the tech said, “We will cancel the subscription on our (Verizon) end.” Results were the same. Netwerk Guardian actually had to delete the application from the phone.

The question to ask yourself is: how safe is the data that you have on your phone?
Would you believe that what you are trying to control with their help is really out of control?

Verizon, just stick to telecommunication and leave the contact management to the end user.