Tag Archives: VPN

IPVanish VPN Service and DNS Leak Testing

As you know, privacy is a big thing for everyone and anyone who is a person. I think privacy is an unalienable right that should not be taken lightly. What is important to private citizens is the right to be... private citizens. We are not in the public service and do not want to be in the limelight. Ask anyone in Hollywood what they'd give to be invisible for a month (depending on popularity); I bet more than a few would pay a million for it. On the internet we look up, research, post, communicate, and advocate as we like. It's our free will and our right. So with that in mind, IPVanish is here to help.

IPVanish is a VPN service that... well, keeps the lid on things to keep eyes off of you. To sum it up, here is the tagline from the landing page of their site:

Your simple solution for Internet privacy.
Lightning-fast speeds. Maximum security. Zero logs.

Have you ever wondered where your browser goes when you type something in and hit search? Who sees it? Who responds? Where are you going? Where is this browser taking me? Well, break out Wireshark and IPVanish and let's go for a little test drive, shall we? OK, you just buckle up, or sit down and grab some popcorn, and I will show you.

Let's see how safe and secure our DNS requests are while not on the VPN provided by IPVanish and see what the results are.
You can perform a DNS leak test at DNS Leak Test.com (the best one I've seen).
Here we are going to click the Extended Test because we want a really exhaustive test.

[Screenshot: leaktest_novpn1]

It tries to determine your location from your ISP's nearest hub and gives you two options, a standard or an extended test (click Extended).

The test runs, making queries out to the web, and then displays which DNS servers resolved those queries for you.

The results of this test show the following servers answered the queries.
[Screenshot: leaktest_novpn2b]

Where was it going for the tests? Look below. It hits your internal DNS server or gateway and then goes outbound.
[Screenshot: dnsleaktest_novpnws3]

Now let's use IPVanish and see if they deliver.
[Screenshot: ipvanish]

We log on and run the same test at the same site.
[Screenshot: dns_leaktest_onvpn1]

Click on Extended and watch the Wireshark capture as it all goes through the tunnel. The DNS server address in the capture is in the same IP subnet range as the VPN (I scrubbed it from the screenshot).
[Screenshot: dnsleaktest_onvpn2]
The results show just the one IP address, IPVanish's DNS server, returning the DNS results, rather than your ISP's resolver or some search-engine giant's.

[Screenshot: dnsleaktest_onvpn3]
So we conclude that your privacy is ensured with this VPN service provided by IPVanish. Make sure you do your research before investing in a VPN solution. IPVanish supports the EFF (Electronic Frontier Foundation), which is all about privacy and your rights.
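The Wireshark check above (does every DNS query leave through the tunnel and land on a resolver inside the VPN's address range?) can be automated against a capture. This is an added example, not code from the original post or from IPVanish; the capture lines are constructed, and the VPN subnet 10.8.0.0/24, the LAN addresses and the resolver addresses are assumed sample values.

```python
import ipaddress
from typing import NamedTuple

class DnsQuery(NamedTuple):
    src: str    # IP that sent the query
    dst: str    # resolver the query was sent to
    qname: str  # name being looked up

# Constructed sample lines (not real traffic), in the tab-separated form that
# tshark -r cap.pcap -Y "dns.flags.response == 0" -T fields \
#     -e ip.src -e ip.dst -e dns.qry.name
# produces. First capture: no VPN, queries hit the LAN gateway and an ISP
# resolver. Second capture: tunnel up, queries go to the VPN's own resolver.
NO_VPN_CAPTURE = """\
192.168.1.10\t192.168.1.1\tdnsleaktest.com
192.168.1.10\t192.168.1.1\tabc123.dnsleaktest.com
192.168.1.10\t203.0.113.53\txyz789.dnsleaktest.com
"""
ON_VPN_CAPTURE = """\
10.8.0.7\t10.8.0.1\tdnsleaktest.com
10.8.0.7\t10.8.0.1\tabc123.dnsleaktest.com
"""

def parse_capture(text):
    """Parse tshark field output into DnsQuery records, skipping blank lines."""
    queries = []
    for line in text.splitlines():
        if line.strip():
            src, dst, qname = line.split("\t")
            queries.append(DnsQuery(src, dst, qname))
    return queries

def find_dns_leaks(queries, vpn_subnet):
    """Return the queries that did not travel through the VPN tunnel.

    Same check the post makes in Wireshark: with the tunnel up, each query
    should leave from the tunnel interface and reach a resolver inside the
    VPN's address range; anything else went out the LAN/ISP path (a leak).
    """
    net = ipaddress.ip_network(vpn_subnet)
    return [q for q in queries
            if ipaddress.ip_address(q.src) not in net
            or ipaddress.ip_address(q.dst) not in net]

def leak_report(text, vpn_subnet):
    """Summarise a capture: resolvers seen, leaked query count and verdict."""
    queries = parse_capture(text)
    leaks = find_dns_leaks(queries, vpn_subnet)
    return {"resolvers": sorted({q.dst for q in queries}),
            "leaked": len(leaks), "clean": bool(queries) and not leaks}
```

Run it on a real capture by replacing the constructed strings with the tshark output; a single query to the LAN gateway or an ISP resolver while the tunnel is up is enough to flag the capture as leaking.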

Cisco ASA VPN Device Review

Product Review
Cisco ASA VPN device with the 8.4(5) image and ASDM 7.11. This device meets the FIPS 140-2 cryptographic requirements for federal agencies. The purpose of the device is to ensure the confidentiality, integrity, and availability of information exchanged between networks. The device is best used between different locations, offering secure communications for users, clients (DMZ), and partners (DMZ). Cisco has been in the business of creating borderless networks for some time. Overall performance and features of the device are great. It does take a little time to get used to the commands, as they are a little different from those of a Cisco IOS router, but not as different as another vendor's, like 3Com (now HP).
This device provides the following features and services:

• Visibility and granular control of applications and micro-applications, with behavior-based controls
• Robust web security
• Advanced threat protection with a comprehensive, highly effective intrusion prevention system (IPS)
• Highly secure remote access
• Protection from botnets
• Proactive, near-real-time protection against Internet threats

VPN capabilities
• Site to Site (l2l)
• Remote Access (RA) AnyConnect or IPsec Client (Cisco Client)
• Clientless VPN (webpage)
• PKI Infrastructure for Certificate based scalable authentication

CSD Features
• Secure Desktop (Vault)
• Cache Cleaner
• Keystroke Logger Detection (KSL)
• Host Emulation Detection
• Advanced Endpoint Assessment (license required)
  o Provides remediation (fixes) for:
    - Firewall
    - Antispyware

The device is reported to be the Anti-X device that will eliminate threats and reduce risks. The extended features are nice in the brochure and work if you use the proven and tested platforms. This includes the Cisco Secure Desktop (CSD), which as of January 17, 2013 was still being developed and has now been discontinued. More on this later.

This device provides protection and utilizes technology like the IPsec protocol suite for authentication, encryption, and integrity of network communication. Companies can use these devices to build secure tunnels from branch offices and create that borderless network. It allows remote teleworkers the ability to work from anywhere. It also provides an implementation where partners can connect to company extranets to collaborate. The uses for this device are great, and I would certify this product for use in every deployment.

Pros
• Great encryption capabilities
• Versatile Remote Access configuration down to user level settings
• Customizable Web Portals Internet/Extranet Sites
• Monitoring VPN activity and errors
• CLI provides quick access to various states of the device
• Troubleshooting Tools

Cons
• Troubleshooting error codes not always decipherable
• Firewall rule configuration not as intuitive as Checkpoint. ASDM needs work

Discussion
Recently I have had the experience of setting up and using a Checkpoint VSX appliance for building virtual firewalls. Checkpoint makes a great product and, as far as I can say, it is more intuitive than the Cisco ASA for creating firewall rules and applying them. The Cisco ASA also supports multiple-context mode for firewalls and separate networks, for a Managed Security Provider or ISP allocating address space to businesses. However, I have yet to really see a Cisco ASA used in this manner, so I cannot comment on its performance in that role. I do know that the Checkpoint VSX security appliance can handle the bandwidth and processing. Utilizing 10 Gigabit interfaces and a Linux OS, the Checkpoint is a very secure and powerful security appliance. Can the Checkpoint do VPN? Yes, but I have not configured that yet.

Cisco Secure Desktop
As reported here:

“Cisco stopped developing the Secure Desktop (Vault), Cache Cleaner, Keystroke Logger Detection (KSL), and Host Emulation Detection features on November 20, 2012.” – Cisco

CSD works only on Windows platforms, and it goes downhill from there. When you move to 64-bit systems and rarer platforms like Mac or Linux, CSD's ability to keep your network safe from the bad stuff takes a nose dive. The feature-versus-benefit trade-off does not justify the product offering. Your IT department will spend more time figuring out why users cannot connect than it will getting them productive. Yes, what it does sounds great in the brochure, but the real safe way to prevent data leakage is to train the users.

There has been talk lately, since hacking events are on the increase, as to which device offers the most security, from the firmware to your data center. The move has been to shift from Checkpoint to Cisco, as an American-made product versus an Israeli-manufactured device. This has been pure speculation, and this trend will be monitored closely if it continues. I am not certain why, based on speculation, but in reality there is no difference in cryptographic service being impaired or diminished by either device, Checkpoint or Cisco. I think it may be fear, or the move to remove all doubt by purchasing Cisco only.

* Personal author note – KP: “We live in an age not seen before. While there is nothing new under the sun, I believe this is the time we are in, where faith and moral code are replaced by another agenda. This is what might be causing the fear of a foreign-made product used in Gov’t shops.”

Purchase Point
If you are looking for a mature and dynamic security appliance for your SMB or enterprise network, the Cisco ASA is for you. If you are looking to create a data center and offer a lot of services then maybe the Checkpoint is the way to go.