Monday, 29 March 2010

Hackers @ home (in your office)

Drassanes metro station is at the bottom of the Rambla in Barcelona. Last December when I asked the station official to call security it was because I had been followed by a pickpocket onto the platform. The official amazed me by replying, "Not much point, they live here". Drassanes is an ideal place for pickpockets to operate, with a plentiful supply of disorientated foreigners to prey on. The scary thing is the pickpockets have become so prevalent that they and their crimes are now invisible to all except their immediate victims. They find this fact encouraging.

Chances are your office computer network would make just such a comfortable home for hackers. It's not that you don't have security measures in place. Your internet gateway router is running a firewall, your office workstations are on a Windows domain and each endpoint workstation is protected with up-to-date antivirus software. All the computers in the domain are patched and up to date. So what's the weakness if you stop at these perfectly sensible security measures?

Increasingly, devices are being brought onto the network that fall outside the direct control of the IT administrator. These might include staff personal/work laptops, smartphones, visiting clients' PCs, or, if you are a tech company, PCs you are working on for a client. In some informal networks the majority of devices are not controlled at all, with just one or two devices such as an administration PC kept for office duties. Most of the devices just connect, acquire a network and gateway address and are immediately granted access to an infamously insecure place we call the Internet. Is it safe to share your company network in this way?

Getting back to the Barcelona metro metaphor, like the metro authorities you might have resources that you feel you need to secure and others that you allow to share your network but are, well, someone else's responsibility. The style of your office and communications set-up in general is easy going. People install their own applications: Facebook, Twitter, Skype; all these have become part and parcel of the way you do business. Not only that, you are a small business and cannot afford all the paraphernalia associated with corporate security (do you have retinal scanners and CCTV at the office door? Do you need a smart card with a one-time password to log in?). So just what threats are we turning our backs on by ignoring these 'passengers' on our network?

Keyboard logging to discover passwords and credit card details, packet sniffing to view unencrypted network traffic, remote access servers to grant a remote user full access to a PC, botnets using a PC to send out thousands of spam emails or launch attacks on other PCs; these are just some of the 'features' that hackers can install on your network via uncontrolled devices. Internet access is driving our business but it is also driving the business of hackers – it's the most popular way of gaining unauthorized access to your network.

Now let's get this in perspective. At home we have one or two PCs and each is properly protected by an Internet Security Suite. This is much more than an antivirus. It delves into our network traffic, scours emails and prods web sites suspiciously before connecting us to their servers. Inside a controlled corporate environment, antivirus, which only checks once an infection has already reached the PC file system, might be enough. But we are already agreed, if we are honest, that we don't have a controlled corporate environment. So what do we need to be able to see and tackle these threats?

Configuring Cisco IPS on your network is like installing CCTV monitored by a 24/7 flying squad at your favourite city's most notorious metro station. Or to put it another way, you can configure many of the features of a security suite at a single point in your network. There's really no excuse for not doing this. I used the word configuration, because if you already have a Cisco ISR at the edge of your network then this feature is built in for no extra cost. If not then upgrading to an ISR is the way to go.

Cisco IPS works in a complementary way to a firewall. Unlike a basic firewall, IPS can detect attacks coming from the inside of the network. For example, a user inadvertently clicks on a link that installs a hidden remote access server. The server attempts to connect out to its master (somewhere on the internet) and establish access to your network. IPS would be triggered by this outbound connection attempt. IPS can be triggered by up to 2300 signatures matching causes as diverse as peer-to-peer traffic and internet worms. Sometimes a single packet, sometimes a combination of events, triggers a signature.

Alerts are sent to a management station that can be set up on the local network or, via a secure connection, at your service provider's network so they can proactively monitor your network security as part of their support contract. The management software is linked to an online database giving further information about the attack signature. As the sensor is operating in-line with the threat traffic it can be configured to drop a packet, reset the connection, deny the connection or deny the attacker. In the case of an infected PC, this would prevent the PC communicating through the router, giving you enough time to identify the problem and take further action.
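To show what "configuring" this on an ISR actually looks like, here is an added example (not from the original post and not a Cisco reference configuration): IOS IPS applied in-line on the LAN interface so it sees uncontrolled devices calling out, alerts delivered over SDEE to a management station, and one signature tuned to drop the offending packet. The IPS name, interface names and the signature-package location are assumptions; the signature ID is a placeholder to be taken from the alert you are tuning.

```cisco
! Added example, not from the original post. Assumes an ISR with IOS IPS
! (5.x signature format), the office LAN on GigabitEthernet0/0, and a
! signature package already loaded into flash:ips (the Cisco public key
! and the package copy step are omitted here).
!
! Where the router stores its compiled signature set
ip ips config location flash:ips retries 1
! Name of the IPS rule that will be applied to an interface
ip ips name OFFICE-IPS
! Send alerts to the management station (SDEE over HTTPS) and to syslog
ip ips notify sdee
ip ips notify log
! A "deny attacker" action blocks on the IPS interface rather than globally
ip ips deny-action ips-interface
!
! Do not load every signature: retire all, then un-retire the "basic"
! category, which is sized to fit an ISR's memory
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
! Tune a single signature identified from an SDEE alert (<SIG-ID> and
! <SUBSIG-ID> are placeholders) so that, besides alerting, the router
! drops the matching packet in-line; the other choices the post lists are
! reset-tcp-connection, deny-connection-inline and deny-attacker-inline
ip ips signature-definition
 signature <SIG-ID> <SUBSIG-ID>
  status
   enabled true
  engine
   event-action produce-alert deny-packet-inline
!
! Inspect both directions on the LAN side: "in" catches an infected PC
! connecting out to its controller, "out" catches traffic aimed at the LAN
interface GigabitEthernet0/0
 description Office LAN - where the uncontrolled devices live
 ip ips OFFICE-IPS in
 ip ips OFFICE-IPS out
!
! SDEE is served over the router's HTTPS server; the management station
! logs in with a local account to pull alerts
ip http secure-server
ip http authentication local
```

After applying this, `show ip ips statistics` and `show ip ips signatures` on the router confirm which signatures are compiled and how often each has fired.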

Anti-spam, email and web content filtering are useful threat defences that you should also consider, but by implementing IPS you are acknowledging that, in all but the strictest security environments, the difference between inside and outside marked by the company firewall is not as clear cut as it used to be. You are also giving yourself the tools to manage the security of the 'public' on your network.

Saturday, 27 March 2010

Beating Bandwidth Congestion

Rumour has it that we are running out of bandwidth on the internet. A bit of potted history might help. About a decade ago before the dotcom bubble burst, governments sold licences to service providers to operate on radio frequencies reserved for the 'Third Generation' or 3G networks. A great deal of optimism about e-commerce at the time led to astronomical figures being paid for these licences – money that the service providers are still having to pay back. Meanwhile demand for mobile data appears to be rising exponentially, driven by our enthusiasm for internet enabled applications on devices such as the iPhone and the seemingly limitless imagination of software developers.

So much for wireless connections; our home ADSL or cable usage is also snowballing. In part this is fed by the peer-to-peer file sharing revolution, a generation brought up on 'free stuff' they can download whilst redefining their understanding of the word 'theft', as well as the exponential increase in availability of all kinds of new entertainment content such as BBC iPlayer and YouTube.

So in the middle of an economic squeeze (where, incidentally, demand for free stuff and online entertainment of all sorts is unlikely to fall), service providers already weighed down by borrowing for the investment in their existing infrastructure are struggling to keep their capacity in line with demand and are making noises at governments for help. Governments are also struggling to understand where the funding will come from.

Until this investment comes we can expect to see actual internet speeds fall for end consumers. So consumers and businesses looking to maintain or increase their bandwidth might take a look at load balancing. Load balancing involves using connections to more than one service provider (ISP) and combining those connections to form a bigger pipe onto the internet. The technology I have been looking at is called OER, or Optimized Edge Routing. This is particularly useful where an internet connection is shared on a local network. OER works by looking at the statistics for delay and throughput for different kinds of traffic, redirecting the traffic out of the interface with the least delay, a bit like a driver who checks the traffic reports before setting out for work.

There are many configurations for OER: it can just look at time sensitive traffic such as web browsing, prefer one ISP over another depending on cost and react in different ways depending on how it is set up. When I first read the technical book I was impressed by a well thought out process but the scope for configuration was huge and the systems for monitoring performance seemed unnecessarily opaque. Thank goodness Cisco Systems, who dreamed up this feature, have excellent technical support from their TAC department and an experienced technician was able to walk me through setting the system up.
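As an added example (not from the original post, and not a configuration supplied by Cisco TAC), this is the shape of an OER set-up on a single ISR that is both master controller and border router: it learns the busiest and slowest destinations from NetFlow, measures delay on each ISP link, and moves traffic to the exit with the least delay, as the paragraphs above describe. The interface roles (a VSAT link and a 3G link, as in the marine scenario), the Loopback0 address and the key chain are assumptions.

```cisco
! Added example, not from the original post. Assumes one ISR acting as both
! OER master controller and border router: office LAN on Gi0/0, ISP link A
! (assumed VSAT) on Gi0/1, ISP link B (assumed 3G/shore) on Gi0/2, and
! Loopback0 at 10.255.0.1 used as the master/border address.
!
! Shared secret between master and border (required even on the same box)
key chain OER-KEY
 key 1
  key-string <SHARED-SECRET>
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
oer master
 logging
 ! The border router and which of its interfaces face the LAN or an ISP;
 ! a link counted as congested above 75% utilisation is taken out of play
 border 10.255.0.1 key-chain OER-KEY
  interface GigabitEthernet0/0 internal
  interface GigabitEthernet0/1 external
   max-xmit-utilization percentage 75
  interface GigabitEthernet0/2 external
   max-xmit-utilization percentage 75
 ! Learn the top prefixes by throughput and by delay from NetFlow statistics
 learn
  throughput
  delay
  periodic-interval 0
  monitor-period 1
  prefixes 100
 ! Measure passively (NetFlow) and actively (probes) on each exit
 mode monitor both
 ! Actually move traffic, rather than only reporting what OER would do
 mode route control
 ! A prefix is "out of policy" when its round-trip delay exceeds 300 ms
 delay threshold 300
 ! When choosing an exit, compare delay first, then loss
 resolve delay priority 1 variance 20
 resolve loss priority 2 variance 10
 ! Choose the best exit rather than the first one that is merely in policy
 mode select-exit best
 ! Re-check an out-of-policy prefix after 90 s, backing off to 15 minutes
 backoff 90 900 90
!
oer border
 local Loopback0
 master 10.255.0.1 key-chain OER-KEY
```

`show oer master prefix` then lists each learned prefix with its measured delay per exit and the exit currently in use, which is the monitoring view the post found opaque in the documentation.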

The benefits of an intelligent load balancing system like this are clear. By monitoring the state of play on each ISP connection OER can automatically find a way around traffic jams. This includes those caused by uncontrolled congestion or by the deliberate efforts of the ISP to limit traffic. In the marine industry, we provide internet services to ships that mainly rely on satellite systems such as VSAT but also have alternative connection methods such as 3G and local WiFi or WiMax for use in port. These customers can benefit from load balancing to boost their bandwidth during busy periods in port for a fraction of the cost of contracting that additional bandwidth from their VSAT service provider.