Bob's Adventures in Wireless and Video

Tuesday, January 17, 2012

Securing Your Web Communications

I am sure we all have had it happen...you are surfing the web and you cruise to a site that looks like what you were looking for. All of a sudden it starts to happen: pop-ups come from nowhere, new windows appear inviting you to click to "eliminate viruses" or "fix your PC". It happens to all of us. If you are unfortunate enough to accidentally click on a link, you enter web hell. Now your home page changes, scripts start to run every time you open your browser, and you have to spend hours trying to remove all of the crap. Hopefully you did not get a virus.

Or we have all read about hackers intercepting WiFi data at coffee shops, stealing credit card numbers, social security numbers, etc.

Or what about privacy? Do you want Google, Akamai, Limelight, AT&T, or other big corporations or governments to be able to intercept your personal data without your knowledge? It is very easy to do. Most routers that carriers use have CALEA support (all HauteSpot routers support CALEA). This is a lawful-intercept facility that can capture everything passing through the router to a file that can be read later. Typically this is done with a warrant if you are the government, but sometimes without. Hackers who get control of a router can do the same thing.

As surveillance moves to VSaaS (video surveillance as a service), using appropriate measures to protect your communications is essential. Not only do you prevent a lot of headaches, but you may keep yourself from being sued for not taking adequate steps to safeguard your customers' data and networks.

For what it is worth, here are a few suggestions that I have for implementing good security practices while using the Web.

First a couple of definitions:
Authentication - (Skip this if you already know what authentication is) Authentication is verifying that a claim about a piece of information or an entity is true. In the Internet world this generally means verifying the identity of a person or a computer (web server, database server, email server, video server). There are a few ways to do this. The most common is to rely on a secret key, either shared directly between the two parties (a pre-shared key) or vouched for by a trusted third party (a certificate).

In the pre-shared key model, two users create a long random key or pass phrase and deliver it to each other over some channel they already trust (in person, over the phone, etc.). From that point forward, every message sent or connection made is authenticated by proving possession of that key: the sender computes a value over the message that only a key holder could produce, and the receiver checks it against the key it already has. The key itself should never be sent over the network again. It is more complex than this, but in general this is how pre-shared keys work. The problem is that you have to know the person or machine first in order to get the key from them to start with. You can't know everyone.
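To make the "prove you have the key without ever sending it" point concrete, here is an added example (my own illustration, not code from the original post or from any HauteSpot product) of a pre-shared-key challenge/response written in Python with only the standard library. The 256-bit key size, the 128-bit nonce size and the "camera-1" identity label are assumptions chosen for the demo; the design is the same one used by PSK authentication in real protocols.

```python
"""Pre-shared-key authentication as a challenge/response exchange.

Added example, not code from the original post. Both parties hold the same
secret; neither ever transmits it. The verifier sends a fresh random challenge
and the prover returns an HMAC over it, which only a holder of the key can
compute. A captured response is useless later because the challenge changes
every time. Sizes and the identity label below are assumptions for the demo.
"""
import hashlib
import hmac
import secrets

KEY_LEN = 32        # 256-bit pre-shared key (assumed size)
CHALLENGE_LEN = 16  # 128-bit random nonce per authentication attempt (assumed size)


def generate_psk() -> bytes:
    """Create a fresh pre-shared key; distribute it out-of-band to both sides."""
    return secrets.token_bytes(KEY_LEN)


def new_challenge() -> bytes:
    """Verifier side: an unpredictable nonce for one authentication attempt."""
    return secrets.token_bytes(CHALLENGE_LEN)


def respond(psk: bytes, challenge: bytes, identity: bytes) -> bytes:
    """Prover side: demonstrate possession of psk without sending it.

    The identity is bound into the MAC so a response produced for one device
    cannot be presented as coming from another device with the same key.
    """
    return hmac.new(psk, identity + b"|" + challenge, hashlib.sha256).digest()


def verify(psk: bytes, challenge: bytes, identity: bytes, response: bytes) -> bool:
    """Verifier side: recompute the expected response and compare in constant time."""
    expected = respond(psk, challenge, identity)
    return hmac.compare_digest(expected, response)


def authenticate(psk_client: bytes, psk_server: bytes, identity: bytes = b"camera-1") -> bool:
    """Run one full exchange and report whether the verifier accepts the prover."""
    challenge = new_challenge()                          # server -> client
    response = respond(psk_client, challenge, identity)  # client -> server
    return verify(psk_server, challenge, identity, response)   # server decides


def replay_attack_succeeds(psk: bytes, identity: bytes = b"camera-1") -> bool:
    """Model an eavesdropper who captured one (challenge, response) pair and
    replays the old response against a later challenge. Returns True only if
    the verifier wrongly accepts it."""
    old_challenge = new_challenge()
    captured = respond(psk, old_challenge, identity)
    later_challenge = new_challenge()
    return verify(psk, later_challenge, identity, captured)


if __name__ == "__main__":
    psk = generate_psk()
    print("genuine client accepted:  ", authenticate(psk, psk))
    print("wrong key accepted:       ", authenticate(generate_psk(), psk))
    print("replayed response accepted:", replay_attack_succeeds(psk))
```

Note what crosses the wire: only the random challenge and a 32-byte MAC. An attacker sniffing the coffee shop WiFi learns nothing that lets them compute a response to the next challenge, which is exactly the property that sending the pass phrase itself would lack.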

The other method of authentication is through a trusted third party. Many commercial companies provide this service; they are known as certificate authorities (CAs), and the biggies are VeriSign, GlobalSign, GeoTrust, and others. These companies are well known and make it their business to verify the identity of many companies. The certificate authority publishes a CA certificate, which contains the CA's public key and identification data and is stored on your computer (browsers and operating systems ship with a list of them). This certificate is what you use to check that a certificate presented to you was really issued by that CA.

The certificate authority also issues certificates to users. The user generates a key pair on the server computer that he wants to authenticate and sends a certificate request (containing the public key and the server's name) to the CA, along with a whole bunch of verifying information like bank account information, business license data, D&B data, etc. The CA signs the request and returns a certificate, which the user installs on the server. Now every time someone wants to connect to that server, the client gets the certificate from the server, checks the CA's signature on it using the CA certificate it already holds, checks that the name in the certificate matches the server it asked for, and then connects to the server knowing that it is really the server he wanted.

You can think of this as asking the CA for an introduction to the server that you want to connect to. If you trust the CA, then you can trust the introduction. In a perfect world you would verify the identity of every server (link) that you connect to on the web. We are not there yet.

Encryption - (again, skip this if you know what encryption is). Encryption is scrambling your data with a key so that only someone holding the matching key can unscramble it. The first thing that needs to happen is to authenticate who you are talking to; encrypting to the wrong party just hands them your data neatly packaged. Then the two sides agree on a session key to use for a short period (in SSL the client sends one protected with the server's public key, or both sides derive one from a key exchange) and change keys regularly from there, so that cracking any one key exposes as little traffic as possible.

The strength of encryption is usually described by key length, but the number only means something within one kind of algorithm. For symmetric ciphers like AES, which do the bulk scrambling, 128 bits is enough for most general needs and 256 is better; 64 bits (or the 56 bits of old DES) is within reach of a determined attacker. Public-key algorithms like RSA, used for the authentication and key exchange, need far longer keys for the same strength, which is why you see 1024 or 2048 bits there, with 1024 being phased out in favor of 2048. More is better, within reason. If encryption is available and relatively fast, why wouldn't you use it for everything?

Suggestion 1 - Use Firefox as your browser - Firefox is an open source browser that is not tied to any corporation, and therefore less likely to be used for sniffing of your personal data. You have to weigh this against performance and the potential risk that an open product represents. But Firefox has a very good track record. Also, it has lots of security plug-ins available and a private browsing mode.

Microsoft IE and Chrome are great browsers, but they were developed by companies who have a vested interest in intruding on your privacy. Can they be trusted? Not a great track record, in my opinion.

Suggestion 2 - Use SSL as much as possible in your web browser. SSL (Secure Sockets Layer) is a network security protocol originally developed by Netscape for authentication and encryption of web traffic; its current versions are standardized as TLS (Transport Layer Security), and the two names are used interchangeably. SSL authenticates a server's identity using a certificate and then encrypts all of the data exchanged with that server.

By using SSL you know that the server you are communicating with is who you think it is, provided the certificate checks out: if the browser shows a certificate warning, clicking through it throws that assurance away. And you also encrypt your communications to that server so that hackers and others sharing the network (that coffee shop WiFi) cannot see what you are sending.

If you use Firefox, then the Electronic Frontier Foundation offers a plug-in called HTTPS Everywhere that rewrites your requests to a list of known sites so they use SSL instead of the plain HTTP version. It cannot secure a site that does not offer SSL, but it makes it easy to at least try to secure your connections. This is a zero-effort step to improve your safety.

Suggestion 3 - Enable SSL in your email client to connect to your mail server. This is a complex topic and I won't provide details on configuring your client. But if you use Outlook, Thunderbird, or other similar clients, you should make sure that your SMTP server and your IMAP or POP3 server connections use SSL, either on the dedicated SSL ports (typically 465 for SMTP, 993 for IMAP and 995 for POP3) or via STARTTLS on the standard ports. Otherwise your password and every message cross the wire in the clear. Many ISPs still use unencrypted connections for email. Definitely not good.

Just because you send and receive through your server using SSL, that does not mean that your mail travels between servers using SSL; it only protects the hop between you and your own server. Without certificate-based, authenticated and encrypted email, there is no way to know what happens once your email leaves your server or where it has been before reaching you.

Suggestion 4 - Use certificates in your email. This means S/MIME: your mail client signs your messages with your certificate and can encrypt to anyone whose certificate you have, end to end, regardless of the servers in between. This step sometimes creates problems. Not everyone has a mail client that can read encrypted and authenticated mail, and some mail servers will bounce your mail. But in general, it works pretty well. You can get a free certificate to install in your mail client from a number of sources: Comodo, StartCom, Secorio, TCTrustCenter and others.

Suggestion 5 - Use private browsing where possible. Firefox has a mode called Private Browsing, which can be reached under the Tools menu. Chrome has a mode called Incognito, which can be reached from the toolbar menu. IE has InPrivate Browsing, which can be found under Safety. All of these modes do basically the same thing: they keep cookies, temp files, cache, history and other identifying information separate while the mode is on and discard them when you exit, leaving your regular profile data untouched. Keep in mind that private browsing only hides your activity from the next person to use the computer; your ISP, the sites you visit and anyone sniffing the network see exactly the same traffic as before.

If you are going to be surfing the Internet with no particular destination in mind, private browsing is a good idea. Then when you go to your bank or check your stocks, flip back to normal mode. You will lose all of your cookies at the end of the session along with form data, etc., so if you are planning on going back to a site later, maybe you want to use normal mode with SSL.

Suggestion 6 - Use a VPN. A virtual private network encrypts your network connection between your device and the VPN gateway, so everything in between (the coffee shop WiFi, the broadband provider) sees only encrypted traffic. There are lots of VPN solutions out in the market. I would suggest setting up your own gateway at your office using something like a HauteSpot WRAPNXi router. Then you can run PPTP, L2TP or OpenVPN to dial in. Of the three, prefer OpenVPN or L2TP over IPsec; PPTP's MS-CHAP password authentication has well-known weaknesses. There are also many different service providers that give you a cloud to VPN over. This is a more complex topic, but basically a VPN will secure your connections when connecting to remote sites or from your laptop or PDA to your office.

Suggestion 7 - Use Tor. (From their web site) "Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. Tor provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy.

Using Tor protects you against a common form of Internet surveillance known as "traffic analysis." Traffic analysis can be used to infer who is talking to whom over a public network. Knowing the source and destination of your Internet traffic allows others to track your behavior and interests. Some attackers spy on multiple parts of the Internet and use sophisticated statistical techniques to track the communications patterns of many different organizations and individuals. Encryption does not help against these attackers, since it only hides the content of Internet traffic, not the headers.

Tor helps to reduce the risks of both simple and sophisticated traffic analysis by distributing your transactions over several places on the Internet, so no single point can link you to your destination. The idea is similar to using a twisty, hard-to-follow route in order to throw off somebody who is tailing you — and then periodically erasing your footprints."

Tor hides who you are talking to from anyone watching the network, but it does not replace SSL: the last relay in the chain (the exit node) can read anything you send to the destination unencrypted. Use SSL over Tor and you get both.

Suggestion 8 - Use NoScript to selectively enable/disable JavaScript in your browser. This plug-in for Firefox is a mixed blessing. JavaScript, along with plug-in content such as Flash and Java applets, is the active content that web pages use to control browser behavior, and it is also how most of the drive-by junk described at the top of this post gets in. Without NoScript these programs are free to run in your browser. With NoScript you have to allow them, site by site. This is a great tool for preventing these programs from taking over your browser. The downside is that you have to explicitly enable each site. I think it is worth the hassle.

Suggestion 9 - Use an external password vault. Up until recently I used the saved-password feature of my web browser to save my web site passwords. I should know better: unless you set a master password, those saved passwords are readable by anyone who can open your browser profile, and browser-stored passwords are a standard target for malware. So I started using LastPass, which is a secure password vault. You have to make the leap of faith that LastPass can be trusted, but the reviews seem pretty good.

LastPass moves all of your passwords off site. You create an account and then secure it with a really good, long master password. A plug-in for your browser then fills in passwords from your vault when you visit sites.

Why do this? With a password vault you can use really long, random passwords that are difficult to break, a different one for every web site, so a breach at one site does not expose the others. Save these really hard passwords in your vault. Then rely on your one master password to protect all the others, which means that one password has to be long, unique and never reused anywhere else. Also, the passwords are available on other systems like your smartphone. Again, it takes a leap of faith, but I think it is better than the alternative of short, easy passwords stored in your web browser.
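The key-length discussion in the definitions and the advice here on long random passwords are the same idea, so here is one added example covering both (my own illustration, not code from the original post and not LastPass's generator): it computes how many characters a uniformly random password needs to match a given symmetric key strength, and generates such a password with Python's `secrets` module, which draws from the operating system's cryptographic random source. The alphabets and the 128-bit target are assumptions for the illustration.

```python
"""Password strength measured as key length, and a vault-grade generator.

Added example, not code from the original post or from LastPass. A password
drawn uniformly at random from an alphabet of A symbols carries log2(A) bits
per character, so the length needed for a given strength follows directly.
The password is generated with the `secrets` module; never use `random`,
whose generator is predictable, for anything security-related.
"""
import math
import secrets
import string

# Alphabets a vault generator typically offers (assumed, for illustration).
ALPHABETS = {
    "digits": string.digits,                                               # 10 symbols
    "lowercase": string.ascii_lowercase,                                   # 26
    "alphanumeric": string.ascii_letters + string.digits,                  # 62
    "printable": string.ascii_letters + string.digits + string.punctuation,  # 94
}


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: int, alphabet_size: int) -> int:
    """Smallest password length from this alphabet that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(length: int, alphabet: str) -> str:
    """Uniform random password; each symbol chosen independently by the CSPRNG."""
    if length <= 0 or len(alphabet) < 2:
        raise ValueError("need a positive length and at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def strength_table(target_bits: int = 128) -> dict:
    """Length needed from each alphabet to match a symmetric key of target_bits."""
    return {name: length_for_bits(target_bits, len(a)) for name, a in ALPHABETS.items()}


if __name__ == "__main__":
    for name, need in strength_table(128).items():
        print(f"{name:>13}: {need} characters for 128-bit strength")
    pw = generate_password(20, ALPHABETS["printable"])
    print("example vault password:", pw, f"({entropy_bits(20, 94):.0f} bits)")
    print("an 8-character lowercase password has only", f"{entropy_bits(8, 26):.0f} bits")
```

The table is the useful part: a 128-bit level, the "enough for most needs" symmetric key above, takes 20 characters from the full printable set or 28 from lowercase letters alone, which is why a vault that types the password for you matters. Note that the entropy figures only hold for passwords the generator produced; a human-chosen password of the same length is far weaker than the formula suggests.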

Suggestion 10 - Do the obvious. Have a good virus scanner, keep your operating system and browser patched, use a firewall, don't visit hacker sites and don't install pirated software.

Hope this helps protect you and your customers.

Sunday, January 15, 2012

Trinity VPN Networking

We have been making great strides forward on building the next generation wide area network architecture for video surveillance. In my last post I explained how we were using a point-to-point VPN connection to link the Network Optix office in Burbank to the HauteSpot office in Los Osos over standard broadband Internet connections using our HauteWRAP routers. This link has been up and running for three weeks now with no issues. It supports layer 2 network discovery of cameras and multicast (fully filterable and routable using PIM and IGMP).

Trinity VSE VPN using HauteSpot Routers
Over the last week we have expanded this capability to include plug-and-play point-to-multipoint VPN connections to support Veracity, IQInvision and Network Optix field demonstrations of the Trinity "serverless" VMS system. Using our WRAPNXi VPN router/gateway at the Veracity headquarters and WRAPLXi client routers in demo kits, sales staff can now take the Veracity office demo network on the road with them.

The WRAPNXi (data sheet is coming soon) is a 9-port gigabit Ethernet router that supports the same complete feature set as all HauteSpot routers, including layer 2 bridging, VPN gateway, BGP, RIP, OSPF and mesh routing, firewall, QoS management, full diagnostics, and more. Setting this up for "dial-in" layer 2 VPN was easy. User accounts can be stored on the router or on a RADIUS server, so you can scale up by simply adding more routers. The WRAPNXi can also support 2x2 or 3x3 multi-band MIMO wireless.

The WRAPLXi is a compact router with a single 10/100 Ethernet port and 2x2 multi-band MIMO wireless. It acts as a client router that can sit behind a broadband firewall router, configure itself automatically, and automatically establish a VPN connection to the WRAPNXi gateway. It then shares the VPN connection with any devices attached to it. To those devices, the remote network appears local.

ColdStore NAS Appliance
Veracity is using this network to connect cameras and PCs at customer sites with their demonstration network. At their main office they have a Veracity ColdStore Network Attached Storage device and a couple of IP cameras. In a field demo kit they have a HauteSpot WRAPLXi, a Veracity Camswitch Quad, an IP Camera, and an optional Veracity PointSource power supply.

Connections are secured using AES-256 encryption and certificate-based authentication (the certificates use SHA-1 signatures, which were standard when this was written; newer deployments should use SHA-256 signed certificates). The WRAPLXi units establish the connection automatically and can be configured for either wireless or wired client operation. As far as the cameras are concerned, they see the local network at the Veracity headquarters and can stream their video to the ColdStore NAS as if they were in the office.

Trinity client viewing cameras in New Jersey over VPN from California

Sales staff use the Trinity VSE client software to view live video from cameras both at the customer site and back at the Veracity office. They can also attach to the ColdStore NAS and scroll forward and back along a time line, moving from live viewing directly from the camera to stored video from the ColdStore.

This is an incredibly strong sales tool. But more importantly, it can be an incredible infrastructure for deploying Video Surveillance as a Service. Using the HauteSpot VPN architecture, you can securely connect remote locations over the Internet quickly, easily, and cost effectively.

Maybe we should call this "Virtual Networking as a Service" or "Networking on Demand".