Heartbleed attacks and Internet security: Prevention is better than cure

Our daily data traffic on the Internet has reached dimensions that can hardly be put into numbers. In June 2014, for example, an average of 1.7 Tbit/s was carried through DE-CIX in Frankfurt, the largest Internet exchange point worldwide. A large share of that traffic belongs to critical applications handling financial or personal data. Whether stock market transactions, online shopping or home banking, anyone who carries out such transactions implicitly assumes that confidentiality, integrity and authenticity are guaranteed at all times.

For years, such processes have been established on the basis of technologies that encrypt and secure data in transit. Here SSL, and its successor TLS, has become the de facto standard.

However, it has also turned out that web servers, NAS devices, gateways and routers are vulnerable because of an implementation error in a widely used SSL/TLS library (OpenSSL, CVE-2014-0160, known as Heartbleed): sensitive data can be read out of them, and the read leaves no trace that would let the victim recognise it as an attack. Particularly worrying is that a wide variety of services which protect their data via SSL/TLS are affected, including e-mail (POP3S, IMAPS and SMTP with STARTTLS).

Anatomy of a “heart defect”

Looking closely at the problem, one realizes that the actual error is comparatively simple. To keep a connection alive, so-called heartbeats are sent between the communicating partners. The sender transmits a short piece of data (the payload) together with a field stating its length, and the receiver sends the same data back.

The problem results from the fact that the receiver does not verify how much data has actually arrived. If the sender “lies” and sends only a single byte while claiming to have sent 64 Kbyte (the length field is 16 bits wide, so that is the maximum per request), the receiver willingly answers with that many bytes taken from its own random access memory, starting at the byte it received. In effect the attacker reads the memory of the remote station.

If someone uses this procedure systematically and repeatedly, large quantities of credit card information and passwords can be harvested. Moreover, it proved possible to reach the innermost part of a server and extract its private key. The consequence would be that a perfect imitation of the server could be placed on the Internet and users would not notice, because they would get no warning about a forged certificate.
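The mechanism described in the three paragraphs above, as an added example in C that is not part of the original post and not OpenSSL's own code: a single-buffer simulation of HeartbeatRequest handling. The record layout follows RFC 6520 (type, 16-bit payload_length, payload, at least 16 bytes of padding); the vulnerable and fixed responders follow the shape of OpenSSL 1.0.1f and of the bounds checks added in 1.0.1g. The "secret" placed behind the record, the buffer size and all function names are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* minimum padding required by RFC 6520 */
#define MEM_SIZE         256  /* size of the simulated receive buffer (demo value) */

/* Constructed "secret" that happens to lie in memory right behind the record. */
static const unsigned char SECRET[] = "user=alice&pass=Tr0ub4dor";

/* 1 if needle occurs anywhere in hay; tolerates embedded NUL bytes. */
static int contains(const unsigned char *hay, size_t hay_len,
                    const unsigned char *needle, size_t needle_len)
{
    if (needle_len == 0 || needle_len > hay_len)
        return 0;
    for (size_t i = 0; i + needle_len <= hay_len; i++)
        if (memcmp(hay + i, needle, needle_len) == 0)
            return 1;
    return 0;
}

/* Write a HeartbeatRequest: type | payload_length (network order) | payload | padding.
 * claimed_len is what the header says, actual_len what really follows: the lie.
 * Returns the number of bytes that really went "on the wire". */
static size_t build_heartbeat(unsigned char *out, const unsigned char *payload,
                              size_t actual_len, uint16_t claimed_len)
{
    out[0] = TLS1_HB_REQUEST;
    out[1] = (unsigned char)(claimed_len >> 8);
    out[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(out + 3, payload, actual_len);
    memset(out + 3 + actual_len, 0, HB_PADDING);
    return 3 + actual_len + HB_PADDING;
}

/* Vulnerable responder, modelled on OpenSSL 1.0.1 to 1.0.1f: rec_len (the bytes
 * actually received) is never consulted, so memcpy reads past the real payload
 * into whatever follows the record in memory. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *resp)
{
    const unsigned char *p = rec + 1;                        /* skip type */
    uint16_t payload_len = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    (void)rec_len;                                           /* the missing check */
    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = (unsigned char)(payload_len >> 8);
    resp[2] = (unsigned char)(payload_len & 0xff);
    memcpy(resp + 3, p, payload_len);                        /* over-read happens here */
    memset(resp + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Fixed responder with the two bounds checks of OpenSSL 1.0.1g. Returns 0
 * (nothing sent) when the record is too short or the claimed length exceeds
 * what arrived; the request is silently discarded. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *resp)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return 0;
    const unsigned char *p = rec + 1;
    uint16_t payload_len = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len)
        return 0;
    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = (unsigned char)(payload_len >> 8);
    resp[2] = (unsigned char)(payload_len & 0xff);
    memcpy(resp + 3, p, payload_len);
    memset(resp + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Simulated process memory: a 1-byte heartbeat with the given header at the
 * front, the constructed secret immediately behind it. Returns the record's
 * real length. The caller caps claimed_len so the over-read stays inside this
 * buffer and the demo remains well-defined C. */
static size_t lay_out_memory(unsigned char *mem, uint16_t claimed_len)
{
    memset(mem, 0xAA, MEM_SIZE);
    size_t rec_len = build_heartbeat(mem, (const unsigned char *)"X", 1, claimed_len);
    memcpy(mem + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

/* 1 if the vulnerable responder leaks the secret for a 1-byte payload whose
 * header claims claimed_len bytes. */
int vulnerable_leaks_secret(uint16_t claimed_len)
{
    unsigned char mem[MEM_SIZE], resp[3 + MEM_SIZE + HB_PADDING];
    if (claimed_len > MEM_SIZE - 3)
        claimed_len = MEM_SIZE - 3;
    size_t rec_len = lay_out_memory(mem, claimed_len);
    size_t n = heartbeat_vulnerable(mem, rec_len, resp);
    return contains(resp, n, SECRET, sizeof SECRET - 1);
}

/* 1 if the fixed responder discards the same lying request. */
int fixed_discards(uint16_t claimed_len)
{
    unsigned char mem[MEM_SIZE], resp[3 + MEM_SIZE + HB_PADDING];
    if (claimed_len > MEM_SIZE - 3)
        claimed_len = MEM_SIZE - 3;
    size_t rec_len = lay_out_memory(mem, claimed_len);
    return heartbeat_fixed(mem, rec_len, resp) == 0;
}

/* 1 if an honest 1-byte heartbeat still gets a correct echo from the fixed
 * responder and nothing beyond the payload leaks. */
int fixed_answers_honest(void)
{
    unsigned char mem[MEM_SIZE], resp[3 + MEM_SIZE + HB_PADDING];
    size_t rec_len = lay_out_memory(mem, 1);
    size_t n = heartbeat_fixed(mem, rec_len, resp);
    return n == 3 + 1 + HB_PADDING && resp[0] == TLS1_HB_RESPONSE
        && resp[3] == 'X' && !contains(resp, n, SECRET, sizeof SECRET - 1);
}

int main(void)
{
    printf("vulnerable responder leaks secret: %d\n", vulnerable_leaks_secret(64));
    printf("fixed responder discards request:  %d\n", fixed_discards(64));
    printf("fixed responder echoes honest one: %d\n", fixed_answers_honest());
    return 0;
}
```

The two checks in the fixed responder are the whole patch in spirit: the record must be long enough to hold a header and padding, and header plus claimed payload plus padding must fit in what was actually received. Note that the fix discards silently rather than alerting, which is why the attack left nothing in the logs.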

Is it possible for your data security to recover from a “heart attack”?

Users and affected parties find themselves in a rather uncertain situation. For the systems we have access to, we must establish as quickly as possible whether they are exposed; this can be done together with the respective manufacturer. The check has to cover the OpenSSL version actually built into the product: the 1.0.1 branch up to 1.0.1f is affected, while 1.0.1g and later, and the older 1.0.0 and 0.9.8 branches, are not.

If a system is affected, it must be updated quickly. It is also advisable to replace the digital certificates, with newly generated private keys rather than a reissue of the old key, and to revoke the existing certificates, even if this is “only” a precaution, because the private key may already have been read. For services to which we have no access, we have to rely on the respective provider to restore security as soon as possible. Changing passwords only makes sense once the provider has patched and renewed its certificates; a password changed on a still-vulnerable server can simply be read again.

Take security preventive measures

The use of Open Source, and in this case of OpenSSL in particular, shows how a fundamental and critical piece of Internet infrastructure can crumble overnight.

When you look behind the scenes and see how few software engineers actually work full-time on its maintenance and development, it is indeed thought-provoking.

As a manufacturer, we also ask ourselves which is the correct way into the future.

The affected software components are not deployed in any of Teldat's products. Nevertheless, we see it as part of our responsibility towards our partners and clients to keep developing our products continually and even more intensively.

AUTHOR: Bernd Büttner


Hybird solutions: a single device for every branch office

All of a sudden the office has become a very complicated place, with a lot of electronic devices that need to be configured, maintained, powered, secured, updated and wired (or maybe not, because they are part of a WLAN). Even though most manufacturers try to make their equipment as simple, as compatible and as plug-and-play as possible, making sense of this mess can be very frustrating for the one person who carries all the technical responsibility in an SME.

Is there any way of simplifying SME technical environments?

As far as functionality and technical requirements are concerned, data, voice, security and management are the main aspects that lead to a purchasing decision in the SME segment. From the customer's perspective, every desired feature and function must work properly and continuously, because otherwise they lose money and time, and they usually have neither to spare. Once this is given, further factors such as usability, deep integration into the existing technical environment and, in particular, costs play a decisive part; many forget them, but they can be as important as the functional needs.

The main problem is that all these functions are necessary and, up to now, each one requires a separate device. Professional daily work, including secure and fast access to the Internet and external cloud services as well as to internal server applications within the company and its branches, is as essential as the flexible convergence of telephony and data services. In large companies, telephony and data services are already integrated into office applications and everyday processes. Small companies increasingly want the same benefits, because complex workflows can be handled more easily and quickly. Their point of view is different, however, since they have no specialised department to handle the whole integration and configuration process.

In this regard, costs and effort are always issues to deal with. Every point requires specialists, who in addition have to work in a coordinated way. The firewall should not only guarantee secure access to all the video, voice, data and fax services needed on the Internet and in subsidiaries, but also prevent unauthorised access to the company's own servers. Furthermore, the existing IT infrastructure, such as network wiring and the different wireless technologies (for instance wireless LAN and DECT), and the different services have to be coordinated so that time-critical voice services and data transfer do not hinder each other. Hence, quality of service has to be set up appropriately in the LAN as well as in the WAN, in order to prevent dropouts during telephone calls or even loss of connection. Tuning each single component is often a major challenge, and yet applications and devices have to interact reliably. Full transparency between the different systems and the ability to identify errors are fundamental requirements for SMEs that want to maintain the solution by themselves.

To make things a bit more complicated, Green IT is a further buzzword that influences the decision. Green IT does not only mean proposals to save energy and costs; regulations worldwide force manufacturers and consumers to pay more and more attention to these points. It is therefore important for SMEs to be able to run services on virtual servers, which is not always possible in the heterogeneous protocol environment of unified communications. In practice, virtual servers are already the most important precondition for running several services on one local server or in the cloud, saving electricity for the computers and especially for their cooling. The number of permanently active devices on the network should be kept as small as possible.

Hybird devices simplify SME IT needs

All this points to a strong trend, driven by the SME market, towards highly integrated and compact systems that cover a variety of functions and present them to the user in a simple, consistent way. Open interfaces for further integration into the SME's environment are important from the first workstation on.

So the answer to the question is yes! There is a way of simplifying SME IT needs!

Teldat has brought the experience of several company areas together and, with the devices of the hybird family, offers a powerful compact solution that provides a professional and solid basis for filling the market gap with one-device office solutions.

Please connect with us and ask about the Hybird solutions. You will learn how Teldat can help you out of this problem.

AUTHOR: Randolf Mayr

Router and Server for onsite applications

It is obvious to say that corporate communications have evolved. Not so long ago, a few decades back, “dumb” terminals were connected to a mainframe. A significant evolution followed with the introduction of X.25, Frame Relay and ISDN; for corporate communications it had the same importance as the discovery of fire had for prehistoric man. More recently, IP networks changed the communication landscape completely, which could be compared to the invention of the wheel. High-speed connections such as DSL and fibre can be called “the Industrial Revolution” of network communication, making broadband accessible anywhere. Finally, today's trend towards “Cloud Computing” is in some way returning communications to where they started, as the intelligence is once again being centralised, this time within “the Cloud”.

The “Cloud Computing” and its implementation in companies

Cloud Computing is at an initial stage as far as corporate communications are concerned, but nobody doubts that it will grow significantly in a short period of time, as it has grown and is still growing in residential use with applications such as Google Apps, Microsoft Office 365 or Dropbox. It should surprise nobody that the residential market is ahead of the corporate market in ICT and communications; the same happened with ADSL, FTTH and 4G connectivity. The open questions are whether corporate clouds will be public, private or hybrid, and how fast companies will migrate. It is clear, however, that virtualisation is here to stay, as its advantages are obvious. So what are the benefits of virtualisation for companies?

  • Reduced CAPEX and OPEX at the network periphery, because hardware and software resources are centralised in the Cloud.
  • A clear improvement in the control, security and reliability of data and applications.
  • Flexibility in resource allocation.
  • License control.

Problems you can encounter with virtualisation

The evolution of applications towards the Cloud is not necessarily problem-free. Firstly, the connectivity requirements for a proper user experience are more demanding than when processing and storage are local, so special attention should be paid to redundancy, security and network optimisation. Secondly, some applications that generate a large amount of traffic locally, such as Digital Signage or Content Management, do not scale well in the Cloud, and there is no longer a local server at the site for those tasks. The same applies to non-IP devices such as printers, alarms, access control, web cameras and so on that need a USB or perhaps even a serial port: they require a local interface and local processing before they can be adapted to the Cloud. Regardless of all this, there is one device in the middle of everything mentioned above that has to be maintained anyway and, taking all of the above into account, is of utmost importance: the router.

The “router” as solution to various problems in Cloud Computing

The router at the branch office is what connects users to applications, so the user experience depends entirely on the router's efficiency and stability. But what role is the router going to play in the new Cloud Computing scenarios? At first sight a minimal one could suffice, but could the router expand its role into a more active player in these scenarios? Certainly, this is the way forward. Because of its strategic position between users and applications, it can provide the extra security and optimisation these scenarios require, and because of its position within the branch office it can be the extension of cloud applications for interacting with local devices. The remaining questions are: Does it have the processing power to run applications? Does it have the storage capacity certain applications require? Does it have a management tool to run local processes safely? In the past these tasks were not expected of a router, so such features were not available or were very limited. At most, makeshift solutions integrated additional hardware (a mini-PC) into the router chassis. Today, fully converged solutions based on multicore processors are possible, integrating two virtual devices, Router + Server, in one physical device, each with its own software and operating system, including an HDD or SSD and USB interfaces for local devices. These new “Cloud Ready” routers support applications that can no longer run on local servers, such as security (antivirus, antispam, SIEM probes, content filtering), optimisation (web cache, video proxy, cloud-replicated NAS and virtual desktop repository), local audit or digital signage (DLNA based). A general-purpose server at the WAN edge must of course be patched and hardened like any other exposed host. Teldat specialises in “Cloud Ready” routers supporting the applications mentioned above, which are currently available in our portfolio. What is more, there are no restrictions on possible applications: as the router has a standard Linux operating system, customer or third-party apps can be developed for it.

AUTHOR: Marcel Gil, SD-WAN Business Line Manager

What to expect from 802.11ac. Has the moment for enterprise networks arrived?

Currently there is a lot of noise in the press about the new, so-called Gigabit 802.11ac standard. The upgrade to 802.11ac certainly has technical advantages, but even so: is now the right time to upgrade your enterprise network, or is the new technology not yet mature?

This analysis has to consider company requirements, as that is the market Teldat products are aimed at. In a home or SOHO environment, one access point has to serve a small number of WLAN clients with excellent performance. In a typical enterprise deployment there are many access points covering a large office area, and the main need is to serve a large number of roaming, unevenly distributed clients; for that, good average Wi-Fi performance is sufficient.

802.11ac operates exclusively in the 5 GHz band but is backward compatible with existing clients. Current chipsets promise data rates of up to 1.3 Gbit/s; this is the physical rate, and the net rate is about 50% lower. The performance gain comes mainly from two improvements. Firstly, 802.11ac achieves its headline rates with 80 MHz wide channels, four times the 20 MHz of a basic 802.11n channel, and there is even an optional 160 MHz variant. This very high bandwidth requirement, however, complicates an overlap-free (and thus interference-free) channel plan within companies. Depending on the channel width, only two 80 MHz channels or a single 160 MHz channel fit into the indoor 5 GHz band (5150 to 5350 MHz in Europe). So precisely because of the wide channels, bottlenecks can appear in enterprise networks, which tend to have many access points and many clients per channel: neighbouring access points end up on the same channel, and fewer clients can be served simultaneously. This could be a real problem for business networks.

The second improvement is that, in addition to 64-level quadrature amplitude modulation (64-QAM), 802.11ac adds 256-level modulation (256-QAM). However, 256-QAM requires a very good signal-to-noise ratio, which is only achieved at short distances from the access point. If the signal-to-noise ratio is not adequate, the devices fall back to 64-QAM or lower.
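How the headline 1.3 Gbit/s and the two improvements above fit together, as an added example that is not from the original post and not Teldat code: the 802.11ac PHY rate is spatial streams times data subcarriers per channel width times bits per subcarrier times coding rate, divided by the OFDM symbol time. The subcarrier counts and the MCS table are those of the 802.11ac PHY; the function names are assumptions of this example. The same function shows what the same client gets when the channel plan falls back to 40 or 20 MHz.

```c
#include <stdio.h>

/* Data subcarriers (N_SD) per VHT channel width, from the 802.11ac PHY. */
static int vht_data_subcarriers(int bw_mhz)
{
    switch (bw_mhz) {
    case 20:  return 52;
    case 40:  return 108;
    case 80:  return 234;
    case 160: return 468;
    default:  return 0;   /* not a VHT channel width */
    }
}

/* VHT MCS index 0..9: bits per subcarrier (modulation) and BCC coding rate. */
struct vht_mcs { int bits_per_sc; int code_num; int code_den; };
static const struct vht_mcs VHT_MCS[10] = {
    {1, 1, 2},   /* 0: BPSK    1/2 */
    {2, 1, 2},   /* 1: QPSK    1/2 */
    {2, 3, 4},   /* 2: QPSK    3/4 */
    {4, 1, 2},   /* 3: 16-QAM  1/2 */
    {4, 3, 4},   /* 4: 16-QAM  3/4 */
    {6, 2, 3},   /* 5: 64-QAM  2/3 */
    {6, 3, 4},   /* 6: 64-QAM  3/4 */
    {6, 5, 6},   /* 7: 64-QAM  5/6 */
    {8, 3, 4},   /* 8: 256-QAM 3/4 */
    {8, 5, 6},   /* 9: 256-QAM 5/6 */
};

/* PHY data rate in Mbit/s:
 *   rate = N_SS * N_SD * bits_per_sc * coding_rate / T_SYM
 * with T_SYM = 3.6 us (short guard interval) or 4.0 us (long GI).
 * Returns 0 for parameters outside the standard. The standard also excludes
 * a few individual combinations (for example MCS 9 at 20 MHz with one
 * stream); this function does not model those exclusions. */
double vht_phy_rate_mbps(int mcs, int bw_mhz, int nss, int short_gi)
{
    int nsd = vht_data_subcarriers(bw_mhz);
    if (mcs < 0 || mcs > 9 || nss < 1 || nss > 8 || nsd == 0)
        return 0.0;
    const struct vht_mcs *m = &VHT_MCS[mcs];
    double data_bits_per_symbol =
        (double)nss * nsd * m->bits_per_sc * m->code_num / m->code_den;
    double t_sym_us = short_gi ? 3.6 : 4.0;
    return data_bits_per_symbol / t_sym_us;   /* bits per microsecond = Mbit/s */
}

int main(void)
{
    const int widths[] = {40, 80, 160};
    printf("MCS 9 (256-QAM 5/6), short GI, PHY rate in Mbit/s\n");
    printf("  MHz   1 stream  2 streams  3 streams\n");
    for (int i = 0; i < 3; i++)
        printf("  %3d  %9.1f  %9.1f  %9.1f\n", widths[i],
               vht_phy_rate_mbps(9, widths[i], 1, 1),
               vht_phy_rate_mbps(9, widths[i], 2, 1),
               vht_phy_rate_mbps(9, widths[i], 3, 1));
    printf("20 MHz, 1 stream, MCS 8 (256-QAM 3/4): %.1f Mbit/s\n",
           vht_phy_rate_mbps(8, 20, 1, 1));
    printf("20 MHz, 1 stream, MCS 7 (64-QAM 5/6, 802.11n-class): %.1f Mbit/s\n",
           vht_phy_rate_mbps(7, 20, 1, 1));
    return 0;
}
```

The 1.3 Gbit/s figure is exactly three streams at 80 MHz with 256-QAM 5/6 and short guard interval (3 × 433.3 Mbit/s). The same three-stream client on a 40 MHz channel gets 600 Mbit/s and on 20 MHz about 260 Mbit/s, which is the trade-off a channel plan with many access points has to make; and when the signal-to-noise ratio forces the fallback from MCS 9 to MCS 7, the rate drops by another 10/8 × 5/6 factor before any of the ~50% protocol overhead is counted.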

An important point is the economic aspect. A possible migration to 802.11ac should analyse the network infrastructure as well as the planning costs. Current 802.11ac devices are very power hungry and require the higher PoE power class (802.3at), so new switches may have to be purchased. In addition, the first 802.11ac products are considerably more expensive than the best 802.11n devices.

The new 802.11ac standard brings another technical improvement that is very important for raising performance with many clients, especially in enterprise networks: MU-MIMO (Multi-User MIMO). Without MU-MIMO an access point transmits to one client at a time, so three 1×1 MIMO clients on a 3×3 MIMO access point take turns on a single spatial stream. With MU-MIMO the access point can transmit to several such clients simultaneously, each receiving its own stream. In the ideal case that triples the throughput, or lets each access point serve three times as many clients; in any case a significant improvement. Note that in 802.11ac MU-MIMO works only in the downlink direction, from access point to client.

MU-MIMO is therefore particularly interesting for enterprises, where the concern is less about giving a single client the highest possible throughput and more about connecting as many users as possible with good performance. MU-MIMO is not yet available in current chipsets, and that is the most significant reason why 802.11ac is still not quite ready for business use.

Teldat's R&D department works closely with semiconductor manufacturers and the latest available technologies to launch, in the coming months, a dual-radio enterprise access point that combines the advantages of 2.4 GHz 802.11n with the new 802.11ac technology. This next-generation 802.11ac access point will be more efficient both in energy consumption and in serving mobile 802.11ac terminals.

AUTHOR: Hans-Dieter Wahl, WLAN Business Line Manager

Internet on the rails

Cellular networks enable new services by making Internet access ubiquitous. Their increasing coverage, reliability and speed allow businesses and end customers alike to take advantage of new possibilities, although at the same time they increase the dependence of everyday activities on Internet availability.

However, certain areas do not receive reliable cellular coverage. A typical case is railway networks, which can include long stretches through uninhabited regions where deploying a cellular network is not cost-effective. Even in areas with coverage, passengers' access to cellular networks is hindered by the attenuation of the signal by the train's own body, and some passengers may face high roaming tariffs to access the Internet. Besides passengers, M2M units and the train staff could also greatly benefit from network connectivity, but they face the same challenges.

Different approaches can be followed to provide Internet access aboard a moving train.

The first option is for the cellular network operator to deploy additional cellular capacity along the railway tracks. This solution is rarely cost-effective, the signal is still obstructed by the coachwork of the train, and passengers need a contract with that particular operator to enjoy network access.

Another option is to use signal repeaters (possibly even aboard the train). However, this is only feasible in areas where there is some signal to begin with, and network capacity is seriously affected.

A better option is to establish an independent network aboard the train. M2M systems can be connected with Ethernet cabling, and Wi-Fi can be deployed to reach every corner. An onboard router controls the upstream connections and can combine different network access technologies (cellular with external high-gain antennas, satellite, and Wi-Fi along the tracks) to ensure failsafe and high-speed connectivity. Additional routers may be deployed for higher redundancy.

Having a full network with high-speed Internet connectivity aboard the train opens many new possibilities to streamline rail operations and, at the same time, creates customer loyalty by offering an incentive to travel by train instead of driving or flying.

Among the many new services that can be deployed, some relate to train operation, such as:

•    Real-time central access to on-board cameras for security purposes.
•    Remote monitoring and management of on-board systems.

But we should not forget services catered to the passenger:

•    Internet access (free or at a cost).
•    Display of information on internal screens including maps, schedules of connecting trains, and advertisements.
•    Access to on-board cafeteria or restaurant for orders.

When several services are deployed, the routers aboard the train must ensure that they operate independently and do not interfere with one another. When bandwidth is scarce, the routers must also make sure the most critical services are served first (quality of service). In addition, sensitive information, such as camera feeds and monitoring data crossing the public cellular or satellite uplinks, must be protected with strong encryption, and the solution must offer flexible management and failsafe operation.

Teldat has built a range of routers and access points which are especially designed and certified for the demanding environment found aboard a train. The H1 Rail routers and W2002T-n access points combine to offer endless possibilities aboard rolling stock.

In order to remain competitive in an increasingly complex market, train operators need to streamline their operations and find new ways to ensure customer loyalty. Full Internet connectivity aboard the trains is a cost-effective way to quickly improve both.

AUTHOR: Daniel Alvarez Wise