Showing posts with label IPS.

15 November 2011

Democratizing the Internet Infrastructure

You have surely heard of the Internet black hole Egypt lived in when Mubarak's regime shut down the whole Internet during the January revolution. Other countries filter and censor the Internet; Tunisia, Syria and Iran are just a few examples. And recently the availability of the Internet to the demonstrators in the Occupy Wall Street movement has become an essential issue.

Isaac Wilder and Charles Wyble are two of the participants in OWS, and they are also the founders of an initiative to democratize the Internet infrastructure using Wireless Mesh Network technology. Their initiative is called the FNF (Free Network Foundation).

Let me first give you a quick brief about Wireless Mesh Networks. Normally at our homes we connect our access point to the Internet via some sort of wired technology, for example ADSL. But let's imagine that I get my ADSL connection and then give the Internet I have to my neighbour's Access Point wirelessly, and he in his turn gives it to his neighbour, and so forth. So we will end up with one Internet connection shared among us. You can compare it to peer-to-peer file sharing (Kazaa and Torrent), where users are connected in a sort of mesh network.

Basically, the above description is what a Wireless Mesh Network looks like, and it is already used, but in different scenarios. When you need to have wireless coverage outdoors, you normally need many Access Points to cover the whole area, but it is also hard to get dedicated Internet access to each of them, so you end up connecting one of them to the Internet over ADSL, and then sharing that Internet connection from one to the other using a mesh topology.

Now, from what I've read on the Free Network Foundation website, they are looking forward to having a similar mesh network that spans a whole metropolitan area or city. In the first stage each of those cities will be connected to the other cities using the Internet, but I can see that they have plans to use underutilized spectrum in the VHF and UHF bands to connect those cities without the need for the service providers' infrastructure whatsoever, i.e. we will end up replacing the Internet infrastructure we have today, and people will not be required to go to Internet Service Providers or Mobile Network Operators for Internet access any more.
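To make the neighbour-to-neighbour sharing above concrete, here is a small Python model I have added to this post (it is not FNF's code or anything from their site). Homes are nodes, wireless links are edges, and the "uplink" nodes are the few homes that own a wired ADSL line or a cross-city link. Each home reaches the Internet by hopping across its neighbours to the nearest uplink, and the last two calls show why a single uplink is the weak spot: losing a relay just re-routes traffic, but losing the only uplink is the blackout scenario. The street layout and the node names are constructed for the illustration.

```python
# Added example, not part of the original post: a toy model of the
# neighbour-to-neighbour sharing described above. Homes are nodes, wireless
# links are edges, "uplinks" are the few homes with a wired or cross-city
# connection. Topology and names are constructed for the illustration.
from collections import deque

def neighbours_map(links):
    """Build an undirected adjacency map from (a, b) wireless links."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def hops_to_uplink(adj, home, uplinks):
    """Fewest wireless hops from `home` to any uplink, or None if unreachable.

    Breadth-first search: a mesh node only knows its neighbours, so the path
    is discovered hop by hop rather than looked up at a central ISP.
    """
    if home in uplinks:
        return 0
    seen, queue = {home}, deque([(home, 0)])
    while queue:
        node, dist = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt in seen:
                continue
            if nxt in uplinks:
                return dist + 1
            seen.add(nxt)
            queue.append((nxt, dist + 1))
    return None

def coverage(links, uplinks, failed=()):
    """Map every surviving home to its hop count after removing `failed` nodes.

    Removing a relay shows the mesh re-routing around it; removing the only
    uplink shows the blackout the post describes (everyone unreachable).
    """
    live = [(a, b) for a, b in links if a not in failed and b not in failed]
    adj = neighbours_map(live)
    homes = {n for link in links for n in link} - set(failed)
    up = set(uplinks) - set(failed)
    return {h: hops_to_uplink(adj, h, up) for h in sorted(homes)}

# Constructed street: A owns the ADSL line; B..F share it over the air.
STREET = [("A", "B"), ("B", "C"), ("C", "D"), ("B", "E"), ("E", "D"), ("D", "F")]

if __name__ == "__main__":
    print(coverage(STREET, {"A"}))                      # everyone online via A
    print(coverage(STREET, {"A"}, failed=("C",)))       # D re-routes through E
    print(coverage(STREET, {"A"}, failed=("A",)))       # only uplink cut: blackout
    print(coverage(STREET, {"A", "F"}, failed=("A",)))  # second uplink keeps the street up
```

The fourth call is the point of the cross-city VHF/UHF links FNF talks about: once a neighbourhood has more than one way out, no single ISP line (or the order to cut it) can isolate it.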

How would such a system create cheaper Internet for everybody?

In the initial phase, people will be sharing their Internet connection, so they will be saving money, and as you can see, their future plan is to totally replace the ISPs and MNOs, which would decrease Internet access prices dramatically, if not make it free.

But in my humble opinion, making the Internet cheaper is just one benefit; the most important benefit here is that it will make it free from government and ISP censorship and control.

Is this feasible?

Well, we have already seen small-scale examples of what they are willing to do, so technically it should be feasible; however, I believe there will be many other obstacles, such as legal or economic issues.

For example, here in Egypt, no one is allowed to cover public areas using WiFi without having a license from the government, and this might be the case in other locations too. And if not, Mobile Operators will surely lobby to ban such a thing, as it will directly harm their business.

Also, I believe I can compare the FNF to Web 2.0. In Web 2.0 the content is generated by users, and here the infrastructure is built and operated by the users as well. And while we are at this analogy, a huge part of FNF's success relies on user participation. Facebook's success is totally dependent on the users' participation there, and on the number of photos and the content they share, like and comment on. So is FNF: it will only succeed if millions or hundreds of millions decide to participate in it; otherwise it might fail.

Where are wireless mesh networks typically used?

Nowadays they are typically used for covering outdoor areas, but as far as I know, all the available mesh networks are like separate islands, each of them built and controlled by a single business or governmental entity. FNF should do to the state of wireless Internet access what Gnutella and Kazaa did to file sharing, where the connection gets democratized and the network infrastructure will be owned and controlled by the people.

Have they ever been used in a protest context?

Many people thought of a similar solution when the Internet was down in Egypt during the January revolution, but it remained an idea, and I am happy to see FNF taking it further.
During the revolution (after the Internet came back), people living near Tahrir Square opened their Access Points for the demonstrators to use freely. Although what they did is a very basic thing compared to FNF's plans, it shows the need for such a solution, especially where governments can either totally shut the Internet down or at least censor it.

What is the difference between a WMN and VPN?

The two are very different. A WMN (Wireless Mesh Network) is meant to provide physical-layer connectivity to users, while VPNs (Virtual Private Networks) are built on top of that connectivity to provide connectivity and security (encryption) in the upper layers of the Internet stack.

To make it easier to understand, you can consider the WMN as the roads and streets that connect our houses together, while the VPN is the cars that run on those streets. Without the roads, no matter how good your cars are, they will be useless. A VPN can help fight government censorship of the Internet, but a WMN can fight both censorship and Internet blockage as well, which VPNs can't deal with.

Hint: This is basically how I understood FNF's ambitious initiative, and here are links to the Mesh Networks, Sovereign Computing, and Packet Radio projects listed on the FNF website.


Sources:
How Occupy Wall Street Is Building Its Own Internet
The Free Network Foundation

22 June 2010

PAN - Cloud is Overrated

I like how those Palo Alto Networks guys come up with new ideas every now and then. Many times their new ideas aren't more than marketing buzz, yet I like them. But this time I do not get their point at all.

Ok, they said that they came out with an endpoint security solution where agents on the endpoints will not inspect the traffic there but rather send it to the nearest PAN Firewall/UTM to inspect it!
"The Palo Alto endpoint protection takes a novel approach to overcoming this problem. Palo Alto is developing a small agent that will operate persistently on the host, detecting whenever the client connects to a public or private network. Rather than doing the traffic inspection on the client, the agent will compel all traffic to route through the closest home network. This means that all traffic will be inspected and passed through the existing network-based next-generation firewall", Channel Insider - Secure Channel Blog.
And this makes me wonder: how many Megas, if not Gigs, do we need to have on our PCs? Will it send every single executable I touch on my PC over the wire to be inspected regardless of its size, whether it is a few kilos or multiple Gigs? Why should a network device be bothered with inspecting activities that happen on hosts? I really don't get it. Maybe I am missing some points here, so would someone please help me understand their new approach?


12 April 2008

Network Element

During our Computer Networks course in the university, we used to study the differences between LAN Switches and Routers, and one of the main differences between them was that Switches forward traffic using the Layer-2 header (MAC address) while Routers forward traffic based on the Layer-3 header (IP address). Later on, in my professional life, I realized that there are also Layer-3 switches, and these Switches can do Routing, ACLs, Network Address Translation, and all the other Router functionalities.

According to Wikipedia, "The major difference between the packet switching operation of a router and that of a Layer 3 switch is the physical implementation. In general-purpose routers, packet switching takes place using a microprocessor, whereas a Layer 3 switch performs this using application-specific integrated circuit (ASIC) hardware". And maybe that's why Layer-3 switches have higher throughput and process more packets per second than routers. LAN Switches also have higher port density, and the cost of an Ethernet port on a Switch is much cheaper than that of a Router. Ok, in fact, the behaviour of the traffic in a LAN environment is different from that in an ISP, and that's why the Router's interface hardware is different from that of a Switch. The buffers and queues of a Router's interfaces are different from those of a Switch's interfaces, and that's why the Switch's interfaces are cheaper. But I am sure one day the Switch's interfaces will inherit those advanced features from their Router equivalents, especially with the boom of Metro Ethernet. Routers nowadays also support WAN interfaces such as Serial interfaces, E1s and STM-1s, while Switches on the other hand do not support such kinds of interfaces. MPLS is another protocol that you cannot find in Switches; however, Foundry's NetIron for example supports it.

As you can see, in the next few years the boundaries between LAN Switches and Routers are going to disappear.

Now, let's see what is going on in the Network Security field. We used to have Firewalls, IDSs/IPSs, Network-Based Antivirus, Antispam, Anti-X. Each one of those was a separate product. Now we just deploy a UTM, and it's a Firewall, IPS, Antivirus, all in a single box. UTMs may be suitable now for SOHO and Medium Enterprises more than ISPs and Large Data Centres due to their performance limitations and so on. But believe me, the advances in Processors and ASICs - Intel and Cavium Networks are doing a great job here - are capable of getting UTMs into your Data Centre soon.

But wait a minute, now the Network products are getting combined, and so are the Security products. What about combining the Network and Security products together as well? Ok, let's see what the two main players are doing. Cisco is adding security features to their ISR (Integrated Services Router).
"Cisco Integrated Services Routers help maximize the power of your organization’s network with unified network services, integrated security, mobility, and application intelligence", Cisco Systems.
They also decided to open their ISR to application developers to build their own applications and add-ons on top of it.
At the Cisco Partner Summit 2008 in Honolulu, the San Jose, Calif.-based networking giant unveiled the Cisco Application eXtension Platform (AXP). The AXP consists of open, Linux-based Cisco ISR hardware modules for application development and hosting to support a tighter integration of the network and applications. According to Inbar Lasser-Raab, Cisco's senior director of access routing and switching, several off-the-shelf and custom applications are already available for the ISR, along with a development and support ecosystem that includes a downloadable software development kit (SDK) and application programming interface (API) for application developers.
Lasser-Raab said opening the ISR to third-party applications, on top of the more than 30 services already available for the platform, creates a link between the network and applications and imbeds those applications directly onto the platform, instead of having them just hosted on the router. Services available for the ISR include VoIP, wireless, WAN access, unified communications and a host of security tools like NAC, IPS, content filtering and VPN.
Andrew R Hickey, ChannelWeb.
Juniper, on the other hand, introduced their SSG Series of Firewalls/UTMs a few years ago; they can have multiple LAN as well as WAN interfaces, and they can also run all those well-known dynamic routing protocols. Later on, Juniper wrapped Security Services into JUNOS, their Router and Switch operating system.
Juniper Networks (NSDQ:JNPR) took JUNOS one step further, announcing that it is now wrapping the security services typically found in its ScreenOS operating system into JUNOS, meaning ScreenOS firewall, IPsec VPN, NAT, DOS and D-DOS capabilities will run on top of JUNOS software.
Michael Frendo, Juniper's senior vice president of high-end security systems, said integrating security services into the vendor's line of J-Series services routers, with integration with EX switches to follow, solidifies Juniper's vision of "fast, reliable and secure networking".
Andrew R Hickey, ChannelWeb
Juniper opened their operating system to application developers even before Cisco.
Juniper has announced a Partner Solution Development Platform (PSDP) allowing customers and partners to develop specialized applications on its JUNOS operating system.
The company claims the PSDP is the industry's first partner development platform for a carrier-class network operating system, and anticipates its customers and partners will deploy new services unique to their businesses, and improve network operations productivity.
Rodney Gedda , Computerworld.
In brief, I don't think that in the coming few years there will be dedicated Firewalls, Switches, or Routers. There will be a Network Element instead: an all-in-one product that will be capable of doing all the Networking, Security and maybe IP Telephony tasks.


13 December 2007

Intrusion Detection Systems

In order to be able to continue my discussion about Firewall Evolution, I have to take you today to a different subject. As I said before, "A Firewall is a device that divides the network into different Zones, and controls who is supposed to talk to whom, using which Applications (Services), across those different Zones". But once Client (C) is allowed to talk to Server (S) using Application (A), he is then allowed to send whatever traffic he wants to that Application.

What's the difference between a Firewall and an IDS?
Let's say that Application A is vulnerable to XSS (Cross Site Scripting), i.e. it has a bug, and attackers can send malicious traffic to this Application that, taking advantage of this bug, can harm that Server or the people who deal with it. A Firewall can only block people from accessing this Application or permit them, but it can never know whether this traffic is malicious or not. A Firewall is only capable of inspection up to layer 4 (the Transport Layer), hence another solution is needed in order to inspect traffic up to layer 7 (the Application Layer). This solution is called an IDS, or Intrusion Detection System.

How does an IDS work?
But what kind of magic do IDSs do in order to detect those attacks? We are now in the application layer and there is no 5-tuple to inspect anymore, so IDSs use various techniques to detect attacks. Let's go back to our XSS example.
Imagine a web forum where different users can post articles and comments etc. So an attacker can forge his post to contain some HTML tags or JavaScript instead of clear text. The result will be the execution of those HTML tags or JavaScript in the other forum visitors' browsers.
Gr33n Data: Cross Site Scripting - XSS
So a simple IDS can look for a certain pattern - here it will be an HTML tag - in the traffic sent from the Client to the Web Server, since HTML code is normally sent from the Server to the Client and not in the other direction. This kind of intrusion detection technique is called Signature-Based Detection. Another technique used by IDSs is Behavior-Based Analysis, or Traffic/Protocol Anomaly Detection. When someone's PC is infected by a worm, it normally tries to connect to hundreds or even thousands of other PCs in order to try to infect them. This is how worms normally propagate, and this is what differentiates worms from viruses. So an IDS that is able to detect traffic anomalies will know that a certain PC is infected by a worm when it starts sending traffic to a large number of PCs in a short period.

By the way, the Antiviruses you use on your PC use similar techniques to detect malware. And you know what, the Antivirus updates you download every now and then are files containing the signatures it uses in Signature-Based Detection. And yes, an IDS needs to get periodic updates too, just like Antiviruses.

Signature-Based Detection is more accurate than Behavior Analysis in detecting attacks, but Signature-Based Detection can detect known attacks only, while Behavior Analysis can detect both known and unknown attacks, which are sometimes called Zero-Day Attacks. That's why Intrusion Detection Systems depend on both techniques together, and sometimes they implement more proprietary techniques.

Accuracy, what do I mean by accuracy?
When there is an attack and the IDS doesn't detect it, they call this a False Negative; on the other hand, when there is no attack and the IDS thinks that there is one, they call it a False Positive. A good IDS is one that tries to minimize both False Negatives and False Positives.
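Here is a toy IDS in Python that I have added to this post to tie the last three sections together; it is not code from any of the vendors or from Snort. It implements the two techniques described above (the "HTML tag going from client to server" signature, and a fan-out counter for worm-like traffic), then scores each detector against hand-labelled traffic so you can see a False Positive and a False Negative actually happen. The signatures, thresholds, window size, request bodies and flow records are all constructed assumptions for the illustration; a real IDS carries thousands of signatures and tunes these numbers per network.

```python
# Added example (not from the original post): a toy IDS combining the two
# techniques described above, signature-based and traffic-anomaly detection,
# plus a scorer that counts false positives / false negatives against
# constructed, hand-labelled traffic. Thresholds and samples are assumptions.
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# --- Signature-based detection ------------------------------------------------
# The post's single rule: an HTML tag travelling from client to server is
# suspicious, because HTML normally flows the other way.
HTML_TAG = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")

def signature_alert(direction, payload):
    """True if a client->server payload contains an HTML tag.

    The payload is percent-decoded first so a form-encoded body is inspected
    the way the web application will see it, not the way it looks on the wire.
    """
    if direction != "c2s":
        return False            # server->client HTML is normal, not inspected
    return HTML_TAG.search(unquote_plus(payload)) is not None

# --- Anomaly-based detection --------------------------------------------------
FANOUT_THRESHOLD = 20   # distinct peers a host may contact within WINDOW (assumed)
WINDOW = 10.0           # seconds (assumed)

def anomaly_alerts(flows):
    """Return the set of source hosts whose fan-out exceeds the threshold.

    flows: iterable of (timestamp_seconds, src, dst). A sliding window over
    each source's flows counts distinct destinations; a worm hunting for new
    victims produces exactly this burst of connections to many peers.
    """
    by_src = defaultdict(list)
    for ts, src, dst in flows:
        by_src[src].append((ts, dst))
    flagged = set()
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            if len({d for _, d in events[start:end + 1]}) > FANOUT_THRESHOLD:
                flagged.add(src)
                break
    return flagged

# --- Accuracy: false positives and false negatives ----------------------------
def score(alerted, labels):
    """labels: {item: True if it really is an attack}; alerted: items flagged.

    Returns (true_pos, false_pos, false_neg, true_neg).
    """
    tp = sum(1 for k, bad in labels.items() if bad and k in alerted)
    fp = sum(1 for k, bad in labels.items() if not bad and k in alerted)
    fn = sum(1 for k, bad in labels.items() if bad and k not in alerted)
    tn = len(labels) - tp - fp - fn
    return tp, fp, fn, tn

# --- Constructed sample traffic (the labels are the ground truth) -------------
REQUESTS = {  # id: (direction, payload, is_attack)
    "r1": ("c2s", "body=Hello+everyone", False),
    "r2": ("c2s", "body=%3Cscript%3Ealert(1)%3C%2Fscript%3E", True),  # encoded tag
    "r3": ("c2s", "body=I+think+a+%3C+b+here", False),               # bare '<', no tag
    "r4": ("s2c", "<html><body>Welcome</body></html>", False),        # normal response
    "r5": ("c2s", "body=<b>bold</b>+text", False),                   # benign markup -> FP
}

FLOWS = (
    [(t * 0.1, "10.0.0.5", f"10.0.1.{t}") for t in range(30)]   # worm burst: 30 peers in 3 s
    + [(t * 1.0, "10.0.0.6", f"10.0.2.{t}") for t in range(5)]  # ordinary client: 5 peers
    + [(t * 5.0, "10.0.0.7", f"10.0.3.{t}") for t in range(25)] # backup server: 25 peers over 2 min
    + [(t * 0.2, "10.0.0.8", f"10.0.4.{t}") for t in range(12)] # infected but quiet: 12 peers -> FN
)
HOST_LABELS = {"10.0.0.5": True, "10.0.0.6": False, "10.0.0.7": False, "10.0.0.8": True}

def run_signature_ids():
    alerted = {rid for rid, (d, p, _) in REQUESTS.items() if signature_alert(d, p)}
    labels = {rid: bad for rid, (_, _, bad) in REQUESTS.items()}
    return score(alerted, labels)

def run_anomaly_ids():
    return score(anomaly_alerts(FLOWS), HOST_LABELS)

if __name__ == "__main__":
    print("signature tp/fp/fn/tn:", run_signature_ids())
    print("anomaly   tp/fp/fn/tn:", run_anomaly_ids())
```

Run it and you get one False Positive from the signature side (a user who simply typed a bold tag in his post) and one False Negative from the anomaly side (an infected host that stays below the fan-out threshold). That is the trade-off the accuracy section is about: lowering the threshold would catch the quiet host but start flagging the backup server, and loosening the signature would flag more legitimate posts. It is also why vendors run both techniques together instead of picking one.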

IDS is dead, long live the IPS
An IDS is more complicated than a Firewall; it needs more processing and analysis, which may impose some delays. It's also not accurate. That's why people preferred not to deploy them inline: the traffic doesn't pass through them, they just see a copy of it, and they do not take actions to block or permit traffic. They are just passive devices that fire an alarm whenever they detect an attack.

And that's why a few years ago a new technology was born: an IPS is just an IDS, but it is deployed inline and capable of taking the decision to block or permit traffic. By doing so, IPS vendors were forced to increase their products' accuracy as well as processing power.

IPS Vendors
Nowadays the top players in the IPS field are TippingPoint (3Com), IntruShield (McAfee), NetScreen IDP (Juniper), and ISS Proventia (IBM). Cisco also have their own "IPS". And if you are an Open Source fan, you can try Snort; these guys have good documentation and papers here.
