The most recent articles from IT Week

Stick with HSUPA for faster downloads

Dave Bailey — 2008-01-24T00:00:00.000Z

Dave Bailey, IT Week, Thursday 24 January 2008 at 00:00:00

The UK’s fastest mobile connectivity can now be accessed via a handy USB modem stick

Launched earlier this month, Vodafone’s USB modem stick is a neat little device for accessing the operator’s High-Speed Uplink Packet Access (HSUPA) service.

Vodafone upgraded its network throughout autumn 2007 to allow HSUPA access, and released a pebble-style HSUPA modem in early December. The new USB stick device is much smaller than the pebble and should therefore prove more attractive to road warriors.

We tested the device using Windows XP Professional and Windows Vista Ultimate running on a Dell Precision M50 laptop. Vodafone’s HSUPA service currently covers most of central London as well as several major airports. The device comes with all the software required to install the modem, which meant we could start accessing the internet or using the SMS function after about five minutes.

Our tests looked at download data transfer rates in the W1 and N17 London postcode areas. The fastest sustained data transfer rates we achieved were 2Mbit/s in W1 and 800kbit/s in N17. The highest rate we saw was a 2.6Mbit/s burst in W1.

As well as quick data transfer speeds, HSUPA also offers significantly lower latency the time it takes for transmit and receive signals to traverse network infrastructures. The lower the latency, the faster web pages can be drawn.

To assess latency, we pinged Google’s web site and recorded an average of 110ms for the HSUPA connection. In tests last November, Orange’s High-Speed Downlink Packet Access (HSDPA) service gave ping times of around 170ms.

Vodafone’s usage tracker records the volume of data transferred, or can be set to record time-based usage. However, the system only displays rates for the current month or last month, and only for the PC the modem is used on. It would have been nice if the modem had the ability to send usage data to a central system to enable administrators to monitor traffic patterns.

Users can set data volume or time access limits, and can choose to be warned either just before the limit is reached, and when it is reached or exceeded.

The modem costs £49 plus a flat rate of £25 per month, with a fair usage policy of 3GB per month. Vodafone said it will not charge for out-of-contract usage “within reason”.

Review: Appliances boost log management

Dave Bailey — 2008-01-16T00:00:00.000Z

Dave Bailey, IT Week, Wednesday 16 January 2008 at 00:00:00

LogLogic 4 allows real-time analysis of data logs to aid compliance and risk mitigation

LogLogic’s turnkey appliance-based system for the capture and processing of log data should appeal to any enterprise that is required to demonstrate compliance with corporate governance regulations such as Sarbanes-Oxley and the Payment Card Industry (PCI) Data Security Standard.

The LogLogic appliances we reviewed were from the high end of the firm’s two product families. The LX Series 2010 appliance performed real-time log collection and analysis functions, while the ST Series 3010 system that we daisy-chained to the LX2010 automated the archiving of the logs, applying certificated timestamps to protect them against tampering.

After attaching the two appliances to IT Week Labs network, both the LX2010 and ST3010 were loaded with eight Seagate Barracuda serial ATA (Sata) hard disks and two power supply modules. The appliances were ready to run after disk synchronisation, which took between 10 and 15 minutes.

Both appliances are 2U high and use AMD 2.4GHz dual-core Opteron processors. Due to its role as the archival and log forensics appliance, the ST3010 has 2GB of memory and 4TB of storage twice that of the log-collecting LX2010 appliance. The LX2010’s 2TB of disk storage is set up as Raid 1+0, while the 4TB used by the ST3010 is configured as Raid 5+1, which maximises both fault-tolerance and availability.

We managed the initial setup through a standard serial console. After we had got the LX2010 to autodiscover our IT assets and set up both appliances to access an NTP server, we were able to continue managing the appliance using either a web browser from our Windows Server 2003 system, or a free Telnet/SSH client such as Putty.

To make our test as realistic as possible, we set up a script to populate the appliances with significantly more log data than would normally be generated by IT Week Labs network infrastructure.

Interface

The LX2010’s web interface is divided into two sections. The upper section holds the dashboards, real- time log data views and alerts, together with all the reporting options, while the lower section holds the administration and maintenance features.

The top half of the interface has eight tabs down the side, which drill down into numerous sub-tabs. The main tabs are: Dashboards, Real-Time Viewer, Search, Alerts, Custom Reports, Real-Time Reports, Summary Reports and Preferences.

Clicking on the Management Station dashboard brings up a graph of the number of log messages processed by the LX2010 over time, and also the number of messages processed per second, which could allow IT managers to see any abnormal log activity. Any outstanding alerts and a table of messages skipped, unapproved, truncated or dropped can also be seen.

The System Status dashboard gives a graph of CPU and disk usage, while the Log Source Status dashboard can be used to check what systems have been found and are currently generating log data to be processed by the appliance. We could see, for example, Microsoft Exchange and Microsoft Internet Security for Acceleration servers, Juniper firewalls and Cisco VPN 3000 concentrators.

The LogLogic appliances were also there, and administrators accessing the appliances to create reports or schedule alerts also have all their activity and interactions with the appliances logged.

The Real-Time Viewer lets users see log data as it is actually processed by the appliances. Users can also choose to customise the Viewer to show specific logs. For instance, we could define what type of device we wanted to see logs from, such as Cisco Pix firewalls. Or we could choose to look for a pre-defined log message, such as “Microsoft DNS: Critical Errors”. We could choose an exact phrase occurring in a log message or use Boolean logic to pull out specific log messages.

LogLogic’s Search tab can be used to automatically produce a report on network connection attempts over any user-defined timescale. We produced a report detailing connection attempts through a Juniper NetScreen firewall and exported it as a comma-separated value (CSV) list. Advanced options also allow users to define what type of data, such as source IP address, destination IP address and port number, appears on the list. Boolean logic can also be applied to further enhance the search, and the search configuration can be saved as a custom report.

The alerting features can be configured to flag up a wide variety of potential problems. For example, admins can set up the system to send out alerts when server disk usage is over 80 per cent, or when changes have been made to switch configurations, or even when users are writing data to CDs.

Reporting options

The reporting options are also comprehensive, and there are many report templates available. Users can also define their own custom reports and schedule these to run

at hourly, daily, weekly or monthly intervals. The resulting report

can then be emailed as a CSV, HTML or a PDF file.

In conclusion, LogLogic’s system has a wealth of features that should allow enterprises to get on top of any regulatory compliance obligations they need to meet. It was easy to use the pre-defined report templates and also to create customised reports. It was also easy to define specific alerts to notify security or general IT personnel about critical conditions in enterprise network and IT infrastructure.

On top of the cost of the appliances, enterprises face separate charges for LogLogic’s pre-defined compliance monitoring and reporting packages. These cover a range of governance topics, including Sarbanes-Oxley, Itil and the PCI data security standard, and cost £7,500 + VAT each.

LogLogic offers a range of support services, including 24x7 cover and user training.

Review: Infoblox ID Grid

Dave Bailey — 2007-04-17T00:00:00.000Z

Dave Bailey, IT Week, Tuesday 17 April 2007 at 00:00:00

Infoblox ID Grid provides a highly resilient platform for delivering core network services

The Infoblox ID Grid platform is a system for running core network services over a firm’s local and distributed network infrastructures. These core services include: the Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), IP Address Management (IPAM), Remote Access Dial-In User Service (Radius) and Trivial File Transfer Protocol (TFTP). An Infoblox ID Grid comprises appliances connected via Ethernet using the vendor’s Keystone package. This type of appliance-based architecture is intended to offer far greater resilience than the DNS/DHCP services bundled for free with Windows-based servers.

Each Infoblox appliance has a DNSone module for delivering integrated DNS and DHCP services and an onboard XML-based database, called bloxSDB, for storing information about the devices that require network services, such as desktop systems, web servers, IP phones and wireless access points. For example, it records which systems require static IP addresses, which require dynamic IP addresses, and which systems need authentication before they can be accessed, for instance, through a Radius server.

The central point of control for the grid is provided by a system or systems located at headquarters or in a datacentre or in a network operations centre. This unit is called the Grid Master, and although it can also serve up core network services locally, it also synchronises the information contained in the distributed appliances’ databases and provides monitoring and reporting functions for the entire grid. All communications between appliance members of the grid and management by network administrators uses certificate-based authentication and Secure Sockets Layer (SSL) encryption.

We reviewed Infoblox’s ID Grid platform using four appliances configured to simulate a central headquarters site with two branch offices. For this we used a pair of Infoblox-1550 appliances, which are designed for enterprise envi ronments, and a pair of Infoblox-550 systems, which are aimed at branch offices. Both systems are 1U appliances that can fit neatly into 19in racks in datacentres or wiring closets. The Infoblox-1550 features an Intel dual-core 3.2GHz processor, 4GB of system memory and a 300GB serial ATA (Sata) hard drive. Infoblox also sells a 1552 model, which has redundant, hot swappable power supplies. The network interfaces on the 550 and 1550 models are the same, comprising one standard console port, two Gigabit Ethernet LAN ports, a Gigabit Ethernet high-availability port and a 10/100Mbit/s management port.

We configured the two Infoblox-1550 systems as a high-availability pair for increased resilience, and nominated one of these as the Grid Master. The other 1550 appliance is designated the Master Candidate, and remains passive until the active appliance fails or starts a firmware upgrade. At this point the Candidate is promoted to Grid Master.

Initial set-up was done using the front-mounted console port on the Grid Master appliance. Infoblox appliances run under the Network Identity Operating System (Nios). Initially we used Nios 4.0r1, but later during our tests we upgraded to 4.1r2, a process that at first seemed quite complex but was in fact very easy, and involved no visible loss of service to our network devices.

Nios 4.1r2, which was released in March, adds features that network administrators may find useful, such as support for secure dynamic DNS updates from Microsoft client systems and support for DHCP API add-ons for Alcatel-Lucent’s VitalQIP IP address management software.

Installing an upgrade involves using the separate partition on the Master Candidate’s hard drive and copying the files onto that partition. The upgrade is then launched on the Master Candidate, which effectively becomes a guinea pig system for the upgrade. If the upgrade is successful, this system is designated the Grid Master and it can then upgrade the rest of the appliances over the ID grid. After the upgrade, we defined subnets for the branch office Infoblox-550 appliances and connected them to our datacentre pair.

After this we connected our management device – a laptop running Windows XP Professional – and downloaded Infoblox’s ID Grid Manager Java client. The management software is very simple to use. With just a few mouse clicks network administrators can easily define DNS zones, DHCP address pools and lease times, and add clients requiring, for example, TFTP or Radius services. The fact that the Infoblox grid system is hierarchical meant that we could apply DHCP options across all our appliances. Local administrator accounts can be set up to allow individual appliances to be tweaked, however.

We were disappointed with the reporting services available to administrators, which seemed pretty basic. We could view the system log and define a syslog server to take system messages and process audit log messages, as well as set systems to take Simple Network Management Protocol (SNMP) alerts. But with compliance issues becoming more and more important, Infoblox needs to improve these reporting functions.

The vendor said an upgrade scheduled for later this year should address this issue.

Review: Fluke OptiView III INA

Dave Bailey — 2007-03-15T00:00:00.000Z

Dave Bailey, IT Week, Thursday 15 March 2007 at 00:00:00

Fluke’s portable network analyser can detect problems on both wired and wireless networks

Fluke Networks’ upgraded OptiView Series III integrated network analyser (INA), which launched in January, can diagnose problems in both wired (10/100/1000Mbit/s Ethernet) and wireless (802.11a/b/g) networks. Fluke has also introduced support for a range of small form-factor pluggable optical modules, including short-haul 1000Base-LX (220 metres) and long-haul 1000Base-ZX (70km) options.

Like earlier versions, the system features an 800x600 resolution touch-screen and stylus, which, strangely, is stored in a stand that extends from the rear of the device.

The system comes with a shoulder bag that has a compartment for an optional external Li-ion battery. When clipped into the back of the INA, this can deliver an extra four hours of troubleshooting time, according to Fluke.

The analysing subsystems run under Windows XP Professional. As soon as the wireless subsystem is fired up, the INA begins cataloguing the entire network infrastructure within range, displaying security status. Systems running no encryption are coded red, yellow is used for those with Wired Equivalent Privacy (WEP) protection and green for systems running Wi-Fi Protected Access (WPA) and WPA version 2 (WPA-2).

The INA features a directional antenna that links to a built-in tool designed for detecting rogue access points (APs). With this, network admins should be able to find all but the most carefully hidden APs. We found it easy to survey our building for APs, While there were some internal WPA and WPA-2 networks there were also a few using less secure WEP encryption. We also picked up some in nearby buildings still using no encryption and broadcasting default Service Set Identifiers (SSIDs). It was easy to see which clients were connected to which APs and if any 802.1x port-based access control was being used.

Probably the most important new feature is a free string search that allowed us to set up the INA to start a data capture if a specific string was encountered. This could be a web site or email address, or document types such as .pdf, or applications that network admins may have banned from using network bandwidth.

For added data security, the INA has a removable hard disk that can be stored in a secure facility, but is not encrypted. These add-ons cost about £316 + VAT for a single hard disk and £1,208 + VAT for a pack of four.

Review: ForeScout CounterAct 6.0

Dave Bailey — 2007-02-12T00:00:00.000Z

Dave Bailey, IT Week, Monday 12 February 2007 at 00:00:00

ForeScout’s NAC appliance stops unauthorised systems trying to access the network

ForeScout’s CounterAct 6.0 appliance is an out-of-band network access control (NAC) device that takes a clientless approach to monitoring systems requiring access to network resources. CounterAct 6.0 also monitors the network and intrinsic systems before, during and after clients connect and disconnect. Being an out-of-band device, it does not degrade network performance, which can be a problem with inline devices that have insufficient processing power.

We reviewed a CounterAct CT-1000 appliance, a 1U system running a hardened Red Hat Linux on Intel hardware with gigabit connectivity, which ForeScout said can manage up to 1,000 users. Prices for the CT-1000 start at £14,700 + VAT. A higher-end version, the CT-2000, supports up to 2,500 users and costs from £24,900 + VAT. These prices include software but do not cover support.

Setting up the appliance was a simple process involving a keyboard and a monitor connected to the VGA port. However, we did have to configure a specific port on our ProCurve gl4108 switch to mirror all the network traffic, an action that can sometimes have unforeseen consequences on devices and applications. We also set up the switch to give VLAN tag information, which would allow CounterAct to identify the VLAN that devices were being assigned to on connection.

After setting the gateway and DNS IP addresses, defining the protected network and assigning incoming and outgoing Ethernet interfaces using fstool, a Unix command line tool, we installed the CounterAct management console on a Windows 2000 Professional system. Initially users should use the system in a listen-only mode before setting the device to monitor mode. Monitor mode lets admins check the effect of a policy on devices and the network, before moving to enforcement mode.

Users should also be wary about what applications are running on their network. We normally run Neon Software’s LANsurveyor to check what devices are attached to the network, and CounterAct picked this up as a port-scanning system. Because CounterAct is clientless it can detect endpoint devices like network printers and IP phones.

Using ForeScout’s policy editor it was fairly easy to formulate security policies and specify actions in the event of a client failing to conform. For instance, we could easily get the system to alert or block users if they tried to connect with no McAfee antivirus package installed. That said, policy creation should not be left to complete novices if firms are to get the most out of CounterAct.

Features new with this version include a high availability mode, using an active/passive configuration. A CounterAct system tagged as the enterprise manager can also manage up to 50 more CounterAct systems. Firms may also wish to use ForeScout’s intrusion-prevention system, ActiveScout, to deal with so-called zero-day events.

Review: Neon Software, CyberGauge 7

Dave Bailey — 2006-09-22T00:00:00.000Z

Dave Bailey, IT Week, Friday 22 September 2006 at 00:00:00

CyberGauge 7 is a simple-to-use bandwidth monitor that can provide web-based reports

Launched in Early September, Neon Software's CyberGauge 7 is a monitoring, reporting and planning tool for bandwidth utilisation for network interfaces and works with any Simple Network Management Protocol (SNMP)-enabled device. To monitor five devices the price is £259 + VAT and an upgrade from the previous version, 6.5, costs £59 + VAT.

The main new feature is support for SNMP versions 2 and 3. The version 3 support allows two-way authentication and encryption, enabling it to be used with more sensitive networks. Another useful new feature is CyberGauge's ability to create bandwidth utilisation graphs and export the data gleaned as a .jpg file, along with the ability to timestamp it and even send it to an FTP subfolder. The data can also be exported as an Excel .xls file, allowing bandwidth trending or detailed statistical analysis for bandwidth planning. Both .jpg and .xls files can be used to provide web-based reports.

In our tests, we found setup was easy and five minutes after installing the system we were able to monitor traffic flows through our SNMP-enabled switches, routers or appliances. Unfortunately CyberGauge only works with SNMP-enabled devices, and so cannot be used with some of the less expensive wireless routers and devices which do not use SNMP.

Our Be wireless router, a Thomson SpeedTouch 716g model, was not SNMP-enabled. However, we connected it through a 3Com 4250T 48-port 10/100Mbits Layer 3 switch and then connected devices through this to check bandwidth utilisation through each port. We were able to configure alerts for gigabit uplinks, RS232 console ports, Ethernet management ports, and any defined virtual LANs (VLANs).

We could also monitor local bandwidth utilisation of devices through our HP ProCurve 4108gl gigabit switch. System administrators assigning virtual machine traffic to specific ports or to specific VLANs could also monitor bandwidth designated for that purpose.

It was also easy to define where alerts should be sent, either emailed through defined primary and secondary email servers using SMTP authentication or directly to a defined syslog server. There is also an option to record detailed transcripts of CyberGauge's operation and sub-options about what goes into these log files.

The validity of our alert and email setups was checked by detailed examination of the event log and designated subfolders for .jpg and Excel files. The daily reports showed device and interface type, as well as monitoring interval and number of intervals. The quality-of-service information consisted of uptime, downtime and number of restarts detected on each interface. Bandwidth distribution and billing information was also captured.

Checking bandwidth distribution on all the interfaces enabled us to detect a misconfigured port showing a 10Mbit/s full duplex link when it should have been set at 100Mbit/s. This correlated with an alert in the event log showing the interface falling below a pre-defined 10 percent threshold.

Review: Mutiny Network Monitor

Dave Bailey — 2006-09-07T00:00:00.000Z

Dave Bailey, IT Week, Thursday 7 September 2006 at 00:00:00

Mutiny's appliance offers an affordable and easy way to oversee equipment on a

Launched in June, Mutiny's Network Monitor is a rack-mounted 1U appliance designed to monitor server hardware and network infrastructure.

The system is easy to configure, and can be set up in a few hours. In its unclustered standalone mode, a single appliance can monitor up to 1,000 nodes – a node could be a server, router or switch – and can store more than 12 months of associated historical data.

The cost of licensing has the advantage of being based on the number of nodes, rather than number of ports. Mutiny quoted a figure of about £11,000 + VAT for monitoring a 500-node enterprise network. So the cost for monitoring even a medium-sized firm's infrastructure is relatively modest.

Network Monitor is an evolution of earlier Mutiny kit, first released in 2002 and predominantly intended to monitor servers running under Windows 2000 Server and Windows Server 2003, mainly on Dell and HP kit. Now, with Network Monitor, other network equipment can also be monitored.

The appliance we reviewed was based on a standard Supermicro hardware package similar to that used for other vendors' systems. For instance, we were also reviewing hardware management vendor Raritan's CommandCenter NOC 250 appliance at the same time, and this device uses similar hardware.

Mutiny staff came into IT Week Labs to set up the system as they would for other customers, installing the latest version of the software, which runs under a hardened version of Red Hat Fedora Core 4 with version 2.6.15 of the Linux kernel.

The onboard hardware consists of a CD-ROM, two USB ports and system status LEDs plus reset and start buttons on the front bezel. On the back are four 10/100Mbit/s network ports, another two USB ports and PS/2 ports for a mouse and keyboard, VGA adaptor, and a serial port for local access to the hardware.

Connecting to the appliance locally on the same subnet or remotely, we found it easy to call up device details to check critical server parameters, such as CPU load.

We could also easily drill down further to change threshold values for parameters such as memory usage, and Network Monitor let us define a warning value as well as a critical one. We could pull down detailed information on the specific processes running on our servers, such as process names, and process IDs (PIDs) together with CPU usage in seconds, and memory used by the process.

The new network interface monitoring functions in the system let us check network port input and output statistics for data rates, percentage of port capacity used, and the number of errors per minute. We could also pick up SNMP information from our interfaces, such as IP address, interface type, MAC address and link speed. For instance, we could interrogate our HP ProCurve 4108gl switch through Network Monitor and graph input and output port usage data over both pre-defined and user-defined time intervals.

Network Monitor also lets network administrators connect directly to a switch and use that switch's own web interface for management. This meant we could directly connect to our switch and, for instance, perform more advanced configuration by starting a Telnet session to access the switch's command-line interface. Network Monitor could also allow IT staff to monitor trunked links remotely and receive alerts if usage exceeds warning and critical thresholds.

Similarly, for server hardware we could graph memory usage, disk usage and CPU load for periods varying from the last six hours to the last six months. For disk usage the system can generate information for the percentage of the disk used, disk status, absolute total used, and free space available.

To keep servers up and running, information on CPU load, disk space available and system memory usage is critical. Network Monitor allows IT staff to configure warning and critical thresholds for variables such as memory usage to trigger email alerts in the event of breaches to be sent to a pre-defined SMTP server. It also allows SMS alerts to be sent via USB analogue and GPRS modems.

With Network Monitor, the data collected is now stored in a Java-based JRobin database rather than the MySQL database previously used in Mutiny's tools.

The appliance can monitor up to 1,000 nodes, but firms needing to monitor more or needing a degree of redundancy can set up systems in master/slave configurations with up to 1,000 appliances "slaved" to a master appliance.

Our minor criticisms of the system concerned a slightly loud cooling fan and the fact that it was easy to clutter up the web-based GUI with pop-up windows.

NetD SG-8 Unified Services Gateway

Dave Bailey — 2006-01-23T00:00:00.000Z

Dave Bailey, IT Week, Monday 23 January 2006 at 00:00:00

The SG-8’s modular system promises to make network management simpler

Launched in June last year, NetD’s SG-8 rack-mountable Unified Services Gateway is designed primarily to service large branch offices as well as small to medium-sized enterprises with between 500 and 1,000 users.

The SG-8 is priced at £9,995 + VAT for the basic system, but its hardware architecture and its software differs significantly from those of the current breed of unified threat management devices.

The SG-8 has a three-plane architecture with data, control and management planes, which gives an ability to start and stop individual software modules, such as the intrusion prevention system (IPS). NetD says services can be added to the system while it is operating, and that service failures can be insulated from other operations.

Initially we ran version 1.0 firmware, and there was no help facility available. Unfortunately even after upgrading the SG-8 to version 2.0.21.0, from an FTP site, there was still no help offered. The absence of a preconfigured firewall means that some expertise is needed to set policies to ensure protection.

The hardware of the SG-8 includes 10 module slots (two for switch fabric, two for the Services Engine and six for line cards), and the system we reviewed had eight Gigabit Ethernet ports for LAN use and four T1/E1 wide area network (WAN) ports. The dedicated services engine uses a 2GHz AMD Opteron processor, has 512MB of memory, expandable to 2GB, and also has two Gigabit Ethernet ports. For extra redundancy two more line cards can be used for installing another Services Engine.

Unlike other hardware systems, which usually route packets through firewalls and then apply security checks, the SG-8 supports what NetD calls OnePass packet processing, whereby the packet undergoes any decryption first and is held in memory while it is checked sequentially by the various modules active in the SG-8’s current software architecture. This avoids latency incurred through continually taking packets apart and reassembling them for further processing.

We could manage the SG-8 either remotely through a browser-based graphical interface or locally through a console port accessible through a combo serial-USB cable.

Users can set up the SG-8 via the browser or use the IOS-like command line interface. This is where the SG-8 has big advantages – since multiple best-of-breed devices managed remotely would each have their own management interface.

The SG-8 is shipping with software modules for routing, firewall, virtual private network (VPN), quality of service (QoS), Network Address Translation (NAT) and Layer 2/Layer 3 switching. Currently the only sensor certified for use with the SG-8 is Snort, once the open-source standard for IPS but now controlled by Check Point.

The SG-8 is capable of supporting up to 5,000 site-to-site IPSec VPN tunnels and can use 56bit DES, 168-bit triple-DES or 256bit AES encryption. NetD said Secure Sockets Layer (SSL) VPN and antivirus service modules will be available at a later date, and in future, firms will also be able to order pre-configured systems.