FromĀ ZoneAlarmā€™s Newest Security Solution: SocialGuard:

SocialGuard, ZoneAlarmā€™s newest security solution, promises a groundbreaking new method of monitoring and preventing safety breaches on Facebook the most popular social networking site by a mile, with over 500 million users without ā€œfriendingā€ your child and intruding on his/her social space. SocialGuard sends real-time alerts to parents via emailā€“or the SocialGuard interfaceā€“whenever suspicious activity is detected on your childā€™s profile; parents can customize security settings and keywords to trigger such messages if the child is exposed to illicit or inappropriate content. SocialGuard monitors childrenā€™s Facebook accounts for threats including cyberbullying, age fraud ensures children are not befriended by adults outside of their network; friend requests, hacked accounts, and link safety flags dangerous/offensive links contained in messages.

The product, available now, can be purchasedĀ here.

Check Point, my employer, is behind this. I've used the betas of this product and they do precisely what they say without being a huge burden on you or your computer. The price: $1.99 a month or $19.99 a year, makes this a no-brainer if you have kids using Facebook!

See what Check Point's Head of Consumer Business has to say about SocialGuard.

FromĀ Reality Check - Features - Malware - Computer Business Review:

"The industry needs to change a little bit," [Check Point Software Technologies CEO Gil Shwed] says. "Our software blade architecture is the right direction but it's not enough. I think the real change is actually understanding that security is not a bunch of technologies that people need to deploy but understanding that it needs to be treated like a business process. It starts with the well-defined policy of what a company wants to achieve and what is allowed or not allowed, continues with educating - or not educating but involving the users - and the enforcement side is only the last part of it.

"Most of our customers have a lot of check lists but not one clear policy. Everybody is trying to keep the users aside from that, but if users are not aware of their expected behaviour they become the weakest link in security. Then it goes to enforcement, which needs to apply these principles. We've just launched 3D Security that has three elements - policy, people and enforcement - and I think that would be a major change in people's mindset when they think about security.

While Check Point certainly has some great security technology--I should know, I work there--if it's not applied according to a process and policy with defined business goals, the result will be less than satisfying. I've seen it again and again in my work over the years.

On the two Check Point user community sitesĀ CPUGĀ andĀ CPshared, I made a couple of interesting observations today:

  • CPshared already had more active threads today than CPUG. This includes all the public boards, which I verified by loading up both sites in Google Chrome's "Incognito Mode" to ensure I wasn't logged in.
  • The number of Check Point employees already participating on CPshared is far more than I've ever noticed on CPUG in the past two years.

Keep in mind that the CPUG forums have been around since August 2005. CPshared was only "officially" announced last week--it had been privately tested for about 4 weeks before that.

Again, these are just observations. They may be completely meaningless. You can come to your own conclusions here.

I've been a participating in the Check Point user community in various places for a long time now. Heck,Ā I ran a Check Point community of my own for a while. It's not often the community gets a new place to congregate, so it's worthy of an announcement.

Presenting CPshared: Ā The Open Technical Forum for All Things Check Point. In the NG days, this was a base "package" in the Check Point suite that handledĀ communication between management and modules. It was also called the SVN Foundation. This is where the name comes from, and I think it's an appropriate name.

CPsharedĀ was started by an ex-Check Point employee and a long-time member of the Check Point community. It is designed to beĀ an alternate approach to information dissemination to more established forums likeĀ CPUG--a forum I kickstarted by donating my own content to in 2005.Ā CPshared includes a blog (with contributions by others), a web-based forum, a Twitter accountĀ @cpshared, and a web-based chat system.

CPshared has been under private beta for the last few weeks with a number of other long-time members of the Check Point community, including a few Check Point employees. It was formally announced today.Ā If you use Check Point products, give it a look and join the small, but growing community!

A PR firm representing Cisco asked me if I wanted to review theĀ Cisco Valet, which is a line of "surprisingly simply home wireless" devices that, I have to say, does what it says on the tin. It is by far the easiest setup process I've seen.

The first thing I noticed was the packaging. A complete lack of technical jargon or marketing about how this router compares to the others they sell. There most technical things on the box are in small print and are just basically a list of system requirements and a warning that, due to a number of factors, your wireless speeds and range may vary.

When I did the initial setup, I used my Mac--usually a stumbling block for these so-called "easy setup" programs. The Easy Set Up key is little more than a Flash drive that contains some documentation and the Cisco Connect application. Launching the Cisco Connect gives you a screen that tells you to do do three things:

  • Plug the router into your Internet connection
  • Plug the router into your power
  • Click next

In less than the five minutes it tells you it could take, I had a screen that told me my router was set up and I was connected to it. Sweet! You could, of course, do some additional configuration of the router. A very simple interface is presented for doing this (click image for larger view):

The add device option gives you the settings you need to configure a device. Obviously, it's going to vary by device manufacturer. Once it has detected the device has connected, you can then "name" the device for later. Handy!

I didn't mess with the parental controls--I almost never find them granular enough for my tastes. However, it appears they do some category-based URL filtering and allow you to blacklist sites. The problem is the restrictions are per-host, meaning you have to select the individual hosts that you wish to restrict. You also can't whitelist sites or create a default URL filtering policy that applies to all connected hosts. That said, it's more functionality than I've seen in a typical consumer router.

The guest access feature is quite handy as well. Cisco Valet creates a second (open) SSID that your guests can use to access the Internet. It is segmented off from your regular wireless network and presents a captive portal to your guests, whom must enter a password before they are allowed access to the Internet:

Of course, you can disable this feature as well.

When the router is first configured, the SSID is set to a random adjective-noun word combination and the password is set to a 10 character random string. In the Valet Settings, you can change these things to something. You can also save this to the Easy Setup Key (or create a new one using any standard USB thumb drive) that will allow you easily configure other Mac or Windows computers in your house with the correct wireless settings.

And, of course, there's the Advanced Settings, which fires up a web browser with a typical Linksys-style web interface for configuring the router (though it is entirely Cisco-branded now). This is where the geek settings are, of course, and are, "advanced." I'm sure given the relatively ease through which computers can be added and the basic settings can be configured, there will rarely be a reason for most people to ever visit the advanced settings.

But Is It Secure?

Most reviews stop here. They are quite happy that someone has finally come up with a wireless router that almost anyone with even rudimentary computer knowledge could configure and use. That is a feat worthy of praise, no doubt.

I am not most people. I wonder, in the back of my mind, does Cisco make this device easy to use, yet actually make it secure? The answer is not surprising--to me at least.

First, it's probably worth pointing out that I work for a competitor to Cisco:Ā Check Point Software Technologies. We don't compete in the consumer market, really, but we certainly in the enterprise network security market. That doesn't affect my opinions here, but I figure I should disclose that since some might consider it a conflict of interest.

Prior to proceeding with the setup wizard, I saw what the router was broadcasting by default--a WPA-protected access point named CiscoXXXXX (where XXXXX corresponded to the last 5 digits of the device serial number). My guess is the router is preconfigured with some default WPA password that the Cisco Connect software then changes to something else, which it then tells you after the setup is complete.

Cisco gets props on a number of things security related:

  • Choosing a random network name (SSID)--most manufacturers use a known default
  • Configuring WPA as a default
  • Choosing a random password that contains numbers, upper and lower case letters, and special symbols

All three of these things are good. By choosing a random SSID and a random password, it makes it harder for someone to brute-force (i.e. guess every possible password) access to the wireless access point.

While these are far better than what I've seen from others, it's, unfortunately, not enough. To be relatively safe from a brute-force attempt, the passphrase needs to be at leastĀ 20Ā characters--random ones at that. Also, it defaults to WPA/WPA2 mixed mode, which allows you to use the TKIP, which may be needed for some legacy hardware, is not the most secure. You can change to WPA2, which only supports AES. It would be nice if you could change the rekey interval, but I don't see a way to do that from the advanced settings.

There are a couple of other dangerous settings enabled by default:

  • Universal Plug and Play is enabled by default (which, when paired with malware, could easily make your computers more vulnerable to attacks)
  • WMM Support (in the QoS section) which, when enabled, makes your network a little moreĀ susceptible to hacking when WPA (not WPA2) is enabled.

The Nintendo DS Factor

One rather common WiFi-enabled device in any household with children is the Nintendo DS. This device does not support WPA at all. Even the newer DSi, which does support WPA, doesn't support it for DS games. This means, if you want your kids to be able to use the WiFi features of their DS games, they won't be able to use them unless you use WEP for your wireless security, which is not recommended.

This is, in my opinion, one big disappointment with the Cisco Valet. There is no way to allow a Nintendo DS to use the Guest wireless without using WEP. They could very easily allow the whitelisting of certain MAC addresses to be allowed to access the Guest wireless (which is open, unencrypted, and will work with the DS) without requiring web-based captive portal authentication.

Other Minor Gripes

The Cisco Connect software allows you to configure items that cannot be configured with the Advanced Settings interface, namely the Guest wireless access. I would like to be able to change the default IP range used for the Guest wireless and, possibly, whitelist certain machines as I described above.

By default, the router administration password the same as the WPA password. This does make it easier for end users, but I think you should be able to set them independently in the Cisco Connect software.

I also do not see a way through the Cisco Connect software to upgrade the firmware for my router. This is a necessary, sometimes daunting task, especially given the number of hardware variations that can exist even with the same model. There's no reason Cisco couldn't have made this process as simple as they've made everything else--push a button and it takes care of the rest.

And, of, course, my security gripes above. While they went a lot farther than I've seen other manufacturers go, they could have gone just a little farther in choosing more secure defaults, possibly with an optional "security settings" page so you don't have to hunt in the Advanced Settings interface to make the wireless connectivity more secure.

All in all, though, I am very impressed with the product. I could easily see myself recommending this product to my non-technical friends and family as a dirt simple way to share their Internet connection and create their own personal wireless hotspot.

The only people I cannot recommend this product to are Linux users who lack a Windows or Mac machine on which to run the Cisco Connect software. Since the initial setup of this router cannot happen without the Cisco Connect software, which does not run on Linux, your "out of the box" experience will be less than fulfilling. You only need the software the first time, of course, but you might be better off with aĀ Linksys-branded router.

So yes, Cisco did it. They made WiFi easy for normal people to set up. Using the Easy Setup Key, I set up four different Windows computers with my Cisco Valet settings in a matter of minutes. It was drop-dead simple. I wish they spent a little more time on the security side of things, butĀ this is a tough one to do without making things more inconvenient for users. Given what Cisco was aiming for here, I think they nailed it.