From Reality Check - Features - Malware - Computer Business Review:

"The industry needs to change a little bit," [Check Point Software Technologies CEO Gil Shwed] says. "Our software blade architecture is the right direction but it's not enough. I think the real change is actually understanding that security is not a bunch of technologies that people need to deploy but understanding that it needs to be treated like a business process. It starts with the well-defined policy of what a company wants to achieve and what is allowed or not allowed, continues with educating - or not educating but involving the users - and the enforcement side is only the last part of it.

"Most of our customers have a lot of check lists but not one clear policy. Everybody is trying to keep the users aside from that, but if users are not aware of their expected behaviour they become the weakest link in security. Then it goes to enforcement, which needs to apply these principles. We've just launched 3D Security that has three elements - policy, people and enforcement - and I think that would be a major change in people's mindset when they think about security.

While Check Point certainly has some great security technology--I should know, I work there--if it's not applied according to a process and policy with defined business goals, the result will be less than satisfying. I've seen it again and again in my work over the years.

On the two Check Point user community sites CPUG and CPshared, I made a couple of interesting observations today:

  • CPshared already had more active threads today than CPUG. This includes all the public boards, which I verified by loading up both sites in Google Chrome's "Incognito Mode" to ensure I wasn't logged in.
  • The number of Check Point employees already participating on CPshared is far more than I've ever noticed on CPUG in the past two years.

Keep in mind that the CPUG forums have been around since August 2005. CPshared was only "officially" announced last week--it had been privately tested for about 4 weeks before that.

Again, these are just observations. They may be completely meaningless. You can come to your own conclusions here.

I've been a participating in the Check Point user community in various places for a long time now. Heck, I ran a Check Point community of my own for a while. It's not often the community gets a new place to congregate, so it's worthy of an announcement.

Presenting CPshared:  The Open Technical Forum for All Things Check Point. In the NG days, this was a base "package" in the Check Point suite that handled communication between management and modules. It was also called the SVN Foundation. This is where the name comes from, and I think it's an appropriate name.

CPshared was started by an ex-Check Point employee and a long-time member of the Check Point community. It is designed to be an alternate approach to information dissemination to more established forums like CPUG--a forum I kickstarted by donating my own content to in 2005. CPshared includes a blog (with contributions by others), a web-based forum, a Twitter account @cpshared, and a web-based chat system.

CPshared has been under private beta for the last few weeks with a number of other long-time members of the Check Point community, including a few Check Point employees. It was formally announced today. If you use Check Point products, give it a look and join the small, but growing community!

A PR firm representing Cisco asked me if I wanted to review the Cisco Valet, which is a line of "surprisingly simply home wireless" devices that, I have to say, does what it says on the tin. It is by far the easiest setup process I've seen.

The first thing I noticed was the packaging. A complete lack of technical jargon or marketing about how this router compares to the others they sell. There most technical things on the box are in small print and are just basically a list of system requirements and a warning that, due to a number of factors, your wireless speeds and range may vary.

When I did the initial setup, I used my Mac--usually a stumbling block for these so-called "easy setup" programs. The Easy Set Up key is little more than a Flash drive that contains some documentation and the Cisco Connect application. Launching the Cisco Connect gives you a screen that tells you to do do three things:

  • Plug the router into your Internet connection
  • Plug the router into your power
  • Click next

In less than the five minutes it tells you it could take, I had a screen that told me my router was set up and I was connected to it. Sweet! You could, of course, do some additional configuration of the router. A very simple interface is presented for doing this (click image for larger view):

The add device option gives you the settings you need to configure a device. Obviously, it's going to vary by device manufacturer. Once it has detected the device has connected, you can then "name" the device for later. Handy!

I didn't mess with the parental controls--I almost never find them granular enough for my tastes. However, it appears they do some category-based URL filtering and allow you to blacklist sites. The problem is the restrictions are per-host, meaning you have to select the individual hosts that you wish to restrict. You also can't whitelist sites or create a default URL filtering policy that applies to all connected hosts. That said, it's more functionality than I've seen in a typical consumer router.

The guest access feature is quite handy as well. Cisco Valet creates a second (open) SSID that your guests can use to access the Internet. It is segmented off from your regular wireless network and presents a captive portal to your guests, whom must enter a password before they are allowed access to the Internet:

Of course, you can disable this feature as well.

When the router is first configured, the SSID is set to a random adjective-noun word combination and the password is set to a 10 character random string. In the Valet Settings, you can change these things to something. You can also save this to the Easy Setup Key (or create a new one using any standard USB thumb drive) that will allow you easily configure other Mac or Windows computers in your house with the correct wireless settings.

And, of course, there's the Advanced Settings, which fires up a web browser with a typical Linksys-style web interface for configuring the router (though it is entirely Cisco-branded now). This is where the geek settings are, of course, and are, "advanced." I'm sure given the relatively ease through which computers can be added and the basic settings can be configured, there will rarely be a reason for most people to ever visit the advanced settings.

But Is It Secure?

Most reviews stop here. They are quite happy that someone has finally come up with a wireless router that almost anyone with even rudimentary computer knowledge could configure and use. That is a feat worthy of praise, no doubt.

I am not most people. I wonder, in the back of my mind, does Cisco make this device easy to use, yet actually make it secure? The answer is not surprising--to me at least.

First, it's probably worth pointing out that I work for a competitor to Cisco: Check Point Software Technologies. We don't compete in the consumer market, really, but we certainly in the enterprise network security market. That doesn't affect my opinions here, but I figure I should disclose that since some might consider it a conflict of interest.

Prior to proceeding with the setup wizard, I saw what the router was broadcasting by default--a WPA-protected access point named CiscoXXXXX (where XXXXX corresponded to the last 5 digits of the device serial number). My guess is the router is preconfigured with some default WPA password that the Cisco Connect software then changes to something else, which it then tells you after the setup is complete.

Cisco gets props on a number of things security related:

  • Choosing a random network name (SSID)--most manufacturers use a known default
  • Configuring WPA as a default
  • Choosing a random password that contains numbers, upper and lower case letters, and special symbols

All three of these things are good. By choosing a random SSID and a random password, it makes it harder for someone to brute-force (i.e. guess every possible password) access to the wireless access point.

While these are far better than what I've seen from others, it's, unfortunately, not enough. To be relatively safe from a brute-force attempt, the passphrase needs to be at least 20 characters--random ones at that. Also, it defaults to WPA/WPA2 mixed mode, which allows you to use the TKIP, which may be needed for some legacy hardware, is not the most secure. You can change to WPA2, which only supports AES. It would be nice if you could change the rekey interval, but I don't see a way to do that from the advanced settings.

There are a couple of other dangerous settings enabled by default:

  • Universal Plug and Play is enabled by default (which, when paired with malware, could easily make your computers more vulnerable to attacks)
  • WMM Support (in the QoS section) which, when enabled, makes your network a little more¬†susceptible to hacking when WPA (not WPA2) is enabled.

The Nintendo DS Factor

One rather common WiFi-enabled device in any household with children is the Nintendo DS. This device does not support WPA at all. Even the newer DSi, which does support WPA, doesn't support it for DS games. This means, if you want your kids to be able to use the WiFi features of their DS games, they won't be able to use them unless you use WEP for your wireless security, which is not recommended.

This is, in my opinion, one big disappointment with the Cisco Valet. There is no way to allow a Nintendo DS to use the Guest wireless without using WEP. They could very easily allow the whitelisting of certain MAC addresses to be allowed to access the Guest wireless (which is open, unencrypted, and will work with the DS) without requiring web-based captive portal authentication.

Other Minor Gripes

The Cisco Connect software allows you to configure items that cannot be configured with the Advanced Settings interface, namely the Guest wireless access. I would like to be able to change the default IP range used for the Guest wireless and, possibly, whitelist certain machines as I described above.

By default, the router administration password the same as the WPA password. This does make it easier for end users, but I think you should be able to set them independently in the Cisco Connect software.

I also do not see a way through the Cisco Connect software to upgrade the firmware for my router. This is a necessary, sometimes daunting task, especially given the number of hardware variations that can exist even with the same model. There's no reason Cisco couldn't have made this process as simple as they've made everything else--push a button and it takes care of the rest.

And, of, course, my security gripes above. While they went a lot farther than I've seen other manufacturers go, they could have gone just a little farther in choosing more secure defaults, possibly with an optional "security settings" page so you don't have to hunt in the Advanced Settings interface to make the wireless connectivity more secure.

All in all, though, I am very impressed with the product. I could easily see myself recommending this product to my non-technical friends and family as a dirt simple way to share their Internet connection and create their own personal wireless hotspot.

The only people I cannot recommend this product to are Linux users who lack a Windows or Mac machine on which to run the Cisco Connect software. Since the initial setup of this router cannot happen without the Cisco Connect software, which does not run on Linux, your "out of the box" experience will be less than fulfilling. You only need the software the first time, of course, but you might be better off with a Linksys-branded router.

So yes, Cisco did it. They made WiFi easy for normal people to set up. Using the Easy Setup Key, I set up four different Windows computers with my Cisco Valet settings in a matter of minutes. It was drop-dead simple. I wish they spent a little more time on the security side of things, but this is a tough one to do without making things more inconvenient for users. Given what Cisco was aiming for here, I think they nailed it.

IPv6 is the next generation of IP--the protocol by which most of our computers, phones, and other related devices talk to each other and to the Internet. Today, everything generally talks using IPv4, which has a 32-bit address space, or roughly 4 billion possible addresses. Both because of the sheer number of devices and the number of "reserved" addresses within the IPv4 space, the number of globally available IP addresses is running out.

To put it in perspective, as I write this, there is still a few /8 addresses unallocated by the IANA, which are distributed to regional registries, which are then responsible for distributing the IPs to ISPs, whom in turn distribute them to you. A /8, in IPv4, is 16,777,216 IP addresses. That seems like a lot of addresses, until you realize that, depending on how those IPs are allocated, the number of usable IPs ends up being a bit less.

Even so, once IANA runs out of /8s, the individual registries and ISPs still likely have caches of IPv4 addresses. The problem of address space exhaustion probably won't show any acute symptoms immediately, but the lack of IPv4 addresses (and the lack of wide deployment of IPv6) will start causing problems soon, creating pockets of servers that can only be accessed by one protocol or another.

We've actually been working around the problem of address exhaustion in the IPv4 space for some time now using network address translation. That router you get from your local consumer electronics store has been masquerading all of your computers behind a single, public IP address, providing you both a level of protection and connectivity.

Enterprises do much the same thing, except their boxes are significantly larger and they also might provide services accessible on the Internet, which means: they need more than one public IP. Also, some enterprises have so many connected systems that they have, quite literally, run out of available private IP addresses (some IPs in the IPv4 space are set aside explicitly for private, non-Internet connected use).

In any case, the pressure is mounting to switch to IPv6. Given that some of my customers are asking about IPv6, I figured I'd get myself educated. I happen to have access to one of the people who helped define the IPv6 standards in the IETF (he works at Check Point), but there's really no better way to learn about it than to just get it set up.

Of course, part of the problem right now is that my ISPs at home (Comcast, CenturyLink) are still serving me IPv4 addresses. Fortunately, there are ways of tunneling over IPv4 to the IPv6 networks. One such service is TunnelBroker, run by the folks at Hurricane Electric. They tunnel IPv6 packets inside of IPv4 packets (more specifically using IP Protocol 41, designed for this purpose).

I had it working on an old Linksys router I had flashed with TomatoUSB and hacked a bit. I had IPv6 flowing through my network and was able to reach a few sites over IPv6. Then I had the realization that I was no longer protected by my router. I was now directly reachable--without a firewall! While I could fix that, I think that's enough experimentation for now.

I guess the point is: I can make it work today. However, few people are going to want to do what I had to go through to make it work. Every hop in the network has to be IPv6 friendly and IPv6 enabled. For the home user, it's going to have to be as simple as plugging in a router. We'll get there, but it's going to be a bumpy ride for the next few years.