Wednesday, May 31, 2006

Improving Microsoft ISA Server 2004 network performance with the new Scalable Networking Pack?

The question mark is not a typo...

At the WinHEC 2006 conference Microsoft surprised network administrators by launching, with immediate availability, the Scalable Networking Pack (SNP) for Windows Server 2003 Service Pack 1.

The update can greatly improve operating system network performance when a special network card, the so-called TCP/IP Offload Engine (TOE), is installed in your server (and its manufacturer has developed the relevant drivers).
A TOE, and also a motherboard powered by the recent Intel I/O Acceleration Technology (I/OAT), has a dedicated processor for handling TCP/IP operations, offloading them from the main CPU.

In particular, the SNP offers three critical features:

  • TCP Chimney Offload
    TCP Chimney Offload provides automated, stateful offload of Transmission Control Protocol (TCP) traffic processing to a specialized network adapter implementing a TCP Offload Engine (TOE). The stateful capabilities (meaning that the network adapter retains in memory the significant attributes of a connection, such as IP address, ports being used, and packet sequence numbers) significantly reduce the need for CPU cycles in managing offloaded traffic. For long-lived connections with large-sized packet payloads, like those associated with storage workloads, multimedia streaming, and other content-heavy applications, TCP Chimney Offload greatly reduces CPU overhead by delegating network packet processing tasks, including packet segmentation and reassembly, to the network adapter. This frees up CPU cycles for other application tasks, such as supporting more user sessions or processing application requests with lower latency.


  • Receive-side Scaling
    Receive-side Scaling enables the processing of inbound (received) networking traffic to be shared across multiple CPUs or cores by leveraging new network adapter enhancements. Receive-side Scaling can dynamically share the inbound network traffic as either system load or network conditions vary. Many scenarios, including Web servers, file transfers, block storage, and backups, require the host protocol stack to perform significant work in the context of receive interrupt processing and deferred procedure calls (DPC). In these scenarios and others, Receive-side Scaling can significantly improve the number of transactions per second, the number of connections per second, or total network throughput.


  • NetDMA
    NetDMA enables support for advanced direct memory access technologies, such as Intel I/O Acceleration Technology (I/OAT). For servers equipped with the supported technology, NetDMA provides memory management efficiencies and network packet processing enhancements.

    At the heart of NetDMA is the ability to more efficiently support network data movement and reduce system overhead by minimizing CPU involvement in performing memory-to-memory data transfers. Normally the CPU is extensively involved in moving network data from network adapter receive buffers into application buffers. NetDMA largely frees the CPU from handling memory transfers by supporting use of a DMA engine. The DMA engine frees the CPU from the mundane task of copying data so that it can be better used by other applications.

Every Microsoft security professional out there probably had just one thought: Windows Server 2003 SP1 + SNP + ISA Server 2004.
It's not the case: the three features above are automatically disabled when ISA Server is installed on your system.
Is that bad? It can be worse: you lose all of them even if you just enable the Windows Server 2003 SP1 Windows Firewall.

Should we rely on the next ISA Server? Again, no: not even the upcoming ISA Server 2006 will gain any advantage from the SNP.
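One practical check a practitioner will want, added here as an example (it is not from the original post): a cmd batch script for Windows Server 2003 SP1 that reports the configured state of the three SNP features, whether the Windows Firewall is on, and whether the ISA Server firewall service is present. It assumes the Tcpip\Parameters registry values EnableTCPChimney, EnableRSS and EnableTCPA from Microsoft's SNP documentation, and the ISA Server 2004 service name fwsrv; both are assumptions of this example, not something the post states. These values show only what is configured: whether offload is actually active also depends on the network adapter driver and, as the post explains, on ISA Server and the Windows Firewall.

```batch
@echo off
rem Added example, not from the original post: report the Scalable Networking Pack
rem configuration on Windows Server 2003 SP1. The value names below are assumed from
rem Microsoft's SNP documentation; a missing value means SNP is not installed or the
rem feature was never configured, 0x0 means disabled and 0x1 means enabled.
setlocal
set KEY=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

echo --- SNP feature configuration (%KEY%) ---
for %%V in (EnableTCPChimney EnableRSS EnableTCPA) do call :show %%V

rem The post notes that enabling the Windows Firewall alone loses the SNP features,
rem so report its operational mode next to the SNP values.
echo.
echo --- Windows Firewall state ---
netsh firewall show state

rem fwsrv is the assumed service name of the ISA Server 2004 Microsoft Firewall
rem service; if it is present the SNP features are disabled regardless of the
rem registry values above.
echo.
echo --- ISA Server firewall service (assumed name: fwsrv) ---
sc query fwsrv >nul 2>&1
if errorlevel 1 (echo fwsrv not installed) else (echo fwsrv installed: SNP features are disabled by ISA Server)
endlocal
goto :eof

:show
rem reg query prints "  <name>  REG_DWORD  0x1"; the third token is the value.
set VALUE=not set
for /f "tokens=3" %%A in ('reg query "%KEY%" /v %1 2^>nul ^| findstr /i "%1"') do set VALUE=%%A
echo %1 = %VALUE%
goto :eof
```

Run it from an administrative command prompt on the server; it only reads configuration and changes nothing. Compare the output before and after installing ISA Server or enabling the Windows Firewall to see the effect the post describes.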

Saturday, May 27, 2006

Depending on Google

Disclaimer
The following post is not the usual rant about how Google violates our privacy without authorization.
Building the best product in its market is the only tool Google is using.
Whoever decides to use Google services is aware of how they work and chooses them anyway, accepting the related risks, because they actually are the best available.


I'm going to say something I believe has been pretty evident for a long time: we depend on Google, in the most complete sense of the word.

Look: I'm not saying that we depend on search engines, that Google is the most popular one right now, and so by extension we depend on Google.
No, I'm saying exactly this: we depend on Google.

Not yet everybody in the world, but a massive number of Internet users, as the following graph shows:

March 2006 - courtesy of SearchEngineWatch


How many people are 42.7% of the market? I don't know, but I know it equals 91 million queries per day (search engine market analysts could provide a rough calculation of how many people that number means).

I believe this number will keep growing in the future as Google releases more services following its current strategy and quality level.
But there is no need to look ahead to say what I want to say: today, with its current, limited services, Google already controls a large part of our lives.

Just to be more explicit, Google knows:

  • what we search with Web, Image and Book Search

  • what we read with News, Print, Alerts, Reader, Bookmarks and Notebook

  • what or where we study with Book, Scholar, University Search

  • what we do, watch, hear, think, say with Blogger, Pages, Docs, Groups, Talk, Video and YouTube, Movies and Music

  • what problems we have with Answers

  • what illness we have with Health

  • what we like to buy with Froogle and Catalogs

  • what we actually buy with Maps

  • what we have, buy or sell with Base, AdWords and CheckOut

  • part of how much we earn with AdSense

  • where we want to go with Maps and Earth

  • where we are going with Ride Finder and Transit

  • who we know with GMail, Orkut and Talk

  • what we do outside Google with Secure Access

  • what we do outside Internet with Toolbar, Desktop and Compute

  • what we and our family and friends look like with Picasa

  • what our voice sounds like with Talk

  • our appointments and recurrences with Calendar

  • our mobile number with SMS, Mobile and GMail

  • our bank account and home address (whoever uses Google AdSense can provide account details for immediate payment)

In a word: Google profiles us.

I had to think hard about what exactly Google still doesn't know about us, and found a couple of answers (feel free to suggest more).
They still don't know:

  • who we would like to date (and eventually marry)

  • where we are (when we are not searching)

So: expect Google Dating and a Google smartphone with free Internet connectivity soon (look at Google Dodgeball for a hint). Really.

The ultimate declared purpose of such precise profiling is to knock down the traditional advertising system, where people have to endure a flood of uninteresting commercials just because advertisers have no way to tailor the best advertising to each potential customer.

I got a nice, vivid representation of this scenario watching the movie Minority Report. In one scene John Anderton, escaping from the police, enters a shopping mall, where remote iris scanners recognize him and pass the information to advertising banners, which start offering him the kind of goods he likes, based on his shopping history, personal taste, opinions and everything else that has been profiled up to that time.

Well before that, which will happen in any case, it's highly probable our mom will ask Google what the best gift for our birthday is.

But when you have such a system, such an amount of personal data, would you use it just for advertising?
An expert data miner could find things about us that we do not even suspect ourselves.

Think about the world-famous game The Sims.
What if Google injected all the information listed above into a very special version of The Sims? Is The Sims sophisticated enough to simulate our reactions and predict our behaviour?

Think about the new Google Trends service.
What if Trends were slightly different and focused on a single person using Google? Could Trends reveal, for example, how my political opinions changed over the years?

Can I venture to predict the concept of Personal Intelligence (PI), by analogy with the well-known Business Intelligence (BI)?

At the recent Google Press Day 2006, company chief executive, Eric Schmidt, said:
In five years, Google will have built "the product I've always wanted to build--we call it serendipity," he said, adding that it will "tell me what I should be typing."
It's illuminating.

Now, making myself unpopular within one second, I'm going to declare that, sincerely, I absolutely don't mind being profiled so brazenly.
I love Google services. I find them innovative and effective.
I actually like the idea of finally receiving advertising tailored for me, adapting as my tastes, my opinions and my experience evolve.
And since I have nothing really serious to hide, I simply can't see anything bad in profiling.

The point is not being profiled or tracked. We are tracked all the time, in several different ways, in ways we don't even imagine.

It could seem I'm trading my privacy for free, damn good tools. It's not the case: I'm trading the impression of having privacy. And I'm happy to do it.
Someone else trades the impression of having privacy for the impression of being protected against terrorism. At least Google services are concrete...

So the real reason compelling me to write this post (and to think about Google almost every day I hear blatant rants about privacy violations) is a different one.

One book I have loved for years, since long before Google became so pervasive in people's lives, is Nineteen Eighty-Four.
If you have never read it, you should.

In 1984 the world is controlled by a totalitarian structure called Big Brother, which is able to manipulate the whole society by continuously instilling feelings like fear and hate.
The main character, Winston Smith, is employed in the so-called Ministry of Truth, where his job consists of modifying or deleting inconvenient things written in books and newspapers when they contradict Big Brother's statements.
Big Brother is so pervasive in people's lives, and they are so dependent on it, that they are unable to recognize when news sources have been changed or when a piece of information has simply disappeared.
They believe anything Big Brother feeds them, trusting him as the only reliable source in the world.

Can I say with some degree of confidence that today we count for something (or have a chance to do business online) only if we are included in the Google index?
If the answer is yes, then we already strictly depend on Google.

So the real point is: who guarantees us that Google, on which we rely so massively, will not modify or delete indexed news, books, photos, videos, our history and, in the final analysis, our life?

Be sure to have an answer before Google launches its rumored Drive.

Is serendipity a Newspeak word?


Update: Google is even working on what seems to be the first version of a Telescreen. Amazing!


Second update: Surprise! A former CIA agent claims the Agency cooperates with Google.

Check Point offers training and certification on its endpoint security

As I have written several times, while Microsoft has yet to appear on the endpoint security market, two big competitors and historical rivals are already fighting for it: Cisco and Check Point.

While Cisco offers Network Admission Control (NAC), Check Point, having acquired ZoneLabs and its Integrity Server two years ago, answers with Total Access Protection (TAP).

Less than a month ago Check Point further accelerated this aspect of its strategy by embedding Integrity in the NGX security platform.

At the same time the company launched a training course, Check Point Integrity (a very original name):
You will learn:
  • How to diagram Integrity Advanced Server/client components and architecture secure network endpoint PCs

  • How to use Integrity Advanced Server tools to create a basic Integrity Advanced Server/client network

  • How to create a rule-based policy package for deployment to Integrity clients

  • How to use Integrity Advanced Server tools to configure policies that include firewall rules, zone-based security features, and Program Control

  • How to use Integrity Advanced Server to protect remote, external endpoint PCs

  • How to use Integrity Monitor reports to refine model deployment life-cycle policies
The detailed course table of contents is available here.

Associated with the course there is a related certification: Check Point Integrity Specialist (CPIS) [#156-701]

I'm pretty happy about this because, being a Check Point Certified Security Instructor (CCSI), I'll soon start teaching the course.

Friday, May 19, 2006

Microsoft ISA Server loses high availability

Well, sort of...

Actually Microsoft ISA Server 2004 doesn't offer high availability for link connectivity, and the upcoming ISA Server 2006 will not provide such features either.

But we could always count on a couple of great third-party products that have done this since the dawn of ISA Server 2000: Stonesoft StoneBeat FullCluster and Rainfinity RainWall (by the way, both offer high availability for Check Point VPN-1 as well).

The former discontinued its offering for the Microsoft product some time after the release of ISA Server 2004, letting Rainfinity dominate the niche market.

Yesterday EMC Corporation announced its acquisition of Rainfinity, followed by an email notice stating the company has decided to discontinue the RainWall and RainConnect products.

While you can approach the problem from a hardware point of view, with products like F5 BIG-IP or Radware LinkProof, at this point there is no other software solution available for this highly requested (and I would say mandatory) feature, and we'll have to hope for the next release, which is likely to be ISA Server 2009 given the recent codename Longhorn delays.

Thursday, May 18, 2006

Microsoft to start NAP Client for Windows XP beta program

As you know, Microsoft will release its implementation of endpoint security, called Network Access Protection (NAP), with the release of Windows Server codename Longhorn (a technology you can already try if you are in the beta program).

An endpoint security infrastructure needs integration of several tiers, from several vendors, to work: operating systems on desktops/laptops/servers (endpoints), antivirus/patching/dhcp (and many others) servers, network and security devices (switches/routers/access points/firewalls/VPN servers/authentication servers), and a policy server.

While codename Longhorn will be the only OS capable of acting as policy server (so whoever stays with Windows Server 2003 and wants endpoint security has to look elsewhere), both Windows Vista and Windows XP SP2 will be able to act as endpoints.
But while Vista integrates NAP capabilities, XP will have to install a stand-alone version, which is going to be launched as a beta program at the same time as the Vista beta 2 launch (expected next week, at the Microsoft WinHEC conference).

This is not the only difference. While the NAP client for Vista is obviously complete, the NAP client for XP will lack a key feature: 802.1X capability, which is mandatory to interact with network devices, unless you resort to dedicated agents provided by the vendors (which further complicates endpoint security management). As of today it is not even certain the support will ever be included.

The NAP client for Windows XP will be released in the codename Longhorn timeframe.

Monday, May 15, 2006

Check Point shuffles products names and offering

Immediately after the release of the Check Point NGX [R61] platform, as expected, the company had to change (again) the names of its whole offering.

The Check Point offering has changed month after month in the last few years, moving from a portfolio of several stand-alone products with similar interfaces, where the best known and most important one was VPN-1 (formerly FireWall-1), to a single security platform where all technologies are tightly linked to the central tier: the SmartCenter (formerly Management Module and subsequently SmartCenter Server).

The integration of existing tools like FloodGate-1 (now a QoS module) and new tools like Integrity (acquired from ZoneLabs) obliged Check Point to redesign the whole interface and the naming convention to let customers understand the new architecture.

So now the company is launching, with much fanfare, the new Unified Threat Management (UTM), seen by the worldwide IT press as big news worth quoting everywhere.

Well, I'm afraid to tell you that Check Point UTM is just a renaming and a reshuffling of the existing offering, nothing else.
In detail:

  • VPN-1 Express (license for SMB up to 500 so-called users) and VPN-1 Express CI (license Express plus integrated antivirus, based on the Computer Associates eTrust engine) are now labelled VPN-1 UTM


  • VPN-1 Enterprise/Pro (license for enterprise companies with unlimited IP) plus SecureXL are now labelled VPN-1 Power


  • VPN-1 Enterprise/Pro plus SecureXL plus CI (borrowed from Express CI) are now labelled VPN-1 UTM Power


  • VPN-1 Edge (Check Point SMB appliance competing with Sofaware Safe@Office and Nokia IPSO) is now labelled VPN-1 UTM Edge

The Check Point offering for disaster recovery of the SmartCenter is actually based on a very weak hot-standby solution: now that this tier links together so many products, customers should find this approach less adequate than ever. I expect a new offering in this area soon.

Tuesday, May 09, 2006

Release: Check Point NGX [R61]

Check Point just released the first minor update [R61] of its new security platform NGX.

I'm referring to this release as a platform because it has matured over time to fully or partially integrate every product in the Check Point offering.

This new release continues in this direction by introducing the integration of the endpoint security product, Integrity (obtained with the ZoneLabs acquisition), into the VPN-1 SmartDashboard, which is the most significant move since the inclusion of the QoS module (formerly the standalone FloodGate-1 product).

Check the What's New and Release Notes documentation for all details.

As with NGX [R60], you'll have to order the media kit for a brand new installation, while you can download just the update if you already have an installation in place.

I strongly believe Check Point could soon revise its naming strategy again to reflect that NGX is not a VPN-1 family but a whole security system, of which the firewall is just a part.

Monday, May 08, 2006

Privacy practices comparison between European and US corporations

Ponemon Institute published a research whitepaper comparing how good European and US companies are at protecting privacy:
White & Case, LLP and Ponemon Institute, LLC are pleased to present the summary results of the first study that benchmarks the corporate privacy practices of a matched sample of European and U.S. multinational companies.

Results from the Study of European and U.S. Corporate Privacy Practices (hereafter termed the Study) provide a meaningful baseline for measuring and monitoring trends about how multinational organizations in two different regions of the world are facing regulatory requirements and creating privacy programs that build trust with their key stakeholders.

Drawing from a matched sample of large European and U.S. companies, our study addresses eight key areas in the typical corporate privacy program.
The eight areas are:

  • Privacy Policy

  • Communications & Training

  • Privacy Management

  • Data Security Methods

  • Privacy Compliance

  • Choice & Consent

  • Cross-National Standards

  • Redress
...

What did we learn?

European companies tend to deal with privacy issues differently than their U.S. counterparts. Our benchmark findings suggest that European privacy leaders are less concerned about internal or inherent controls and are more concerned about organizational culture. The main focus of the European privacy program is to ensure the existence of reasonable policies, monitoring of regulatory events, collaborating with data privacy authorities and advocates, and assuring that transfers of personal data are limited or restricted to a very small number of permissible purposes. Because European companies are less likely to engage in gratuitous secondary data use and data sharing, these companies appear to be much less concerned about ongoing monitoring for insider threats and potential data breaches.

In contrast, U.S. companies tend to deal with privacy issues by implementing technical, administrative and physical control systems that seek to detect or mitigate risks of data leakage or misuse. U.S. companies appear to have more resources on the ground (i.e., larger budget and more headcount) to conduct downstream training and awareness programs for employees, contractors and business partners. U.S. companies appear more likely to deploy technologies that seek to limit unauthorized access to secure data stores and active files. In addition, U.S. companies are more likely to conduct audits to determine compliance with privacy policies, laws and regulations.

In short, our study dispels the myth that European companies are far ahead of U.S. firms in terms of meeting privacy commitments and obligations to various stakeholders.

A very interesting reading. Available here.

Saturday, May 06, 2006

ShmooCon 2006 slides and videos

ShmooCon 2006 event material has been available for a while on the official ShmooCon website.

Among others, I found these interesting (even if nothing really new):

  • Countering Attacks at Layer 2 [Slides] [Video]

  • FreeBSD jail(8), A Secure Virtual Machine [Video]

  • Lockpicking and Physical Security Fundamentals [Video]

  • Wi-Fi trickery, or how to secure, break and have fun with Wi-Fi [Slides] [Video]

Download all material here.