Do users care about the licensing model?

It's interesting to watch Michael Tiemann lay claim to the one, true definition of 'open source': only projects  complying completely with the OSI license are open source.  If this were a legal issue and the definition was argued in court, the OSI might have a chance.  But when it comes to trying to freeze the definition of a term in common usage, they don't stand much of a chance. 

My own experience with talking to end users about licensing mirrors those of Mitchell Ashley and the audience of Slashdot:  most people just care that the software is free and open, not which licensing model is used.  The majority of the people I've talked to face to face at events understand why a company wouldn't want to use the OSI license.  As long as the impact on the end user is the same in the end, meaning if they get the software for free and can look at the source code themselves, they aren't too concerned with the license.  There have been exceptions, people who are hard line OSI or BSD license advocates and I respect those people for their opinions.  But they've been in the minority.

Cobia's license isn't OSI complaint.  But our source code is open and the software is free.  Call it open source, community source or something else, the effect on the end user is the same.

Mid year reflections - Thank you, Cobia users

Every once in a while I stop and think about the progress we've made in the short amount of time (since the beginning of '07) that Cobia has been available. Thousands of users, like you, have downloaded Cobia to begin using and understand how to take advantage of the Cobia Unified Network Platform. Many of you have commented privately or on the forums, which grows every day. We have a dedicated team at StillSecure working hard on many Cobia capabilities and your downloads, input, questions and comments helps us all remain passionate about Cobia and Cobia users.

During this time, we wrapped up the Cobia beta and offered the GA version of Cobia. We also introduced the firewall and DHCP modules, and we began working with a few developers in putting together our SDK. We also introduced programs for ISVs, platform partners, OEMs and VARs. And we regularly meet Cobia  users at conferences like Interop and ResNet and at a number of local user groups. I also appreciate Jason Huggett, who joined us at Interop as our first Cobia user advocate.

The most important aspect of reflecting about the first six months of this year, is to take a moment to thank you. Many alpha and beta tested Cobia. Many more since then have downloaded and used Cobia. And I especially appreciate our users who go out of their way to tell others about Cobia and how it can hep them.

Thanks to each of you, and here's to continued success throughout the year.

Setting up a DHCP server in 20 minutes

Need a DHCP server right now?  With Cobia, you can have one up and running from a barebones system and ISO in about 20 minutes.  Maybe less, if you're not working on one or two other projects at the same time like I usually do. 

This is another in my series of how-to's, and this is probably going to be one of the easiest to implement yourself.  If you've already got a Cobia server up and running, you could literally be done with the entire process in under 5 minutes. 

Scenario:  Basic configuration of the DHCP scope and a dynamic pool. 

Description: The DHCP server on Cobia only takes a couple of minutes to set up and start running on your network. This post addreses the initial setup and configuration of a DHCP scope and dynamic pool.

Technical requirements:  Cobia server with initial setup completed.

Solution: Setting up the Cobia server to start offering DHCP services is a two step process. First, create a scope by selecting "Add a scope" from the DHCP -> Configure DHCP -> General screen. Select a unique, descriptive name for the DHCP scope and select an interface for the server to offer DHCP addresses on, then select OK twice to create the scope. To create the dynamic pool in your new scope, select the interface you created the scope in and click on 'add a dynamic pool'. Select a unique, descriptive name for the pool, designate your pool of IP addresses and subnet mask. Select OK three times to commit the changes.

Finally, stop and start the DHCP service on the system from the DHCP -> Configure DHCP server page. 

Time Required:  5 minutes

Use Case:  Configuring a DHCP scope and dynamic pool.

ResNet was a success

Yesterday I flew down to San Diego to attend the ResNet symposium at the Universitey of San Diego with another StillSecure employee, Cherie.  It was interesting to meet the range of people attending, from some top notch systems administrators to managers who didn't know much about technology but knew their systems administrators would be interested in the literature.  This was a small event, but everyone attending was excited to be there and the energy level was high.

One trend I'm excited to see is people who've already heard of and tried Cobia.  There were a small number of people who'd installed Cobia at Interop, but at an event that measures its' audience in the tens of thousands that's not a surprise.  But the fact that several people have been trying out Cobia in an audience of several hundred means we're being effective in getting the word out. 

Smaller events like this are a lot of fun to attend for us.  There's fewer vendors to see, so the attendees aren't already becoming jaded by the time they come by our booth.  And fewer people means more time to talk to each of them, which I hope is a win for both of us.  The fact that it's only one day means I can maintain a high energy level without having to worry about getting through the rest of the week.  In fact, if you've got any events like this coming up in the near future, send me an email at martin_at_stillsecure.com and I'll see if I can fit it into my schedule. 

Using Cobia as a transparent firewall

I talked by phone with one of our new Cobia users today who wants to use Cobia as a transparent firewall. A transparent firewall is one which doesn't use NAT (network address translation) between internal IP addresses and outside networks, such as the Internet.

While this might sounds like a very easy proposition (and it is easy to do with Cobia), many consumer grade and SOHO firewalls ship with NAT enabled and no option to turn it off. That's a problem when you don't want to use NAT. (Maybe you could configure NAT on the device to NAT the address to the very same address, but that would be silly wouldn't it.)

To create a transparent firewall with Cobia, simply do not enable NAT in the Cobia Firewall module. Or create exceptions so that some device IPs are NAT'd while others pass through without translation. It's that simple.

Happy firewalling!

Your WiFi may be the next target

According to Robert McMillan, McAfee says that your home wifi may be part of the next wave of targets by malicious hackers.  Along with attacks on infrastructure services like DNS and  municipal wifi, your home wifi will become another venue for attackers.  Not the most heartening of thoughts if you're an end user and you're already a bit overwhelmed by all the security warnings out there.

The average end user can't do all that much when it comes to infrastructure attacks against services like DNS.  They can keep their systems patched and hope their upstream provider does the same.  And the same can probably be said of most systems administrators as well: keep patched.  But the real damage control on this sort of attack is going to have to come at a higher level than the average user will understand or care about. 

On the other hand, attacks on municipal wifi and open hotspots are something every user should be aware of and take precautions against.  The standard disclaimers of 'be careful where you connect' and 'never do sensitive business over free wifi' still apply, but there's more to worry about than ever.   A man-in-the-middle attack, where an attacker's AP pretends to be a valid AP but records traffic or modifies it slightly, could be used to capture the traffic an entire downtown area. Even using a site over SSL might not be enough if the attacker is ready for it.  The only good news is that there haven't been any recorded examples of a successful attack like this being carried out.  It doesn't mean it hasn't happened, just that we haven't caught anyone at it.

I have to agree with McAfee that the home wifi will become one of the next big targets, since many users don't know enough to set up their networks properly.  Especially in urban settings where the density of personal AP's is enough to make being physically close to AP's less of a problem.  As everything from your gaming system to your new computer entertainment center become endpoints of your wireless network, it makes the attack surface for hackers that much larger.

Using Cobia to segregate your wifi access point at home will help, as will being cautious when connecting to any open access point and using the best encryption possible on your home network.  But these are thing's we should be doing anyways.  And in all likelihood, if you're already acting in a secure manner, none of these new threats will require you to change the way you act.  The people who are going to be in danger are the ones who already connect to any hotspot without a second thought and never thought about using encryption on their home wifi network.

We're an official VMware Virtual appliance!

As of today, Cobia has been accepted as an official VMware virtual appliance.  This means Cobia has been tested as a virtual appliance by the folks at VMware and passed all the tests they threw at it.  The Cobia virtual appliance is pre-built, pre-configured and ready to use in VMware as soon as it's downloaded.

Having a pre-built virtual appliance like Cobia saves you time, allowing you to have a fully built Cobia server up in running in just a few minutes more than it takes to download the software.  Because it's pre-configured, there's no OS or server changes that have to be made and you know you're running on a hardened OS.  If you need to have a firewall, router or DHCP server working in just a few minutes, a Cobia virtual appliance will have you working in almost no time.

If you haven't tried Cobia yet, download the virtual appliance today.  The Cobia virtual appliance is free, the VMware Server is free, all you have to lose is a little space on your hard drive.  And since the folks at VMware have done their testing, you know Cobia will work.

Stiennon welcomes the secure networking revolution

Rich Stiennon is someone that I have blogged a lot about.  Of course Rich is perhaps best known for his "IDS is dead" prediction while at Gartner.  Over the last few years, Rich and I have gone back and forth on NAC and his secure network fabric concept. But I think history may record another Stiennon prediction as perhaps his most insightful.  But if they do, let them also record, StillSecure was there first!

Rich writes in SC Magazine today about his vision of the 4th generation of UTM. Now I am not going to say that Rich took his idea from us (I was on a UTM panel with him at RSA), but this article reads like a Cobia PR piece.  Let me give you some quotes here:

We are rapidly approaching the advent of the fourth generation security platform. This is a device that can do all of the security functions that are lumped in to UTM but are also excellent network devices at layers two and three. They act as a switch and a router. They supplant traditional network devices while providing security at all levels. Their inherent architectural flexibility makes them easy to fit into existing environments and even make some things possible that were never possible before. For instance a large enterprise with several business units could deploy these advanced networking/security devices at the core and assign virtual security domains to each business unit while performing content filtering and firewalling between each virtual domain, thus segmenting the business units and maximizing the investment in core security devices.

One geologic shift that will occur thanks to the advent of these fourth generation security platforms is that networking vendors will be playing catch up, trying to patch more and more security functions into their under-powered devices or complicating their go to market message with a plethora of boxes while the security platform vendors will quickly and easily add networking functionality to their devices.

Fourth generation network security platforms will evolve beyond stand alone security appliances to encompass routing and switching as well. This new generation of devices will impact the networking industry it scrambles to acquire the expertise in security and shift their business model from commodity switching and routing to value add networking and protection capabilities.

I swear. if Rich would have mentioned open source and Moore's Law providing the horsepower to make this happen, I would have sent him a check from the Cobia marketing budget!

But lets not be naive.  If Rich is writing this, you can bet his employer, Fortinet will be coming out with a network/security convergence box shortly.  We already have almost 2 years into Cobia development and welcome the company.  It will be interesting to see if Fortinet tries to do everything themselves or opens up the platform for 3rd parties.  In any event, another prescient prediction from Stiennon. Maybe this will go down as the beginning of the secure networking revolution.

On my way to Securanoia

I'm on my way to Boston to attend Securanoia, a charity event put on by the NAISG to benefit the Caitlin Raymond International Registry.  My friend Mike Rothman will be giving the presentation of the evening and then it's off to the races.  Literally. 

I've been anticipating this event for several months now and I'm really looking forward to it.  The racing should be fun, but it's meeting the members of the New England NAISG chapter that is really bringing me to the event.  I'll be coming back in October to see them again, but this time I'll be the one doing the presentation. 

I'm going to try to get some video of Mike's presentation and maybe a quick interview afterwards.  Keep an eye open for the video in the next couple of weeks.  Mike is an entertaining speaker and an experienced security analyst, so tonight promises to be interesting.  I just hope I don't have an experience like Chris Hoff had yesterday, since I'm also flying United Airlines.  I still don't understand how an airline could have a computer glitch that grounded the entire airline for 3 hours. 

Use case scenarios

If you haven't already noticed, Mitchell and I are working on a number of use case scenarios for Cobia that will be posted to the blog over the upcoming weeks.  These will be step by step instructions on setting up a Cobia system on your own home or business network, starting simple and building up to more complex implementations.

These will be multi-part postings, each covering a different aspect of implementing a small business network.  The first series is based on a small office of 25 or fewer systems, and will include setting up DHCP scopes and reserving IP's for file servers and printers.  The second series will be for a larger office with 25 to 250 users and will include setting up a mail gateway and a DMZ for web accessible services, such as your web server.

One of the more interesting scenarios we'll be writing up is the use of Cobia in a multi-building campus environment.  I haven't worked much with BGP or RIP before and will be getting a lot of help from several of our engineers, meaning I get to learn an aspect of security and networking I haven't dealt with much before.  And I always enjoy learning about technologies that are new to me.

Our final writeup will be a multi-site network connected over the Internet via VPN.  There are also several related writeup such as setting up a VMware lab environment and egress filtering that will be included as time allows.

If you have a scenario you'd like to see written up or have a writeup of a situation you've created in your own environment, send me an email at cobia_at_stillsecure.com.