Tag: networking

Why I think Netflix’s stance on VPNs stinks

by 1 comment

In Netflix blocking all access to their service except through a vanilla ISP connection, the end of both net neutrality and online privacy is coming to a head, much faster than I would have expected.

To be fair to Netflix, I have a fairly bespoke networking setup at home, mostly so that I can play around with my new technology.  I am an ‘early adopter’ – so want to play with things without disrupting the internet for everyone else.  It allows me to login to my machines remotely, and securely, and ensures that access to my online bank, crypto accounts and other online accounts is easily audit-able.

Unfortunately Netflix have dropped a fly in the ointment by suggesting that simply because I’m operating at a higher level of security than the majority of customers, I am a crook.

From their help page:

Do you use a VPN or proxy for other reasons, such as for work or for privacy?

Because there is no reliable way for us to determine if a VPN or proxy is being used for legitimate purposes, any VPN or proxy use will prevent you from streaming Netflix. Please disable any VPN or proxy and try Netflix again.

Whilst I can’t disagree with their sentiment, I would like to have the option of setting up such configuration on a site-by-site basis; rather than a broad sweeping brush requiring me to disable a level of security for my entire network, just to let me access Netflix.

We are operating in a cyber environment where security needs to be managed at multiple levels.  There is no such thing as a completely secure setup.  The safest way of operating is my having multiple levels of security and a valid alerting mechanism when something unusual occurs.  For me, that has been routing all my traffic via my single IP to make auditing of access to remote sites easier – and by limiting the number of places that I can login from.

It takes me back to the days of when I used Internet Explorer, when even with a fairly ancient tool it was possible to set privacy levels based on site.

What Netflix are essentially telling me is that for _all_ my traffic, I have to reset my network to the ISP default – there isn’t a way for me to lower my security levels just for their product.

It would be great for Netflix to accommodate the more advanced setups by publishing their public IP ranges (AWS already do this for CloudFront, and others have followed suit) so it is possible for me to make an exception specifically for Netflix.  That I’d be happy to do.

In the meantime I guess I’ll have to put the devices that I use to stream Netflix into my vanilla network.

Why am I so concerned?

In forcing people to route their traffic via their specific ISP, rather than appearing to Netflix as any other address on the internet, it allows Netflix and the ISPs to gather information based on what traffic is passing over their networks and route it accordingly (metadata).  We’re already seeing some ISPs offer ‘better performance’ for certain SaaS services, and using that as a marketing message when trying to sell their products – but it leads the way to operating a two-tier system, locking Netflix at the top by improving the performance of their Content Delivery Networks as the expense of the plucky upstarts or competitors.

Online we all leak little pieces of insignificant information each day.  Who’s got a maternal uncle on Facebook? Do you publish your D.O.B?  In the internet of 10 years ago, that would no doubt be sufficient information to break into your online banking.  10 years hence, how are the digital natives of today going to secure and verify their identities online without the level of paranoia generally associated with those in tin hats?  The internet as a ‘free’ (as in freedom) platform is being eroded slowly by decisions that do not explicitly appear to be damaging it – but have significant implications.  Five years ago the idea of Facebook/Twitter overthrowing a western government appeared absurd – yet in the last 2 years we’ve seen both Brexit and the American presidential elections significantly affected by these platforms.

Networking – let’s get complicated.

by

Ok, so things have hotted up a notch in here.  My networking knowledge has come on leaps and bounds in the past few months, but I need to learn more, lots more, and fast. Here’s where I’m at:

A firewall doesn’t always sit at the edge of your estate, sometimes a HIDS device belongs there instead.

A firewall can do lots of things, but can do a lot of things badly.

There is more than one way to skin a cat.

So I’ve been looking at some interesting reading, courtesy of Mez, and have come across the following:

http://oreilly.com/catalog/fire/chapter/ch04.html – Firewall Design.

This interests me muchly, as I currently use, and have always designed server-networks in the past as follows:

However, it seems that pretty soon that can have an adverse affect on the firewall; for each connection hitting the firewall from the net, there’s at least 6x the traffic passing through it. (  NET -> FW -> DMZ -> FW -> BACKEND -> FW -> DMZ -> FW -> NET )  This isn’t good, especially if you’re looking to purchase a firewall with a pretty low ‘max sessions limit.’  It gets worse if you’re thinking of splitting the ‘BACKEND’ into a number of different zones.  However, there is a nifty little improvement:

With this approach, you can move your ‘internet facing’ machines into their own DMZ zone, and still communicate with your backend services without passing too many times through the firewall.  It means that the number of connections the external firewall needs to handle is fewer, meaning you can get a more powerful machine, cheaper – and don’t have to compromise because of that pesky connection table limit.

Using this diagram now gives even more flexibility, as there is now a nice segregation between the networks behind the interior router.  This setup means that you can have a single-purpose network zone, which is neat, as PCI DSS states that all servers should have a single purpose.  If those have a single purpose, they should share a similar communications port setup – therefore it seems sensible to group them all into the same zone.  They’ll also probably not need much by the way of ‘interzonal’ communications – and if they do, it’s segregated off the external firewall.  It will also be much easier to spot problems introduced by an external event (DDoS, Digg Effect, Social Media Strategy Success), and those introduced by those pesky web developers (internal connections increasing).

Switching

This is where it starts to get complicated.  Where do you use switches here?  How do you segregate the switch.  Well, I guess I need to look into VLANs to segregate the switch.  Using the diagram above, the two Internal Networks could probably exist on the same switch, providing it was VLAN’d into separate blocks.  It’d be interesting to know if anyone has any preference here in terms of switch – or will a fairly basic switch do what you’d want it to do in this situation?

Conclusion / Call for Recommendations

With all this in mind, and the network infrastructure suddenly growing from what was essentially just a ‘firewall’ with loads of devices plugged into it to a much more complicated setup – how important is it that the technologies used in each of these individual networking devices are integrated?  There are a couple of vendors selling solutions that would integrate the entire networking stack, using the same technology in routers, switches and firewalls. Is it better to go with a single vendor to reduce the management headache, or will the benefits of an integrated solution only come about when many more devices are connected?

I look forward to hearing what others have done, and I look to sharing more of my decision making progress as things progress.

 

Network Problem

by 2 comments

I’ve been having a really strange networking issue at the office for the past few months.  The reason I’m posting here, rather than in IRC or a Forum, is that it’s quite an interesting problem, and I’d quite like to post the solution.  I’ve contacted my Internet Provider, and unfortunately they don’t seem to be able to comprehend the problem, let alone work out a way of diagnosing it.

We have 8/9 devices sharing our internet connection in the office, across wireless and wired, which pass through our Debian Router, then through a cable modem to the Internet.  In order to make sure the problem was not with the router.  The same symptoms occurred with a direct connection to the cable modem.

The issues is as follows:

Our internet connection doesn’t appear to drop.  According to our ISP our modem has been connetced fine for the last 15 days, and they ‘can see no problem with our line.’  When downloading a large file (<100MB) or streaming Youtube videos, the connection just stops.  The video stops downloading or, in the case of the files, the connection just stops.  This is also evident when running large downloads through apt (such as do-release-upgrade) – during the file download sometimes it just stops downloading – yet on a cancel and restart it continues to download just fine.

I’d like to work out how I can get some documentary evidence of this connection hanging – what is the proper technical term for it – and hopefully find a way to reproduce the problem in a consistent manner.  I have OSX, Linux, and Windows machines all exhibiting the same behaviour – so I’m pretty sure it’s not a clientside bug.

If you can help me out, please let me know in the comments below.

Cheers! and Thanks in Advance.