Choosing a Smart DNS vs VPN Solution

One of the problems with using VPN services is that they are difficult to use with devices other than computers. It’s fairly simple to set up a VPN on a computer, laptop or even on tablets.
However nowadays people use things like Smart TVs and media streamers such as the Roku which are difficult to configure to use VPNs even those simpler ones. This configuration issue lies at the heart of the puzzle – which is the best Smart DNS Vs VPN.

Probably the most common uses for a flash router is to act like a VPN service gateway. As you can see from a fast glance from the many sites which deal with Flash Routers, most encourage using one of the many VPN services and are frequently adding new ones. Subscribing to the VPN service is an extremely beneficial way to get access to unblocked content, so if you’re attempting to see US Netflix in Mexico or see BBC Sport on your Roku, employing a subscription service like Identity Cloaker, IPVanish or similar with your router will definitely a fantastic option.

Nevertheless, a VPN service isn’t the only way to unblock popular streaming video & music content. While utilizing a VPN support with your router can permit you to unblock content on devices such as Roku and Apple Television that may Usually not be flashed for VPN usage, you will find other services that could be utilized. The most outstanding is the, easy Smart DNS. Should I Be Using A VPN service or a Smart DNS Router Setup? Smart DNS is a protocol which may be utilized to re route traffic required for determining your geographical location.

Nevertheless, unlike a VPN, Smart DNS doesn’t provide encryption or conceal your IP address. The VPN service creates a tube which change or mask your IP to do it look you’re accessing the website from another location. Smart DNS works like more of a trick, by changing your DNS so sites think you’re qualified to access their content. The reason why SmartD NS differs enormously from a VPN with a better user rate is that it doesn’t require traveling through a remote server location. So a Smart DNS router configuration gives you a number Of the benefits a VPN service may provide without the possible disadvantage of slower speeds from heavy VPNs encryption.

Using SmartDNS is really hard to beat for ease and setup, particularly when utilizing a router upgraded with increased DD WRT firmware. When this Smart DNS router setup is complete, all system that runs throughout The FlashRouter will be using SmartDNS. So with one setup, all devices device on your network like Roku 3, AppleTV, iPads, iPhones may All access SmartDNS enabled content with no person setup. One installment and you’re ready to go!.

UK Proxy Buy – Some Tips

So what is a proxy, well the definition actually changes slightly depending on who you are talking to.  The origin of the term goes back to the beginning of the web in around 1990 when proxy servers were actually referred to as ‘gateways’.  These were simply devices which forwarded packets between different networks, sometimes even converting the different protocols that were being used.

However a simple up to date definition could be as follows:

A proxy server is a computer or system that acts as an intermediary between a client and a server.

They have all sorts of uses within corporate networks but in reality their real popularity has come outside that from ordinary computer users. You see the proxy sits between the computer you are using and the server you are contacting. It relays all information between the two sides and effectively protects the anonymity of the client computer.

This is the main benefit of using a proxy in this context, the proxy hides your location, your computer and identity from the web server you are using.

So Why all Secret Squirrel?  UK Proxy Buy or Not?

Most proxy users aren’t looking for total anonymity (although some are), but people have been using proxies for years in order to bypass the various blocks and filters that exist online. For example one of the most popular uses of a proxy server was in order to access British TV Online and blocked media sites  such as the BBC iPlayer or Hulu.

The BBC’s wonderful website and application is only accessible if you’re physically located in the United Kingdom – everyone else get’s blocked. However if you connect through a UK proxy first, then the BBC website only sees the location of the proxy and allows access.

It is how millions of people across the world could watch the BBC News or Match of the Day from outside the United Kingdom. As long as their proxy server was located in the UK, their actual location didn’t matter.  Exactly the same situation from US sites like Hulu, to access from outside the USA you needed to channel your connection through a proxy server based in the United States.

So does a UK Proxy Unlock Every UK TV site?

Unfortunately no, in fact the reality is that nowadays a proxy is pretty much useless as far as bypassing geographical blocks.  The reason is that the inbound connection from a proxy server is actually fairly easy to detect which is what most large scale media sites do.  If they detect a connection from a proxy server then access is blocked automatically.

Here’s a example of the message you get when trying to access Netflix through a proxy, it simply won’t let you use the site.

The reality is that there’s little point in buying a UK proxy or indeed one based anywhere in the world.  They can still obscure your identity a little, and they stop every website you visit being logged at your ISP but for watching UK TV you need something else.

That something else is a UK VPN service, which in many ways operates in a very similar way.  A VPN is a virtual private network connection between your computer and a VPN server.  Exactly like a proxy this server acts as an intermediary between you and the web resource you’re trying to access – relaying information both ways.  Yet there are important differences, firstly the entire connection is encrypted which means that no-one can access or intercept your data at any point.  The second is that a VPN connection is virtually impossible to detect, so none of the media sites are able to block or disconnect the connection.

Here we can see one such VPN service in action, it’s called Identity Cloaker.

As you can see it’s quite straight forward especially on a computer or laptop.  You merely click on the country you require and it establishes a connection to that specific VPN server. From that point any website you connect to will only the address of the VPN server not yours, which means that you can access whatever you like irrespective of your location.

Literally millions of people use these VPN services now to bypass blocks and filters of all descriptions.  Some use them to bypass state controlled filters such as in China and Turkey where the internet is heavily censored. While many others simply use them to access things like UK or US television, or to switch the version of Netflix they are using.

If you want to try the VPN service illustrated here, which is one of the few that still works with all the British TV sites it’s called Identity Cloaker.

You can try their 10 day trial here – Identity Cloaker

Primer on Protocol Verification

Depending on the environment and the purpose of a proxy then protocol verification is not always necessary. Indeed this was mostly ignored by earlier proxies and gateways as information was simply tunneled through transparently. Nowadays though there is normally some requirement to identify the protocol being transmitted through the proxy server.

Generic (circuit-level) tunneling, such as SOCKS and (SSL) tunneling, allows any protocol to be passed through the proxy server gateway. This implies that the proxy server does not necessarily understand the protocol and cannot verify what is happening at the protocol level. For example, the SSL tunneling protocol, despite its name, can tunnel /my TCP-based protocol, for example the telnet protocol.

A short-term solution to this is to allow only well-known ports to be tunneled, such as 445 for HTTPS, 563 for SNEWS, and 636 for secure LDAP. See Table 7-1 on page 135 for a list of well-known Web-related protocol ports. A longer-term solution is to be provided by proxy servers that verify the spoken protocol. More intelligence will need to be built into proxy servers to understand even protocols that are merely tunneled, not proxied. This enables proxies to notice misuse, such as exploiting the SSL tunneling to establish a telnet session.

Note that protocols that are proxied at the application level by the proxy server, such as HTTP, FTP, and Gopher, cannot be exploited as above because no direct “tunnel” is established through the proxy server. Instead, the proxy will fully re-perform the request on behalf of the client and then pass the response back.   This is important as it may be necessary for the function to be completed properly.  For example it’s common now to stream multimedia or video through  the servers and these need to function on the specific ports.  You won’t be able to stream things like the BBC TV output through this site without some sort of protocol verification taking place.

This ensures that the protocol is a legitimately allowed protocol. ‘ However, the Gopher protocol, or rather Gopher URLs, can be used to fool the proxy to make requests using other protocols by crafting special malicious URLs that convert to the language used by some other protocol.

Common Security Holes in Server Software can be read about on this blog and particularly there are Trojan horses disguised as Gopher URLs. If limiting to well-known ports is not acceptable (there are a number of servers out there running on non-standard ports), it is recommended to at least [9106/e ports that definitely should not be allowed an SSL tunnel to. Among these are ports known to be dedicated for other purposes, such as the telnet and SMTP ports (23, 25, respectively). Some proxy server software may in fact have a built-in filter for these ports and automatically disallow Gopher requests to them.

The Insider Dangers – Network Security

When most network administrators talk about network attacks most are referring to those from outside their networks.   However the reality is that those originating inside the network are not only more common but potentially much more damaging too. Internal attacks represent the vast majority of attacks on network infrastructure. They certainly can be extremely damaging and often much more challenging to find. One factor that aggravates the situation are company insiders having extensive working knowledge of security controls and considerable time to plan an assault.   There is less chance to detect those initial scanning and fingerprinting phases that outside attackers need to do.  The insiders can leverage the valid access they already have to gain additional access to systems.  There’s huge potential for both social engineering and gaining additional information and privileges from within.

There is no doubt that internal attacks are more challenging to detect than those which originate from outside the network.   It is also surprising that company’s often underpay these attacks and in many cases simply ignore them until it’s too late.

This occurs when organizations aren’t monitoring the interior as significantly as the outside. An internal assault might be the consequence of an employee progressively accumulating privileged accessibility and info over a time period of years or even decades.

The internal infrastructure may be opened up to threats from uned ucated or unsuspecting employees. Users could compromise internal security via the installation of firewall beating Peer to Peer file sharing and instant messenger applications. Some P2P applications are packed with spyware or attributes that silently allow the sharing of the whole hard drive.  There are also many threats from the many proxies and VPNs that can be installed.   Even if these VPNs are simply being used for a relatively benign activity like watching the BBC – check this post, it still represents a huge drain on available bandwidth and speed of the network.

Plus there are of course many network aware instant messengers, like AOL Instant Messenger, may be utilized to cut through any open port on a corporate firewall. Modern viruses are accompanied by many attack payloads that may open a system for the carrying. L/lost non technical customers might be unaware they’re creating a gaping security hole by going about their daily activity.

An IDS on the internal side may be utilized to discover both intentional domestic intentions and corporate policy violations. They can discover the signature of the majority of PZP tools, improper Internet use, and instant messengers. This is in addition to the anticipated intrusion monitoring capacity. These capabilities make an IDS an extremely strong security application.  You can even make sure that you keep updating the system to spot known threats more easily.  For instance if you detect a large number of attacks coming from a specific country – say Germany then configure alerts when connections are attempted from a German IP address or proxy.

The line between external and internal is increasingly obscured by corporate partner- ships as well as extranets that enable them. An attacker can jump through one part of the extranet to another, which makes the origin of an attack difficult to differentiate. As increasingly more internal security breaches are discovered, organizations will seek to enhance internal security in the future.

Orchestrating an Attack This section serves as a concise introduction to the kinds of suspicious traffic that you may encounter when using Snort. It’s by no means an effort to be all inclusive or detailed. There are many resources, both in print and on-line related to suspicious traffic analysis. In case you’ve however to develop an intensive signature analysis expertise, this section Will assist you concerning know the various genres of assault and also their associated intent. A number of phases in orchestrating an assault are generic enough that they employ to many network based attacks. If hackers are randomly looking for systems or targeting a specic firm. They follow the tried and true methodology.

Anatomy of a Denial of Service Attack

Following the first planning and reconnaissance legwork is complete, the upcoming logical step is to make use of accumulated info and assault the network. The traffic generated by strikes may take numerous different forms. Everything from the remote exploitation code into questionable normal traffic may signify an attempted assault which needs action. Denial of Service A Denial of Service assault is any attack that disrupts the use of a system in order that legitimate users can no longer access it. DoS attacks are possible on most network equipment, including routers, servers, firewalls, remote access machines, and almost every other network source.  A DOS attack may be specific to the service, like in a FTP assault, or even an entire machine.   Many times the attacks are against commercial targets or to access useful resources.  Many attacks are simply to enable installation of rogue services such as VPNs or FTP which are then used to either store data or to access resources like UK TV abroad like this.

The types of Denial of service attacks are indeed varied and operate on a wide range of targets. However they might be separated into two unique categories that relate to intrusion detection: source depletion and malicious packet strikes. Malicious packet DoS attacks work by sending abnormal visitors to the host to call the service or host to crash. Crafted packet DoS attacks happen when applications isn’t correctly coded to handle abnormal or irregular traffic. Frequently out, of spectrum traffic may cause applications to respond unexpectedly and crash. Attackers may utilize DoS attacks of crafted packages to bring down Intrusion Detection Systems too, even well developed ones like Snort. Additionally to out, of specific range traffic, malicious programs can contain payloads which create a system to crash. A packet payload is input to a service.

In any circumstance whether it’s an application or network enabled device if the input isn’t correctly checked, the application can be DoS’ed. The Microsoft FTP DOS attack demonstrates the broad selection of DoS attacks available to black hats from the wild. The initial step in the assault is to initiate a legitimate FTP link. The attacker then issues a command with a wildcard sequence. Inside the FTP Server, a function that processes wildcard sequences in FTP controls doesn’t allocate enough memory when performing pattern matching. It’s possible for the attackers command containing a wildcard order to cause the FTP service to crash. This particular attack like many including the Snort lCl/lP DoS, are just two samples of the countless thousands of potential Denial of service attacks which are possible and accessible for attackers.  The service can then be used to install malware or other code which are then used for other purposes.  As mentioned above they are often used as hosts for VPN services which are used to watch British TV overseas or other video streaming functions.

The other means to deny service is through source depletion. A source depletion DoS attack functions by flooding a service with so much regular traffic that legitimate users can’t access the service. An attacker inundating an agency with regular traffic may exhaust finite resources like bandwidth, memory, and processor cycles.A classic memory resource exhaustion attack which will bring down a device is  a SYN flood. A SYN flood takes advantage of the Transmission Control Protocol 3, way handshake. The handshake starts off with the customer sending a Transmission Control Protocol SYN pack- et. The host then sends the SYN ACK in response. The handshake is finished when the customer responds with an ACK.

In case the host doesn’t get returned by the ACK, the host sits idle and waits with a session available. Every open session consumes a certain quantity of memory. If enough three, manner handshakes are initiated, the host consumes all available memory waiting for ACKs. The traffic created from the SYN stream is normal in all other respects.

Loki – How ICMP Really Can be Dangerous

Overall ICMP has been viewed as quite a harmless and perhaps even trivial protocol. However that all changed with the rather nasty Loki.  In case you didn’t know Loki is from Norse mythology and he was the god of trickery and mischief.  The Loki exploit is well named and seeks to exploit the hither to benign ICMP protocol.  ICMP is intended mainly to inform users of error conditions and to make very simple requests.  It’s one of the reasons intrusion analysts and malware students tended to ignore the protocol.  Of course it could be used in rather obvious denial of service attacks but they were easily tracked and blocked.

However Loki changed that situation as it used ICMP as a tunneling protocol as a covert channel. The definition of a covert channel in these circumstances is a transport method used in either a secret or unexpected way. The transport vehicle is ICMP but Loki acts much more like a client/server application.  Any compromised host that gets a Loki server instance installed can respond to traffic and requests from a Loki client.   Which would also work if the client was spoofing their IP address to watch something like Netflix for instance – see this.  So for instance a Loki server could respond to a request to display the password file to screen or file. That could then be possibly captured and cracked by the owener of the Loki client application.

Many intrusion detection analysts would have simply ignored ICMP traffic passing through their logs.  Mainly because it’s such a common protocol but also an such an innocuous one.  Of course well read analysts will know treat such traffic with heightened suspicion, Loki really has changed the game for protocols like ICMP.

For those of us who spend many hours watching traffic Loki was a real eye opener.  You had to check those logs a little more carefully especially to watch out for those strange protocols being used in a different context.  There’s some more information on these attacks hidden on this technology blog –  It can take some finding though !!


Introduction to Kerberos Authentication

It’s one of the most widely used methods of authentication and this post will briefly introduce you to the subject. As well as being implemented into many operating systems you will find Kerberos is available in many industrial products too. Kerberos hasn’t been tested or verified. Kerberos has many crucial benefits. Kerberos has a few main flaws that system administrators want to take into consideration. Kerberos is the most frequently used example of this sort of authentication technology.

Encryption couldn’t be enabled. The encryption key is subsequently created. Transport layer encryption isn’t necessary if SPNEGO is used, but the customer’s browser has to be properly configured. This authentication is automatic in the event the domains are in the exact same forest. This sort of authentication is rather simple to understand, since it only involves two systems. There are lots of things that could fail with Kerberos authentication. If you’re failing to utilize Kerberos authentication utilizing the LocalSystem account, you’re more than likely failing to utilize Kerberos authentication when users are going to go to the remote system. It’s not only used for authenticating users, when your iPad connects through it’s VPN to watch British Channels online using your AD network it’s Kerberos that authenticates the machine.

In the event the password is incorrect, then you won’t have the ability to decrypt the message. It is extremely important that you don’t forget this password. You might be surprised how many users utilize a password that is just like their user name.

Your password isn’t a fantastic option for a password. When employing those services or those clients, you might have to put in your password, which is subsequently sent to the server. It’s very probable that this user has set the exact same password for the two principals for reasons of convenience. Ideally, you should simply have to type your password into your private computer, once, at the start of the day.

You won’t be able to administrate your server in case you do not keep in mind the master password. In case the server cannot automatically register the SPN, the SPN has to be registered manually. Its normal in order for it to take some opportunity to begin the admin server so be patient. The specified server cannot carry out the requested operation. A digital server simply suggests that it’s not a component of dedicated host. The RPC Server isn’t actively listening.

Server refused to negotiate authentication, which is needed for encryption. Before deploying Kerberos, a server has to be selected to accept the use of KDC. The network location server is a site that is utilised to detect whether DirectAccess clients are situated in the corporate network.

The client may be using an old Kerberos V5 protocol that doesn’t support initial connection support. If he is unable to get the ticket then you should see an error similar to one below. In Kerberos protocol, he authenticates against the server and also the server authenticates itself against the client. The RPC Client will send the very first packet, called the SYN packet.

If each client should happen to require a special key for each and every service, and if each service should happen to require an exceptional key for each client, key distribution could quickly come to be a challenging problem to fix. My client is not going to send the job unless it receives the right response. The client can’t decrypt the service ticket because only servers can do so, but nevertheless, it can send it on. Later he can use this ticket to get additional tickets for SS using the same shared secret. Both client and server may also be called security principals.

John Simmons

Filtering Authentication Credentials

When you use a proxy or VPN server there is a very important security consideration that you should be aware of that is sometimes overlooked.  Any connection should be very careful about how it handles any authentication credentials that are sent using that connection.  For example if you are using a proxy for all your web browsing, you will need to trust that server handling any user names and passwords that you supply to those websites.  Remember the proxy will forward all traffic to the origin server including those user credentials.

The other consideration is specific proxy server authentication credentials which also may be transmitted or passed on especially if the servers are chained.  It is common for proxy credentials to be forwarded as it’s reduces the need to authenticate multiple times against different servers.   In these situations the last proxy server in the chain should filter out the Proxy-Authorization: header if it is present.

One of the dangers is that a malicious server could intercept or capture these authentication credentials especially if they’re being passed in an insecure manner.    Any proxy involved in the route has the potential for intercepting usernames and passwords.  Many people forget this when using random free proxies they find online, they are implicitly trusting these servers and the unknown administrators with any personal details leaked whilst using these connections.  When you consider that often these free servers are merely misconfigured or ‘hacked’ servers it makes using them even more risky.

It is actually a difficult situation particularly with regards to proxies about how to deal with authentication details.  The situation with VPNs are slightly more straightforward, the details are protected during the majority of the transmission because most VPNs are encrypted.  However that last step to the target server will rely on any in built in security to the connection, although this can be effected as in this article – BBC block VPN connection.

Any server can filter out and protect authentication credentials but obviously those intended for the target can’t be removed.  It is a real risk and does highlight one of the important security considerations of using any intermediate server such as a proxy.    It is important that these servers are in themselves secure and do not introduce additional security risks into the connection.  Sending credentials particularly over a normal HTTP session are already potentially insecure without a badly configured or administered proxy server as well.

Most websites which accept usernames now at least use something like SSL to protect credentials.  However although VPN sessions will transport these connections effectively many proxies are unable to support the tunneling of SSL connections properly.  Man in the middle attacks are also common against these sort of protections and using a poorly configured proxy makes this much easier than a direct connection.  Ultimately there are several points where web security and protecting the data is a concern, it’s best to ensure that a VPN or proxy doesn’t introduce additional security risks into the connection though.

Additional Reading on UK VPN Trial



Content Filtering and Proxies

Proxy servers are as explained on this site, one of the most important components of a modern network infrastructure.  No corporate network should allow ordinary desktop PCs or laptops to directly access the internet without some sort of protection.  Proxy servers provide that protection to a certain extent as long as their use is enforced.

Most users, especially technically minded ones will often resent using proxies because they will be aware of the control that this entails.   The simplest way is to ensure that configuration files are delivered automatically to the desktop by network servers.  For example in a Windows environment this can be achieved using the active directory which can ensure desktops and users receive specific internet configuration files.  For example, you can configure Internet Explorer using a specific configuration which is delivered to every desktop on login.  In addition you can also use Active Directory to block access to install other browsers and configure them.

However although this allows you to control what browser and the internet route that each user will take – it doesn’t restrict what that user can do online.  Another layer is required and most companies will employ some sort of content filtering in order to protect their environment.    However as far as your proxy server is concerned content filtering will almost obviously have a major impact on performance.

One of the most common forms is that of URL filtering and this has one of the biggest performance impacts.  This is largely due to the fact that this sort of filtering inevitably has many types of patterns to match against.   Content filtering will severely impact the performance of a proxy server because of the sheer volume of data that is involved.  Even running a nominal content filter against a UK VPN trial had a similar effect.

There are a variety of different types of filtering such as HTML tag filtering, virus screening or URL screening.   It can be difficult though and the technology is developing all the time, for instance the ability to screen things like Java or ActiveX objects.

One of the biggest problems with content filtering and maintaining performance on the proxies is the fact that entire objects need to be processed.  A proxy server will need to buffer the entire file, and therefore can only proceed with the transmission after the whole file has been checked.   From the user perspective this can be frustrating as there will be long pauses and delays in their browsing especially on busy networks.   Obviously this delay can be justified in the extent of screening for viruses, however this can be controversial for other screening issues.

Further Reference: Using a Paid VPN Service

TCP Configuration: Timestamp Option

The function of the timestamp option is fairly self explanatory, it simply lets the sender place a timestamp value in each and every segment.   In turn the receiver will also reflect this value in it’s acknowledgement which allows the sender to calculate a round trip time for every received ACK.    Remember this is indeed per ACK and not segment as this can include multiple segments.

Initially most implementations of TCP would only allow one RTT per window however this has changed and nowadays larger windows sizes need more accurate RTT calculations.   You can read about the definitions of these calculations in RFC 1323 which covers the TCP enhanced extensions that allow these improved RTT calculations. The time is estimated by sampling a data signal at a lower frequency one time per window which works well with smaller windows (and less segments).

Accurate measurement of data transmission is often very difficult in congested and busy networks also when troubleshooting across networks like the internet.  It’s difficult to  isolate issues and solve problems in these sort of environments because you have no control or access to the majority of the transport hardware.  For example if you are tryign to fix a Netflix VPN problem remotely being able to check the RTT is essential to analyse where the problems potentially lie.

The sender will place a 32 bit value in the initial field which will be echoed back by the receiver in the reply field. This will increase the size of the TCP header from 20 bytes to 32 bytes when this option is used. The timestamp value will increase value on each transaction. There is no clock synchronization between the sender and the receiver merely an increase in the value of the timestamp unit. Most implementations of the timestamp option recommend that the value increment in units of one ideally between 1 millisecond and 1 second.

This option is configured during the connection establishment and is handled the same way as the windows scale option in the previous section. As you may know the receiving connection does not have to acknowledge every data segment it receives. This however is simplified because only a single timestamp value is maintained per active connection which is updated according to simple algorithm.

First of all TCP monitors the timestamp value ensuring it has the correct value to send in the next ACK. The sequence number is updated after each ACK value is sent and not as it’s acknowledged. After a new segment arrives then the byte numbered in a variable called lastack is incremented. After a new segment arrives then this value is increased but the old value stored in a variable called tsrecent, When a timestamp option is sent the tsrecent value is sent, and the sequence number field is stored in the variable called lastack.

This means that in addition to the timestamp option allowing for better RTT calculation it also performs another function. The receiver can use the function to avoid receiving old duplicate segments using an addition feature called PAWS – Protection against Wrapped Sequence Numbers.

Further Reading on Commercial Proxy Options –