Net-Ctrl Blog

Strong Authentication Best Practices

April 15th, 2014

A strong authentication solution that validates the identities of users and computing devices that access the non-public areas of an organisation’s network is the first step in building a secure and robust information protection system.

1. Match Your Authentication Solution to Your Business, Users, and Risk
A flexible approach that enables an organisation to implement different authentication methods based on different risk levels may ensure a robust system that can be efficiently and cost-effectively deployed.
Technologies for multi-factor authentication include:

One-Time Passwords (OTP): OTP technology is based on a shared secret or seed that is stored on the authentication device and the authentication backend. This method ensures authentication by generating a one-time passcode based on the token’s secret.

Certificate-based Authentication (CBA): This method authenticates the user with a public/private key pair that is unique to the authentication device and the person who possesses it. CBA tokens can also be used to digitally sign transactions and to provide non-repudiation. SafeNet, for example, delivers certificate-based authentication via USB tokens and smart cards.

Context-based Authentication: Context-based authentication uses contextual information to ascertain whether a user’s identity is authentic or not, and is recommended as a complement to other strong authentication technologies.

In order to develop a robust authentication solution, organisations should consider their business, users, and risk, and select a solution that gives them the flexibility to adapt as needed. For example, if organisations are interested in implementing additional security solutions that rely on PKI technology, such as full-disk encryption, network logon, and digital signatures, or are thinking about adding such solutions in the future, they should consider CBA, as it enables these applications.
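The OTP description above says the passcode is derived from a seed shared between the token and the backend. The following is an added example, not code from the Net-Ctrl post or from SafeNet, showing that derivation as HOTP (RFC 4226) and its time-based variant TOTP (RFC 6238), together with the backend-side check. The seed is the RFC reference test secret, used here as constructed sample input; the function names and the drift window are this example’s own choices.

```python
"""Added example: HOTP/TOTP derivation and verification with the Python
standard library.  Not part of the original post or any vendor product."""
import hashlib
import hmac
import struct
import time
from typing import Optional

# The RFC 4226/6238 reference secret (20 ASCII bytes), used as constructed
# sample input.  In a deployment this seed exists only on the token and the
# authentication backend; anyone holding it can generate valid codes, which is
# why the seed store is the asset to protect.
SAMPLE_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then reduction modulo 10**digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at_time: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second
    intervals elapsed since the Unix epoch."""
    if at_time is None:
        at_time = time.time()
    return hotp(seed, int(at_time // step), digits)


def verify_totp(seed: bytes, candidate: str, at_time: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Backend-side check.  Accepts the code for the current time step and up
    to `window` steps either side to tolerate clock drift between token and
    server.  Each comparison is constant-time so a partial match does not
    leak through timing."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time // step)
    for drift in range(-window, window + 1):
        c = counter + drift
        if c < 0:              # counters before the epoch never existed
            continue
        if hmac.compare_digest(hotp(seed, c, digits), candidate):
            return True
    return False


if __name__ == "__main__":
    print("HOTP counter 0 :", hotp(SAMPLE_SEED, 0))            # 755224
    print("TOTP at t=59s  :", totp(SAMPLE_SEED, at_time=59))   # 287082
    print("verify 287082  :", verify_totp(SAMPLE_SEED, "287082", at_time=59))
```

The drift window is the usual trade-off: a wider window tolerates more clock skew but gives an attacker who has captured a code a longer period in which it remains valid, so keep it to one step each side and reject replays of an already-accepted counter.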

2. Prefer Solutions That Adhere to Standards-Based Security and Certifications
Products that are built upon standards-based cryptographic algorithms and authentication protocols are preferred. Unlike proprietary algorithms, standards-based algorithms have gone through public scrutiny by industry and security experts, which reduces the chance of inherent weaknesses or vulnerabilities. Moreover, they enjoy broad industry support.

3. Consider All Access Points
Organisations need to ensure that access to all sensitive information is authenticated, whether the information resides on premises or in the cloud. Organisations should implement the same security mechanisms for cloud resources as they would for remote access to the corporate network. In addition, organisations should deploy security mechanisms to ensure that users accessing network resources from their mobile consumer devices (e.g., tablets, smartphones) are securely authenticated.

4. Ensure the Solution Reduces IT Administrative and Management Overhead
Authentication environments have to offer convenience and transparency for end users and administrators alike. Following are several guidelines that can help organisations achieve these goals:

Administrative Controls: Administrators need to be able to manage all users across all devices and resources. To meet this charter, they need automation, central management, and visibility into user access across multiple resources. To ensure users have an optimal experience, administrators need to be equipped with granular controls and comprehensive reporting capabilities.

End-User Convenience: To ensure security controls are enforced while streamlining user access, organisations should be able to offer users the type of authentication device that best suits their role and security profile. Organisations can offer their users several authentication methods, ranging from context-based authentication through SMS, phone tokens or hardware tokens, ensuring user acceptance and compliance with corporate security policies.

If you’re unsure of the best multi-factor authentication solution for your company contact Net-Ctrl on 01473 281 211, or email sales@net-ctrl.com.

View the original best practices guide from SafeNet.

Palo Alto Networks 8 Tips for Dealing with Heartbleed right now

April 14th, 2014

Palo Alto Networks have released their own set of tips for dealing with Heartbleed right away. There’s a lot out there already about what Heartbleed means for the Web and beyond, and I’ll point you to Palo Alto’s analysis written by Scott Simkin or an essay by Dan Goodin over at ars technica for that explanation.

1. Don’t panic: Yes, this is a serious issue – and a vulnerability that has been available for exploitation for over two years. But the chances that hackers have successfully exploited you or your organization are pretty small. Check your trap lines for sure but let’s get on with the business of cleaning up in aisle nine.

2. Monitor Palo Alto Networks IPS vulnerability Signature IDs 36416, 36417, 36418, 40039: For Palo Alto Networks customers, monitor IPS vulnerability signature IDs 36416, 36417, 36418, 40039 for signs of activity. We released those signatures on April 9 and April 10 and they can automatically detect and block attempted exploitation of the vulnerability. If you’re a Palo Alto Networks customer with an up-to-date subscription, you’re covered.

3. Identify and patch your affected systems: I know that this sounds obvious, but don’t assume you know everything. Run local scanners across your network to discover any OpenSSL instances that might have popped up without your knowledge. Both client and server applications utilizing OpenSSL need to be updated.

4. Ping your cloud application providers to see where they are in the cleanup process: Salesforce.com is one cloud provider that already announced that its systems are unaffected by this vulnerability. But you are probably using a handful of other cloud providers for other tasks like HR, Payroll, ERP, etc. Make sure you know who they are and ensure they are cleaning up the same way that you are. As Brian Krebs noted, one useful resource is Filippo Valsorda’s site to check for vulnerable systems.

5. Get new keys: Acquire new key certificates, revoke your old ones and install the new ones. Because of the way the vulnerability works, hackers who have compromised your servers with this Heartbeat weakness may have stolen your private keys. Even after you patch your systems, these guys would still have your private keys. Get a new set of keys.

6. Inform your customers: This is critical. Your customers should already be asking you if you have been affected (see No. 3), but there will be some that do not and will just assume you’re working on it. As a matter of trust, you should be transparent about your cleanup efforts. Do not shy away from this. Since this vulnerability is widespread, you will not be alone in your efforts and maybe you can help some other organization who is not as clear thinking as you are about how to do this cleanup. Customers always remember who acted swiftly and professionally in times of crisis.

7. Change your passwords: Once you have patched your systems, changed your keys, ensured that your cloud providers also accomplished those tasks, then it is time to change the passwords for all users on those systems. But wait on this until everything else is done, because hackers who are hanging out on systems that have not been patched or systems where the keys have not been changed can still read your new password. It does not make sense to change your password until the other tasks are completed.

8. Beware of the inevitable phishing campaigns: Soon you will start to see phishing email messages telling you that you must immediately change your password in order to protect yourself from the Heartbleed vulnerability. They will most likely have a link embedded in the message pointing you to a site that looks very much like your ERP, HR or payroll site, but in fact, it will be a site cleverly designed to collect your credentials. Be wary of all communications.

Read the original report by Rick Howard at Palo Alto Networks.

Net-Ctrl’s Response to the Heartbleed SSL Vulnerability

April 11th, 2014

Net-Ctrl is aware of, and monitoring, the Heartbleed SSL vulnerability that has been publicised heavily over the past few days. For Net-Ctrl we have to look at the incident on many levels:

  • Are any of our own services and systems compromised?
  • Are any of the products and solutions we offer vulnerable?
  • If they are, how are they protecting against it?
  • How can we check whether our customers are vulnerable?
  • How does it affect each one of us individually?

As a starting point, Net-Ctrl contacted all of our technology partners to see if any of their systems may be vulnerable to the Heartbleed situation. This allowed us to check through our customer database to see who may have been affected by the vulnerability and act on it.

One of our vendors, Palo Alto Networks, has not only issued a statement on how Heartbleed affects their firewalls, but has also released vulnerability signatures in order to help protect their customers’ networks against the problem. More details of how to get these can be obtained on their website.

We have had many customers contacting us about their systems, wanting reassurance and direction on whether they need to do anything; many of them were not vulnerable. We have had a few cases where customers’ products were vulnerable, and we have proactively provided a solution in order to make their network safe and secure once again.

Dealing with the Heartbleed Vulnerability

Dealing with the Heartbleed vulnerability through patches and updates is the first step in securing your systems. The second step is to replace your existing encryption keys. This is crucial, as it may be that the vulnerability has already been exploited on your system and your encryption keys used to carry out your SSL connection may have already been obtained. Therefore the data being exchanged on your network is still just as vulnerable post patching.

Soon after the vulnerability announcement, at least one of our SSL certificate providers made statements about the vulnerability and offered to re-issue SSL certificates at no charge, which allows people to replace their compromised keys with fresh ones.

Change your password, but do it the right way

Currently there are a lot of ‘change your password’ messages going around in the media. From an end user’s point of view, this is only worth doing if the platform you use that was vulnerable has now been patched and has also had its keys replaced. Otherwise you’re just changing a password on a system that is still compromised.

Even for systems that were not vulnerable there is an issue: people shouldn’t use the same password to access multiple systems, but if they do, they need to think about all the secure sites they access with the same credentials. The details could have been collected from a different, vulnerable system. So before changing their passwords, users need to check that none of their systems is still vulnerable, which in our view is going to take some time.

You can visit https://www.ssllabs.com/ssltest/ to check whether a particular server is vulnerable. It is worth running all your sites through this tool, but please be aware that it is currently experiencing a lot of traffic.

Here is our Heartbleed action plan:

  1. Check whether any of your solutions are vulnerable. To do so, contact your reseller or visit the technology partner websites, and use the SSL Labs site to check servers.
  2. Apply upgrades and patches where required.
  3. Contact your SSL certificate provider about getting new encryption keys; a lot of providers are offering this ‘free of charge’ in light of the events.
  4. Replace your encryption keys.
  5. Once you’re happy that all of your systems are protected, change all your passwords.
  6. Sit back and relax knowing that your network is now safe and secure once again.
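The ordering in this action plan, and in tip 7 of the Palo Alto Networks list above, is the point practitioners most often get wrong: a password is only worth changing once every system it is used on has been patched and re-keyed. The following is an added example, not code from the Net-Ctrl post or from Palo Alto Networks, that applies that rule across an inventory, including the shared-password case discussed above. The inventory and credential list are constructed sample data, and the status fields, function names and the “not in inventory” reason are this example’s own choices.

```python
"""Added example: decide which passwords are safe to change now under the
rule 'patch, replace keys, then change passwords'.  Constructed sample data;
not part of the original post."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SystemStatus:
    name: str
    was_vulnerable: bool   # ran an affected TLS stack when the bug was public
    patched: bool          # the fix has been applied
    keys_replaced: bool    # private key and certificate have been reissued


def is_clean(s: SystemStatus) -> bool:
    """A system is safe to send a new password to when it was never exposed,
    or when it has been both patched and re-keyed.  Patching alone is not
    enough: a private key captured before the patch still lets an attacker
    read traffic afterwards, including the new password."""
    return (not s.was_vulnerable) or (s.patched and s.keys_replaced)


def blocking_reasons(s: SystemStatus) -> List[str]:
    """Why a system is not yet clean (empty list when it is)."""
    reasons = []
    if s.was_vulnerable and not s.patched:
        reasons.append("not patched")
    if s.was_vulnerable and not s.keys_replaced:
        reasons.append("keys not replaced")
    return reasons


def password_change_plan(systems: Dict[str, SystemStatus],
                         credentials: Dict[str, List[str]]
                         ) -> Tuple[List[str], Dict[str, List[str]]]:
    """`credentials` maps a credential label to every system it is used on.
    Returns (ready, blocked): labels whose systems are all clean, and for the
    others the 'system: reason' strings holding them back.  A system that is
    not in the inventory blocks the credential, because an unknown system
    cannot be assumed patched (tip 3 above: don't assume you know everything)."""
    ready: List[str] = []
    blocked: Dict[str, List[str]] = {}
    for cred, used_on in credentials.items():
        holds: List[str] = []
        for name in used_on:
            s = systems.get(name)
            if s is None:
                holds.append(f"{name}: not in inventory")
                continue
            holds.extend(f"{name}: {r}" for r in blocking_reasons(s))
        if holds:
            blocked[cred] = holds
        else:
            ready.append(cred)
    return ready, blocked


# Constructed sample inventory (hypothetical system names and states).
SAMPLE_SYSTEMS = {
    "webmail":   SystemStatus("webmail",   True,  True,  True),
    "vpn":       SystemStatus("vpn",       True,  True,  False),
    "hr-portal": SystemStatus("hr-portal", False, False, False),
    "wiki":      SystemStatus("wiki",      True,  False, False),
}

# Constructed credential usage; the second entry is a password reused on two systems.
SAMPLE_CREDENTIALS = {
    "alice (mail only)":        ["webmail"],
    "alice (reused on wiki)":   ["webmail", "wiki"],
    "bob (vpn)":                ["vpn"],
    "carol (hr)":               ["hr-portal"],
    "dave (legacy box)":        ["old-intranet"],   # never inventoried
}

if __name__ == "__main__":
    ready, blocked = password_change_plan(SAMPLE_SYSTEMS, SAMPLE_CREDENTIALS)
    print("Change now :", ready)
    for cred, reasons in blocked.items():
        print(f"Wait       : {cred} -> {', '.join(reasons)}")
```

Run as a script it lists which credentials can be rotated today and, for the rest, the exact step still outstanding, which is the list to work through before telling users to change their passwords.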

If you have any concerns or questions over the Heartbleed vulnerability please email me at marketing@net-ctrl.com and I will get back to you as soon as I can.

10 Things Your Next Firewall Must Do

April 8th, 2014

Stop Thinking: Traditional firewall.
Start Thinking: Next-generation firewall.

An Introduction
In the face of today’s complex cybersecurity landscape, choosing your next firewall is more than a simple comparison of technical features. It’s about embracing a change in your role as an enabler of business rather than a blocker. It’s about balancing the needs of the company with the business and security risks associated with modern applications. It’s about acknowledging that the world has changed around you and you can no longer protect yourself with an approach to cyber security that worked well when web browsing and email were the only two applications on the Internet. It’s about the 10 things we describe in this booklet that we believe your next firewall must do.

Stop Thinking: Bricks.
Start Thinking: Open air, everywhere.

Identify and control applications on any port

Application developers no longer adhere to standard port/protocol/application mapping. More and more of the applications on your network are capable of operating on non-standard ports or can hop ports (e.g., instant messaging applications, peer-to-peer file sharing, or VoIP). Additionally, users are increasingly savvy enough to force applications to run over non-standard ports (e.g., RDP, SSH). In order to enforce application-specific policies where ports are increasingly irrelevant, your next firewall must assume that any application can run on any port.

Identify and control circumventors

Most organizations have security policies along with controls designed to enforce those policies. External proxies, remote server/desktop management tools, and encrypted tunnel applications are being used to circumvent security controls like firewalls. Without the ability to identify and control these tools, your organization cannot enforce its security policies, exposing the business to the very cyberattacks the security controls were designed to mitigate. Your next firewall must be capable of dealing with these circumvention tools.

Stop Thinking: Closed doors.
Start Thinking: Freedom.

Decrypt SSL and control SSH usage

The number of commonly used applications on your network that have adopted SSL as a means of encrypting traffic currently hovers at around 25%. The increased use of HTTPS for many high-risk, high-reward applications and users’ ability to manually enable SSL on many websites means your network security team has a large and growing blind spot. As SSH is used more commonly by tech-savvy employees, the encryption blind spot may be even larger than you thought. Your next firewall must be capable of decrypting and inspecting SSL traffic on any port; be flexible enough to bypass selected segments of SSL traffic (e.g., web traffic from health care organizations) and enforce the native use of SSH via policy.

Provide application function control

Many applications have significantly different functions, presenting your organization with different risk profiles and value. Examples exist on both the business and the end-user side: WebEx vs. WebEx Desktop Sharing, and Google Mail vs. Google Talk. If your organization is heavily dependent on intellectual property, then external desktop sharing and file transfer applications may represent security and regulatory risks. Your next firewall must continually evaluate the traffic and watch for changes: if a different function or feature is introduced in the session, the firewall must recognize the shift and perform a policy check.

For the complete list, download Palo Alto Networks’ free guide to the ‘10 Things Your Next Firewall Must Do’.

If you have any questions, please email marketing@net-ctrl.com or contact your account manager directly.

Trade in and Trade up your Security Solution with Net-Ctrl

April 7th, 2014

So you want to replace your current security solution to the latest, industry leading offering from Kaspersky Lab but still have time remaining on your current licence?

Well great news! New customers to Kaspersky can trade in their current security solution and benefit from all the features that Kaspersky Endpoint Security for Business has to offer without needing to wait for your license expiry date.

Available on new purchases of Kaspersky Endpoint Security for Business and/ or Kaspersky Security for Virtualization on licences for 2 or 3 years, you can trade in and get up to 6 months free*!

HOW DOES IT WORK?

An example would be that your current security solution is a paid-for security licence from either Symantec, McAfee, Trend Micro or Sophos that runs until 31/10/2014. You would like to switch to Kaspersky Lab for a 3 year term. We deliver the licence, which will be valid from the “purchase date” of this 3 year term plus the remaining term on your existing agreement, e.g.

• Current license valid until: 31/10/2014
• Purchase date for a new 3 year term on a Kaspersky Lab license: 30/04/2014
• The new licence will therefore run for a total of 3 years + 6 months from 30/04/2014 and will expire 31/10/2017

You therefore don’t pay the 6 months “double cost” for the time your current license is valid, but can benefit from all the award winning technologies of Kaspersky Lab Endpoint Security for Business right away.

Contact us directly to find out more, alternatively please email your enquiry to sales@net-ctrl.com.


How “inconvenient” would it be to lose your passport?

April 4th, 2014

My daughter, who’s nearly 19 years old, thought that she’d lost her passport. For three days in a state of panic she looked in all the places she might have put it and the specific place she thought she put it.

She isn’t travelling abroad any time soon but having to mop up after losing it didn’t fill her with joy, nor me for that matter as I’d likely have to buy the new one.

A similar thing happened to me a few years ago when I thought I’d lost my driving licence. I spent two days looking for it and then cancelled it and had to obtain a new one. Of course, like my daughter’s passport, my driving licence was safely stored where it should have been, in my wallet, and her passport was in her desk drawer. At least she found it before cancelling it.

What’s the point of my stories?

The point is that keeping your valuables safe is very important. Losing a passport is a serious matter, and a company losing its data due to a breach is different, but the heart-sinking feeling you’ll get when you realise you’ve been breached will be much the same, only much worse.

In my previous blog entitled Plan B. An in-depth analysis of securing your data and your reputation, I highlighted that organisations must consider the consequences of a breach. No perimeter or filtering solutions are ever going to be 100% foolproof, so securing the data with encryption and storing the keys in specialist hardware is an absolute must.

Many reputations have been lost, and many sleepless nights have been endured, so now is as good a time as any to look at Plan B.

Call me. Tony Pullon, 01473 281211 or contact sales@net-ctrl.com

Connectivity Problems for Mobile Clinicians – Given up yet?

April 2nd, 2014

There is definitely an art to recognising when accepted procedure isn’t necessarily the best way to do something. And it sometimes takes a brave person within an organisation to put their head over the parapet to point it out. But I have faith in people, and gradually more IT managers aren’t settling for second best, “work-arounds” and inertia.

Here’s an example of what I mean.

For as long as I can remember the NHS has been promoting home based care, where District Nurses, Midwives and other mobile clinicians have been asked to access live clinical applications whilst in the patient’s home. Typically staff are handed a laptop computer loaded with an IPSec VPN or SSL client and a form of two factor authentication. So far so good. Really?

The problem comes when they actually try to use it. The connectivity is awful (most of the time) and users end up leaving their PC in the car and falling back to paper records. This means that expensive medical staff finish early to go home or to the clinic (where there’s a fast, reliable connection) to catch up on the day’s notes, if they have time, perhaps tomorrow!

So the IT department under pressure from the clinical lead and HR decides to do something about it. But what?

The mobile phone data network is slowly getting better, but speed isn’t always the issue; it’s the variability, the flakiness. The drop-outs, the 3G to 2G to no signal and back again, is the issue. That and the impatience of TCP, the re-sends, the lost data, the 15-minute log-on times. Argghhh!

Keep calm, there must be a solution.

Yes, more Internet bandwidth.

Accelerators

Brief-casing

Intelligent Pens

Remember I mentioned the work-arounds. Here they are above. Those and going back to clinic at 3pm to write the notes up.

There is another way which some of you have already adopted. It’s called NetMotion Mobility XE.

It’s a VPN solution, and on paper it looks like any other, BUT it isn’t. It really isn’t. For a start it actually works over flaky, low-bandwidth networks because its underlying architecture was designed for that environment. The system is secure, EAL4 and FIPS certified. It has NAC, Policy and Reporting. It will reduce your ISP and mobile data costs because far less data will be sent (and, with the old system, never received), and staff won’t finish at 3 and drive to a clinic because they will be able to access clinical applications and data LIVE!

Ah! I hear you say. We don’t have any signal in our area. If that is true, and I doubt it in most cases then I really can’t help, but the chances are that you do have a connection but a weak one that your existing VPN can’t make use of. That’s the difference, WE CAN.

And with our “Application Persistence” we can hold the connection even when it goes completely, and when it returns the application and VPN will just carry on where it left off. No lost data. No fed up District Nurses. Fewer calls to IT support from irate mobile clinicians.

Have a look at our web pages dedicated to NetMotion Mobility.

Then we can put you in touch with our customers who come from the ranks of the NHS, Councils, Utility Companies and Emergency Services.

I really look forward to hearing about your connectivity issues and to assess whether NetMotion Mobility and Net-Ctrl know-how can help fix your problems.

Call me: Tony Pullon 01473 281 211

sales@net-ctrl.com

Plan B. An in-depth analysis of securing your data and your reputation

April 1st, 2014

Hands up all those who have a security infrastructure centered around preventing a breach. Yeh, me too. I’ll call it Plan A.

Now hands up all those who have a Plan B.

Ooo, not so many, and I wonder what it is……. I’ll have a guess…. two firewalls, idp, dlp, mdm, 2fa…. OMG!  Enough already.

Now hands up how many have a potential “Snowden” in their organisation or who might in the future? Come on, all your hands should be up now.

One last question. Which of you can guarantee that you won’t get a breach? I mean really guarantee it, stake your job on it…?

I wouldn’t, and neither should you. Not unless you really do have a proper Plan B.

My friend at SafeNet Inc, Tsion Gonen at the SafeNet Partner Conference for the 2nd year running banged on about having a Plan B, and he’s right, ‘cos none of us can be absolutely sure. Can we?

So here’s the thing. Plan B. Which isn’t to undermine Plan A, ‘cos it shouldn’t. Both Plans are entirely valid, even the two firewalls, idp, dlp, mdm, 2fa…. OMG!  All valid.

You have to do two more things.

1. Kill the data

2. Hide the keys

Simple.

Call me, Tony Pullon, 01473 281211, and I’ll tell you how.


Join the Net-Ctrl Sales Team!

March 28th, 2014

Net-Ctrl seeks two well-motivated and professionally minded people to join our sales team. If you’re interested in either of our roles, please send your CV to careers@net-ctrl.com.

Internal Sales Support

You will be working alongside our established internal and external sales team producing quotations and liaising with customers and suppliers. You will be using Sage 50 to raise quotations, MS Word, Excel and Outlook for email and calendar.

The job is office based and full time preferably, 9am to 5pm. Salary is commensurate with experience and industry knowledge.

Products will include Firewalls, Mobile Working/Remote Access, Wireless and Wired Infrastructure.

Sales experience is not as important as being able to work well with other people often under pressure. Accuracy in numeracy and written English is also important but this in no way excludes foreign applicants.

Salary TBD + Package

External Sales Executive

The candidate will have a proven track record in selling IT products or services in to the private and/or public sectors on a business to business basis. You will be able to explain how you went about finding prospects, closing business and developing your clients.

The role will include finding your own leads from telesales activity, often in conjunction with suppliers and vendors. Liaising with our in-house marketing will also provide a steady supply of organisations to call and, hopefully, generate leads. Account management is key to the success of Net-Ctrl, so nurturing clients over time is a must. We are also looking for someone with good communication skills, a driving licence and the willingness to go the extra mile!

Our Head Office is in Ipswich, Suffolk. We would expect the successful candidate to be in the office around once a week and to live within an hour’s journey time of the office.

Products will include Firewalls, Mobile Working/Remote Access, Wireless and Wired Infrastructure.

Salary TBD + OTE year one + package

Ruckus Wireless Releases 802.11ac Access Point

March 20th, 2014

Ruckus Wireless have released their first 802.11ac access point, called the R700.

The ZoneFlex R700 ensures the most reliable connectivity within challenging and ever-changing RF environments. With BeamFlex+, the ZoneFlex R700 is capable of delivering 6 dB of signal-to-interference-plus-noise (SINR) improvement and up to 15 dB of interference mitigation over other APs. The ZoneFlex R700 simultaneously supports spatial multiplexing and BeamFlex+ to deliver the best price/performance of any three-stream 802.11ac AP.

ZoneFlex R700 is purpose-built for high-capacity, high performance and interference-laden environments such as airports, public venues, hotels, universities and conference centers. The perfect choice for data-intensive streaming multimedia applications, the ZoneFlex R700 delivers picture perfect HD-quality IP video while supporting VoIP and data applications that have stringent quality of service requirements.

Download the Ruckus ZoneFlex R700 Datasheet

Features:

Ultra high performance and cost effective

  • Three-stream MIMO 3×3:3
  • Concurrent dual-band (5GHz/2.4GHz) support
  • 450 Mbps of user throughput per radio (2.4 GHz) and 1300 Mbps (5 GHz)
  • Up to 6 dB of signal-to-interference-plus-noise ratio (SINR) improvement and up to 15 dB of interference mitigation
  • Transmit beamforming capable
  • Capable of supporting over 500 clients
  • Novel channel selection approach delivering up to 50 percent capacity gain over alternative background scanning approaches

Adaptive antennas and Automatic interference mitigation

  • Up to 2 times extended range and coverage
  • Automatic interference mitigation, optimized for high-density environments
  • Dual polarized adaptive antennas with 21 antenna elements and over 3000 antenna patterns for ultra-reliability

Concurrent support for HD IPTV, VoIP and data

  • Support for isochronous, multicast IP video streaming
  • Four queues per client station

Differentiated services with multiple SSIDs

  • 32 BSSIDs with unique QoS and security policies (8 BSSIDs at 5 GHz)
  • WPA-PSK (AES), 802.1X support
  • Zero-IT and Dynamic PSK
  • Captive portal and guest accounts
  • RADIUS and Active Directory support