Tag Archives: Network

Cisco ETA security integrated into Catalyst, ASR, ISR

Cisco boosted its IOS network operating system, integrating technology designed to spot malware activity in encrypted traffic. The company has incorporated the capability in the version of IOS that runs on Catalyst 9000 switches and ASR and ISR routers.

The integration makes it possible for companies using the hardware to subscribe to Cisco’s Encrypted Traffic Analytics (ETA), which the vendor made available for testing in June 2017. Cisco ETA is scheduled to be generally available Jan. 10.

The hardware support for Cisco ETA puts “meat on the bones of the initial announcement,” said Brad Casemore, an analyst at IDC. Cisco chose the right products for ETA because they are designed for enhanced security capabilities.

How Cisco ETA works

The Cisco ETA technology incorporated in IOS XE makes it possible for the hardware to generate ETA metadata and export it with additional telemetry to the vendor’s Stealthwatch Enterprise Edition Flow Collector, Brian Ford, technical marketing engineer in the Cisco security business group, said this week in a blog post. Stealthwatch collects flow records about network events, so they can be analyzed for malware activity.

Stealthwatch sends the ETA metadata and telemetry to Cisco’s cloud-based Cognitive Threat Analytics service, which examines the data, formulates risk scores for events and sends them to the customer’s Stealthwatch Management Console.

ETA gathers metadata from traffic without decrypting the packet flow. The nondecryption technique, which involves Cisco-developed machine learning, is meant to preserve a company’s data privacy, Ford said.

ETA looks for signs of malware in three features of encrypted data, according to Cisco. They include the first data packet from a new network connection, the sequence of packet lengths and times, and the byte distribution across the payloads of the packets.
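The three features named above can be computed from packet metadata alone. The following is an added example, not Cisco's code or any part of ETA, that extracts them from a constructed TLS-like flow: the initial data packet (the ClientHello, whose fields are cleartext), the sequence of packet lengths and inter-arrival times, and the normalised byte distribution of the payloads. The `SAMPLE_FLOW` records and the 64-byte and 20-packet caps are assumptions chosen for illustration.

```python
"""Added example: ETA-style feature extraction without decryption.
Not Cisco's implementation; the flow below is constructed."""
from collections import Counter
import math

# Constructed flow: (timestamp_seconds, direction, payload_bytes).
# "c2s" is client-to-server, "s2c" is server-to-client. The record
# headers mimic TLS record types (0x16 handshake, 0x17 application data).
SAMPLE_FLOW = [
    (0.000, "c2s", bytes([0x16, 0x03, 0x01, 0x00, 0xC5]) + b"\x01\x00\x00\xc1" + bytes(range(40))),
    (0.012, "s2c", bytes([0x16, 0x03, 0x03, 0x00, 0x5A]) + bytes(range(90))),
    (0.015, "c2s", bytes([0x14, 0x03, 0x03, 0x00, 0x01, 0x01])),
    (0.020, "c2s", bytes([0x17, 0x03, 0x03, 0x00, 0x20]) + b"\xab" * 32),
    (0.310, "s2c", bytes([0x17, 0x03, 0x03, 0x01, 0x00]) + b"\xcd" * 256),
]


def initial_data_packet(flow, max_bytes=64):
    """First data packet of the connection. For TLS this is the ClientHello,
    whose version, cipher suites and extensions are visible in cleartext."""
    return flow[0][2][:max_bytes]


def splt(flow, max_packets=20):
    """Sequence of Packet Lengths and Times: signed payload lengths
    (positive c2s, negative s2c) paired with inter-arrival time in ms."""
    seq = []
    prev_t = flow[0][0]
    for t, direction, payload in flow[:max_packets]:
        length = len(payload) if direction == "c2s" else -len(payload)
        seq.append((length, round((t - prev_t) * 1000.0, 3)))
        prev_t = t
    return seq


def byte_distribution(flow):
    """Normalised 256-bin histogram over every payload byte in the flow."""
    counts = Counter()
    total = 0
    for _, _, payload in flow:
        counts.update(payload)
        total += len(payload)
    return [counts[b] / total for b in range(256)]


def byte_entropy(dist):
    """Shannon entropy in bits of a byte distribution; 8.0 means uniform,
    which is what well-encrypted application data tends toward."""
    return -sum(p * math.log2(p) for p in dist if p > 0)


def extract_features(flow):
    """Bundle the three ETA-style features for a downstream classifier."""
    return {
        "idp": initial_data_packet(flow),
        "splt": splt(flow),
        "bd": byte_distribution(flow),
    }


if __name__ == "__main__":
    feats = extract_features(SAMPLE_FLOW)
    print("first record type byte:", hex(feats["idp"][0]))
    print("SPLT:", feats["splt"])
    print("payload entropy (bits):", round(byte_entropy(feats["bd"]), 3))
```

Each feature feeds a classifier as a fixed-size vector; none of them requires the session keys, which is what lets a flow collector score traffic while the payload stays private.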

Attackers expected to adapt

Some security experts have told TechTarget searching for malware activity in encrypted traffic can lead to a cat-and-mouse game with cybercriminals. As attackers become familiar with detection methods, “they will likely try to modify their encrypted traffic to blend in and remove the features that machine learning models rely on for detection,” said Nick Bilogorskiy, senior director of threat operations at Cyphort Inc.

Security is a significant piece of Cisco’s strategy to generate half its revenue from software and services by the fiscal year 2020. Cisco’s fiscal year runs from August to the following July.

In the first quarter of the current fiscal year, which ended Oct. 28, Cisco reported security revenue rose 8% year over year. The company expects security and software-based networking initiatives to help drive a projected revenue increase of 1% to 3% in the current quarter. The growth would end an eight-quarter streak of revenue declines.

Five questions to ask before purchasing NAC products

As network borders become increasingly difficult to define, and as pressure mounts on organizations to allow many different devices to connect to the corporate network, network access control is seeing a significant resurgence in deployment.

Often positioned as a security tool for the bring your own device (BYOD) and internet of things (IoT) era, network access control (NAC) is also increasingly becoming a very useful tool in network management, acting as a gatekeeper to the network. It has moved away from being a system that blocks all access unless a device is recognized, and is now more permissive, allowing for fine-grained control over what access is permitted based on policies defined by the organization. By supporting wired, wireless and remote connections, NAC can play a valuable role in securing all of these connections.

Once an organization has determined that NAC will be useful to its security profile, it’s time for it to consider the different purchasing criteria for choosing the right NAC product for its environment. NAC vendors provide a dizzying array of information, and it can be difficult to differentiate between their products.

When you’re ready to buy NAC products and begin researching your options — and especially when speaking to vendors to determine the best choice for your organization — consider the questions and features outlined in this article.

NAC device coverage: Agent or agentless?

NAC products should support all devices that may connect to an organization’s network. This includes many different configurations of PCs, Macs, Linux devices, smartphones, tablets and IoT-enabled devices. This is especially true in a BYOD environment.

NAC agents are small pieces of software installed on a device that provide detailed information about the device — such as its hardware configuration, installed software, running services, antivirus versions and connected peripherals. Some can even monitor keystrokes and internet history, though that presents privacy concerns. NAC agents can either run scans as a one-off — dissolvable — or periodically via a persistently installed agent.

If the NAC product uses agents, it’s important that they support the widest variety of devices possible, and that other devices can use agentless NAC if required. In many cases, devices will require the NAC product to support agentless implementation to detect BYOD and IoT-enabled devices and devices that can’t support NAC agents, such as printers and closed-circuit television equipment. Agentless NAC allows a device to be scanned by the network access controller and be given the correct designation based on the class of the device. This is achieved with aggressive port scans and operating system version detection.

Agentless NAC is a key component in a BYOD environment, and most organizations should look at this as must-have when buying NAC products. Of course, gathering information via an agent will provide more information on the device, but it’s not viable on a modern network that needs to support many different devices.

Does the NAC product integrate with existing software and authentication?

This is a key consideration before you buy an NAC product, as it is important to ensure it supports the type of authentication that best integrates with your organization’s network. The best NAC products should offer a variety of choices: 802.1X (through the use of a RADIUS server), Active Directory, LDAP or Oracle. NAC will also need to integrate with the way an organization uses the network. If the staff uses a specific VPN product to connect remotely, for example, it is important to ensure the NAC system can integrate with it.

Supporting many different security systems that do not integrate with one another can cause significant overhead. A differentiator between the different NAC products is not only what type of products they integrate with, but also how many systems exist within each category.

Consider the following products that an organization may want to integrate with, and be sure that your chosen NAC product supports the products already in place:

1. Security information and event management

2. Vulnerability assessment

3. Advanced threat detection

4. Mobile device management

5. Next-generation firewalls

Does the NAC product aid in regulatory compliance?

NAC can help achieve compliance with many different regulations, such as the Payment Card Industry Data Security Standard, HIPAA, International Organization for Standardization 27002 — ISO 27002 — and the National Institute of Standards and Technology. Each of these regulations stipulates certain controls regarding network access that should be implemented, especially around BYOD, IoT and rogue devices connecting to the network.

By continually monitoring network connections and performing actions based on the policies set by an organization, NAC can help with compliance with many of these regulations. These policies can, in many cases, be configured to match those of the compliance regulations mentioned above. So, when buying NAC products, be sure to have compliance in mind and to select a vendor that can aid in this process — be it through specific knowledge in its support team or through predefined policies that can be tweaked to provide the compliance required for your individual business.

What is the true cost of buying an NAC product?

The price of NAC products can be the most significant consideration, depending on the budget you have available for procurement. Most NAC products are charged per endpoint (device) connected to the network. On a large network, this can quickly become a substantial cost. There are often also hidden costs with NAC products that must be considered when assessing your purchase criteria.

Consider the following costs before you buy an NAC product:

1. Add-on modules. Does the basic price give organizations all the information and control they need? NAC products often have hidden costs, in that the basic package does not provide all the functionality required. The additional cost of add-on modules can run into tens of thousands of dollars on a large network. Be sure to look at what the basic NAC package includes and investigate how the organization will be using the NAC system. Specific integrations may be an additional cost. Is there extra functionality that will be required in the NAC product to provide all the benefits required?

2. Upfront costs. Are there any installation charges or initial training that will be required? Be sure to factor these into the calculation, on top of the price per endpoint — of course.

3. Support costs. What level of support does the organization require? Does it need one-off or regular training, or does it require 24/7 technical support? This can add significantly to the cost of NAC products.

4. Staff time. While not a direct cost of buying NAC products, consider how much monitoring an NAC system requires. Time will need to be set aside not only to learn the NAC system, but to manage it on an ongoing basis and respond to alerts. Even the best NAC systems will require staff to be trained so if problems occur, there will be people available to address the issues.

NAC product support: What’s included?

Support from the NAC manufacturer is an important consideration from the perspective of the success of the rollout and assessing the cost. Some of the questions that should be asked are:

  1. What does the basic support package include?
  2. What is the cost of extended support?
  3. Is support available at all times?
  4. Does the vendor have a significant presence in the organization’s region? For example, some NAC providers are primarily U.S.-based, and if an organization is based in EMEA, it may not provide the same level of support.
  5. Is on-site training available and included in the license?

Support costs can significantly drive up the cost of deployment and should be assessed early in the procurement process.

What to know before you buy an NAC system

When it comes to purchasing criteria for network access control products, it is important that not only is an NAC system capable of detecting all the devices connected to an organization’s network, but that it integrates as seamlessly as possible. The cost of attempting to shoehorn existing processes and systems into an NAC product that does not offer integration can quickly skyrocket, even if the initial cost is on the cheaper side.

NAC should also work for the business, not against it. In the days when NAC products only supported 802.1x authentication and blocked everything by default, it was seen as an annoyance that stopped legitimate network authentication requests. But, nowadays, a good NAC system provides seamless connections for employees, third parties and contractors alike — and to the correct area of the network to which they have access. It should also aid in regulatory compliance, an issue all organizations need to deal with now.

Assessing NAC products comes down to the key questions highlighted above. They are designed to help organizations determine what type of NAC product is right for them, and accordingly aid them in narrowing their choices down to the vendor that provides the product that most closely matches those criteria.

Once seldom used by organizations, endpoint protection is now a key part of IT security, and NAC products have a significant part to play in that. From a hacker’s perspective, well-implemented and managed NAC products can mean the difference between a full network attack and total attack failure.

Juniper Contrail battles Cisco ACI, VMware NSX in the cloud

SAN FRANCISCO — Juniper Networks has extended its Contrail network virtualization platform to multicloud environments, competing with Cisco and VMware for the growing number of enterprises running applications across public and private clouds.

The Juniper Contrail Enterprise Multicloud, introduced this week at the company’s NXTWORK conference, is a single software console for orchestrating, managing and monitoring network services across applications running on cloud-computing environments. The new product, which won’t be available until early next year, would compete with the cloud versions of Cisco’s ACI and VMware’s NSX.

Also at the show, Juniper announced that it would contribute the codebase for OpenContrail, the open source version of the software-defined networking (SDN) overlay, to The Linux Foundation. The company said the foundation’s networking projects would help drive OpenContrail deeper into cloud ecosystems.

Contrail Enterprise Multicloud stems, in part, from the work Juniper has done over several years with telcos building private clouds, Juniper CEO Rami Rahim told analysts and reporters at the conference.

“It’s almost like a bad secret — how embedded we have been now with practically all — many — telcos around the world in helping them develop the telco cloud,” Rahim said. “We’ve learnt the hard way in some cases how this [cloud networking] needs to be done.”

Is Juniper’s technology enough to win?

Technologically, Juniper Contrail can compete with ACI and NSX, IDC analyst Brad Casemore said. “Juniper clearly has put considerable thought into the multicloud capabilities that Contrail needs to support, and, as you’d expect from Juniper, the features and functionality are strong.”

However, Juniper will need more than good technology when competing for customers. A lot more enterprises use Cisco and VMware products in data centers than Juniper gear. Also, Cisco has partnered with Google to build strong technological ties with the Google Cloud Platform, and VMware has a similar deal with Amazon.

“Cisco and VMware have marketed their multicloud offerings aggressively,” Casemore said. “As such, Juniper will have to raise and sustain the marketing profile of Contrail Enterprise Multicloud.”

Networking with Juniper Contrail Enterprise Multicloud

Contrail Enterprise Multicloud comprises networking, security and network management. Companies can buy the three pieces separately, but the new product lets engineers manage the trio through the software console that sits on top of the centralized Contrail controller.

For networking in a private cloud, the console relies on a virtual network overlay built on top of abstracted hardware switches, which can be from Juniper or a third party. The system also includes a virtual router that provides links to the physical underlay and Layer 4-7 network services, such as load balancers and firewalls. Through the console, engineers can create and distribute policies that tailor the network services and underlying switches to the needs of applications.

Contrail Enterprise Multicloud capabilities within public clouds, including Amazon Web Services, Google Cloud Platform and Microsoft Azure, are different because the provider controls the infrastructure. Network operators use the console to program and control overlay services for workloads through the APIs made available by cloud providers. The Juniper software also uses native cloud APIs to collect analytics information. 

Other Juniper Contrail Enterprise Multicloud capabilities

Network managers can use the console to configure and control the gateway leading to the public cloud and to define and distribute policies for cloud-based virtual firewalls.

Also accessible through the console is Juniper’s AppFormix management software for cloud environments. AppFormix provides policy monitoring and application and software-based infrastructure analytics. Engineers can configure the product to handle routine networking tasks.

The cloud-related work of Juniper, Cisco and VMware is a recognition that the boundaries of the enterprise data center are being redrawn. “Data center networking vendors are having to redefine their value propositions in a multicloud world,” Casemore said.

Indeed, an increasing number of companies are reducing the amount of hardware and software running in private data centers by moving workloads to public clouds. Revenue from cloud services rose almost 29% year over year in the first half of 2017 to more than $63 billion, according to IDC.

Barefoot Tofino chip tapped for Deep Insight network monitor

Barefoot Networks has introduced software that pinpoints anomalies in network traffic at the packet level. The new product, called Deep Insight, works on Ethernet switches powered by Barefoot Tofino, a programmable chip for the data center.

The software, unveiled this week, provides graphical reporting on network abnormalities, such as dropped packets and microbursts. The latter refers to traffic congestion that lasts for microseconds in a switch. Such delays are a problem, for example, in high-speed transactions performed by financial applications.

To use the software, network operators must first program each Barefoot Tofino chip to add to packets metadata that could include arrival time, matched rules, queue delay and switch identity. Engineers program the silicon using P4, an open source language that directs network devices on how to process packets.

Network managers choose the metadata each switch adds to packets as they travel to the application. The last switch collects the metadata and sends the package to Deep Insight, which runs on a commodity server.

The software establishes a baseline for network operations, so it can identify anomalies and display the details to network operators. To reduce the amount of unnecessary information, engineers choose the application traffic the software will analyze.

Deep Insight data drawn from Barefoot Tofino

The information Deep Insight provides includes the path taken by a packet, the rules it followed along the route, the amount of time it queued at each switch and the other packets with which it shared the queues.
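To show what a collector can do with per-hop metadata of the kind described in the two passages above (path, matched rules, queueing time, and a learned baseline for spotting microbursts), here is an added example. It is not Barefoot's code and the record layout is a constructed stand-in, not the Deep Insight format; the median-plus-MAD threshold and the `k=10` multiplier are assumptions.

```python
"""Added example: baseline and anomaly detection over per-hop packet
telemetry. Illustrative only; the TELEMETRY records are constructed."""
import statistics

# Constructed telemetry: one record per packet, one entry per switch on the
# path, as (switch_id, matched_rule, queue_delay_us).
TELEMETRY = [
    [("leaf1", "acl10", 4), ("spine1", "fwd", 6), ("leaf2", "acl20", 5)],
    [("leaf1", "acl10", 5), ("spine1", "fwd", 7), ("leaf2", "acl20", 4)],
    [("leaf1", "acl10", 4), ("spine1", "fwd", 5), ("leaf2", "acl20", 6)],
    [("leaf1", "acl10", 6), ("spine1", "fwd", 6), ("leaf2", "acl20", 5)],
    # Constructed microburst: spine1 queue delay jumps two orders of magnitude.
    [("leaf1", "acl10", 5), ("spine1", "fwd", 210), ("leaf2", "acl20", 5)],
]


def path_of(record):
    """Switch-by-switch path the packet took, in order."""
    return [switch for switch, _, _ in record]


def matched_rules(record):
    """Rule applied at each hop, as (switch, rule) pairs."""
    return [(switch, rule) for switch, rule, _ in record]


def total_queue_delay_us(record):
    """End-to-end queueing time summed over all hops."""
    return sum(delay for _, _, delay in record)


def build_baseline(records, k=10.0):
    """Per-switch threshold = median + k * MAD. Median and MAD are robust to
    a few outliers in the training window, so an embedded microburst does
    not inflate its own threshold. A 1 us floor on the MAD keeps the
    threshold meaningful when a switch's delays are nearly constant."""
    samples = {}
    for rec in records:
        for switch, _, delay in rec:
            samples.setdefault(switch, []).append(delay)
    baseline = {}
    for switch, delays in samples.items():
        med = statistics.median(delays)
        mad = statistics.median(abs(d - med) for d in delays)
        baseline[switch] = med + k * max(mad, 1.0)
    return baseline


def find_anomalies(records, baseline):
    """Return (packet_index, switch, delay_us, threshold_us) for each hop
    whose queue delay exceeds that switch's threshold."""
    hits = []
    for i, rec in enumerate(records):
        for switch, _, delay in rec:
            if delay > baseline[switch]:
                hits.append((i, switch, delay, baseline[switch]))
    return hits


if __name__ == "__main__":
    base = build_baseline(TELEMETRY)
    for idx, sw, delay, thr in find_anomalies(TELEMETRY, base):
        rec = TELEMETRY[idx]
        print(f"packet {idx}: {delay} us at {sw} (threshold {thr} us)")
        print("  path:", " -> ".join(path_of(rec)))
        print("  rules:", matched_rules(rec))
        print("  total queue delay:", total_queue_delay_us(rec), "us")
```

The report for a flagged packet carries exactly the items the paragraph lists: which switches it crossed, which rule matched at each, and how long it queued, so an operator can attribute a latency spike to one hop rather than to the path as a whole.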

Barefoot plans to eventually extend Deep Insight to open source virtual switches built on specifications developed by the Open vSwitch Project and network interface cards that support the P4 language. The company did not provide a timetable for the support.

Barefoot Tofino, which processes packets at 6.5 Tbps, is marketed as an alternative to fixed-function application-specific integrated circuits. Tofino appeals to large data centers, cloud and communication service providers, and white box switch makers that incorporate the technology into their product lines, analysts said. Examples of the latter include Edgecore Networks and WNC.

Barefoot plans to sell the Deep Insight software based on the number of packets processed each second. Barefoot has product trials underway with select customers and plans to make the software available in February.

VMware NSX-T gets support for Pivotal Container Service

VMware has updated its version of NSX for non-vSphere environments, adding to the network virtualization software integration with the Pivotal Container Service and the latest iteration of Pivotal Cloud Foundry.

VMware introduced NSX-T 2.1 on Tuesday. Through NSX-T, Pivotal Container Service, or PKS, brings support for Kubernetes container clusters to vSphere, VMware’s virtualization platform for the data center. PCF is an open source cloud platform as a service (PaaS) that developers use to build, deploy, run and scale applications.

VMware developed the Cloud Foundry service that is the basis for PCF. Pivotal Software, whose parent company is Dell Technologies, now owns the PaaS, which Pivotal licenses under Apache 2.0.

VMware NSX-T was introduced early this year to provide networking and security management for non-vSphere application frameworks, OpenStack environments, and multiple KVM distributions.

Support for KVM underscores VMware’s recognition that the virtualization layer in Linux is a force in cloud environments. As a result, the vendor has to provide integration with vSphere for VMware to extend its technology beyond the data center.

Kubernetes cluster support in VMware NSX-T

VMware NSX-T integration with PKS is significant because of the extensive use of Kubernetes in public, private and hybrid cloud environments. Kubernetes, which Google developed, is used to automate the deployment, scaling, maintenance, and operation of multiple Linux-based containers across clusters of nodes. Google, VMware and Pivotal developed PKS.

VMware has said it plans to add Docker support in NSX-T. Docker is another popular open source software platform for application containers.

VMware NSX-T is a piece of the vendor’s strategy for spreading its technology across the branch, WAN, cloud computing environments, and security and networking in the data center. Essential to its networking plans is the acquisition of SD-WAN vendor VeloCloud, which VMware plans to complete by early next year.

VMware expects to use VeloCloud to take NSX into the branch and the WAN. “What VeloCloud offers is really NSX everywhere,” VMware CEO Pat Gelsinger told analysts last week, according to a transcript published by the financial site Seeking Alpha.

Gelsinger held the conference call after the company released earnings for the fiscal third quarter ended Nov. 3. VMware reported revenue of $1.98 billion, an increase of 11% over the same period last year. Net income grew to $443 million from $319 million a year ago.

New ONAP architecture provides network automation platform

Eight months after its inception, the Open Network Automation Platform project released its first code, dubbed Amsterdam. The ONAP architecture is a combination of two former open source projects — AT&T’s Enhanced Control, Orchestration, Management and Policy and the Open-Orchestrator project.

ONAP’s November release targets carriers and service providers by creating a platform for network automation. It includes two blueprints — one for Voice over Long Term Evolution and one governing virtual customer premises equipment. Additionally, Amsterdam focuses on automating the service lifecycle management for virtual network functions (VNFs), said Arpit Joshipura, general manager of networking and orchestration at The Linux Foundation, which hosts the ONAP project.

The ONAP architecture includes three main components: design time, run time and the managed environment. Users can package VNFs according to their individual requirements, but Amsterdam also offers a VNF software developer kit (SDK) to incorporate third-party VNFs, Joshipura said.

Once services are live, the code — a combination of existing Enhanced Control, Orchestration, Management and Policy, or ECOMP, and Open-O with new software — can manage physical and virtual network functions, hypervisors, operating systems and cloud environments. The ONAP architecture integrates with existing operational and billing support systems through an external API framework.

VNF automation is a key component, Joshipura said.

“The network is constantly collecting data, analytics, events, security, scalability — all the things relevant to closed-loop automation — and then it feeds it [the data] back to the service lifecycle management,” he said. “If a VNF needs more VMs [virtual machines] or more memory or a change in priority or quality of service, all that is automatically done — no human touch required.”

Because ONAP is a collection of individual open source projects, some industry observers and potential users expressed doubts about how easy it would be to put Amsterdam to use — particularly since AT&T was originally the main ECOMP contributor. But Joshipura said ONAP reworked the code to reduce the complexity and make Amsterdam usable for the majority of users, not just specific contributors.

“Originally, yes, it was complex because it was a set of two monolithic codes. One was Open-O and the other was ECOMP,” he said. “Then, what we did was we decoupled and modularized it and we removed all the open source components. We refactored a lot of code when we added new code.”

The result is a modular platform — not a product, he said — that has many parts doing several different things. This modularity means carriers and service providers can pick and choose from the Amsterdam code or use the platform as a whole.

ONAP’s next release — Beijing, expected in 2018 — will focus on support for enterprise workloads, including 5G and internet of things (IoT).

MEF releases 3.0 framework aimed at automation, orchestration

MEF has released a new framework governing how service providers deploy network automation and orchestration.

MEF 3.0 Transformational Global Services Framework is the latest effort by the organization to move beyond its carrier Ethernet roots. MEF is shifting its focus toward creating a foundation that service provider members can use as they move toward cloud-native environments.

MEF 3.0 is developed around four main components: standardized and orchestrated services, open lifecycle service orchestration (LSO) APIs, certification programs and community collaboration.

With the new framework, MEF is defining network services, like wavelength, IP and security, to help service providers move to cloud environments and network automation, according to Pascal Menezes, CTO at MEF, based in Los Angeles.

“A service is defined like a language that everybody can understand, whether it be a subscriber ordering it or a provider implementing it. They all agree on that language,” he said. “But how they actually implement it and what technology they use is independent and was never really defined in any specs. It defines SLA objectives, performance objectives and different classes of performances, but it doesn’t tell you how to implement.”

MEF has previously worked on orchestrating connectivity services, like wavelength and IP, and intends to deliver that work early next year, Menezes said. MEF has started developing SD-WAN orchestration standards, as well, citing its role as a bridge between connectivity layer services and other services, like security as a service and application performance, he added.

These services are automated and orchestrated via MEF LSO APIs. MEF released two LSO APIs earlier this year and will continue to develop more within MEF’s LSO reference orchestration framework. The certification programs will correlate with upcoming releases and are subscription-based, he said.

The fourth MEF 3.0 component involves what MEF calls community collaboration. This involves open source contributions, an enterprise advisory council, hackathons and partnerships with other industry groups. MEF and ONAP, for example, announced earlier this year they are working together to standardize automation and orchestration for service provider networks.

In a separate announcement this week, MEF said it plans to combine its efforts to determine how cloud applications connect with networks with work conducted by the International Multimedia Telecommunications Consortium (IMTC) to define application performance. According to Menezes, MEF will integrate existing IMTC work into its new applications committee and will take over any active projects as part of the MEF 3.0 framework. 

“IMTC has been focused on real-time media application performance and interoperability. It made a lot of sense to bring that work into MEF,” Menezes said.

Network command-line interface to remain part of the mix

Ivan Pepelnjak, blogging in ipSpace, waded into the debate over the future of the network command-line interface, or CLI. Pepelnjak criticized the idea that the network command-line interface is on its last legs. In his view, much of the debate is stoked by startups trying to sell different automation and management approaches. Yet, Pepelnjak conceded, there is a very big difference between Linux CLI and the “arcane stuff you get on network devices.”

Rather than eliminate network command-line interfaces, he said the ultimate goal should be automating as much network infrastructure as possible. He recommended an amalgamation of approaches, encompassing a GUI for casual users, an API for upstream software — say, for orchestration — and a CLI for advanced users to make their own modifications.

To ease complexity and prevent dangerous faults, Pepelnjak suggested crafting Ansible playbooks wrapped in bash, Python or Perl scripts and making them executable with inv or within larger Python systems. Network automation teams need to pay careful attention when they determine what needs to be done and the best tool kit for the job.

Intent and network verification

Peter Welcher, an architect and contributor to NetCraftsmen, wrote about Veriflow, one of a number of new vendors focusing on intent-based networking. Veriflow, Welcher wrote, offers vendor-agnostic software that verifies implementations, enabling users to ensure the network complies with business intent. According to Welcher, the challenge is conveying the right intent, and Veriflow’s ability to perform this low-level checking is what makes it stand out.

Veriflow’s platform collects configuration data, along with data plane information, time-stamped to gauge the state of the network. The vendor also offers an API to automate intent rule creation. In Welcher’s view, the benefit of the product comes from its ability to understand and work with different network topologies and device configurations, potentially boosting the capabilities of a network without retooling it with new hardware or software.
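The core of intent-based verification is checking a model of the collected network state against statements of what should and should not be reachable. The following added example is not Veriflow's code and uses a constructed topology, ACL set and intent list; it computes reachability over the device graph with first-match ACL evaluation and reports each intent as satisfied or violated, including one deliberately violated intent (the core switch has no ACL, so guest clients can reach the management segment).

```python
"""Added example: verifying reachability intents against a constructed
network model. Not Veriflow's implementation; all data below is made up."""
import ipaddress
from collections import deque

# Constructed device adjacency (undirected links listed both ways).
LINKS = {
    "guest-sw": ["core"],
    "core": ["guest-sw", "fw", "mgmt-sw"],
    "fw": ["core", "db-sw"],
    "db-sw": ["fw"],
    "mgmt-sw": ["core"],
}
# Constructed prefix-to-device attachment collected from the data plane.
ATTACHED = {
    "10.10.0.0/16": "guest-sw",
    "10.20.0.0/24": "mgmt-sw",
    "10.30.0.0/24": "db-sw",
}
# Constructed ACLs: (action, src_prefix, dst_prefix, dst_port or None),
# first match wins; devices without an ACL forward everything.
ACLS = {
    "fw": [
        ("permit", "10.20.0.0/24", "10.30.0.0/24", 5432),
        ("deny", "0.0.0.0/0", "10.30.0.0/24", None),
    ],
}
# Constructed intents: (expected, src_ip, dst_ip, dst_port, description).
INTENTS = [
    ("deny", "10.10.5.7", "10.30.0.10", 5432, "guest must not reach the database"),
    ("permit", "10.20.0.5", "10.30.0.10", 5432, "management must reach the database"),
    ("deny", "10.10.5.7", "10.20.0.5", 22, "guest must not reach management"),
]


def attached_device(ip):
    """Device the address lives behind, by longest-prefix-free lookup
    (prefixes in this constructed model do not overlap)."""
    for prefix, device in ATTACHED.items():
        if ip in ipaddress.ip_network(prefix):
            return device
    raise ValueError(f"{ip} is not attached anywhere in the model")


def acl_permits(device, src, dst, port, acls):
    """Evaluate the device's ACL first-match; no ACL or no match permits."""
    for action, s, d, p in acls.get(device, []):
        if (src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
                and (p is None or p == port)):
            return action == "permit"
    return True


def reachable(src_ip, dst_ip, port, links=LINKS, acls=ACLS):
    """Breadth-first search over devices; returns the device path if the
    flow can reach its destination, else None. An ACL decision depends only
    on the device and the flow, so a blocked device is pruned once."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    start, goal = attached_device(src), attached_device(dst)
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        device = path[-1]
        if not acl_permits(device, src, dst, port, acls):
            continue
        if device == goal:
            return path
        for nxt in links[device]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def verify(intents, links=LINKS, acls=ACLS):
    """Return (description, satisfied, path_or_None) for every intent."""
    results = []
    for expected, s, d, p, desc in intents:
        path = reachable(s, d, p, links, acls)
        satisfied = (path is not None) == (expected == "permit")
        results.append((desc, satisfied, path))
    return results


if __name__ == "__main__":
    for desc, ok, path in verify(INTENTS):
        status = "OK " if ok else "VIOLATED"
        print(f"{status} {desc}" + (f" via {' -> '.join(path)}" if path else ""))
```

The third intent fails because nothing on the path `guest-sw -> core -> mgmt-sw` filters the flow; the verifier's value is that it surfaces this from the collected state before anyone probes the network, and the same check re-run after an ACL change confirms the fix.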

“This is something I don’t hear in ‘networking people should code’ discussions: The best use of your time may be supplementing existing tools, not building tools from scratch,” Welcher said.

Evaluating hyper-converged infrastructure performance

Jack Poller, an analyst with Enterprise Strategy Group in Milford, Mass., explored the best approaches to evaluating hyper-converged infrastructure (HCI). ESG research indicated that organizations are now comfortable enough to deploy HCI as their primary infrastructure, housing tier-one applications. In ESG’s view, the three key criteria to consider before adopting HCI are speed, scalability and stability.

To evaluate HCI, Poller recommended using lightweight workload generators such as IOmeter, FIO, Diskspd or VDbench to simulate business application behavior, from databases to email. HammerDB, Swingbench and SLOB are higher-level workload generators that can simulate tasks such as data mining or virtual desktop infrastructures — the latter simulated using Login VSI.

Additionally, Poller said, with the release of TPCx-HCI from the Transaction Processing Performance Council, users can now benefit from tools designed to evaluate the performance of HCI systems. “This simplifies and standardizes the process of submitting and publishing industry-audited results and should shorten the time to the first publicly available benchmark results,” Poller said.

Dig deeper into Poller’s thoughts on HCI.

Golden Frog VyprVPN (for Mac)

Using a virtual private network is a great way to keep the bad guys, the three-letter agencies, and even your ISP from snooping on your web traffic. Golden Frog VyprVPN is a particularly competitive VPN service, and it shines on macOS with excellent speed scores and a strong offering of advanced features, as well as a smart tutorial for new users. It’s an excellent VPN for Mac, but it’s edged out by Editors’ Choice winners for macOS VPN: NordVPN, Private Internet Access, and TunnelBear VPN.


What Is a VPN?

When you connect to the internet, your web traffic may not be as secure as you’d like. Your ISP, the NSA, anyone on the network, and whoever controls the Wi-Fi router you’re connected to can potentially monitor your activities or even redirect you to phishing pages. Consider this the next time you log on to the Wi-Fi network at Starbucks: how do you know Starbucks operates this particular hotspot? This is why you need a VPN.

When you switch on a VPN, it’s a different story. Doing so creates an encrypted tunnel between your computer and a server operated by the VPN company. Your web traffic travels through the tunnel, secure from peeping eyes.

From the VPN server, your traffic heads off to your desired destination. That means anyone watching would see your traffic as emanating not from your computer, whose geographic location can be divined via IP address, but from the VPN server. That’s an additional layer of anonymity.

This may sound like paranoia, but reporting has revealed that the NSA has access to most internet traffic. Also, Congress gave the green light to ISPs to start selling anonymized user data. A VPN defeats, or at least greatly frustrates, these adversaries.

Pricing and Plans

Golden Frog offers VyprVPN for free for 30 days, after which you’ll need to start paying. Other VPN services have free options that stay free; AnchorFree Hotspot Shield and TunnelBear are two excellent examples. Most free VPNs have some kind of data limit or other restriction, though they generally perform well within those limits. Notably, the Opera browser now ships with a robust VPN built in, for free.

If you decide to spend money on VyprVPN, you’ll have to choose between the vanilla version and the higher-end plan. VyprVPN costs $9.95 per month, but only allows three simultaneous connections. That’s probably enough for one person living alone, but certainly not for a household with more people or more gadgets. Those people will want to spring for VyprVPN Premium, which costs $12.95 per month; allows up to five connections; and grants access to two additional features, the Chameleon VPN protocol and VyprVPN Cloud.

That’s on the high side for a VPN service. Private Internet Access, which offers an extremely robust network of servers, costs only $6.95. TunnelBear VPN is just slightly more at $9.99 per month. Both have offerings comparable to VyprVPN’s.

The additional features that Golden Frog reserves for the highest VyprVPN tier require some explanation. The Chameleon VPN protocol is an encryption protocol that the company says is harder to detect as VPN traffic and therefore harder to block. The company recommends that users in China, or anywhere else that attempts to block access to certain parts of the internet, should use this protocol. If that’s not your thing, the macOS client also supports L2TP and IPsec, as well as my preferred option: OpenVPN. In addition to being open-source code—and therefore scrutinized for errors by a community of volunteers—OpenVPN also tends to be faster and more resistant to disconnection. Note that the VyprVPN app for iPhone only supports the IKEv2 protocol.

The other premium feature is VyprVPN Cloud. This is a specialty feature that allows you to access your cloud services on Amazon Web Services (AWS), DigitalOcean, and VirtualBox via the security of a VPN. It’s certainly a niche feature, and it’s a bit of an odd one at that.

Note that Golden Frog also offers Cyphr, a free encrypted chat app for Android and iOS, as well as Outfox, a VPN service specifically for gaming. NordVPN doesn’t offer a chat service, but it does have specialized servers for using BitTorrent, connecting via VPN to the Tor anonymization service, and more besides.

Features and Privacy

I go into detail about VyprVPN’s features and performance in my review of VyprVPN for Windows. I’ll summarize the important points here.

Golden Frog makes much of the fact that it owns all of the servers used for VyprVPN. There’s something to be said for this, since it gives the company far more control over the hardware customers rely on to keep them safe. This amounts to over 700 servers, which is comparatively few, however. Presumably, competitors are able to field more by using a mix of owned and rented servers. Most VPN services offer over 1,000 servers and, in the case of Private Internet Access, over 3,000. A surplus of servers means that you’re less likely to find yourself using an overcrowded server where each user gets a small slice of the bandwidth pie. The more servers, the fewer people per server; the fewer people per server, the better the performance.

VyprVPN does, however, have a respectable roster of server locations. These include some 70 cities and regions on six continents. I am pleased to see that in addition to such typical VPN locations as the US and Europe, VyprVPN also has several servers in regions often ignored by the industry, such as Africa and the Middle East. The company also offers servers in areas that tend to have repressive control over internet access: China and Russia, specifically.

A large number and diverse distribution of server locations means two things. First, that if you’re looking to spoof your location, you’ll have lots of options. Second, if you are a world traveler, you’ll have an easier time finding a nearby server. The distance between yourself and the VPN server has an important impact on performance.

The VyprVPN app comes loaded with some excellent advanced features. You can configure the VPN to connect automatically if you’re using an untrusted Wi-Fi network. You can also block local (LAN) traffic to your machine while connected to the VPN, ensuring that other infected devices aren’t sneaking peeks at your activity.

One thing that VyprVPN won’t do is block ads when running. That’s not a huge loss on a desktop computer where there are many excellent in-browser alternatives such as Privacy Badger—my ad-blocker of choice. It’s more of a detriment on Android because Google does not allow ad-blockers in its app store.

Golden Frog is headquartered in Switzerland, which, according to the EFF, does not have mandatory data retention laws. Golden Frog’s privacy policy states that the country’s “favorable privacy laws reflect our mission.” The company does not log DNS requests or the content of your traffic. Golden Frog does, however, log the source IP address, connection time (start and stop), and the total volume of traffic. It retains this information for 30 days. The company says it will not “sell or otherwise release identifying information, unless ordered to do so by a court of competent jurisdiction in the matter.” That’s an important caveat, but is also par for the course among VPN services.

Note that if you are keen to use BitTorrent over VPN, you can do so with VyprVPN. However, keep in mind that downloading copyrighted material can still be detected through other means.

Hands On With VyprVPN

Golden Frog does not offer a VyprVPN client through the Apple App Store. Instead, you’ll have to download it from the Golden Frog site and install it yourself. Unlike other VPN clients, VyprVPN has a brief tutorial that points out major features and lets you configure some of the client’s core abilities. I like this approach, since many customers may not be aware of all VyprVPN has to offer.

The client itself is a single window, the top half of which shows your network traffic in a color-coded graph—blue when it’s secured by VyprVPN and red when it is not. It seems very much at home on macOS, although it did not take advantage of the Touch Bar on the 15-inch 2016 MacBook Pro I was using for testing. Three toggles let you configure VyprVPN to connect automatically on untrusted Wi-Fi, block malicious sites, and activate the app’s kill switch. This last feature automatically shuts down internet communications should your VPN disconnect accidentally.

The large button at the bottom connects you to the fastest available server by default. Typically, this is a server that’s geographically near to you. Click the map pin icon on the connect button to open the full server list in a separate window. Here, you can filter the servers by region and view the ones you have marked as favorites. A search box at the top lets you quickly cull the list, and the app shows ping times to the left of each entry.

While VyprVPN looks quite good against the macOS backdrop, Editors’ Choice winner TunnelBear is even better looking. This application is brightly colored and filled with friendly bears. It’s got a touch of whimsy, but is also extremely easy to use, which helps make it an Editors’ Choice winner.

Opening the Preferences window reveals more precise controls. You can, for example, designate apps that must use the VPN connection. That’s handy, as it can let you avoid slower speeds or outright blocking for certain activities. There’s also an option to block all LAN traffic, which is a rarely seen feature. The Advanced section is truly advanced, letting you set Route Delay time in seconds, Log Verbosity, and Maximum Transmission Units, among other options that the average person probably shouldn’t mess with.

By default, VyprVPN uses the OpenVPN protocol and VyprDNS. Both of these can be changed from the settings menu as well.

Netflix is not a fan of VPNs, since you can use them to spoof your location and access content locked for other regions. However, I had no trouble streaming movies when connected via VyprVPN. Keep in mind that this could change at a moment’s notice. If you’re concerned about losing access to Netflix, I suggest sticking with short-term VPN subscriptions.

Speed and Performance

When you’re using a VPN, your data jumps through more hoops than usual. The result is usually increased latency, as well as reduced upload and download speeds. But we have found through years of testing that not all VPNs are created equal, and that some have greater negative (or, surprisingly, positive) impact on performance.

To really determine the performance of a given VPN service, I would have to test multiple times a day at different locations and times over the course of many days. That’s not a viable option. Instead, I opt to take a snapshot, and then I compare the difference between average speeds and latency results and find a percent change.

I first run this test while connected to a nearby VPN server and using a nearby test server. I run the same tests again, but while connected to a VPN server in Australia and a test server in Anchorage, Alaska. This second test is to evaluate how the VPN performs when connected to far-flung international servers. All of my speed test data is gathered using the Ookla speed test tool. (Note that Ookla is owned by PCMag’s publisher, Ziff Davis.)

In my domestic VPN testing, I found that VyprVPN had the largest increase in latency among Mac VPNs, at 22.1 percent. To be fair, most other VPNs are clustered around the same figure, although Private Internet Access had the least impact, at only 8 percent. VyprVPN redeemed itself in the download speeds test, where it slowed downloads by just 6.9 percent. dragged downloads down by 21.1 percent, but TunnelBear actually improved download speeds by 22.1 percent — the only VPN to improve downloads I’ve yet seen for macOS. Unfortunately, VyprVPN dropped the ball in upload speeds, where it had the biggest impact among Mac VPNs. It reduced upload speeds by 33.2 percent. In this same test, Private Internet Access reduced uploads by only 6.1 percent.

VyprVPN fared a bit better in the international tests. Here, it increased latency by 171.4 percent—the best score I’ve yet recorded for macOS testing. It nearly beat KeepSolid VPN Unlimited in the download test; VPN Unlimited reduced download speeds by 11 percent and VyprVPN by only 13.2 percent. It continued doing well into the upload test, where it slowed uploads by 17.8 percent, another new record for macOS testing.

In general, you will almost certainly not notice any significant slowdown when using VyprVPN. In fact, you might even notice things run a little quicker in some circumstances! With its collection of top scores in some important areas, it’s a strong contender for speed on macOS. But then again, racked up truly outstanding numbers on Windows, where it improved downloads by over 400 percent in some cases.

PureVPN didn’t perform as well in my macOS testing. As such I consider it to be the fastest VPN service for Windows. I haven’t reviewed enough VPNs on macOS to make a similar judgment.

One for the Short List

Golden Frog offers an impressive service with VyprVPN, and it’s especially good on macOS. The client is equal parts understandable and powerful, with a tutorial for new users and powerful settings for those already comfortable with IT matters. While it lacks ad-blocking and has comparatively few servers, it nevertheless earned several top scores in our speed tests.

It’s an excellent choice for macOS users, but we continue to recommend our Editors’ Choice winners for macOS for their individual merits. NordVPN has an excellent collection of features, Private Internet Access has an unbeatably robust server roster, and TunnelBear VPN is the easiest and friendliest VPN for macOS.

Support for Open AI Ecosystem Grows as Amazon Web Services Joins ONNX AI Format – Microsoft Cognitive Toolkit

It’s been an exciting few months! In September we introduced the Open Neural Network Exchange (ONNX) format we created with Facebook to increase interoperability and reduce friction for developing and deploying AI. In October a number of companies that share our goals announced their support for ONNX.

Today Microsoft and Facebook are excited to share Amazon Web Services (AWS) is contributing ONNX support for Apache MXNet and joining the ONNX initiative. Amazon recognizes the benefits of the ONNX open ecosystem to enable developers working on deep learning to move between tools easily, choosing ones that are best suited for the task at hand. It’s great to have another major framework support ONNX: Caffe2, PyTorch, Microsoft Cognitive Toolkit, and now MXNet.

At Microsoft we believe bringing AI advances to all developers, on any platform, using any language, with an open AI ecosystem, will help ensure AI is more accessible and valuable to all. With ONNX and the rest of our Azure AI services, infrastructure and tools such as Azure Machine Learning and the recently announced Visual Studio Tools for AI, developers and data scientists will be able to deliver new and exciting AI innovations faster.

We invite others in the community to visit http://onnx.ai to learn more and participate in the ONNX effort. You can also get ONNX updates on Facebook and @onnxai on Twitter.

Remediation engine to improve Nyansa Voyance network monitoring

Network analytics company Nyansa Inc. has introduced more powerful software that spotlights problems in infrastructure devices and recommends corrective actions to prevent degradation in service.

Nyansa unveiled its “remediation engine” this week as the latest addition to the company’s Voyance performance monitor for wired and wireless networks. The Nyansa Voyance system, launched last year, blends cloud-based analytics and real-time deep packet inspection with an easy-to-understand management console.

The new software — part of a Voyance upgrade — will flag the cause of trouble and recommend configuration changes to correct it. For example, the application could recommend turning off 2.4GHz radios or changing channel assignments to reduce co-channel interference on wireless access points in a specific area.

The remediation engine also calculates the benefits of the corrective action. In the example above, the software would measure the number of lost client hours avoided through the fix.

More data fed to Nyansa Voyance

Nyansa has increased the number of data sources feeding the Voyance system to improve its analytic capabilities. The latest iteration can ingest syslog data from Cisco’s Identity Services Engine, Aruba’s ClearPass and the open source network access protocol, FreeRADIUS. The three technologies provide secure access to network resources through authentication, authorization and accounting of devices.

Along with more data coming in, Voyance can send more data out. Nyansa has added RESTful APIs for sending network information to an IT workflow application, such as team messaging service Slack or IT service management system ServiceNow. The latter could, for example, generate a trouble ticket and send it to IT when Voyance finds a device configuration problem.

Being able to reach network managers before there’s an outage enables them to become more proactive in solving problems, said Zeus Kerravala, the principal analyst at ZK Research. “IT can be on top of the problem instead of always in reactive mode.”

Figure: Nyansa Voyance recommendations for fixing network performance troubles.

To help improve IT response time further, Nyansa has made it possible for Voyance users to tag mission-critical devices attached to an IP network. The devices could include heart or infusion pumps used in healthcare or robots found on the manufacturing assembly line. Voyance would measure and track every network transaction on the machinery and alert IT workers when performance-damaging events occur.

Nyansa is providing the latest features at no additional cost to Voyance customers, which include Netflix, Tesla Motors and Uber.

The company markets Nyansa Voyance as simplifying network monitoring by replacing the multiple tools IT managers use to determine the network’s health. Enterprise Management Associates Inc., a research firm in Boulder, Colo., has found today’s IT manager has six to 10 different management tools in use at one time.

Nyansa competitors include NetScout Systems Inc.; Cisco, which offers AppDynamics; and Hewlett Packard Enterprise, which has Aruba IntroSpect.