Author Archive

India blocks access to porn. How did they do it?

August 4, 2015 4 comments

Yesterday, against a Supreme Court decision, the telecom regulator in India ordered all ISPs licensed and operating in the country to block access to pornographic websites. This followed a private suit that petitioned the government to block the websites as part of the process of ridding India of its negative image as the rape capital of the world (some people have suggested, albeit jokingly, that India change its name to Rapistan). According to the suit, unfettered access to pornography is responsible for the high number of rape cases in the country.

Considering that most of the content on the internet is now hosted on content delivery networks (CDNs) such as Akamai and on distributed cloud platforms, how does a country block access to pornography whose source server could be the same one hosting other, non-pornographic websites? That is to say, a single CDN server run by a company such as Akamai could be hosting both a pornographic website and a religious website; how then is it possible to block one and not the other using common tools that can only block an IP or a port (port 80 or 443)? If, say, the CDN server in my example has an IP (random IP for illustration purposes) and is hosting both the religious content and the porn on the same webserver listening on port 80, then blocking the IP or the port loses us access to all the content on the server and not just the pornographic content. How then did India do it?

Deep Packet Inspection

Ordinarily, most network equipment we interact with (including your home WiFi router) operates at layer 4 and below of the OSI model. These devices can therefore only act on layer 4 and below attributes such as port numbers, IP addresses and MAC addresses. Due to the shared nature of most internet infrastructure today, such tools are ineffective at selectively blocking content, which lives at the application layer of the OSI model. An appliance that operates at layer 7 and above is therefore needed to accomplish this. Simply blocking the IP addresses of a CDN such as Akamai would lead to an outage for all the other websites that are also hosted there.

These appliances are able to ‘see’ layer 7 traffic, so in our example server, which hosts both websites on port 80, the two sites can be told apart by the layer 7 appliance.

These devices achieve this through what is called Deep Packet Inspection (DPI). Does that mean there is Shallow Packet Inspection? Sort of: when a router seated at layer 4 looks at a packet's header to see what source and destination address the packet has, that is a form of shallow packet inspection, as it doesn’t venture beyond the packet headers. With DPI, the appliance goes further and looks into the payload of the packet that carries the actual user content, and determines what type of content the packet is carrying. By use of unique signatures within the packet payload, the appliance can therefore tell porn apart from non-porn content. How they do this is a trade secret.

The appliance signatures can be grouped into a category in a rule (e.g. Adult content or Social media) or applied individually, such as signatures that detect Facebook, Twitter, Gmail etc. These can then be attached to various rules, such as blocking or admitting the content. Further refinement of these rules is also possible, for example a rule to block Facebook and Twitter in an office during working hours, or to block them completely 24/7, as is the case in China where the two social media platforms are blocked.

DPI can also do further identification of traffic for a more refined control. For example, the appliance might be configured to allow Facebook but block any videos shared on Facebook. It can also be used to block Facebook status posts with certain key words while allowing the rest of the content.

This, as you can imagine, gives immense power to any government or institution to block access to, or the posting of, content it deems unfit for public consumption. This power can also be abused by regimes to suppress access to content deemed dangerous to the regime's existence and rule, as is the case in Turkey where the government blocks Twitter at will when it feels threatened.


A Layer 7+ appliance output showing the ability to classify content at layer 7 and above of the OSI model. Worth noting is that all the protocols in this output (other than HTTPS) happened on port 80, yet the device can identify each protocol by use of DPI signatures. It can even tell apart HTTP browsing from HTTP file download, with some appliances able to tell even the type and size of the file.
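To make the layer 4 versus layer 7 distinction concrete, here is a toy DPI classifier, added as an illustration and not code from the post or from any vendor's appliance. It assumes a constructed CDN address and constructed hostnames, signatures and sample packets; a real appliance's signature database is the trade secret the post refers to.

```python
"""
Toy deep packet inspection (DPI) classifier illustrating the post's point:
an IP/port filter cannot tell two sites on one CDN address apart, while a
payload-inspecting (layer 7) filter can. All addresses, hostnames and
signatures below are constructed for this example.
"""
from dataclasses import dataclass

CDN_IP = "198.51.100.7"  # constructed CDN address shared by both sites

# Constructed category table, standing in for a vendor's signature database.
HOST_CATEGORIES = {
    "church.example": "religion",
    "adult.example": "adult",
    "social.example": "social-media",
}
DOWNLOAD_SUFFIXES = (".zip", ".iso", ".exe", ".mp4")


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int
    payload: bytes


def layer4_decision(pkt: Packet, blocked_ips: set, blocked_ports: set) -> str:
    """What a router or firewall can do: act on header fields only."""
    if pkt.dst_ip in blocked_ips or pkt.dst_port in blocked_ports:
        return "block"
    return "allow"


def identify_protocol(payload: bytes) -> str:
    """Recognise the application protocol from the payload bytes, ignoring
    the port. The signatures are simplified versions of the wire formats."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    # TLS record: content type 0x16 (handshake), major version 3,
    # first handshake message type 0x01 (ClientHello) at byte 5.
    if len(payload) > 5 and payload[0] == 0x16 and payload[1] == 0x03 \
            and payload[5] == 0x01:
        return "tls-client-hello"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT"):
        return "http"
    return "unknown"


def parse_http_request(payload: bytes):
    """Return (host, path) from an HTTP/1.x request, or (None, None)."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None, None
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower()
            break
    return host, parts[1]


def layer7_classify(pkt: Packet) -> dict:
    """Protocol, content category and browsing/download subtype of a packet."""
    proto = identify_protocol(pkt.payload)
    result = {"protocol": proto, "category": None, "subtype": None}
    if proto == "http":
        host, path = parse_http_request(pkt.payload)
        result["host"] = host
        result["category"] = HOST_CATEGORIES.get(host, "uncategorised")
        is_download = bool(path) and path.lower().endswith(DOWNLOAD_SUFFIXES)
        result["subtype"] = "download" if is_download else "browsing"
    return result


def layer7_decision(pkt: Packet, blocked_categories, blocked_protocols) -> str:
    """Apply a DPI rule set: block by content category or by protocol."""
    c = layer7_classify(pkt)
    if c["protocol"] in blocked_protocols or c["category"] in blocked_categories:
        return "block"
    return "allow"


def http_get(host: str, path: str = "/") -> bytes:
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: demo\r\n\r\n".encode()


# Constructed sample traffic: every packet arrives on port 80 at the CDN IP.
SAMPLE = {
    "church": Packet(CDN_IP, 80, http_get("church.example", "/sermons.html")),
    "adult": Packet(CDN_IP, 80, http_get("adult.example", "/")),
    "download": Packet(CDN_IP, 80, http_get("church.example", "/choir.mp4")),
    "ssh": Packet(CDN_IP, 80, b"SSH-2.0-OpenSSH_8.9\r\n"),
    "tls": Packet(CDN_IP, 80, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
}


def compare(blocked_categories=frozenset({"adult"})) -> dict:
    """Per sample: (L4 verdict when the CDN IP is blocked, L7 verdict)."""
    return {name: (layer4_decision(p, {CDN_IP}, set()),
                   layer7_decision(p, blocked_categories, set()))
            for name, p in SAMPLE.items()}


if __name__ == "__main__":
    for name, (l4, l7) in compare().items():
        print(f"{name:9s} L4={l4:5s} L7={l7:5s} {layer7_classify(SAMPLE[name])}")
```

Blocking the CDN address at layer 4 takes the religious site down with the adult one, while the layer 7 rule blocks only the adult category and still names the SSH and TLS sessions hiding on port 80.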

Broadband as a value add? Yes, it's about the eyes.

June 5, 2015 Leave a comment

The days of ISPs making super profits are long gone. The margins being made by ISPs the world over are thin. Should Internet connectivity prices go lower, due to either more competition or legislation, ISPs stand to make even thinner margins in future. There will therefore be little, if any, revenue or profit oriented incentive for ISPs to be in business.

Having worked in the industry for about 12 years now (that’s eons in Internet growth terms), I have seen the ISP industry evolve both on the technology front and in its value proposition to customers. The liberalization of the sector in most countries has also attracted many investors into the industry. This has created a stiff and competitive market, which has brought with it diminishing returns on investment. Small ISPs are dying or being bought out as they cannot stay afloat. Large ISPs are also merging to create economies of scale to survive.

With coming projects such as Google’s Project Loon, Facebook’s (and its subsequent Internet-by-drones project) and many more that aim to provide nearly free Internet to the world’s unconnected, there will be no financial incentive for a commercial ISP to go into business anymore.

So what do ISPs need to do?

There has been a lot of talk in the market about value addition, and that ISPs should stop selling ‘dumb pipes’ and offer value over and above just the internet pipe. All this has already happened, and at the moment ISPs have been outmaneuvered by OTT providers who provide these value-add type services over the links the ISPs supply to their customers. For example, some years ago all ISPs were offering VoIP as a value add; now, with the likes of Skype and Whatsapp calls, ISP-provided VoIP is a dud. Another example is dedicated hosting at ISP-provided ‘data centers’ (a room with access control and cooling :-) ); with the maturity of cloud services, such a service is also no longer appealing to customers. ISPs are at the end of their rope.

If you carefully analyze all recent ISP mergers and buyouts in Africa (and beyond, if you have the time), you will realize that buyout decisions are less and less based on an ISP's profitability, revenues or cash flow position. They are now based on subscriber numbers. But what is the commercial point of buying an unprofitable or low revenue business? Answer: it's about the eyes.

ISPs are, and will continue to be, no longer about direct internet pipe derived revenues but about indirect revenues. Sources of these indirect revenues include online advertising, OTT services, and content delivery and purchase. This is the very reason giants such as Google and Facebook have entered the ISP business: it's about the eyes. A loss-making ISP with more subscribers is now more attractive to buy than a super profitable one with few subscribers. Unbelievable, isn’t it?

End to end control.

OTT operators such as Facebook have been blamed by traditional ISPs for using the ISPs' network infrastructure to do business with the ISPs' end users. Attempts by ISPs to make these operators pay for delivery of content have been met with opposition, due to fears that such an arrangement could result in a tiered internet and with it the demise of net neutrality, which has been one of the key characteristics and a supposed catalyst of internet development. Attempts to camouflage net-neutrality-flouting arrangements through ISP-led offers such as Facebook’s, where users on certain networks access Facebook and Whatsapp for free outside their data plans, have also been meeting resistance. Being so forward thinking, I am of the opinion that these companies foresaw the resistance to their initiatives to offer their content for free by paying the traditional ISPs; this is why they are all rushing to roll out their own infrastructure to provide free or near free internet to the masses. At the moment, other than their satellite/balloon projects being tested in New Zealand, Google is already testing out high speed fiber (FTTH) in select American cities. This will give them end to end control of the broadband supply chain and therefore quell concerns about the creation of a tiered internet. This of course assumes they will come up with a way to show regulators that they have fair access policies for all third party traffic.

The future

As I see it, the traditional ISP will die a natural death if it doesn’t adapt to the coming changes. What was once a value add will become the product, and vice versa. Internet broadband will be a value add to content and OTT services. A content provider such as Facebook or Google will offer you free internet to access their content. Internet broadband provision will be a value addition for content providers. As someone once said, if the product or service is free, you are the product. The free internet will come with privacy strings attached, so as to enable advertisers to track your habits and serve more targeted adverts. This targeting is getting more accurate and spookier, if the tweet below is anything to go by.


Using browser safety features to disable cookies won't work, as companies such as Google are now using what is known as device fingerprinting to identify you. Device fingerprinting works on the basis that your computer's OS, installed programs (and the dates they were installed), CPU serial number and hardware configuration (RAM/HDD/attached peripherals), when fed to an algorithm, yield a unique identifier for your computer. Your computing device is therefore unique and can be tracked without the need to set cookies.

Why Is Kenya Power Dumping Pre-paid Meters?

May 19, 2015 5 comments

Recently, the country’s only power utility company announced that it was slowing down the roll out of the prepaid metering system it launched about 6 years ago. The reason given for this about-turn was that the company is losing revenue: it now collects less from customers on prepaid metering than it did when the same customers were on the post-paid metering system.

According to Kenya Power records, about 925,000 of the 3.17 million customers are on prepaid meters. Before the 925k moved to prepaid, the company was collecting about four times more than it currently collects from the same customers. The Kenya Power MD stopped short of accusing prepaid customers of meter tampering as his explanation of the reduced revenues. Kenya Power has decided to classify this reduction as ‘unpaid debts’ in its books. If he still holds the opinion that prepaid users are tampering with meters, meter tampering would be found across both prepaid and post-paid users. In fact, a prepaid user is less likely to tamper with the meter than a post-paid user.

My little accounting knowledge tells me that it is every company’s dream to convert all its customers to prepaid. This shifts the cash flow position to a very favorable one of positive cash flow: you have the money from customers before they consume your service or product. With a prepaid metering system, Kenya Power was heading for accounting nirvana, but the recent revelations about accumulating ‘debts’ from prepaid customers came as a shock to many. First and foremost, if you do not buy prepaid meter tokens you cannot consume power on credit and pay later, so how is this reduction in revenue from prepaid meter consumers classified as a debt rather than an outright reduction in collected revenue?

Faulty meters?

There are two main brands of power meters used by Kenya Power, Actaris and Conlog. The latter brand was found to be defective 3 years into the roll out: the meters were erroneously calculating the remaining power tokens, especially after a power outage. You could have, say, 30 kWh remaining on your meter and after a blackout the meter would read -30 kWh or some other random negative value. This is what consumers would notice; we cannot say for sure whether the same meters also under-bill in the same breath. Of course, if a meter under-bills, very few consumers would complain or even notice, whereas they would be quick to notice a negative token value because they would lose power. Could faulty meters be the problem here? Could Kenya Power be suffering from substandard meters? Here is a blog link to one affected consumer who complained in 2012 about the faulty meters. Kenya Power attempted to replace some Conlog meters, but I still see some in use in the wild.

Reality of estimate billing?

We have all been there, receiving an outrageous bill from Kenya Power. This is because, more often than not, they estimate the power consumed and never actually read the meter in your house. If you are on postpaid, when was the last time you saw a Kenya Power meter reader on a motorbike in your estate? According to Kenya Power's books, one post-paid domestic customer consumed 12 kWh of electricity and on average paid Sh1,432, while each prepaid customer consumed an average of 23 kWh and paid roughly Sh756 to the power company. This can only mean one of two things:

  • The postpaid customers are over-billed due to poor estimation methods, as meters are seldom read. I noticed this on my water bill too. When my bill is, say, 600/= and I overpay 2000/= when settling the 600/= bill, my next bill will be in the region of 2000/= (estimated from my last payment). So these days I make sure I pay the exact amount on the bill, to deny them room to estimate and over-bill me.
  • The prepaid meters are spot-on accurate. This is the most plausible reason, and I will explain below.

Prepaid meters are accurate?

Unlike the old school postpaid meters that measure total ‘apparent’ power consumed, the new prepaid meters assume an efficient electricity grid and measure the effective or real power consumed by the customer's appliances. Where the power distribution grid is inefficient, the voltage and current are not in phase. This leads to a lot of ‘wasted’ power. On postpaid, consumers pay for the grid inefficiencies; on prepaid, they do not. This is why there has been a drastic reduction in revenue: consumers are now paying for what they consume and not for the wastage on the grid. Perhaps this is what Kenya Power sees as ‘consumed but unpaid for power’ by the prepaid meter users? Could be, because it is not possible to consume more than what you have paid for on a prepaid meter: apparent power is consumed but not measured by the meters. This is especially true if you have appliances with electric motors in them, such as washing machines, water pumps and air-conditioning systems. Read more about power factor by clicking here.
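As an added illustration of the distinction the post draws (not part of the original post), let $V$ and $I$ be the rms voltage and current and $\varphi$ the phase angle between them. Then

$$S = V I,\qquad P = V I \cos\varphi,\qquad Q = V I \sin\varphi,\qquad \mathrm{PF} = \frac{P}{S} = \cos\varphi,$$

with $S$ the apparent power (VA), $P$ the real power (W) and $Q$ the reactive power (var). On the post's premise that a postpaid meter bills $S$ while a prepaid meter bills $P$, a motor load drawing 1 kVA at an assumed power factor of 0.8 would register 1 kVAh per hour on the former but only 0.8 kWh per hour on the latter, a 20 % gap in billed energy that comes from reactive power rather than from tampering.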

You can read older articles on my blog touching on Kenya Power by clicking the links below:

  1. How Kenya can enjoy lower electricity tariffs
  2. Kenya is ripe for a Demand Response Provider
  3. Kenya Power Needs To Be Penalized For Blackouts
  4. There is need to end the Kenya Power monopoly

What Whatsapp voice means for MNOs

April 1, 2015 5 comments

Facebook Inc. recently introduced the ability to make voice calls directly from its Whatsapp mobile application. This is currently available on Android and will soon be made available on iOS.

What this means is that mobile users with the updated app can now call each other over available data channels such as Wi-Fi or mobile data. Going by a recent tweet from a user who tried the service on Safaricom, the user claims that they made a 7 minute call and consumed just about 5 MB of data. If these claims are true, then by using Whatsapp a user can call anyone in the world for less than a shilling a minute. This is lower than most mobile tariffs.

Is this a game changer?

Depends on who you ask. First, let's look at what happens when you make a Whatsapp call. When a user initiates a call to another user over Whatsapp, both of them incur data charges: in the case of the Twitter user I referred to above who consumed 5 MB, the recipient of the call also consumed a similar amount of data to receive the call. If both callers were on Safaricom, then just about 10 MB were consumed for the 7 minute call. The cost of 10 MB is close to what a GSM phone call of the same duration would cost anyway. Effectively, receiving a Whatsapp call now costs the recipient, unlike on GSM where receiving calls is free. When the phone rings with an incoming Whatsapp call, the first thought that crosses a recipient's mind is whether he or she has enough data ‘bundles’ on the phone to pick up the call. The danger is that if there is none, or the data bundle runs out mid-call, the recipient will be billed at the out-of-bundle rate of 4 shillings an MB. Assuming our reference user above called someone whose data had run out, Safaricom will have made 5 shillings from the 5 MB and 28 shillings from the recipient: a total of 33 shillings for a 7 minute call, translating to 4.7 shillings a minute, which is more than the GSM tariffs.

This effectively changes the cost model of making calls: the cost is now borne by both parties, something that might not go down well with most users. I have not made a Whatsapp call as my phone is a feature phone, but I believe that if a “disable calls” option does not already exist, Whatsapp will soon introduce one due to pressure from users who do not wish to be called via Whatsapp because of the potential cost of receiving a call. That will kill all the buzz.

Will operators block Whatsapp calls?

It is technically possible to block Whatsapp texts and file transfers using layer 7+ deep packet inspection systems such as Allot’s NetEnforcer and Blue Coat’s Packeteer. I believe an update to detect Whatsapp voice is in the offing, and this will give operators the ability to block Whatsapp voice. The question, however, is what would drive them to block it? MNOs will have no problem allowing Whatsapp traffic, as it will most likely be a boon for them if most of the calls are on-net (they get to bill both parties in the call). If, however, most calls are off-net (to recipients on other mobile networks locally, or international), then MNOs might block it or give it lower QoS priority, making the calls too poor in quality to sustain a conversation. They might then run into problems with the regulator should subscribers raise concerns that the operators are unfairly discriminating against Whatsapp voice traffic. Net neutrality rules (not sure they are enforceable in Kenya yet) require that all data bits on the internet be treated equally; it should not matter whether a bit is carrying Whatsapp voice, bible quotes or adult content. This means operators could be punished for throttling Whatsapp voice traffic in favour of their own voice traffic. It therefore presents a catch-22 for them. What they need to do is come up with innovative ways to benefit from this development, like offering slightly cheaper data tariffs for on-net Whatsapp voice to spur increased Whatsapp usage within the network (and therefore bill both participants).

Worth noting is that it costs the operator more to transfer a bit on 3G than it does on 4G. Operators who roll out 4G stand to benefit from Whatsapp voice, as they can offer data at a lower cost to themselves and pass this benefit down to subscribers. Given that VoLTE is all the rage now, Whatsapp voice can supplement VoLTE and can even be a cheaper way for operators to offer voice services on their LTE networks without further investment in VoLTE-specific network equipment.

In short any operator who wants to benefit from Whatsapp voice has to go LTE.

Much A Do About Bundles

March 2, 2015 1 comment

Kenyans (especially the Internet savvy ones) are an angry lot. Angry because a mobile operator has put in place what they term restrictive terms of use for purchased data plans, such as:

  • Expiry of the purchased data plans 30 days after activation
  • Restricted data bundle sharing ability. A user can only share his or her data with others up to a maximum of 10 times in a month, down from 50.

Kenyans' argument is simple: the operator took their money in exchange for the data, and therefore the users have a right to use the plans for as long as they please and share them as many times, and with as many people, as they wish. This simplistic argument is based on a layman’s understanding of what exactly happens when you purchase a data plan.

When a user buys a data plan, a contract comes into force between the buyer and the mobile operator. The contract obliges the operator to deliver the purchased data when and if required by the user. What we need to note, however, is that the contract comes into force to offer an option, not a product or a subscription.

An option is defined as “the ability to take a predefined action for a fixed period of time in exchange for a fee”. A product, on the other hand, is defined as a tangible form of value. For value to be provided via an option, the seller must:

  • Identify some action people might want to take in the future (browse the internet)
  • Offer potential buyers the right to take that action before a specified deadline (guarantee the connection to download the purchased GBs)
  • Convince the potential buyers that the option is worth the asking price (marketing activities)
  • Enforce a specified deadline for taking the action (data plan expiry)

Options give the purchaser the ability to take a specific action without requiring the purchaser to take that action. If you buy a movie ticket, for example, you have the ability to take a seat in the movie theater, but you don’t have to if a more ‘plotious’ plan comes up that’s better than the movie. Being an option, you cannot seek a refund for not having watched the movie at the advertised times.

Data plans are not a product; they are an option and are therefore bound by time for the specified action to take place. What you purchase is the ability to download x GBs and not the ‘actual’ GBs. This ability is time bound, just like your movie ticket. I think the fact that most Kenyans refer to them as ‘bundles’ signifies their belief that they have purchased a product.

Some people are arguing that, because money changed hands, the end-user should determine his or her own pace of use of the data plan/bundle and there should be no time limit on usage. What we forget, however, is that although the contract came into force when you purchased the data plan, ownership was not transferred from the operator, because this is not a product but an option. The contract specifies the terms on which the data plan (not bundle) will be delivered to you, but it does not transfer any deeds to the end-user. Because options amount to dispositions of future property, in common law countries they are normally subject to the rule against perpetuities and must be exercised within the time limits prescribed by law.

It is just like companies that mostly offer employees share options rather than share ownership: options have limited specified actions and a time limit attached to them, as opposed to share ownership.

The best the users can do is to petition the operator to revise the rules governing the options but not pontificate online about what is essentially an offer to take up an option and not buy a product.

When the operator came up with the feature that enabled a user to share, or sambaza, their purchased data plan with others, what was really happening was that users were transferring their purchased option to a different party on a commercial basis. The fact that a user could do this transfer many times posed a danger for the operator because:

  • The exchange of money for the option was between the operator and the purchaser. The contract is therefore enforceable only between these two. Sharing the data bundle was innocently aimed at fostering data usage, but had the inadvertent effect of complicating the options contract. Who should complain if the service is slow or poor? The original purchaser or the recipient of the shared data? You might argue that the recipient has a SIM card and is therefore in contract with the mobile operator, but purchasing a SIM card and activating it constitutes an invitation to treat; no contract comes into force by activating a SIM card.
  • The option rules must have been understood by the recipient for them to accept. The fact that some people had started purchasing wholesale data and retailing it at much lower prices than the operator was charging wasn’t the issue; the issue was that the operator found itself in a legal quagmire, as there were now people on the network exercising options they had not purchased. The retailers were purchasing the wholesale bundles as options and selling them as products.
  • An option on a wholesale data bundle has a longer period in which the user can exercise the option, which is assumed to be the consumption of the data bundle in a manner that will deliver the agreed quality of service. A 200GB bundle has a longer expiry period than, say, a 10MB bundle, because based on the network resources the higher GB bundle can be delivered over a longer period of time. If you now take the 200GB and ‘sell’ it by sambaza-ing 2GB each to 100 people, who then proceed to consume the 200GB within 3-4 days, that voids the contract. The 200GB was offered at a much cheaper price because there was an element of predictability in the network resources required over the longer period in which it was to be consumed; if it is consumed in a manner inconsistent with the initial agreement, which was also meant to ensure that its consumption lets other users enjoy their options, the contract is void. In the same way, you cannot demand that a movie in a theater be fast-forwarded past scenes you don’t like; data options have usage rules, and if you make such a demand in a movie theater the option contract becomes void and you will be asked to leave with no refund.

Citations on some legal terms taken from:

  • Wikipedia

New ideas needed in the African telecoms scene in 2015

December 31, 2014 2 comments

As 2014 comes to a close, the continent's telecom sector players have had a rather mixed year. Those who were lucky and made a tidy return during the year need to be aware that most of the innovative technology that enabled them to return a profit is approaching the point of diminishing returns. If they are to make it through 2015 and beyond, they will need to out-innovate both themselves and the competition.

At the last AfricaCom conference held in Cape Town, several leading telecoms analysts noted that telecom operators in Africa (especially mobile) are confused, unsure whether they are banks, insurance firms, hardware vendors, money transfer entities or fixed broadband ISPs. In my opinion this confusion stems from the fact that African operators are close to 100% dependent on vendor driven, as opposed to market driven, innovation. Given that about 5 major vendors serve most African operators (Ericsson, Nokia, Huawei, ALU, Cisco), a lot of copycat innovations have been shoved down the operators' throats. The lack of in-house, or external but vendor independent, innovation ‘think tanks’ (for lack of a better word) will be their undoing.

Below are some points that I believe any wise telco CEO needs to be aware of in 2015.

Application software (Apps)

For a long time, broadband operators in Africa have been selling bandwidth pipes to connect users to the Internet. With the ‘appification’ of many services and platforms, browsing via web browser software is slowly diminishing. The good thing about this is that, to some extent, end users cede control of how much is transferred to the apps, leading to higher data consumption per person spread over a 24 hour period. More data use = more revenue. Usage spread over 24 hours = a more predictable and stable network.

African operators need to work with content providers on the development of apps that will spur bandwidth consumption and simplify life for users. The burden of app development has been left mostly to young hobbyists in incubation centers and freelance programmers; it's time operators took this seriously and worked with developers, especially by funding their start-ups. Operators such as Safaricom in Kenya and Millicom in TZ have already set up venture funds towards this. The effect will be that these apps spur a data boom.

Video On Demand

In the past, operators have been cautious over offering VOD services due to several factors such as:

  • Lack of a payment platform due to the very low penetration of credit cards in Africa
  • Unstable networks that would ruin a VOD experience
  • Expensive bandwidth that made it cheaper to lease/buy a DVD movie
  • Lack of VOD ready customer premise equipment

The above barriers are now rapidly vanishing. For example, there might not be massive uptake of credit cards in Africa, but mobile money platforms have to some extent covered this gap; another promising feature is the ability to pay for services and downloads from your mobile phone airtime, aka mobile operator billing. The main area that needs work by operators and regulators is the high cost of bandwidth that is still prevalent in many African countries. The telecoms sector is a major source of revenue for many governments by way of spectrum and operating license fees. This cost is passed down to consumers, making services expensive. If governments lowered their appetite for license revenue and instead let cheaper bandwidth spur economic gains, the continent would stand to gain more. There are over 100 registered VOD operators in Africa, and this number is bound to grow if bandwidth becomes cheaper. With a counterfeit movie DVD going for about $0.5 on the streets of Nairobi, VOD will take off when the cost of demanding a video online is lower than that, i.e. 1.4GB for less than $0.5. The African VOD experience need not be a carbon copy of the US or EU versions; I believe lower quality videos (hence lower bandwidth consumption) will find a niche here. Remember when people dismissed YouTube by asking who would want to watch grainy videos shot by amateurs on a mobile phone? Remember when people dismissed Nollywood, saying there was no market for such low-cost, simple-plot movies? Low quality VOD could work here in the short term.

VOD can open up additional revenue streams for operators if done well. It can also backfire on operators who cannot meet the surge in data demand that VOD brings. It is one thing to say you offer VOD and another to ensure that your network does not collapse under the VOD load. Video will have increased 14-fold between 2013 and 2018. It is estimated that over two-thirds of data on most networks, including mobile, will be video by 2018. VOD is an opportunity for the prepared and a risk for the unprepared.

Shift from Infrastructure investment to service delivery

Too many operators today are busy investing in and maintaining infrastructure. This is a very outdated way of doing things. We have begun to see a shift here: in 2014 Airtel sold its cellphone towers to a third party and now pays to get service from them. This has two major effects:

  • Infrastructure-associated costs move from the fixed cost to the variable cost column of the financial books. This greatly boosts financial health and makes the company more resilient to market and revenue shocks.
  • Ownership of infrastructure makes operators very rigid and slow to adapt to changing customer needs and make money; sometimes this change, if it happens at all, is not fast enough to meet market demands. I remember working on a project to install an MMS platform for a local MNO; before the service was even officially launched, WhatsApp took the multimedia file exchange scene by storm. The firm had already spent millions. If this had been a third-party service instead, they would have spent less or minimized the risk associated with the dismal uptake of MMS services.

Operators need to shift from being technology-oriented companies to being service-oriented. By service-oriented I do not mean becoming a service marketing company by outsourcing everything other than sales and marketing; I mean their critical business decisions should be informed by meeting customer needs as opposed to deploying the latest, fastest, smoothest or shiniest piece of tech.

Re-look at Value Added Services (VAS) strategies

The ‘VAS or perish’ song has been sung so many times in many a conference I have attended. The problem now arising is that operators are coming up with what they believe is VAS but is in effect a burden to the consumer. Take for example a certain operator in South Africa who sent me about 4 SMSs after every call I made on their line: about enabling directory services, an offer to automatically send my vCard to every person I called, how much airtime my call consumed, an offer for an international bundle whose activation process involved 5 steps, and many more. That was outright annoying and took repeated calls to their call centre to turn them off. It felt more like value attrition than addition.

That aside, most people relate VAS to mobile operators only; fixed line ISPs, broadcasters and others need to embrace the idea of value addition to their existing services. The tragedy is that many have confused product improvement with value addition; the two are different and can easily be told apart. A fast food restaurant improving the quality of its burgers and fries is product improvement; adding a small toy to all kids' meals is value addition. It follows that for value addition to happen, the product must first meet customer expectations, otherwise VAS is a waste of time. Many operators use value addition to try to improve the product instead of using it to elicit further delight from the customer (which is what creates stickiness). Of what use is the toy in a badly prepared kids' meal? In short, if what an operator is calling VAS ends up improving the product as opposed to eliciting customer delight, it's not VAS. Many operators in Africa are adding toys to burgers with rotten patties. This is why many so-called VAS strategies don't work: they were simply product improvements disguised as VAS.

Have a happy new 2015!

Ideas For CIOs and IT Managers On Securing Their Networks

November 21, 2014 4 comments

There has been a lot of talk about increased cases of cyber criminals accessing information stored on computing networks. Many an events organization has also held conference after conference targeting IT managers and CIOs to ostensibly sensitize them on the matter. Many have gladly drawn attendance cheques in favour of these conference organizers for a seat or two where they go through slide after slide on how to protect their information and data. After the conference, the usual group photo (and many selfies) are taken, not forgetting that one photo where the IT manager or CIO is receiving a certificate of participation from the organizers and their sponsors.

The reality on the ground is that many conference-certificate-waving CIOs still continue to ignore and fail to implement basic measures to protect their networks and information. Their ignorance however is no defense, as cyber criminals continue to seek ways to get into their networks. These criminals try to gain access to networks for two main reasons:

  • To steal information and data from you
  • To use your network as a launch pad for further attacks. This is mostly done by criminals to cover their tracks: a Romanian criminal attacking, say, a US bank will most likely carry out the attack from an unprotected network in Africa or anywhere else.

I would like to put the issue of cyber security into perspective based on my experience in running large networks for the last 10 years or so.

Why are you a target?

You are a target because you are connected to the public internet, it's as simple as that. As long as your IP addresses are routed over the public Internet, you will be a target. It's not because you are a bank, insurance firm, government, the Vatican or even a small two-computer CBO office in Lokichar. You will be attacked for as long as you are online.

How do you tell if you are under attack?

No, when you get attacked you won't see your computer mouse moving on its own, opening files and spewing thousands of lines of code scrolling on your screen like in the movies. It is hard to tell if you are under attack by just sitting at your PC. However, if you measure several key parameters on your network, you can know if you are under attack (whether the attack is successful or not is not the issue here). The first thing is your firewall's CPU usage. Many firewalls are low CPU users if configured properly (I am using the term firewall loosely here for now). Rarely will a properly sized firewall consume more than 25% CPU. If your firewall is consuming more than that, it is either the wrong firewall size for your network or it is wrongly configured. So if your CPU usage deviates from the normal by a huge margin, you are under attack. Below is a graph of my firewall CPU when it was busy fighting off a massive attack. As seen, CPU shot to 100% for some time as cyber criminals initiated a DDoS on all my /20 and /18 public address space on the Internet. If under ordinary operation my CPU was say 85%, that would leave just 15% to fend off possible attacks and give a higher probability of an attack being successful because of using a smaller/less powerful firewall.

CPU usage on the firewall showing a spike in % CPU cycle usage during an attack.

The other symptom that you are under attack is unusually slow network response times. However, network performance should not be used as the only indicator; rather it should be used together with other symptoms, because there are many factors other than an attack that can slow your network down. Firewall software systems reside in memory for faster access by the firewall engine, so you will rarely note an increase in memory utilization during an attack. Memory utilization increases in firewalls are mostly due to turning on additional features on the firewall; for example, a firewall's memory utilization increases if you turn on inbound SSL certificate inspection or mail scanning. It is advisable to turn off features you do not use on any device on your network. Also, just because a firewall has a feature you need, it does not mean you have to use it on the firewall device. For example, instead of letting the firewall do email spam scanning, you can turn that off and do it on a dedicated mail scanner Linux box. This frees up CPU power for network protection.

Next Generation firewalls have inbuilt systems that can warn you if they detect suspicious activity. These warnings can be in the form of an email sent to you with details about the attack. A good example is the email below showing an attempted TCP scan for any open SSH port 22 on my network from a criminal in Russia and an ICMP flood attempt by another in China. If the Russian criminal had managed to see some open port 22 on the scanned IPs, he would then have embarked on hacking the device that has that port open; he was however blocked at the firewall and the attempt reported.

A screenshot of an email from a NextGen firewall detailing attempted attacks on the network

Getting a good system that can prompt you of suspicious activity via email or SMS is highly recommended. You do not want to arrive at work in the morning and find a gory cyber crime scene just because you never got alerted when it all started.
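
The two alerts in the firewall email above (a TCP probe of port 22 across many hosts and an ICMP flood) can also be picked out of plain firewall deny logs. This is an added example, not code from the original post; the log line format and all addresses are constructed (RFC 5737 documentation ranges).

```python
"""Flag a horizontal SSH scan and an ICMP flood in firewall deny-log lines.
Added example; log format and addresses are constructed, not from a real device."""
import re
from collections import defaultdict

# Constructed format: "<epoch> DENY <proto> <src> -> <dst>[:<dport>]"
# (ICMP lines carry no destination port).
LINE = re.compile(
    r"^(?P<ts>\d+) DENY (?P<proto>TCP|UDP|ICMP) (?P<src>[\d.]+) -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def sample_log():
    """Constructed deny log: a port-22 sweep, an ICMP burst and benign noise."""
    lines = [f"1000{i} DENY TCP 198.51.100.7 -> 192.0.2.{10 + i}:22" for i in range(6)]
    lines += ["10100 DENY ICMP 203.0.113.9 -> 192.0.2.20"] * 60
    lines += ["10200 DENY TCP 192.0.2.77 -> 192.0.2.30:22",    # one SSH hit, not a sweep
              "10201 DENY UDP 198.51.100.7 -> 192.0.2.31:123"]  # not port 22
    return lines

def parse(lines):
    """Yield one event dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = int(e["ts"])
            e["dport"] = int(e["dport"]) if e["dport"] else None
            yield e

def detect_ssh_scan(events, min_hosts=5, window=60):
    """Sources that probed TCP/22 on at least min_hosts distinct destinations
    inside any `window`-second span (a horizontal scan for open SSH)."""
    probes = defaultdict(list)  # src -> [(ts, dst), ...]
    for e in events:
        if e["proto"] == "TCP" and e["dport"] == 22:
            probes[e["src"]].append((e["ts"], e["dst"]))
    scanners = set()
    for src, hits in probes.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            hosts = {dst for ts, dst in hits[i:] if ts - t0 <= window}
            if len(hosts) >= min_hosts:
                scanners.add(src)
                break
    return scanners

def detect_icmp_flood(events, rate=50, window=1):
    """Sources that sent at least `rate` ICMP packets within one window-second bucket."""
    buckets = defaultdict(int)  # (src, time bucket) -> packet count
    for e in events:
        if e["proto"] == "ICMP":
            buckets[(e["src"], e["ts"] // window)] += 1
    return {src for (src, _), n in buckets.items() if n >= rate}
```

Thresholds (`min_hosts`, `rate`) are starting points to tune against a baseline of the network's normal traffic.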

Are all firewalls equal?

Of course not. Many IT admins grew up in Cisco environments and sat for Cisco certifications which they proudly display on their CVs; they have therefore been conditioned to believe that anything by Cisco must be the best in the market. That is very far from the truth. From experience, Cisco will offer very good protection up to layer 4 of the OSI model. Beyond that (where most attacks occur), its performance has been very poor even with their attempt to move from the Cisco PIX to the Adaptive Security Appliance (ASA). There are many comparisons online of the ASA vs other firewalls, like this one here which compared the Cisco ASA and Fortinet's Fortigate firewall (which in my opinion is the best firewall in the world).

Next Generation firewalls combine an Intrusion Prevention System (IPS) with OSI layer 7 application control based on Deep Packet Inspection (DPI). This means the system is both application and content aware. Together, these capabilities make up a Unified Threat Management (UTM) system.

Measures to protect your network

There is no one-size-fits-all solution to tackling the ever-increasing attacks in cyberspace. However, based on my experience, the following steps are recommended:

  1. Shut down all unused services on your network. For example, if you have a Linux server that has Domain Name Service (DNS) running yet you do not use it, stop the DNS daemon. This lowers the risk of a criminal gaining access to your network; remember that they need to establish a network/Internet socket to gain access. A socket is made up of an IP address and a port. They have the IP, don't give them the port.
  2. Use non-default ports. If you have to use a service within your network, it is advisable to use non-default ports for these services. For example, everyone knows that SSH runs on port 22, so that will be the port a cyber criminal will most likely look for. Running SSH on, say, port 2222 will contribute to an extent to the security of your service in case the criminals manage to get past the UTM system. In addition to this, avoid using public DNS for domain name to IP mapping for internal services. But how will users access the services and DNS if they are outside the office network? (See point 4 below.)
  3. Control access. Even after changing the ports as per the point above, it is also advisable to set access control rules for the services running on your network. This can be done by use of authentication (username/strong password pair), restricting which IPs can access the ports via the use of access lists, restricting the time of day when the services can be accessed if possible, and using management policies such as frequent mandatory password changes. Also highly recommended is the use of RSA security tokens in addition to passwords.
  4. Use Virtual Private Networks (VPNs). If you have users who need to access resources in the office network from outside the office (e.g. a travelling salesman), they should do this by use of a dial-in VPN service. This service should terminate at your UTM device.
  5. Use a proven UTM appliance. Do your research before falling for marketing ploys; just because it's from Cisco, it does not mean it's the best. Just because it's expensive, it does not mean it can do more/better/faster. "Systems that can scale" is a common buzzword in the ICT world, mostly applied to having a system that will grow with your use. In the UTM world, a system that can scale is one which, other than growing with your needs, will also adapt quickly to the changing nature of threats. For example, how long did your UTM vendor take to update their IPS signatures with the Heartbleed vulnerability? A 6-hour delay after the discovery of the threat led to the Canada Revenue Agency losing taxpayer data.
  6. Enforce Bring Your Own Device (BYOD) policies. One of the easiest ways for criminals to gain access to your network is through compromised devices belonging to your staff. That iPad your CEO or that smartphone your accountant brings and connects to the office WiFi, is it safe? There are now many BYOD best practice recommendations, including the simplest, which is having such devices connect to a separate, policy-controlled VLAN in the office. Many free apps that smartphone users download have back doors through which criminals can gain access to your network if the device is connected via WiFi.
  7. Control resource use. By use of policies such as those offered by Microsoft domain controllers, the IT admin can enforce resource use policies such as disabling installation of software onto computers by staff. Many pirated software programs harbour malware and back doors that can be used by criminals.
  8. Use Internet security software. Also commonly known as antivirus programs, each node on a network should have updated Internet security software. These have evolved from plain antivirus detectors to security suites that provide protection from phishing, malware and insecure web browsing. The jury is still out on which is the best security software. I would highly recommend Kaspersky endpoint security software, followed by Sophos.
  9. Gain visibility. A survey showed that over 70% of CIOs have no idea what type of traffic runs on their network. By gaining visibility into what is running on the network and when, CIOs can lower the risk of an attack. The graph below shows traffic running on a network identified by a device that can do Deep Packet Inspection (DPI). A simple system will classify Facebook traffic as HTTP (because it's via port 80 at layer 4); with a DPI device, you can gain insights into exactly what is running on a network and control it. In the example below, because he can now see what's running on the network, a CIO may decide to block Yahoo mail access from the office network if he feels it poses a threat, for example users downloading malware or clicking spam links in personal emails from within the office network.

Graph from an application aware DPI device showing protocols at layer 7
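
Points 1 to 3 of the list above (stop unused services, move off default ports, restrict who can reach what) can be checked mechanically from a host's listening sockets. This is an added example, not code from the original post; the `ss -tlnp`-style lines, the approved service list and the addresses are constructed for the example.

```python
"""Audit a host's listening sockets against an approved-services list.
Added example; the socket listing and approved services are constructed."""
import re

# Constructed lines in the shape of `ss -tlnp` output (header row omitted).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
LISTEN 0 10 0.0.0.0:53 0.0.0.0:* users:(("named",pid=640,fd=21))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=901,fd=6))
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=1004,fd=19))
"""

# Services this host is meant to run, and the port each should use
# (sshd deliberately moved off 22, as point 2 suggests). Anything else is "unused".
APPROVED = {"sshd": 2222, "nginx": 80, "mysqld": 3306}
# Ports that must stay on their default and open to all because outside clients expect them.
PUBLIC_PORTS = {80, 443}
WILDCARD = {"0.0.0.0", "::", "*"}
PROCESS = re.compile(r'\(\("([^"]+)"')  # the process name inside users:(("name",...))

def parse_listeners(text):
    """Yield (process, bind_address, port) for every LISTEN line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)  # rsplit so "[::]:22" parses too
        m = PROCESS.search(line)
        yield (m.group(1) if m else "?", addr.strip("[]"), int(port))

def audit(text, approved=APPROVED, public_ports=PUBLIC_PORTS):
    """Return sorted, de-duplicated (process, port, issue) findings."""
    findings = set()
    for proc, addr, port in parse_listeners(text):
        if proc not in approved:                      # point 1: stop the daemon
            findings.add((proc, port, "unused_service"))
            continue
        if port != approved[proc]:                    # point 2: still on a default port
            findings.add((proc, port, "unexpected_port"))
        if addr in WILDCARD and port not in public_ports:  # point 3: reachable from anywhere
            findings.add((proc, port, "wildcard_bind"))
    return sorted(findings)
```

On the constructed listing the audit reports `named` as an unused service and `sshd` both for sitting on port 22 and for listening on every interface, while `mysqld` on loopback and the public web server pass.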

What about encrypted traffic?

With the increase in the use of Secure Sockets Layer (SSL) encryption on the open internet after the NSA debacle, many networks are noting a steady rise in encrypted traffic, especially HTTPS. Older UTMs are unable to inspect encrypted traffic, and this therefore poses a great danger to networks. A recent report by Gartner Research says that less than 20% of organizations inspect encrypted traffic entering or leaving their networks. You might be wondering if it is possible to inspect SSL encrypted traffic; yes, a good UTM system can decrypt most SSL encrypted traffic and confirm certificate authenticity. This ensures that only traffic with genuine encryption certificates enters the network.
