Important Information About Your 8e6 Solution

by Mark Parker
June 19th, 2008

We recently sent out an email regarding this, but I thought I would post it here just in case anyone missed the email. If you have any questions, feel free to contact our support department.

All 8e6 users,

In order to provide improved access and reliability, 8e6 is upgrading its Internet connection to a multi-homed configuration. Unfortunately, this change requires the renumbering of some customer-facing systems. Consequently, some changes may be required on your networks to ensure continued connectivity to 8e6 for the purposes of downloading library updates, software patches, and technical support remote access. This is a one-time-only change since the new IP addresses are “owned” by 8e6 and, as such, portable with respect to future Internet Service Provider changes.

Bottom line, it is extremely important that your firewall administrator is alerted to the following items, in order to ensure continued connectivity to 8e6 update servers.

FTP Update Server EOL
Concurrent with this change comes the End-of-Life for the legacy FTP update servers. As of July 31st, updates will only be available using the HTTPS update servers. The 2.1 software release of the R3000 (scheduled for mid-July) will remove the ability to download library and software updates via FTP, and switch the transport method of all library and software updates to HTTPS.

It is recommended that you immediately ensure that your R3000 is set to use HTTPS for library and software updates. This can be done via the R3000 GUI, and is available under Library>Updates>Configuration. If your R3000 is set to use FTP, change the method to HTTPS. Once the configuration change is made you can perform a manual update to ensure that connectivity can be established.

Library, Software Patch and CFM Updates
If your network firewall rules for outbound connectivity utilize statically assigned IP addresses for access to 8e6’s patch, update and cfm servers, modification will be required to allow access to the new IP addresses indicated below.

IMPORTANT: The changes in this section must be made prior to July 31, 2008 or you may experience an interruption in the related services. To facilitate a transition window, please maintain access for both old and new IPs until September 30th, 2008, at which time you can remove access for the old IPs.

All 8e6 systems (R3000, Enterprise Reporter and Threat Analysis Reporter) should have access via HTTPS to the following systems.

patch.8e6.net (software updates)
Old
209.11.161.20
209.11.161.21
New
208.90.236.69

secureupdate.8e6.com (library updates)
Old
209.11.161.24
209.11.161.25
209.11.161.26
209.11.161.27
New
208.90.236.70
208.90.236.71
208.90.236.72
208.90.236.73

cfm.8e6.com (customer feedback module updates)
Old
209.11.161.224
New
208.90.236.75

Technical Support
Similarly, you will need to modify your firewall rules to allow SSH access from 8e6’s two newly assigned “keyserver” IP addresses listed below.

IMPORTANT: The changes in this section must be made prior to July 31, 2008 or you may experience an interruption in the related services. To facilitate a transition window, please maintain access for both old and new IPs until September 30th, 2008, at which time you can remove access for the old IPs.

key1.8e6.com
Old = 209.11.160.50
New = 208.90.236.132

key2.8e6.com
Old = 209.11.160.51
New = 208.90.236.133

If you have any questions regarding the above information, please contact 8e6 Technologies Tech Support at support@8e6.com or call (888) 786-7999, menu selection #3. Thank you for your support and patience in this matter.

Sincerely,

Your 8e6 Technologies Product Management Team
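
An added example (not from 8e6 or the original post): a Python check that audits a firewall rule export against the old and new addresses listed in the notice above, so gaps show up before the July 31 cutover. The `direction cidr port` rule format and the sample rules are constructed for illustration.

```python
import ipaddress

# Addresses from the notice: host -> (direction, TCP port, old IPs, new IPs)
REQUIRED = {
    "patch.8e6.net": ("out", 443, ["209.11.161.20", "209.11.161.21"], ["208.90.236.69"]),
    "secureupdate.8e6.com": ("out", 443,
        ["209.11.161.24", "209.11.161.25", "209.11.161.26", "209.11.161.27"],
        ["208.90.236.70", "208.90.236.71", "208.90.236.72", "208.90.236.73"]),
    "cfm.8e6.com": ("out", 443, ["209.11.161.224"], ["208.90.236.75"]),
    "key1.8e6.com": ("in", 22, ["209.11.160.50"], ["208.90.236.132"]),
    "key2.8e6.com": ("in", 22, ["209.11.160.51"], ["208.90.236.133"]),
}

# Constructed sample export in a hypothetical "direction cidr port" format.
SAMPLE_RULES = """\
# legacy rules
out 209.11.161.0/24 443
in  209.11.160.50/31 22
# new rules added so far
out 208.90.236.69 443
out 208.90.236.70/31 443
in  208.90.236.132 22
"""

def parse_rules(text):
    """Return (direction, network, port) tuples, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        direction, cidr, port = line.split()
        rules.append((direction, ipaddress.ip_network(cidr, strict=False), int(port)))
    return rules

def missing(rules_text, transition=True):
    """List (host, ip, direction, port) entries that no allow rule covers.

    transition=True checks old and new IPs (the window the notice asks for);
    transition=False checks only the new IPs (after the old ones are retired).
    """
    rules = parse_rules(rules_text)
    gaps = []
    for host, (direction, port, old, new) in REQUIRED.items():
        for ip in (old + new if transition else new):
            addr = ipaddress.ip_address(ip)
            if not any(d == direction and p == port and addr in net
                       for d, net, p in rules):
                gaps.append((host, ip, direction, port))
    return gaps

if __name__ == "__main__":
    for gap in missing(SAMPLE_RULES):
        print("not allowed:", gap)
```

A broad rule such as the sample's `/24` passes the check while permitting more than the notice requires; the audit reports missing coverage only, not excess.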

Remote Access Patterns Released

by Satnam Narang
May 23rd, 2008

In our continuing efforts to broaden the coverage of our pattern filtering and application control, we have released a new set of patterns that block some of the more well known Remote Access applications and protocols. These include Virtual Network Computing (VNC), Remote Desktop (Terminal Services), GoToMyPC and Symantec’s pcAnywhere. In addition to these newly released patterns, we also leverage our URL filtering capability against web based remote access sites.


Security, bandwidth and productivity issues with March Madness

by Rich Sutton
March 19th, 2008

It’s that time of year again: the NCAA basketball tournament is upon us. This time of year always throws a spotlight on web filtering, as enterprises are faced with the prospect of their employees frittering away time and valuable network bandwidth watching hoops.

The tools available on the Internet for following this year’s tournament are getting more varied and sophisticated, throwing open new security and bandwidth concerns, as well as raising the old specter of productivity problems.

Security

If you’re blocking your users from watching the tournament, then you’ve got to consider the ways that they might attempt to circumvent that policy. The key thing here is that video streaming isn’t just about web sites and media players anymore.


Games patterns released

by Rich Sutton
March 13th, 2008

On Tuesday, we took another step in broadening the Application Management functionality in our web filtering products. We released the first set of patterns for blocking network games, commonly called Massively Multi-Player Online Role Playing Games (MMORPGs). We wrote patterns for World of Warcraft, Legend and the Steam Network, which is used by many games.

We also block a number of games through simple URL filtering. Some games rely on HTTP or HTTPS access to certain domains, so they can be shut down that way. Second Life and Lineage II are good examples of these.

There are two obvious issues with online games that should be of interest to enterprise and education IT departments: productivity and bandwidth. Cumulatively, online games have more than 16 million subscribers, with World of Warcraft alone accounting for more than 10 million of those subscribers. Blocking these applications at the gateway provides a simple, centralized way to prevent employees and students from violating what is undoubtedly already a part of your acceptable use policy.

This is the first expansion of application management in the R3000 beyond IM, P2P and proxies, leveraging a feature in the recently released 2.0.10 version of the R3000 that allows us to extend pattern coverage to any category. In the near future, we will be expanding the scope of our pattern blocking to include remote access applications like Terminal Services (RDP) and VNC, as well as streaming media protocols like RTSP.

Please submit requests for pattern coverage of other games and applications to mudcrawler [at] 8e6 [dot] com.

Old school email frauds that still work

by Rich Sutton
February 27th, 2008

As the average Internet user wises up to the classic fraudster angles, criminals have to move to new targets. People are getting better at recognizing emails phishing for their Bank of America online banking credentials. We’ve all seen 419 scams in our inboxes, which are looking for you to front money for a bigger payout down the line (aka “advance fee fraud”).

As a result, the bad guys have had to turn their attention to new targets. In 2007, we saw attacks looking to get at employers’ Monster.com accounts, individuals’ MySpace and Facebook contacts as well as Salesforce credentials. There has also been a rise in classic phishing emails targeting smaller banks or banks in emerging economies, where the average end user isn’t as experienced at dealing with phish.

But in our hurry to stay on top of the latest trends, we can sometimes lose sight of the tried-and-true fraud techniques that still work.

And sometimes it’s easier to be fooled when the threat is directed at our employers.

I recently had the following two emails forwarded to me. Folks were asking: are these for real?


Analysis of DNS-based filtering solutions

by Rich Sutton
February 20th, 2008

The guys at OpenDNS made an interesting announcement yesterday. They’re building a community authored directory of web sites to enhance their DNS-based web filtering service. OpenDNS is a free DNS service that anybody can use simply by changing their computer’s DNS settings.

This is how a DNS-based filtering service works. You change your network settings (typically the ones served up dynamically by your DHCP server) to use the DNS servers from OpenDNS. When a user types playboy.com into the address bar, the web browser attempts to find the IP address for playboy.com using DNS. But the OpenDNS servers don’t return the real IP address for playboy. Instead they return the IP address of a server that sends the user a block page. Hey presto, the user is blocked. Frankly, it’s brilliant in its simplicity. And the community categorization approach is extra brilliant.

A DNS-based filtering solution is great at snuffing out inadvertent browsing of bad web content. When my five-year-old uses our home computer and starts clicking around on stuff, I’d like to simply prevent him from accidentally viewing nasty sites that might come back in a Google search. A DNS-based approach will absolutely solve this problem.

But my five-year-old is not what I would call a determined attacker.


PBS Frontline: Growing Up Online

by Rich Sutton
February 8th, 2008

PBS’s Frontline recently ran a special on kids and the Internet titled “Growing Up Online”. You can watch the entire show online — and I definitely recommend it for anyone involved in education: parents, teachers, administrators, IT.

They address some interesting issues, including:

The disturbing pro-anorexia phenomenon, which I had never heard of until I got into the Internet Filtering industry. Sometimes these sites attempt to walk the line between self-help and truly being pro-anorexia. 8e6’s categorization policy is for pro-ana sites to go into Obscene/Tasteless and anorexia disorder help sites to go into Health. Often, this is a surprisingly close judgment call.


MySpace Myopia

by Rich Sutton
January 14th, 2008

You’ve probably seen the news: MySpace has reached an agreement with 49 states to take steps to make their site a safer place for kids. I just have one quick comment.

I think the state governments are attacking this from completely the wrong angle. Governments can put all the pressure they want on MySpace, and as soon as MySpace has adequate controls and age verification, the kids will have moved elsewhere.

Now don’t get me wrong, MySpace certainly has an obligation to do what they can. I’m glad to see them cooperating, especially because they only have a PR incentive to do so. They actually have a disincentive from a business perspective.

The advertisers go to MySpace to reach kids of all ages, so MySpace needs to continue to make it easy for the kids to sign up. But you lose your street cred with the kids when you let the parents in.

Providing parents the controls they want while also giving advertisers the access they demand are objectives that are fundamentally at odds with each other.


ISP netblocks allocated to home computers are bot and proxy farms …

by Rich Sutton
January 9th, 2008

… so I’m going to make the case that you should simply be blocking them en masse. But first, a little background.

Dynamic Addressing by ISPs

Internet Service Providers (ISPs) own blocks of contiguous IP addresses (aka “netblocks”) that they in turn assign to the computers that connect to the Internet through their service. When you sign up for DSL, Cable or even dial-up service and connect your computer to the Internet, the ISP assigns your computer an IP address from within a netblock it owns.

Some ISPs provide static IP services, where your computer keeps the same IP address all the time. But the vast majority of home computers are signed up for less expensive dynamic IP services, where your computer gets a new address each time it connects to the Internet. The address is often different every time you connect. But it’s always from within the same netblock.

This allows the ISP to sign up more customers than IP addresses it owns, kind of like how a bank is allowed to loan out money it doesn’t actually have in the vault. Since only a percentage of the ISP’s customers are connected at any given time, this works fine.

How to tell if an IP is in one of these Netblocks

My personal DSL provider is DSLExtreme. When my home computer connects to the Internet (actually, it’s my router), it’s always assigned an address in the netblock 72.25.123.0/24, which includes a range of IPs from 72.25.123.0 to 72.25.123.255.


Proxy blocking improvements in the new version of the R3000

by Rich Sutton
December 27th, 2007

We have just released the latest version of our core web filtering appliance - version 2.0.10 of the R3000. General availability of the patch is set for January 7th, but you can contact Tech Support and request it today if you like. We’re going GA after the Holidays to reduce the load on Tech Support, which always sees a spike in activity after a major patch release (despite our best efforts).

There is lots of great stuff in this release. However, in this post I’m going to focus on the changes that affect how we handle proxies: improvements in our HTTPS filtering and pattern-based blocking. I’m going to cover:

  • Block page on a pattern block
  • New options that enhance HTTPS Medium and tame HTTPS High
  • Whitelist feature for pattern detection

Let’s take a look at the details.
