Loading ...

Category: Networking

Retail Routers for Work From Home

This blog post is more about the use of retail routers at the office than at home, just to make that clear from the beginning. We would also recommend non-retail routers at home, but that is not feasible for everyone. 

What is a retail router?

This is a phrase I am coining to describe any router that is generally available from your local retailers like Staples, Walmart, etc or delivered as part of the internet service from your local provider. They include brand names like ASUS, D-Link, Linksys, and Netgear. They range in price from $30 for the extreme low end to $450 for a gaming router. These routers are built for home and small office networks that have very few users or devices connected at any given time. They may include some features that sound “business-like” such as Virtual Private Network (VPN), Stateful Packet Inspection (SPI), VLAN, and Quality of Service (QoS) – remember though that these are also only able to support a minimum number of users and devices connected at any given time. If you try to use a retail router to run your business network then you will find that performance will be severely degraded and these features will not work as advertised.

There is also the issue of security. These routers are rarely if ever updated even when new vulnerabilities are found. This makes them ineligible for PCI or HIPAA compliance situations. 

Is there a non-retail router?

So what to do about this situation? Time to call your trusted IT services provider who will be able to get you a non-retail router, but that begs the question – what is a non-retail router? 

These routers are built by network professionals who design the hardware to perform under the pressures of the office environment and to handle the work from home remote workload. These routers include brands like Cisco, Juniper, Ubiquiti, and Araknis. They range in price from $150 for an office of up to 5 people to $10,000 for a high traffic company with hundreds of users. These routers handle VPN, SPI, VLAN, QoS, and many other services all at once with ease. Security is baked into these routers with the best ones having the ability to be managed from the cloud. They provide consistent access to all connected users and devices at all times. Your trusted IT services provider will work with you to “right size” the router to your business needs. 

If your company is going to have full time work from home employees and is concerned about their ability to perform, then contact us for assistance.

Convert Cisco 3700 AP from Controller Managed to Autonomous

Recently had to convert Cisco 3700 AP from Controller managed to Autonomous when I client separated from their parent company and bought out the IT equipment (that was a very costly mistake – if converting from corporate to small business invest in business grade IT equipment as it is much cheaper, by thousands of dollars). I researched online and found several posts about using the “archive sw-download” method on the AP, but those didn’t work with the TAR file that I was downloading from Cisco. I found another means of doing this by resetting the AP to factory defaults which allowed me to login via the console port and switching to manual boot.

Reset AP to Default

  • Remove power from the AP
  • Hold down the MODE button
  • Plug back in power
  • Wait 30 seconds then release the MODE button

Configure AP to Manual Boot

  • You should now be able to login with the “enable” command using the password Cisco
  • Type in the following command:
    • debug capwap con cli
    • conf t
    • boot manual
    • reload

Use TFTP to update firmware

  • Download / Install a TFTP server software of your choice.
  • Move Firmware TAR file into server directory
  • Once the AP finishes the manual boot process the prompt with be ap:
  • Type in the following commands:
    • set IP_ADDR <IP Address on same subnet as TFTP server>
    • set NETMASK <Subnet Mask on same subnet at TFTP server>
    • set DEFAULT_ROUTER <IP Address of default gateway>
    • ether_init
    • tftp_init
    • tar -xtract tftp://<IP Address of TFTP Server>/<Name of firmware TAR file> flash:
  • use “dir flash:” and cd to find directory name and firmware file name, then issue the last commands:
    • set BOOT flash:/<Directory name>/<File name>
    • boot

The AP will reboot with the new firmware and be ready to access a new configuration. This method works great as long as the TFTP extraction of the TAR file completes successfully.

If you need any help gaining access to your Cisco network gear or with configuring your Cisco equipment, then contact us for support.

Using an Old Teamviewer Makes You Vulnerable

Looks like the trusted remote access / remote support tool has an exploit that could allow an attacker to figure out your network password.

Please take the time to update your Teamviewer software to the latest version or contact us to setup our free remote access software on your systems. 

Most Popular Home Routers Have ‘Critical’ Flaws

Even though we recently sent out another email newsletter about this topic, we have to keep raising this issue as the work from home remains a regular occurrence. A German think tank analyzed 127 popular home routers with the majority having at least one flaw (D-Link, Netgear, ASUS, Linksys, TP-Link and Zyxel were affected by 53 critical-rated vulnerabilities each). The biggest problem is that most (91%) are built on top of an old version of Linux operating system and their makers rarely publish updates.

There are several solutions that we can discuss to secure your work from home networks, so contact us for assistance.

Recent Router Hacks Found

Vulnerability Prevention - Grants Pass, OR

In the past couple days there have been press release that show a large number of vulnerabilities in all Cisco Small Business routers and 79 models of the Netgear router line-up. Here are the articles:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-routers-stack-vUxHmnNz

https://www.bleepingcomputer.com/news/security/79-netgear-router-models-risk-full-takeover-due-to-unpatched-bug/

The Cisco models are primarily used in small businesses, but the Netgear models include many that are used by home users – this could present a security risk for anyone who is still working from home. Cisco has released patches for the vulnerabilities and the Netgear vulnerabilities remained unpatched. 

If your company is still using a “small business” or home based router, then contact us for assistance in checking for updates or replacing them with an business grade router with automatic updates. We also provide network security auditing for both office and home work environments. 

Work From Home Checklist

remote worker - Grants Pass, OR

In this unprecedented time that we are currently experiencing, you have had to set your team up to work remotely, often without thinking about how they might actually get work done, let alone security of all things. Our employee checklist and no-cost cybersecurity training course will provide your team with the tools they need to ensure that they are safe and productive – right out of the gate.  These free resources are part of our initiative to keep our community safe and working during this time of crisis, without the additional disruption and financial impact of a breach.
 
Don’t let a change in circumstance allow for a change in cybersecurity standards.

Can Passwords Be Strong & Easy To Remember

The COVID-19 scare and ensuing rush to remote access has us thinking security. What is more basic to security than passwords. In an effort to find a way to make passwords both secure and easy to remember, I have found a website that seems to fit the bill:

https://xkpasswd.net/

A Secure Memorable Password Generator

The concept is surprisingly simple and is said to be based on a cartoon:

XKCD - Password Strength

I have played with the settings and found the following to generate some good password settings. Here they are for those who are interested:


The only other option would be to use random passwords stored in a password keeper. This also allows secure sharing of passwords throughout the organization. 

If your company is using remote access, then contact us for assistance to make it secure.

COVID-19: Preparing for the Long Haul

remote worker - Grants Pass, OR

According to the executive order made by Oregon State Governer, Kate Brown:“On Friday night, I frankly directed them to stay home. And now I am ordering them to stay home.


The following guidelines are in effect for businesses:

  • It closes and prohibits shopping at specific categories of retail businesses, for which close personal contact is difficult to avoid, such as arcades, barber shops, hair salons, gyms and fitness studios, skating rinks, theaters, and yoga studios.
  • It requires businesses not closed by the order to implement social distancing policies in order to remain open, and requires workplaces to implement teleworking and work-at-home options when possible. They must also elect a representative who will be in charge of monitoring social distancing.

What FHN is doing?

FREE Remote Access – Just a re-iteration that all our monthly managed services clients will have remote access to their systems at no additional cost. If you are not a managed client then we can set you up with secure remote access to your data or network depending on need. Please call sooner rather than later as we have to take care of our managed clients first and there may be a wait at this point.

On-site support continues – At this time there is no restrictions on service industries who perform on-site visits to complete work, so Farmhouse Networking will continue to do so for the foreseeable future. We will be taking precautions such as protective masks, gloves, or perhaps more extreme measures (hazmat suit) to insure the safety of our staff and clients. We ask that clients keep these visits to emergency needs and planned projects until these social distancing rules are lifted.

Stocking up on essentials – We have been closely monitoring our distribution channels and several of them have been stating that non-essential items would take up to one month to receive. As a courtesy to our clients and to better service them in times of emergency IT needs, we will be stocking up on computer and network parts that are most often needed. 

What should clients do?

Remote workers – Send unneeded on-site staff home to work remotely. With remote access capabilities, video conferencing, and VoIP phones – there is no reason to keep them in harms way. We are experts in these technologies and can get you up and running on them quickly.

Maintain infrastructure – For remote workers to be able to get access to their computers there needs to be a solid foundation at the business location.

  • Workstations, servers, and network equipment should be on battery backups to keep them from going offline unnecessarily due to power fluctuations – triggering a need to go into the office.
  • Is part of your network over 6 years old? Now may be the time to replace the network equipment to avoid downtime and unneeded office visits in the future.
  • Now more than ever backups are needed in case anything should go wrong. Recovery times are bound to be increased as the lock down on businesses increases. 
  • Don’t forget to leave the A/C on especially if you have a server closet, they work better in cooler temperatures. 

Planning – With a possible slowdown in business now is the time to take stock of your company, to get used to this new normal, and make plans for the long term implications of this craziness on our businesses. 

If your company needs any help weathering the COVID-19 storm, then contact us for assistance.

FBI Cyber Defense Best Practices

A recent briefing from the FBI’s Internet Internet Crime Complaint Center (IC3) detailed current best practices and industry standards for cyber defense. Here is a summation:

Cyber Defense Best Practices

  • Backups – Regularly back up data and verify its integrity. Backups are critical in ransomware; if you are infected, backups may be the only way to recover your critical data.
  • Training – Employees should be made aware of the threat of ransomware, how it is delivered, and trained on information security principles and techniques.
  • Patching – All endpoints should be patched as vulnerabilities are discovered. This can be made easier through a centralized patch management system.
  • Antivirus – Ensure anti-virus and anti-malware solutions are set to automatically update and that regular scans are conducted. Centrally managed is even better.
  • File Permissions – If a user only needs to read specific files, they should not have write-access to those files, directories, or shares. Configure access controls with least privilege in mind.
  • Macros – Disable macro scripts from Office files transmitted via email.
  • Program Execution Restrictions – Implement software restriction policies or other controls to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular internet browsers, and compression/decompression programs.
  • Remote Desktop Protocol – Employ best practices for use of RDP, including use of VPN, auditing your network for systems using RDP, closing unused RDP ports, applying two-factor authentication wherever possible, and logging RDP login attempts.
  • Software Whitelisting – Implement application whitelisting. Only allow systems to execute programs known and permitted by security policy. This one takes careful planning.
  • Virtualization – Use virtualized environments to execute operating system environments or specific programs. No physical access to servers makes hacking harder.
  • Network Segmentation – Implement physical and logical separation of networks and data for different organizational units. Keep guest traffic out of your business network.
  • No Saved Passwords – Require users to type information or enter a password when their system communicates with a website. Better yet use a password management tool.

If your company is going to use full disk encryption or has compliance requirements that you need consulting for, then contact us for assistance.

Sophos DNAT – Change Different Port Number

This article came from the need of another local tech company to forward an Exacqvision Web Portal to something other than port 80, as it was already in use. I could not find a detail article on how to accomplish Sophos DNAT while changing the port number:

How to configure Sophos DNAT for an internal server

  1. Navigate to Firewall then click +Add Firewall Rule and select Business Application Policy.
    Sophos DNAT - Add Firewall Rule
  2. Select Application Template and choose DNAT/Full NAT/Load Balancing.
    Sophos DNAT - DNAT Template
  3. Fill out the settings as shown below:
    Sophos DNAT - Firewall Rule Details
    1. Rule Name
    2. Source Zones: WAN (and LAN if needed)
    3. Allowed Client Networks: Any
    4. Destination Host/Network: WAN Interface (#eth0-? whichever one you use)
    5. Services: Either select the service you already created or create a new one for the external port to be used as below
      Sophos DNAT - Service Creation
    6. Protected Servers: Select an existing or create a host entry for the internal server.
    7. Protected Zone: Select the Zone in which the host resides (LAN or DMZ).
    8. Change Destination Port(s): Check this then change the port to the internal port.
  4. Click Save to save the configuration.

If your company is using a Sophos router and is unsure of how to configure it, then contact us for assistance in making the best use of your router.

Archives

Categories

Plant a Seed @ 541-761-9549
233 Rogue River Hwy #873 Grants Pass, OR 97527
Mon-Fri: 9:00am-5:00pm
support@farmhousenetworking.com
© 2016-2024- Farmhouse Networking. All rights reserved
Terms and Conditions Privacy Policy

Evaluation Signup

[contact-form-7 id="452" title="Free Network Evaluation"]
And God will generously provide all you need. Then you will always have everything you need and plenty left over to share with others. As the Scriptures say,
“They share freely and give generously to the poor. Their good deeds will be remembered forever.”
For God is the one who provides seed for the farmer and then bread to eat. In the same way, he will provide and increase your resources and then produce a great harvest of generosity in you. - 2 Corinthians 9:8-10