Loading ...

Category: VPN

Setup Azure to Araknis IPSec VPN

Had a local medial office want to move their current server into the cloud and because they are already an Office 365 customer, I chose to use Azure for their Virtual Machine. I helped them setup Azure to Araknis IPSec VPN to connect their headquarters to the hosted server. This tutorial will go into detail about the creation of this tunnel starting with the Microsoft Azure side first using Resource Manager. It will be using the following parameters:

  • VNet Name: TestNetwork
  • Address Space: 10.10.0.0/16
  • Subnets:
    • Primary: 10.10.10.0/24
    • GatewaySubnet: 10.10.0.0/24
  • Resource Group: TestResourceGroup
  • Location: West US
  • DNS Server: Azure Default
  • Gateway Name: TestVPNGateway
  • Public IP: TestVPNGatewayIP
  • VPN Type: Route-based
  • Connection Type: Site-to-site (IPsec)
  • Gateway Type: VPN
  • Local Network Gateway Name: TestSite
  • Local Subnet: 10.20.20.0/24
  • Connection Name: VPNtoTestSite

Configure an Azure VPN gateway

This part takes the longest, so it should be done first:

  • Click on the “+” icon at the top left hand side of the Resource Manager, then search for “Virtual Network Gateway” and click on the “Create” button.
  • Give the Virtual Network Gateway a name
  • Select matching Region to where Azure resources are located
  • Leave Gateway & VPN type the defaults
  • Choose a SKU <- These have changed since the article was created, so my “standard” now is WpnGw1 with Active / Active turned off (this is a good balance of performance and cost)
  • Choose or create a local network (not covered here, but must contain Gateway Subnet) that matches internal resources
  • Choose or create a Public IP Address
  • Leave the remaining values as their defaults and then click the “Create” button. (Please note the reminder that this takes 45 minutes to create!)Azure Virtual Network Gateway

Configure an Azure Local Network Gateway

This is a reference to your on-premise network so that subnets can pass traffic:

  • Click on the “+” icon at the top left hand side of the Resource Manager, then search for “Local Network Gateway” and click on the “Create” button.
  • Give the Local Network Gateway a name
  • Select matching Region to where Azure resources are located
  • Specify the external IP address of the local on-premise site
  • Specify the on-premise address space (subnet)
  • Leave the remaining values as their defaults and then click the “Create” button.
  • Azure Local Network Gateway

Configure an Azure VPN Connection

This will create the tunnel from Azure to the on-premise site:

  • Click on the “+” icon at the top left hand side of the Resource Manager, then search for “Connection” and click on the “Create” button.
  • Choose “Site-to-site (IPSec)” as the connection type
  • Give the Connection a name
  • Select matching Region to where Azure resources are located
  • Leave the remaining values as their defaults and then click the “OK” button. On the summary screen click on the “OK” button to create the connection.Azure Connection Basics
  • Choose the newly created Virtual Network Gateway
  • Choose the newly created Local Network Gateway
  • Specify a shared key
  • Leave the remaining values as their defaults and click the “Create” button.
  • Azure Connection Settings

This completes the setup of the Azure side of the VPN tunnel. Now to work on the Ubiquiti USG side.

Configuring an Araknis IPSec VPN Network

  • Connect to Araknis router (need at least a 310 for this to work)
  • Click on Advanced > VPN
  • Scroll down to IPSec and click add new tunnel
  • Fill in the Remote IP address of the Azure VPN Gateway
  • Araknis VPN Settings
  • Fill in the Remote Subnet Mask
  • Araknis VPN Settings
  • Make the following changes to IPSec Setup
  • Araknis VPN Settings

That is all there is to it. If your company is currently using either Microsoft Azure or Araknis routers and would like a VPN created, then contact us for assistance.

Retail Routers for Work From Home

This blog post is more about the use of retail routers at the office than at home, just to make that clear from the beginning. We would also recommend non-retail routers at home, but that is not feasible for everyone. 

What is a retail router?

This is a phrase I am coining to describe any router that is generally available from your local retailers like Staples, Walmart, etc or delivered as part of the internet service from your local provider. They include brand names like ASUS, D-Link, Linksys, and Netgear. They range in price from $30 for the extreme low end to $450 for a gaming router. These routers are built for home and small office networks that have very few users or devices connected at any given time. They may include some features that sound “business-like” such as Virtual Private Network (VPN), Stateful Packet Inspection (SPI), VLAN, and Quality of Service (QoS) – remember though that these are also only able to support a minimum number of users and devices connected at any given time. If you try to use a retail router to run your business network then you will find that performance will be severely degraded and these features will not work as advertised.

There is also the issue of security. These routers are rarely if ever updated even when new vulnerabilities are found. This makes them ineligible for PCI or HIPAA compliance situations. 

Is there a non-retail router?

So what to do about this situation? Time to call your trusted IT services provider who will be able to get you a non-retail router, but that begs the question – what is a non-retail router? 

These routers are built by network professionals who design the hardware to perform under the pressures of the office environment and to handle the work from home remote workload. These routers include brands like Cisco, Juniper, Ubiquiti, and Araknis. They range in price from $150 for an office of up to 5 people to $10,000 for a high traffic company with hundreds of users. These routers handle VPN, SPI, VLAN, QoS, and many other services all at once with ease. Security is baked into these routers with the best ones having the ability to be managed from the cloud. They provide consistent access to all connected users and devices at all times. Your trusted IT services provider will work with you to “right size” the router to your business needs. 

If your company is going to have full time work from home employees and is concerned about their ability to perform, then contact us for assistance.

Recent Router Hacks Found

Vulnerability Prevention - Grants Pass, OR

In the past couple days there have been press release that show a large number of vulnerabilities in all Cisco Small Business routers and 79 models of the Netgear router line-up. Here are the articles:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-routers-stack-vUxHmnNz

https://www.bleepingcomputer.com/news/security/79-netgear-router-models-risk-full-takeover-due-to-unpatched-bug/

The Cisco models are primarily used in small businesses, but the Netgear models include many that are used by home users – this could present a security risk for anyone who is still working from home. Cisco has released patches for the vulnerabilities and the Netgear vulnerabilities remained unpatched. 

If your company is still using a “small business” or home based router, then contact us for assistance in checking for updates or replacing them with an business grade router with automatic updates. We also provide network security auditing for both office and home work environments. 

Work From Home Checklist

remote worker - Grants Pass, OR

In this unprecedented time that we are currently experiencing, you have had to set your team up to work remotely, often without thinking about how they might actually get work done, let alone security of all things. Our employee checklist and no-cost cybersecurity training course will provide your team with the tools they need to ensure that they are safe and productive – right out of the gate.  These free resources are part of our initiative to keep our community safe and working during this time of crisis, without the additional disruption and financial impact of a breach.
 
Don’t let a change in circumstance allow for a change in cybersecurity standards.

COVID-19: Preparing for the Long Haul

remote worker - Grants Pass, OR

According to the executive order made by Oregon State Governer, Kate Brown:“On Friday night, I frankly directed them to stay home. And now I am ordering them to stay home.


The following guidelines are in effect for businesses:

  • It closes and prohibits shopping at specific categories of retail businesses, for which close personal contact is difficult to avoid, such as arcades, barber shops, hair salons, gyms and fitness studios, skating rinks, theaters, and yoga studios.
  • It requires businesses not closed by the order to implement social distancing policies in order to remain open, and requires workplaces to implement teleworking and work-at-home options when possible. They must also elect a representative who will be in charge of monitoring social distancing.

What FHN is doing?

FREE Remote Access – Just a re-iteration that all our monthly managed services clients will have remote access to their systems at no additional cost. If you are not a managed client then we can set you up with secure remote access to your data or network depending on need. Please call sooner rather than later as we have to take care of our managed clients first and there may be a wait at this point.

On-site support continues – At this time there is no restrictions on service industries who perform on-site visits to complete work, so Farmhouse Networking will continue to do so for the foreseeable future. We will be taking precautions such as protective masks, gloves, or perhaps more extreme measures (hazmat suit) to insure the safety of our staff and clients. We ask that clients keep these visits to emergency needs and planned projects until these social distancing rules are lifted.

Stocking up on essentials – We have been closely monitoring our distribution channels and several of them have been stating that non-essential items would take up to one month to receive. As a courtesy to our clients and to better service them in times of emergency IT needs, we will be stocking up on computer and network parts that are most often needed. 

What should clients do?

Remote workers – Send unneeded on-site staff home to work remotely. With remote access capabilities, video conferencing, and VoIP phones – there is no reason to keep them in harms way. We are experts in these technologies and can get you up and running on them quickly.

Maintain infrastructure – For remote workers to be able to get access to their computers there needs to be a solid foundation at the business location.

  • Workstations, servers, and network equipment should be on battery backups to keep them from going offline unnecessarily due to power fluctuations – triggering a need to go into the office.
  • Is part of your network over 6 years old? Now may be the time to replace the network equipment to avoid downtime and unneeded office visits in the future.
  • Now more than ever backups are needed in case anything should go wrong. Recovery times are bound to be increased as the lock down on businesses increases. 
  • Don’t forget to leave the A/C on especially if you have a server closet, they work better in cooler temperatures. 

Planning – With a possible slowdown in business now is the time to take stock of your company, to get used to this new normal, and make plans for the long term implications of this craziness on our businesses. 

If your company needs any help weathering the COVID-19 storm, then contact us for assistance.

VPN for the Win

Remote User VPN - Grants Pass, OR

In reviewing compliance documentation, we found it necessary to talk about Virtual Private Network (VPN) technology for both privacy and secure remote access. A VPN is a connection to a private network over the internet through an encrypted tunnel – think smuggling information across a secret passageway between two places.

Why use VPN?

Privacy: There has been a huge buzz lately about using VPN technology to help mask you browsing habits from the likes of the NSA or Google. VPN services offer connections that regularly change your external IP address so that a profile (marketing or otherwise) is harder to build. It also makes hacking of your information harder when these services providers offer anti-virus and anti-spam filtering as part of the VPN service.

What are the trade-offs? These VPN service providers will now be the sole owner of your browsing habits – they can sell targeted profiles to marketing companies – so read those terms of service. There will also be a performance hit to your internet speed, so if you are working from a slow network already this may not be an option. Then there is the added cost of an extra $5 to $15 per month for these services on top of your internet bill each month.

Secure Remote Access: This was the original intent of VPN technology and where it really shines. Either from remote workers using coffee shop wifi or remote offices connecting to the main office, VPN tunnels are used to securely access data, servers, and other network resources. This technology is required by all major compliance agencies so that all data transmitted is encrypted during transport. In the past servers would open ports to the internet to allow access, but it was found that this practice allowed hackers the same opportunity to gain access. With VPN tunnels there is another layer of protection from unexpected access. There is also the benefit that no outside provider gets access to your browsing habits.

What are the trade-offs? This will require a router at the main office that is business grade and capable of handling the traffic. It will then require setup of remote workers laptops or remote offices with similar business grade routers.

If your company is concerned about privacy on the internet or secure remote access, then contact us for assistance.

Small Business Information Security: The Fundamentals

CyberSecurity

NIST is the National Institute of Standards and Technology. It acts as the defacto baseline that all other security and compliance organizations use to construct their standards. Reading their publications is like reading any other government document – extremely long and not interesting. Farmhouse Networking recently became aware of one such document called NISTIR 7621 aka Small Business Information Security: The Fundamentals. We took the time to distill out the main points here:

The Fundamentals aka Best Practices

Identify: Who has access to the network, who has access to the data, and what do they have access to. This includes background checking employees during the hiring process, taking an inventory of data to see who needs access to what, requiring that each user have their own login, and company policy creation.

Protect: Protection starts with separating data into shares then giving access only to those who really need it. It also includes protecting hardware with uninterruptible power supplies (UPS) and protecting software with regular updates. Protecting the network includes setting up a proper firewall, separate wireless for guest access, and VPN only access for remote users. Web filtering, SPAM filtering, file encryption, proper disposal of old equipment, and employee training are also mentioned.

Detect: Having a centrally managed antivirus software on each workstation is a must. This includes the ability to look back in time via log files or monitoring system to find the root of the security breach.

Respond: Have a disaster recovery plan and security incident response plan in place.

Recover: Need full backups of all important business data, invest in cyber insurance, and regularly access your technology to find timely improvements.

If your company does not meet these fundamentals, then contact us for assistance.

Is the internet down again?

broken internet - Grants Pass, OR

If it seems like this is a typical question in your office then there is hope. The concept of internet failover has been around for years. With the advent of 4G LTE cellular networks internet failover is now within reach of the small business. If the main internet connection goes down then the 4G LTE cellular network will kick in automatically to keep your business flowing. When the main internet connection comes back online it will automatically switch back to restore full speed access.

How We Fix the Internet

Business Class Router: The Datto Networking Appliance has all the specs of true business class router including all the usual services (DHCP, DNS, VLAN, DMZ, Access Rules, etc). It also has all the features that you need to secure and expand your business with seven layer deep packet inspection, intrusion detection, traffic shaping (VoIP), client VPN, site-to-site VPN, and cloud management.

Connectivity: This router has all the connectivity you could ever need. It has 4 Gigabit LAN ports to help physically segment the network. It has the latest and most redundant wireless connectivity available. It has a fully integrated multi-band 4G LTE wireless cellular modem to keep you connected when wired internet fails.

Peace of Mind: Leave the connectivity worries to us. Our expert team will be monitoring and maintaining the Datto Networking Appliance at all times via the cloud management console and integrated alerting. We will know the internet is down before you do and will take the steps needed to get your ISP to fix things.

If your company’s internet is constantly going down, then contact us for assistance.

Ubiquiti USG Remote User VPN RADIUS Authentication

The following steps will setup Windows Server 2012 R2 RADIUS authentication via Network Policy Server (NPS) with your Ubiquiti UniFi Security Gateway (USG) for a USG Remote User VPN. This will allow users to use their current Active Directory Domain Services (AD DS) credentials to authenticate to the Virtual Private Network (VPN).

I am using the UniFi controller version 5.4.14 hosted in Microsoft Azure on a Linux Server with PostFix for alerting.

Step 1: Configure Windows NPS Server

  1. From the Server Manager Dashboard, install the Network Policy and Access Server role using Add Roles and Features accepting all defaults.
  2. Once installed,  open the Network Policy Server Administrator Tool. Expand the RADIUS Clients and Servers, then right Click on RADIUS Clients and click New.
    USG Remote User VPN - Create New RADIUS Client
  3. Give the USG router a Friendly Name. Type in the IP Address of the inside interface of the USG on the same network as the Windows Server. (This is the IP that the RADIUS requests will come from.) Click the Generate radio button, then click the generate button. Copy this Shared Secret to be pasted later. Click OK. USG Remote User VPN - Create New RADIUS Client
  4. In the Network Policy Server window, expand Policies, right click on Network Policies, and then click New.
    USG Remote User VPN - Create New Network Policy
  5. Enter a policy name and leave Type of Network Access Server as Unspecified. Click on Next.
    USG Remote User VPN - Create New Network Policy
  6. In Specify Conditions click Add.. and then select Windows Group, and pick the AD Group you want to use to allow VPN access.  (If you have not already then you will need to add all users who will be accessing the VPN into a seperate group.) Click Add… then Add Groups… which brings up the typical AD search box. Type in the name of the VPN Windows Group and click on OK. Click OK again. Click on Next
    USG Remote User VPN - Create New Network Policy
  7. Leave the Specify Access Permissions at the defaults (Access Granted, Dial-in box unchecked). Click Next.
  8. Uncheck all authentication methods other than MS-CHAPv2. Click on Next.
    USG Remote User VPN - Create New Network Policy
  9. Accept the defaults under Configure Constraints. Click Next.
  10. Leave all setting at the default on this page except for under Encryption. Uncheck everything except for MPPE 128-bit. Click Next.USG Remote User VPN - Create New Network Policy
  11. Check your settings on the last page. Click Finish.
    USG Remote User VPN - Create New Network Policy
  12. Finally, move the new policy above the two default policies in the list by right clicking and choosing Move  Up.

Step 2: Configure the USG Remote User VPN

  1. To create the remote access network, in the UniFi controller, go to Settings, then Networks, and click Create New Network, give the network a name and select Remote User VPN.
    USG Remote User VPN - Network Setup
  2. Fill in the appropriate Gateway/Subnet information for your environment. Make sure it is not the same as any of your current networks.
  3. Add Manual DNS servers, if required for your environment.
  4. Click on Create New RADIUS Profile.
  5. Give the Profile a name, enter in the IP address of the Windows Server 2012 R2 server that will be used for RADIUS authentication and paste in the generated shared secret.USG Remote User VPN - Create New RADIUS Profile
  6. Click Save. Click on Save again.

This allows easy access from Windows default VPN connections to network assets behind the USG device.

If your company is currently using a Ubiquiti USG device and need a Remote User VPN setup, then contact us for assistance.

Archives

Categories

Plant a Seed 541-761-9549
233 Rogue River Hwy #873 Grants Pass, OR 97527
Mon-Fri: 9:00am-5:00pm
support@farmhousenetworking.com
© 2016-2022- Farmhouse Networking. All rights reserved
Terms and Conditions Privacy Policy

Evaluation Signup

[contact-form-7 id="452" title="Free Network Evaluation"]