In the past couple of days, press releases have shown a large number of vulnerabilities in all Cisco Small Business routers and 79 models of the Netgear router line-up. Here are the articles:
The Cisco models are primarily used in small businesses, but the Netgear models include many that are used by home users – this could present a security risk for anyone who is still working from home. Cisco has released patches for its vulnerabilities, while the Netgear vulnerabilities remain unpatched.
If your company is still using a “small business” or home-based router, then contact us for assistance in checking for updates or replacing them with a business-grade router with automatic updates. We also provide network security auditing for both office and home work environments.
In this unprecedented time that we are currently experiencing, you have had to set your team up to work remotely, often without thinking about how they might actually get work done, let alone security of all things. Our employee checklist and no-cost cybersecurity training course will provide your team with the tools they need to ensure that they are safe and productive – right out of the gate. These free resources are part of our initiative to keep our community safe and working during this time of crisis, without the additional disruption and financial impact of a breach.
Don’t let a change in circumstance allow for a change in cybersecurity standards.
According to the executive order made by Oregon State Governor Kate Brown: “On Friday night, I frankly directed them to stay home. And now I am ordering them to stay home.”
The following guidelines are in effect for businesses:
It closes and prohibits shopping at specific categories of retail businesses, for which close personal contact is difficult to avoid, such as arcades, barber shops, hair salons, gyms and fitness studios, skating rinks, theaters, and yoga studios.
It requires businesses not closed by the order to implement social distancing policies in order to remain open, and requires workplaces to implement teleworking and work-at-home options when possible. They must also elect a representative who will be in charge of monitoring social distancing.
What is FHN doing?
FREE Remote Access – Just a re-iteration that all our monthly managed services clients will have remote access to their systems at no additional cost. If you are not a managed client then we can set you up with secure remote access to your data or network depending on need. Please call sooner rather than later as we have to take care of our managed clients first and there may be a wait at this point.
On-site support continues – At this time there are no restrictions on service industries who perform on-site visits to complete work, so Farmhouse Networking will continue to do so for the foreseeable future. We will be taking precautions such as protective masks, gloves, or perhaps more extreme measures (hazmat suit) to ensure the safety of our staff and clients. We ask that clients keep these visits to emergency needs and planned projects until these social distancing rules are lifted.
Stocking up on essentials – We have been closely monitoring our distribution channels and several of them have been stating that non-essential items would take up to one month to receive. As a courtesy to our clients and to better service them in times of emergency IT needs, we will be stocking up on computer and network parts that are most often needed.
What should clients do?
Remote workers – Send unneeded on-site staff home to work remotely. With remote access capabilities, video conferencing, and VoIP phones – there is no reason to keep them in harm’s way. We are experts in these technologies and can get you up and running on them quickly.
Maintain infrastructure – For remote workers to be able to get access to their computers there needs to be a solid foundation at the business location.
Workstations, servers, and network equipment should be on battery backups to keep them from going offline unnecessarily due to power fluctuations – triggering a need to go into the office.
Is part of your network over 6 years old? Now may be the time to replace the network equipment to avoid downtime and unneeded office visits in the future.
Now more than ever backups are needed in case anything should go wrong. Recovery times are bound to be increased as the lock down on businesses increases.
Don’t forget to leave the A/C on, especially if you have a server closet; servers work better in cooler temperatures.
Planning – With a possible slowdown in business now is the time to take stock of your company, to get used to this new normal, and make plans for the long term implications of this craziness on our businesses.
If your company needs any help weathering the COVID-19 storm, then contact us for assistance.
In reviewing compliance documentation, we found it necessary to talk about Virtual Private Network (VPN) technology for both privacy and secure remote access. A VPN is a connection to a private network over the internet through an encrypted tunnel – think smuggling information across a secret passageway between two places.
Why use VPN?
Privacy: There has been a huge buzz lately about using VPN technology to help mask your browsing habits from the likes of the NSA or Google. VPN services offer connections that regularly change your external IP address so that a profile (marketing or otherwise) is harder to build. It also makes hacking of your information harder when these service providers offer anti-virus and anti-spam filtering as part of the VPN service.
What are the trade-offs? These VPN service providers will now be the sole owner of your browsing habits – they can sell targeted profiles to marketing companies – so read those terms of service. There will also be a performance hit to your internet speed, so if you are working from a slow network already this may not be an option. Then there is the added cost of an extra $5 to $15 per month for these services on top of your internet bill each month.
Secure Remote Access: This was the original intent of VPN technology and where it really shines. Either from remote workers using coffee shop wifi or remote offices connecting to the main office, VPN tunnels are used to securely access data, servers, and other network resources. This technology is required by all major compliance agencies so that all data transmitted is encrypted during transport. In the past servers would open ports to the internet to allow access, but it was found that this practice allowed hackers the same opportunity to gain access. With VPN tunnels there is another layer of protection from unexpected access. There is also the benefit that no outside provider gets access to your browsing habits.
What are the trade-offs? This will require a router at the main office that is business grade and capable of handling the traffic. It will then require setup of the remote workers’ laptops, or of remote offices with similar business-grade routers.
If your company is concerned about privacy on the internet or secure remote access, then contact us for assistance.
NIST is the National Institute of Standards and Technology. It acts as the de facto baseline that all other security and compliance organizations use to construct their standards. Reading their publications is like reading any other government document – extremely long and not interesting. Farmhouse Networking recently became aware of one such document called NISTIR 7621, aka Small Business Information Security: The Fundamentals. We took the time to distill out the main points here:
The Fundamentals aka Best Practices
Identify: Who has access to the network, who has access to the data, and what do they have access to. This includes background checking employees during the hiring process, taking an inventory of data to see who needs access to what, requiring that each user have their own login, and company policy creation.
Protect: Protection starts with separating data into shares then giving access only to those who really need it. It also includes protecting hardware with uninterruptible power supplies (UPS) and protecting software with regular updates. Protecting the network includes setting up a proper firewall, separate wireless for guest access, and VPN only access for remote users. Web filtering, SPAM filtering, file encryption, proper disposal of old equipment, and employee training are also mentioned.
Detect: Having a centrally managed antivirus software on each workstation is a must. This includes the ability to look back in time via log files or monitoring system to find the root of the security breach.
Respond: Have a disaster recovery plan and security incident response plan in place.
Recover: Keep full backups of all important business data, invest in cyber insurance, and regularly assess your technology to find timely improvements.
If your company does not meet these fundamentals, then contact us for assistance.
Give your business freedom from hardware constraints with the agility and functionality of cloud computing.
Cloud requires no upfront costs, which makes it an operating expense rather than a capital expense. Your business will benefit from predictable monthly payments that cover software licenses, updates, support and daily backups. Cloud technologies provide greater flexibility as your business only pays for what it uses and can easily scale up and down to meet demand.
Moving to the cloud enables your business to no longer pay to power on-premises servers or to maintain the environment. This significantly reduces energy bills.
Finally, for those concerned with security, cloud data centers employ security measures far beyond what most SMBs can afford. Your company data is much safer in the cloud than on a server in their office.
Move your business to the cloud ahead of Office 2010 and Windows 7 End of Support!
If your company is looking to make the move to cloud, then contact us for assistance.
If it seems like this is a typical question in your office then there is hope. The concept of internet failover has been around for years. With the advent of 4G LTE cellular networks internet failover is now within reach of the small business. If the main internet connection goes down then the 4G LTE cellular network will kick in automatically to keep your business flowing. When the main internet connection comes back online it will automatically switch back to restore full speed access.
How We Fix the Internet
Business Class Router: The Datto Networking Appliance has all the specs of a true business-class router, including all the usual services (DHCP, DNS, VLAN, DMZ, Access Rules, etc). It also has all the features that you need to secure and expand your business with seven-layer deep packet inspection, intrusion detection, traffic shaping (VoIP), client VPN, site-to-site VPN, and cloud management.
Connectivity: This router has all the connectivity you could ever need. It has 4 Gigabit LAN ports to help physically segment the network. It has the latest and most redundant wireless connectivity available. It has a fully integrated multi-band 4G LTE wireless cellular modem to keep you connected when wired internet fails.
Peace of Mind: Leave the connectivity worries to us. Our expert team will be monitoring and maintaining the Datto Networking Appliance at all times via the cloud management console and integrated alerting. We will know the internet is down before you do and will take the steps needed to get your ISP to fix things.
If your company’s internet is constantly going down, then contact us for assistance.
The following steps will set up Windows Server 2012 R2 RADIUS authentication via Network Policy Server (NPS) with your Ubiquiti UniFi Security Gateway (USG) for a USG Remote User VPN. This will allow users to use their current Active Directory Domain Services (AD DS) credentials to authenticate to the Virtual Private Network (VPN).
I am using the UniFi controller version 5.4.14 hosted in Microsoft Azure on a Linux Server with PostFix for alerting.
Step 1: Configure Windows NPS Server
From the Server Manager Dashboard, install the Network Policy and Access Server role using Add Roles and Features accepting all defaults.
Once installed, open the Network Policy Server Administrator Tool. Expand the RADIUS Clients and Servers, then right Click on RADIUS Clients and click New.
Give the USG router a Friendly Name. Type in the IP Address of the inside interface of the USG on the same network as the Windows Server. (This is the IP that the RADIUS requests will come from; NPS will reject requests from any other address.) Click the Generate radio button, then click the Generate button. Copy this Shared Secret to be pasted later. Click OK.
In the Network Policy Server window, expand Policies, right click on Network Policies, and then click New.
Enter a policy name and leave Type of Network Access Server as Unspecified. Click on Next.
In Specify Conditions click Add… and then select Windows Group, and pick the AD Group you want to use to allow VPN access. (If you have not already, you will need to add all users who will be accessing the VPN into a separate group.) Click Add… then Add Groups…, which brings up the typical AD search box. Type in the name of the VPN Windows Group and click on OK. Click OK again. Click on Next.
Leave the Specify Access Permissions at the defaults (Access Granted, Dial-in box unchecked). Click Next.
Uncheck all authentication methods other than MS-CHAPv2. Click on Next.
Accept the defaults under Configure Constraints. Click Next.
Leave all settings at the default on this page except for under Encryption. Uncheck everything except for MPPE 128-bit. Click Next.
Check your settings on the last page. Click Finish.
Finally, move the new policy above the two default policies in the list by right clicking and choosing Move Up.
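The RADIUS-client half of Step 1 can also be done from an elevated PowerShell prompt on the NPS server with the NPS module’s own cmdlets. This is an added example, not part of the original walkthrough: the client name and the USG inside address are placeholders, and the network policy itself is still created in the NPS console as described above.

```powershell
# Added example: register the USG as a RADIUS client on the NPS server via PowerShell.
# Assumptions (not from the original post): the USG's inside interface is 10.20.20.1
# and this runs from an elevated prompt on the Windows Server 2012 R2 NPS host.
$usgName    = "USG-Office"      # friendly name, placeholder
$usgAddress = "10.20.20.1"      # inside interface of the USG, placeholder

# Install the Network Policy and Access Services role if it is not already present.
if ((Get-WindowsFeature -Name NPAS).InstallState -ne 'Installed') {
    Install-WindowsFeature -Name NPAS -IncludeManagementTools | Out-Null
}

# Generate a 32-byte random shared secret (44 Base64 characters) instead of typing one by hand.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$secret = [Convert]::ToBase64String($bytes)

# Register (or update) the USG. NPS only answers requests from registered client addresses.
if (Get-NpsRadiusClient | Where-Object Name -eq $usgName) {
    Set-NpsRadiusClient -Name $usgName -Address $usgAddress -SharedSecret $secret
} else {
    New-NpsRadiusClient -Name $usgName -Address $usgAddress -SharedSecret $secret -VendorName "RADIUS Standard"
}

# Confirm the inbound RADIUS rules (UDP 1812/1813 and legacy 1645/1646) are enabled in Windows Firewall.
Get-NetFirewallRule -DisplayName "Network Policy Server*" |
    Where-Object Direction -eq Inbound |
    Select-Object DisplayName, Enabled

# Export the NPS configuration (clients and policies) as a rollback point before further changes.
# The export contains the shared secret in plain text, so store the file somewhere access-controlled.
Export-NpsConfiguration -Path "$env:USERPROFILE\nps-config-$(Get-Date -Format yyyyMMdd).xml"

Write-Host "Shared secret to paste into the UniFi RADIUS profile:" $secret
```

The printed secret is the value pasted into the UniFi RADIUS profile in Step 2.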
Step 2: Configure the USG Remote User VPN
To create the remote access network, in the UniFi controller go to Settings, then Networks, and click Create New Network. Give the network a name and select Remote User VPN.
Fill in the appropriate Gateway/Subnet information for your environment. Make sure it is not the same as any of your current networks.
Add Manual DNS servers, if required for your environment.
Click on Create New RADIUS Profile.
Give the Profile a name, enter in the IP address of the Windows Server 2012 R2 server that will be used for RADIUS authentication and paste in the generated shared secret.
Click Save. Click on Save again.
This allows easy access from Windows default VPN connections to network assets behind the USG device.
If your company is currently using a Ubiquiti USG device and needs a Remote User VPN set up, then contact us for assistance.
I had another tech firm that needed some Tier 3 assistance, as they were having trouble with their VPN connection. I helped them set up an Azure to UniFi USG IPsec VPN to connect their headquarters to the hosted RemoteApps server. This tutorial will go into detail about the creation of this tunnel, starting with the Microsoft Azure side first using Resource Manager. It will be using the following parameters:
VNet Name: TestNetwork
Address Space: 10.10.0.0/16
Resource Group: TestResourceGroup
Location: West US
DNS Server: Azure Default
Gateway Name: TestVPNGateway
Public IP: TestVPNGatewayIP
VPN Type: Route-based
Connection Type: Site-to-site (IPsec)
Gateway Type: VPN
Local Network Gateway Name: TestSite
Local Subnet: 10.20.20.0/24
Connection Name: VPNtoTestSite
Configure an Azure VPN gateway
This part takes the longest, so it should be done first:
Click on the “+” icon at the top left hand side of the Resource Manager, then search for “Virtual Network Gateway” and click on the “Create” button.
Give the Virtual Network Gateway a name, leave Gateway & VPN type the defaults, choose or create a local network (not covered here), choose or create a Public IP Address, leave the remaining values as their defaults and then click the “Create” button. (Please note the reminder that this takes 45 minutes to create!)
Configure an Azure Local Network Gateway
This is a reference to your on-premises network so that the subnets on both sides can pass traffic:
Click on the “+” icon at the top left hand side of the Resource Manager, then search for “Local Network Gateway” and click on the “Create” button.
Give the Local Network Gateway a name, specify the external IP address of the on-premises site, specify the on-premises address space (subnet), leave the remaining values as their defaults and then click the “Create” button.
Configure an Azure VPN Connection
This will create the tunnel from Azure to the on-premise site:
Click on the “+” icon at the top left hand side of the Resource Manager, then search for “Connection” and click on the “Create” button.
Choose “Site-to-site (IPSec)” as the connection type, leave the remaining values as their defaults and then click the “OK” button. On the summary screen click on the “OK” button to create the connection.
Choose the newly created Virtual Network Gateway, choose the newly created Local Network Gateway, give the connection a name, specify a shared key and click the “OK” button.
This completes the setup of the Azure side of the VPN tunnel. Now to work on the Ubiquiti USG side.
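The three Azure steps above can be scripted with the Az PowerShell module instead of clicking through the portal. This is an added example, not part of the original tutorial: it uses the parameters listed at the top, while the GatewaySubnet prefix, the gateway SKU and the on-premises public IP are assumptions or placeholders.

```powershell
# Added example: Azure side of the tunnel with the Az PowerShell module (run Connect-AzAccount first).
# Names and prefixes are those listed in the tutorial; values marked PLACEHOLDER/ASSUMED are not from it.
$rg  = "TestResourceGroup"
$loc = "West US"
$onPremPublicIp = "203.0.113.10"     # PLACEHOLDER: external (WAN) IP of the USG site
$psk = Read-Host -Prompt "Pre-shared key (the same value goes into the USG Site-to-Site profile)"

New-AzResourceGroup -Name $rg -Location $loc -Force | Out-Null

# VNet 10.10.0.0/16 with the mandatory GatewaySubnet (prefix ASSUMED; Azure wants /27 or larger).
$gwSubnet = New-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix "10.10.255.0/27"
$vnet = New-AzVirtualNetwork -Name "TestNetwork" -ResourceGroupName $rg -Location $loc `
            -AddressPrefix "10.10.0.0/16" -Subnet $gwSubnet

# Public IP that the USG will use as its Peer IP. Dynamic/Basic matches what the portal did at the
# time of the tutorial; current gateway SKUs expect -Sku Standard -AllocationMethod Static instead.
$pip = New-AzPublicIpAddress -Name "TestVPNGatewayIP" -ResourceGroupName $rg -Location $loc `
            -AllocationMethod Dynamic

# Route-based VPN gateway: the slow step (expect 30-45 minutes). SKU VpnGw1 is ASSUMED.
$subnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
$ipconf = New-AzVirtualNetworkGatewayIpConfig -Name "gwipconf" -SubnetId $subnet.Id -PublicIpAddressId $pip.Id
$gw = New-AzVirtualNetworkGateway -Name "TestVPNGateway" -ResourceGroupName $rg -Location $loc `
            -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# Local network gateway = the on-premises site: its public IP and the 10.20.20.0/24 LAN behind it.
$lng = New-AzLocalNetworkGateway -Name "TestSite" -ResourceGroupName $rg -Location $loc `
            -GatewayIpAddress $onPremPublicIp -AddressPrefix "10.20.20.0/24"

# Site-to-site IPsec connection between the two gateways, keyed with the shared secret.
New-AzVirtualNetworkGatewayConnection -Name "VPNtoTestSite" -ResourceGroupName $rg -Location $loc `
            -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec -SharedKey $psk | Out-Null

# Value needed on the USG side (Peer IP), then the tunnel state once the USG profile is in place.
(Get-AzPublicIpAddress -Name "TestVPNGatewayIP" -ResourceGroupName $rg).IpAddress
(Get-AzVirtualNetworkGatewayConnection -Name "VPNtoTestSite" -ResourceGroupName $rg).ConnectionStatus
```

ConnectionStatus reads NotConnected until the USG side is configured with the same pre-shared key and the Azure subnet as its Remote Subnet.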
Configuring a Ubiquiti USG VPN Network
This is a fairly simple process but it has to be precise:
Choose the Current Site from the top right hand side of the portal.
Click on the Settings gears down on the bottom left side of the portal.
Click on Networks then on the “Create New Network” button.
Give the connection a name, choose “Site-to-Site VPN” as the Purpose, choose “IPSec VPN” as the VPN Type, choose to Enable this Site-to-Site VPN, add the Azure subnet under Remote Subnets, get the newly created Virtual Network Gateway IP address from Azure for the Peer IP, enter the on-premises external IP address for Local WAN IP, enter the same shared key as used in the Azure VPN Connection for the Pre-Shared Key, choose “Azure Dynamic Routing” as the IPSec Profile, expand Advanced Options, leave Key Exchange Version, Encryption, Hash & DH Group as default and uncheck the PFS & Dynamic Routing boxes.
That is all there is to it. If you have any difficulties with connection then delete and re-create the Ubiquiti USG side first (those two check boxes at the bottom of the Advanced Options will check themselves again, but don’t be fooled by this quirk in the software). If your company is currently using either Microsoft Azure or Ubiquiti USG routers and would like a VPN created, then contact us for assistance.
The SANS Institute has been putting out the OUCH! newsletter for some time now in a project called Securing the Human. In the most recent Issue, they discuss some best practices and practical advice for traveling. Here are some highlights:
Minimize Possible Losses
Here are a few tips to protect information from the hazards of traveling and possible theft:
Remove any data that is not needed on the device
Use full disk encryption & strong passwords
Perform a complete backup before leaving
Install tracking software on the device
Update OSes and Antivirus
Although crime is more of a factor in some third world nations or those in active conflict, the human element of losing the device is 100x more likely. Keep an inventory of your devices before, during and after transporting them from one location to another. Do not leave your device in the hotel room; have the hotel front desk put it in their safe or locked administrative offices.
If you have to connect to the internet in public spaces and/or cannot afford mobile data on your trip, then make sure to do the following:
Never use public computers for sensitive information, especially banking sites
When on public wifi, only surf to sites with HTTPS:// secure connections
Consider connecting to a VPN service to further encrypt communications
If your work requires traveling, or you are planning to work remotely while on vacation, then contact us for assistance. We would be happy to walk you through the full disk encryption process, update and secure your devices, and configure a company VPN service to connect to on the go.