TBG Blog

19Jan

These days, the Internet is becoming very critical to businesses. Have you thought about how much your business is impacted by an Internet outage? How many of your applications are hosted in the cloud?

In the past, large companies with deep pockets had the ability to contract with multiple providers to get redundant Internet connections using a routing protocol called BGP. This works very well but is very pricey. These days you do not have to go to that expense.

Some firewalls, such as Fortinet, Palo Alto and others, have the ability to take a second Internet connection right on the box. You can purchase an inexpensive DSL or cable connection and configure redundancy right on the appliance. It is very cheap and very simple. The typical investment is around $100 a month plus consulting time to configure the redundancy.

You can also plug a cellular 3G or 4G card into certain firewalls and provide redundancy that way.

If you are looking at cloud computing, you should have at least 2 Internet connections in case you have an outage. If your email, accounting and various other applications are hosted, this will allow you to continue being productive and allow time for the Internet connection to be repaired.

You should also consider obtaining different Internet circuit types, for example a DSL and a cable modem. The reason for doing this is that you will have diversity of providers and physical cable medium. If you obtain a connection from the same provider or physical cable type, you risk a big outage if both of the connections go down.

If you need help with a design such as this, feel free to contact me at james@tbjconsulting.com.


08Jan

Equipment Backups

Do you back up your network equipment? Be honest with yourself. At least once a year I receive a call from a client that has not backed up their configurations and asks if I have a copy. It is never a good situation.

Solutions

This is a very simple problem to solve. A few years back, I discovered a great inexpensive product to back up the configurations called Cat Tools. It was from a company called KIWI, but was purchased by SolarWinds. The cost is around $750 and it can provide a nightly backup of all of your network equipment. It can even provide a change report of what items have changed.

The second option is to outsource it to someone else. We at TBJ Consulting can provide this service along with some network monitoring. We can provide network and error statistics and nightly reports of what devices have been backed up.

If you are interested in this service, email james@tbjconsulting.com or call 262-373-9070.


23Dec

Over the past few years, we have been recommending and selling the Juniper EX series of switches. In this post I am going to discuss some of the items I like about this switch line.

WEBUI

Juniper has a very full-functioning WEBUI; you do not have to use the command line if you do not want to. It is very easy to use and intuitive. You can change routing and VLANs, configure switch ports and do all of your monitoring from this one location.

Roll Back and Compare   

Juniper has an operating system called JUNOS and it has some very nice command line features. The first is that it keeps the last 50 configurations available so you can roll back. You can even do what is called a commit-confirm, where if you do not confirm the commit, it will roll back the changes that you have made. You can also compare your configurations from the command line.
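The rollback, commit-confirm and compare features described above, as the commands are typed at the Junos CLI. This is an added example, not part of the original post; the interface name, its description and the 5-minute timer are constructed, and lines beginning with `#` are annotations rather than input.

```junos
# Operational mode: list the stored commits (index 0 is the active configuration)
show system commit

# Enter configuration mode and stage a change (constructed example change)
configure
set interfaces ge-0/0/10 description "uplink to core"

# Review what the candidate configuration changes relative to the active one
show | compare

# Activate the change; it is rolled back automatically after 5 minutes
# unless a second commit confirms it
commit confirmed 5

# The switch is still reachable and the change behaves as intended:
# confirm it so it becomes permanent
commit

# Later: see how the current configuration differs from the previous commit,
# then load that previous configuration and activate it
show | compare rollback 1
rollback 1
commit
```

Using the confirmed commit for any change that could cut off your own management session means a mistake is undone by the timer instead of requiring console access.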

Full Line Rate Ports

Most of the switches they sell offer line-rate speed on all ports. Some switch manufacturers oversubscribe the backplane on their switches. You get what is called oversubscription and risk having dropped packets. Even the lowest model of switch offers line rate, something most other manufacturers do not provide.

Maintenance Costs

Juniper offers some great maintenance programs that will keep your expense budget in check. They offer a great program that gives you 24x7 support and all software updates and allows you to replace a switch in case of a failure. It makes sense to have an onsite spare with this program, and it will save you money over other leading manufacturers.

Innovation

Juniper also seems to be very innovative. They are selling and supporting something called QFABRIC. QFABRIC is a next-generation switching product that eliminates some of the design flaws of the current switching world. It is very unique and I believe a game changer.

Conclusion

I could talk all day about some of the great features this switch provides. They are a great vendor with a great product.

If you are interested, contact us at 262-373-9070 or james@tbjconsulting.com.

14Dec

I have had a majority of my clients this year call me with spyware and malware issues. Some of these clients are using Next Generation or UTM firewalls. After reading a Wall Street Journal article (it is a good read; it has more than just business in it), I discovered that advertising was causing people to receive malware.

What was happening is that someone was purchasing advertising time on websites, and when they placed the ad on the website, it inserted malicious code. Some of these sites are banking and other sites.

To prevent this, I had those clients block the advertising category.

Once I had them block advertising, most of them stopped receiving spyware and malware. I would highly suggest you do this simple item. It is a bit of a nuisance, as you will see blocked items on a webpage, but in the end it will save you much hassle.


03Dec

Passwords in Active Directory are stored in a hash. In the 90’s and most of the 2000’s the computing power was not enough to crack the hash in a timely fashion. Today, with the high computing power of most devices, this attack is becoming much more common. The thing is, you do not even need to perform a brute-force attack to gain access to the passwords.

Testing

Getting access to the hash database (what you will need to get the administrator password) is very easy with the availability of free downloadable tools from the Internet.

To see if you could be vulnerable to this attack, you can perform a test on your network. Running the test will require at least two computers, one being a domain controller and the other being a member server of the domain. You will also need a few free utilities from Truesec – Islsass X86 and RunAsh x86. To get complete instructions, go to tinyurl.com/hash338

15Nov

PaloAlto Networks Firewall’s 4.1 Release

I have been selling and supporting PaloAlto firewalls for about 3 years and I really like how the firewall operates. They are doing some advanced things that no one else can really do that well. They also have just released a new version of firmware.

Application Based Firewall Rule Base

You can really define your firewall policy using applications such as SMTP, FTP and Facebook instead of just opening ports. Why is that important? Most have figured out that port 80 or 443 is the port that most firewalls have open. Applications are written to use that port and your firewall is less secure. You don’t really know what you are allowing to bypass the firewall.

For example, say you wanted to allow someone to view Facebook, but not post or chat. The PaloAlto can allow for that. Most firewalls cannot stop that (unless some sort of URL filtering is in place).

Active Directory and Terminal Server Integration

Other firewalls can integrate and put Active Directory users and groups into policies, but I have not seen many that can also support Terminal and Citrix servers. Usually on a Citrix server the first person who logs in is the person that the firewall identifies. Palo Alto Networks has an agent that you place on the Citrix server that allows you to identify the individual users. It allows you to assign user groups to a firewall rulebase, allowing you to customize your firewall policy to different user populations. It also allows you to track user activity by name instead of just an IP address. You can also install agents on Domain Controllers and have them be part of the rule base and appear in firewall logs. The users will not even know this is happening; it is transparent to them.

Threat Protection and Virus scanning

This firewall has always done a great job of virus scanning and threat prevention. It is one of the few devices on which you can turn both features on and not kill the box. It will allow the needed traffic and block the bad traffic. The IPS has won numerous awards and, after running them in my clients’ environments, I can say it works well with very minimal tuning.

They also have a new service called WildFire that will submit certain file types up to the cloud for virus scanning. If the file is 2 MB or under, it gets shipped to a virtual machine that will analyze what the file is doing. If it looks like a worm, bug or a botnet, it will quarantine the file. That is good in times like these. The day of the mass virus outbreak is over and you are seeing more targeted attacks. Those targeted attacks are not noticed as much and most modern virus scanners can miss them. Analyzing what a file is doing is a great way to stop spyware and malware. With the Mafia involved with credit card and other fraud these days, you cannot trust files that are sent your way. They do not want to be detected; they want the bug to come in, run in the background and steal information before it is too late.

US Based Support

This is also huge for me. I am tired of getting routed to a foreign country with someone that has a very heavy accent. It has been improving, but I still dread it. With Palo Alto I get an English-speaking person who is usually very helpful and solves my issue quickly. I hope they keep it this way, as it is a refreshing thing to see someone with that type of support.

Easy To Use WEB UI

This is another huge item for me. I can configure the entire firewall with a web interface. I do not need a third-party client. The web interface is clear and easy to use. If you are used to working with a Checkpoint firewall, the learning curve on this firewall is small.

Summary

I have numerous other features I like about this firewall. If you are interested in a demo, I have two firewall boxes that can be used for a demo. Just contact me at james@tbjconsulting.com or at 262-373-9070.

06Nov

How many of you have heard of BYOD? It stands for bring your own device to work and it is starting to catch on in the corporate world. Why, do you ask? With the explosion of mobile devices it is cheaper and at times easier to allow your employees to connect their own device to your network, but you have to ensure you have a policy and are ready for it. I will list a few pointers below.

Write a sound policy

Before you allow or are overtaken by BYOD, you will need to develop and have sound policies in place. These policies should be developed jointly with Human Resources, legal and the IT department. They should also include your management team in your discussions.

The key to the policy is to make employees aware that when they use their personal device for work, they will surrender some of the ownership to IT in return for the convenience.

Supporting Personal Devices

To ensure success in your BYOD plans, make sure it is open only to users who have agreed to and signed your policies.

To ensure that your data is secure and only authorized users are accessing data from the personal devices, you should:

· Grant network access to only those who need it
· Control the ability to block certain applications or limit those applications
· Require users to undergo pre- and post-authentication checks
· Consider requiring two-factor authentication
· Ensure devices such as iPads and tablets have a code to access them

How will you provide Device Support?

A mobile device management system is key to providing device support. Some of the products are Juniper Pulse, Mobile Iron and Air-Watch, to name a few. In most Mobile Device Management (MDM) platforms, policy enforcement, remote wipe and lock are standard features. Many of these platforms include an internal app store and troubleshooting tools. One thing to consider is that most of these platforms require a client to be installed on the client device. This client costs money, so consider whether the company or the employee is going to pay for the client and the privilege to utilize the BYOD device.

Who Pays

You will need to make sure that in your policy, you define what your reimbursement policy is. Are you going to reimburse for part of the purchase of the device? Are you going to fund part of the device’s monthly service plan if it has a 3G wireless card in it? Are you going to pay or have the employee pay for clients such as the MDM platform?

Summary

BYOD is a revolution that is starting to take hold in corporate networks. Virtualization has allowed this to become a reality and also allows it to be done easily and securely. You should start planning whether you are going to allow it and, if so, make sure you have your house in order with policies and the ability to manage those devices.


02Nov

These days everyone is talking about or discussing the cloud. The cloud has been around for a long time. It is really just hosted computing. That hosting can be anything from applications, email or the entire computing environment.

Since this has been around for a while, you do not need to fear it, just plan for it. Some applications make sense to place into the cloud. The first one that comes to my mind is email. Email can be very expensive for companies to host in-house these days. Various offerings exist, from Google to Microsoft live 365, to host email. The first thing to consider placing in the cloud is email. I have been running my email in the cloud for the past 4 months and I have been very happy with it.

The next item to consider moving to the cloud might be your backups. This is typically combined with some sort of onsite backup system. But why rely on tapes that you may or may not take offsite? Services exist that allow you to have an onsite backup system that is online and gives you the ability to restore a file quickly. You can combine that with the ability to replicate the data to the cloud for disaster recovery purposes. This disaster recovery site could be a datacenter that could offer the ability to host your servers.

Some items to consider when moving to the cloud are security, redundancy and who owns the data. You will want to make sure that the company hosting your data is following industry-standard best practices and is also encrypting your data so only you have access to it. You should also find out what redundancy they have in place and ask them what disaster recovery plans they have in place. You also might want to consider redundant links to the Internet. Most firewalls can handle them these days and the price for a second Internet connection is fairly cheap. You also want to make sure that you own your data. You do not want to enter an agreement only to have someone else own your business data.

So remember, the cloud has been around for a very long time and you don’t have to move everything right away. Sit down and create a plan for what your cloud strategy is. Then decide which services might make sense to move to the cloud.


07Oct

This is the second article on this subject. The last article described some examples of hackers targeting certain employees.

Spies, hackers and others use what is called social engineering to manipulate people into revealing confidential information. These types obtain this information after a careful reconnaissance on the victim they are targeting.

We make ourselves easy targets by posting tons of information about ourselves and our jobs online. Blogs and LinkedIn are very useful resources for criminals. Most people share information about the roles they have at work, which can be used to determine a corporate or IT department structure. This makes it easy for the bad guys to create a message that looks like it is from the target’s boss.

Hackers included traps in targeted emails, like redirecting to a webpage with malware designed to get the employee to enter their password. In the RSA attack I mentioned in the last post, they took advantage of an unknown vulnerability in Adobe Flash that allowed a virus to be placed on their computer system.

These attacks are what is called a targeted version of phishing. Phishing emails are the ones that look like they are from your bank or from the IRS. They typically are misspelled and are easy to spot and ignore. A new type called spear phishing is a more targeted email. It contains the names of coworkers and company-specific information and may be sent from colleagues’ email accounts.

Some of the most educated users can fall victim to this attack. The hacker group Anonymous broke into the security firm HBGary, Inc. because of emails that it sent to an executive from a compromised email account, asking for user names and passwords.

This is why sending passwords in emails is a very bad idea. Hackers could gain access to your account and see passwords in your email box. They could also trick you into sending those passwords, something you never intended. Never send your passwords over email; a better idea is verbal communication or sending an encrypted email that only the party you are sending the email to can access. (Don’t leave passwords in voicemail either.)

Also, verify that the email you received is really from the person. If the email seems funny, call the person first before responding.

You should also use a good complex password and change it every 30-90 days. This will help prevent your account from being compromised.

Finally, you can also send your users to security training that will include phishing training. Better end user education will help prevent attacks such as this. I will have one more article in this series. I hope this helps you to provide better security to your company.



27Sep

I read the Wall Street Journal and sometimes they write some great articles about network security, among other topics. In a recent article, they discussed the biggest security threat to companies, and it is you.

What do they mean by you? Most large and medium to small businesses have spent time hardening the perimeter of their network. I have helped a number of companies with this process, with next generation firewalls and standard network hardening best practices. Today most of the criminals are not focused on hacking networks; they are focused on hacking employees.

As most network and security administrators will tell you, end users are the security gap. In the past few years, a majority of security breaches are related to hackers that gained access by exploiting employees that are well-intentioned.

I think most are familiar with the security breach at EMC’s RSA security unit, which makes dual factor authentication that a majority of banks and Fortune 500 companies use. A hacker sent emails to two small groups of employees, including an Excel spreadsheet titled “2011 Recruitment plan”. The message was convincing enough that an employee retrieved it from the Junk mail and then opened it. After it was opened, a bug allowed the hacker access to sensitive company data and enabled attacks against clients of RSA.

Employees have a greater opportunity to compromise company information, for example by clicking on emails that contain viruses, from senders we do not know, that bypass corporate firewall security. (This is why a good web filter should be used and, if possible, unknown websites blocked, which would prevent this.) Employees also cause other issues by placing consumer-grade online cloud services and devices.

The best way to help mitigate this issue is a good employee education program. Make sure your end users understand that some of what they are doing could cause a major problem for the company they work for.

This is part one of a two-part blog post. In the next post, I will discuss some more security issues that happen when using social media and some ways to help mitigate some of the risk your employees are causing.

The Wall Street Journal Article can be found here.