NetConnect Blog - Your Resource For IT Tips, Tricks and News

Jeremy Hostrup


It's Not If, It's When

Posted by Jeremy Hostrup on Jan 25, 2017 8:15:00 AM

In today’s world it’s a stark reality: odds are that at some point you will get hacked. This can take many forms. Sometimes it’s just annoying, like pop-ups in your browser; sometimes it’s more severe, like ransomware. Other types are far more concerning. Consider this: a user receives an email that appears to come from someone inside your company, with an Excel document attached. They open the document and see a yellow bar asking them to click here to enable macros. They click the enable button and, as far as the user can see, nothing happens. What the user can’t see is that the macro has just run code that connects their PC out to an attacker, who now has full control of that computer. From there the attacker can log keystrokes and harvest the user’s credentials. They can also pivot across the network looking for an administrator username and password, and if they find one, they have complete administrative access to your systems.

So what can you do? Well, what do you do if you’re cold? If you’re like me and you get cold, you put on another layer of clothes. Still cold, add another layer. Cyber security is similar to that. You can add as many layers as you need until you’re no longer “cold”. No single layer is perfect; the point of layering is that an attacker who gets past one still has to get past the next. Cisco has a family of products that, used together, provide layers of security that stop most attackers from gaining access to and exploiting your systems.

The most important first layer is AMP for Endpoints. It runs on Windows, Mac and Linux workstations and servers regardless of what network hardware you have, and is recommended for any customer. It is an anti-malware agent that inspects files and process behavior and blocks what it identifies as malicious. I’ve seen the benefits of this firsthand when I tried to open an attachment that I thought was from a known sender but after looking further was not. Essentially, I got a pop-up from AMP that said what was wrong with the file and didn’t allow me to open it. Like most Cisco security products, AMP for Endpoints uses Talos threat intelligence, which gives it a chance against new threats that signature-only products miss, though no product can promise to catch every zero-day. Another very important feature of AMP for Endpoints is retrospective detection: if a file that was allowed is later found to be malicious, AMP can quarantine it on every host where it was seen, which limits its spread from host to host.

The second layer I’d recommend for any customer with any hardware is OpenDNS (now part of Cisco, sold as Cisco Umbrella). OpenDNS works at the DNS level: when a machine looks up a domain known to host malware or command-and-control, the lookup is answered with a block page instead of the real address, so the connection is never made. In the macro example above, the infected PC’s callback to the attacker’s domain would fail at the name lookup. The caveat is that DNS filtering only sees what goes through DNS; malware that calls a hard-coded IP address bypasses it, which is why it is a layer and not the whole answer. Another added benefit of OpenDNS is that you can do URL and category filtering as well.

The third layer I’d recommend, especially if you have the ASA 5500-X series, is FirePOWER Services (the technology Cisco acquired with Sourcefire). It adds intelligence to your firewall and lets you do things like URL filtering, intrusion prevention, advanced malware protection, heuristics, inline SSL decryption, geo-blocking, alerting, and more.

Now, what about the situation where a user needs to send an encrypted email, or you’re receiving wave after wave of phishing emails? Cisco has a solution for that as well. Cisco Email Security provides encrypted email, spam and phishing filtering, attachment scanning, ransomware protection, and more.

Have you ever thought about what would happen if an employee who was getting ready to leave the company started uploading all their files to an HTTPS site? Would you know? What would you do? How could this impact you? Cisco has a product called Stealthwatch that watches the network’s flow telemetry and flags anomalies, such as a workstation that suddenly starts pushing gigabytes to an outside site it has never talked to before.

I know that’s many different products doing a multitude of things, but in a perfect world those would be my layers. Not everyone lives in a perfect world with an unlimited budget, so at a minimum I think everyone should have AMP for Endpoints running on every system that can run it. Add OpenDNS to that and they make a good team for identifying and stopping threats inside and outside your network. And if you already run the ASA 5500-X series, it’s a minimal investment to reap the benefits of FirePOWER (Sourcefire).


Topics: Cyber Security

Why 3CX Phone System with Ubiquiti Infrastructure?

Posted by Jeremy Hostrup on Mar 17, 2016 10:00:00 AM

Recently, we’ve started selling a new line of products to expand our services offering for our customers. I had the opportunity to look into and test a number of products, and we made the decision to go with the 3CX phone system and Ubiquiti switches and firewalls to provide a very cost-effective, functional environment for generally smaller businesses. I’d like to take this opportunity to discuss each of those providers and how they work together.

3CX provides a lot of features for a comparatively small cost. The high-level features that I’ll discuss in more detail are:

  • Easy Admin and Install
  • Android and iOS Clients
  • Windows and Mac Softphones
  • Unified Communications
  • Web Conferencing

The administrative web page for 3CX is very simple and intuitive to use. 3CX runs on Windows Server, which eases management as well. One of the nicest features I’ve seen is that when I provision a user, the system automatically generates a welcome email with the installation instructions for the soft clients as well as the provisioning file. The Windows client has a professional appearance and provides instant messaging and presence information, directory information, voicemail, and many other features.

Another feature that comes with the system is web conferencing using WebRTC. Essentially, WebRTC allows you to hold video conferences without installing anything. With a couple of clicks you can have a video web conference using Google Chrome and have people join from almost any computer with an Internet connection, or from an Android or iOS phone (apps required for mobile). These web conferences let you share your screen and provide remote support by controlling another person’s computer, if they give you permission.

3CX licensing is also a very simple model. Essentially, you pay for the number of simultaneous calls that you’re going to have. All of that information is provided on the 3CX web page.

Ubiquiti UniFi switches and firewalls provide a very nice infrastructure for small businesses. Ubiquiti has done a very nice job with software-defined networking in this product line at a very reasonable cost. They offer firewalls, PoE switches, and access points. All of the devices are configured through the UniFi controller, which also provides statistics for them. The screenshot shows the initial dashboard. More information about the UniFi products can be found on Ubiquiti’s web page.

For more information on how 3CX phone systems along with Ubiquiti switches and firewalls can benefit your business, contact the knowledgeable team at Network Center, Inc. by following the link below.



Topics: Firewall, 3CX Phone System, Ubiquiti Switches

ASA VPN Dual Factor Authentication

Posted by Jeremy Hostrup on Apr 6, 2015 4:45:00 PM

I’ve had multiple talks lately about dual factor authentication for VPNs. Basically, there are two options that I’m aware of to accomplish this: a token or a certificate. Two-factor authentication breaks down into two pieces, something you know and something you have. The something you know is your password; the something you have is your token or the private key behind your certificate. There are benefits to each. Tokens are easy, and most people have had some experience with them. Certificates get a bit tricky because PKI is not a skill set that a majority of IT professionals possess, and a certificate only counts as something you have if its private key cannot simply be copied off the machine (the template steps below mark the key non-exportable for exactly that reason). I’m going to touch less on tokens and more on certificates.

A certificate authority can run on a Windows server, a Cisco ASA, or even a Cisco router. The CA on the ASA and on routers is less scalable and has fewer features than a Windows CA, and is usually only suitable for deployments of fewer than 50 users. Another major benefit of a Windows CA is that it usually has a much lower total cost of ownership than tokens.

Once the CA is configured, the next challenge is getting the certificates to employees. Group Policy auto-enrollment will issue certificates to domain-joined computers and users without anyone touching them. For mobile and non-domain devices, SCEP lets the device request its own certificate.

Here’s a high-level task list for configuring the user template:
1. Duplicate the built-in User certificate template
2. Configure the validity period
3. Check the extensions (Client Authentication must be present in the Enhanced Key Usage for the ASA to accept the certificate)
4. Mark the private key as not exportable
5. Select the subject name criteria (the AD account must have an email address populated or auto-enrollment will fail)
6. Set the security permissions on the template (Read, Enroll and Autoenroll for the VPN users group) and publish it

Once the certificate template is published, Group Policy auto-enrollment gets the certificate onto the domain computers.

To configure SCEP enrollment on the ASA, first install the CA certificate chain on the ASA as a trustpoint. Then enable SCEP enrollment on the tunnel group and point its group policy at the CA’s SCEP URL so that the ASA requests a certificate from the CA on the client’s behalf. The ASA acts as a SCEP proxy: clients never talk to the CA directly, and the CA’s SCEP endpoint does not need to be exposed to the Internet.

To prevent users from sharing certificates, prefill the username from the certificate’s CN. The user cannot type a different username, so whoever presents the certificate must also know the password of the account named in it; only the person the certificate was issued to should be able to use it. You can also have the ASA check whether the certificate has moved between machines. Optionally, use the machine ID as the common name on the certificate to tie it to a machine, and then use a dynamic access policy (DAP) on the ASA to verify the device/certificate pair. A hybrid certificate that combines the username and machine name gives more granular control over who and what can connect. If you decide to use machine identity or hybrid identity certificates, you will need to enroll devices before they can use the VPN. With user identity certificates, by contrast, you can auto-enroll the user through the SCEP proxy on the ASA.

Another feature that goes with this is limiting what resources the client is authorized to use during the SCEP enrollment process. Until a certificate has been issued, the user’s VPN session can be restricted, with a VPN filter on the enrollment group policy, to nothing more than HTTP and HTTPS access to the CA server.
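Here is what that looks like on the ASA command line, as an added example that is not from the original post or from Cisco’s documentation. The addresses, the RADIUS server, the pool, group and trustpoint names, and the AnyConnect image file name are all assumed for illustration; the CA is assumed to be a Windows CA with NDES installed at the usual mscep URL.

```cisco
! Added example, not from the post: ASA two-factor AnyConnect VPN with a
! Windows CA. Addresses, names, pool and the AnyConnect image are assumed.
!
! --- Trust the CA that issues user certificates ---
crypto ca trustpoint CORP-CA
 enrollment terminal
 crl configure
! Paste the base64 CA certificate at the prompt; repeat for any intermediate CA
crypto ca authenticate CORP-CA
!
! --- Password factor: Active Directory via RADIUS (Windows NPS) ---
aaa-server AD-RADIUS protocol radius
aaa-server AD-RADIUS (inside) host 10.0.100.20
 key <radius-shared-secret>
!
ip local pool VPN-POOL 10.250.0.10-10.250.0.250 mask 255.255.255.0
!
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
! --- 1) Enrollment-only profile: AD password now, certificate via SCEP proxy ---
! Until a certificate is issued the session may only reach the CA's web
! enrollment service. ACEs are written from the client's side:
! source = client, destination = CA server.
access-list SCEP-ONLY extended permit tcp any host 10.0.100.30 eq www
access-list SCEP-ONLY extended permit tcp any host 10.0.100.30 eq https
!
group-policy GP-CERT-ENROLL internal
group-policy GP-CERT-ENROLL attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value SCEP-ONLY
 ! The ASA forwards the client's SCEP request to NDES on the CA
 scep-forwarding-url value http://10.0.100.30/certsrv/mscep/mscep.dll
!
tunnel-group TG-CERT-ENROLL type remote-access
tunnel-group TG-CERT-ENROLL general-attributes
 address-pool VPN-POOL
 authentication-server-group AD-RADIUS
 default-group-policy GP-CERT-ENROLL
tunnel-group TG-CERT-ENROLL webvpn-attributes
 authentication aaa
 scep-enrollment enable
 group-alias enroll enable
!
! --- 2) Production profile: certificate (have) AND AD password (know) ---
group-policy GP-CORP-VPN internal
group-policy GP-CORP-VPN attributes
 vpn-tunnel-protocol ssl-client
!
tunnel-group TG-CORP-VPN type remote-access
tunnel-group TG-CORP-VPN general-attributes
 address-pool VPN-POOL
 authentication-server-group AD-RADIUS
 default-group-policy GP-CORP-VPN
 ! Username comes from the certificate's CN, not from the user
 username-from-certificate CN
tunnel-group TG-CORP-VPN webvpn-attributes
 ! Both factors required: a cert chained to CORP-CA and a RADIUS/AD password
 authentication aaa certificate
 ! Lock the username field to the CN: a borrowed cert still needs that
 ! user's password, and a stolen password still needs that user's cert
 pre-fill-username ssl-client
 group-alias corp enable
```

The AnyConnect client profile also needs a certificate enrollment section so the client knows to request a certificate when it connects to the enrollment group; that is built in the profile editor and is not shown here, and neither is the DAP check for the machine/certificate pairing described above. Two things to keep in mind: a VPN filter is applied to the client’s traffic in both directions, so keep the ACE list short and specific; and if the ASA trusts more than one CA, add a certificate map so that only certificates issued by CORP-CA are accepted on the production tunnel group.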

This is a pretty cool video that shows the process of SCEP enrollment through the ASA with the AnyConnect client. They don’t use prefill on this video, but if you were to prefill the username from the CN of the cert, the user would not have an option to enter their username.

Here is also a link to the Cisco Live breakout session that covers PKI and VPN. You’ll need to register to get a Cisco live account but it’s free.

If you have any questions about VPN dual factor authentication, please contact Network Center, Inc.


Topics: Two Factor Authentication, Token, Certificate, VPN Two Factor Authentication, Dual Factor Authentication, VPN, VPN Dual Factor Authentication

Which Routing Protocol is Best for You?

Posted by Jeremy Hostrup on Aug 4, 2014 2:30:00 PM

Once in a while I get surprised by the amount of static routing left in larger networks, those with more than a couple of locations and more than 10 layer 3 devices. Static routing is easy to implement, but it is time-consuming to change, and a static route cannot react on its own when something changes on your network. That is what routing protocols were designed to do: find the best route to a network and install that route in the routing table. There are three common interior routing protocols: RIP, EIGRP, and OSPF. RIP is a protocol I would have thought would be gone by now, but RIPng added IPv6 support, so it is sticking around. EIGRP is Cisco’s proprietary routing protocol. OSPF is the open industry standard (RFC 2328 for IPv4).

There are many reasons to switch from static routing to a routing protocol. The main one I’ve seen is the ease of adding a new subnet to the network. In a static routing environment, a new subnet means adding a static route on every layer 3 device, which is time-consuming and tedious. With a routing protocol, you add the subnet only on the device closest to where it lives, and the protocol propagates it through the network, using its metrics to work out the best path from every other device. You don’t have to touch every layer 3 device.

Another benefit of using a routing protocol is automatic failover if you have redundant connections. Let’s assume you have a main office with two connections to a remote office. If you use static routing and one of those connections fails, you either need IP SLA tracking tied to your static routes to get failover, or you have to log into the remote office router and change the static routes by hand, and then do the same on the main office router. With a routing protocol you don’t need to do anything: the protocol sees the link go down (or the neighbor stop answering hellos), withdraws the routes over the failed link, and installs the routes over the surviving one. The same applies if you have two Internet connections.

Which routing protocol you use really depends on how your network is built and what the future plans are. If you plan on having Cisco everything, EIGRP will serve you well. If you have SonicWALL firewalls, Brocade layer 3 switches, and Cisco routers, you should use OSPF, since the non-Cisco devices won’t speak EIGRP. Each is configured a bit differently and chooses the best route using different metrics, but implemented correctly they are both great routing protocols. OSPF, EIGRP, and RIP can also coexist: a Cisco router can run EIGRP and OSPF at the same time and redistribute routes between the two.
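As an added example that is not from the original post: a Cisco IOS router running EIGRP toward an all-Cisco campus and OSPF toward the mixed-vendor WAN, redistributing between them, with neighbor authentication so a rogue device cannot inject routes. It ends with the IP SLA tracked static default route from the two-Internet-connections case above, for comparison. AS and process numbers, addresses, interface names and key strings are assumed.

```cisco
! Added example, not from the post: one IOS router speaking EIGRP to the
! Cisco campus and OSPF to the mixed-vendor WAN, with redistribution and
! neighbour authentication. Numbers, addresses and keys are assumed.
!
! --- EIGRP AS 100 toward the all-Cisco campus ---
router eigrp 100
 ! Every interface inside 10.1.0.0/16 joins EIGRP, so a new subnet in that
 ! range is advertised as soon as it is configured on this router; nothing
 ! to add on the other routers
 network 10.1.0.0 0.0.255.255
 ! No hellos on user-facing interfaces; neighbours only on the uplink
 passive-interface default
 no passive-interface GigabitEthernet0/0
 ! Routes learned from OSPF need an EIGRP seed metric:
 ! bandwidth(kbps) delay(tens of usec) reliability load MTU
 redistribute ospf 1 metric 100000 100 255 1 1500
!
! --- OSPF process 1, area 0, toward the SonicWALL / Brocade / Cisco WAN ---
router ospf 1
 router-id 10.255.0.1
 network 10.2.0.0 0.0.255.255 area 0
 passive-interface default
 no passive-interface GigabitEthernet0/1
 ! "subnets" is required, otherwise only classful networks are redistributed
 redistribute eigrp 100 subnets
!
! --- Neighbour authentication: a rogue box on either link cannot form an
!     adjacency and advertise routes ---
key chain EIGRP-KEYS
 key 1
  key-string <shared-secret>
!
interface GigabitEthernet0/0
 description EIGRP uplink to core
 ip address 10.1.0.1 255.255.255.252
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
!
interface GigabitEthernet0/1
 description OSPF link to WAN
 ip address 10.2.0.1 255.255.255.252
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 <shared-secret>
 ! Detect a dead neighbour in about 1 second instead of the 40 s default
 ip ospf dead-interval minimal hello-multiplier 4
!
! --- For comparison: the static-route version of dual-ISP failover.
!     Needs IP SLA + tracking on every router that carries the static route.
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/2
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
! The primary default route is withdrawn when the probe fails and the
! floating static (administrative distance 250) takes over
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 250
```

If more than one router redistributes between the two protocols, tag the redistributed routes and filter on the tag, otherwise a route can be fed back into the protocol it came from and loop. The authentication lines are the routing-protocol equivalent of the rogue-switch problem: without them, anyone who can plug into a routed segment can form an adjacency and advertise a more specific route for, say, your file server.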

The one routing protocol I haven’t touched on is BGP. Essentially, BGP is the routing protocol of the Internet. It is a very powerful protocol with many, many features, but it is usually not advisable to run it inside your network. Its default timers are tuned for stability between very large networks rather than for speed (a 180-second hold time by default on Cisco routers), so on its own it does not fail over quickly.

So if your network has grown to the point where manually adding and removing routes is becoming a time-consuming and tedious process, consider moving to a routing protocol like EIGRP or OSPF. It will make management of your network easier and also give you automatic failover if a link goes down.

If you have any questions about routing protocols, contact NetWork Center, Inc. today.


Topics: Technology Solutions, NetWork Center Inc., Routing protocols

Features & Benefits of Voice Over Internet Protocol (VoIP)

Posted by Jeremy Hostrup on Apr 19, 2013 5:10:00 PM

Many companies are making the transition to Voice over Internet Protocol (VoIP) phone systems. There are many features and benefits that companies gain by making the transition to VoIP. One of the main benefits is the reduced cost of adds, moves and changes. The cost of adds, moves and changes with digital/analog phone systems varies, but it is generally higher than with a VoIP phone system. Some of the advantages of a VoIP system include remote phone access, easy integration with call recording software, instant messaging, voicemail, call center software, the ability to tie together multiple sites over a WAN, toll bypass, and extension mobility.

With an analog phone system it is not generally possible for someone to take the phone off their desk, bring it home, and have it work as if they were sitting at their desk. With VoIP this is possible with a few configuration changes on the firewall and the phone system. After those changes, the phone builds a VPN tunnel through the firewall to the phone system and works like it’s in the office from basically anywhere with an Internet connection. Another way to do this with a VoIP system is a softphone plus the VPN on the user’s computer. (A softphone is a piece of software installed on a PC that has most of the functions of an IP phone.) Since most users already have VPN on their computers for offsite access, it is easy to install a softphone and connect it back to the office.

Most VoIP phone systems integrate easily with call recording software, instant messaging, voicemail, and call center software. With call recording software, you could have a server dedicated to recording calls for a call center for auditing purposes. Instant messaging software can be tied into a VoIP phone system so that users can see if someone is on the phone, make a call from their desktop, or click a number on their computer and have their desk phone dial it. Voicemail comes with many VoIP phone systems and can be delivered directly into email for a single place to manage all messages. Call center software can provide call queuing for customer service needs.

Toll bypass, or tail end hop off (TEHO), is easy to implement with a VoIP phone system. Say you have an office in California and one in Delaware, joined over your WAN with 4-digit dialing between them; calls between the two offices stay on the WAN and never touch the phone company. TEHO goes one step further: when a California user dials an outside number in Delaware’s local calling area, the call is carried over the WAN to the Delaware office and placed from that office’s phone lines as a local call, avoiding long distance charges.

Extension mobility allows a user to log out of their phone and log into any other phone connected to the VoIP phone system. This lets a user move between locations or offices and keep their extension and preferences. It is very useful if you have people who share the same desk on different shifts, or personnel who travel between offices.

There are many features and functions in current VoIP systems that can help your business communicate better internally and provide a better experience for your customers. If you have any questions about how a VoIP solution could help your business, please don’t hesitate to contact us by clicking on the contact us button below.



Topics: Technology Solutions, NetWork Center Inc., VoIP

5 Ways to Protect Your Network from Internal Attacks

Posted by Jeremy Hostrup on Nov 21, 2012 4:10:00 PM

Securing your network is an important part of any security plan. Most professionals focus their attention on securing the network from outside threats, which is an important piece of network security, but internal threats often get overlooked. A large share of incidents start from inside the network, whether from a malicious insider or from a compromised device that an outsider now controls.

Those attacks could be someone plugging in an unauthorized access point, switch, or computer, or someone attacking the switches and routers themselves. There are many ways to mitigate these threats, but they occasionally get overlooked.

Here are five general guidelines that can be followed to secure your internal network with little work:

  1. Hard code all of your switch ports as access ports and assign each to a specific VLAN. That way, if an unauthorized switch is plugged in, it cannot negotiate a trunk. Catalyst switches default to DTP dynamic auto (dynamic desirable on older models), which will form a trunk when the device on the other end asks for one, and a trunk carries every VLAN. Enabling spanning-tree PortFast with BPDU Guard on access ports goes further: the port is err-disabled the moment anything that sends BPDUs, such as a switch, is plugged in.
  2. Use port security on the switch ports to limit the number of MAC addresses a single port may learn. This stops someone plugging a hub or an unmanaged switch into a port. You set the maximum number of MAC addresses per access port and what the switch should do when that number is exceeded; the default violation action is to shut the port down (err-disable), so plan for how it gets re-enabled.
  3. Put access control lists (ACLs) on the management plane of switches and routers so that only certain IP addresses, ideally a dedicated management subnet, can reach them. Then someone who installs PuTTY on their desktop never even gets a login prompt from your routers and switches.
  4. Configure switches and routers to accept only Secure Shell (SSH) so that usernames and passwords are not sent in clear text. Telnet sends credentials in the clear, so anyone with a packet sniffer on the same segment could capture the username and password.
  5. Disable switch ports that are not in use, or assign them to an unused VLAN that is routed nowhere, so that anyone who plugs into them gets nothing.
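The five guidelines on one Catalyst access switch, as an added example that is not part of the original post. VLAN numbers, interface ranges, the management subnet, the hostname and the admin account are assumed.

```cisco
! Added example, not from the post: Catalyst access-switch hardening for
! the five guidelines. VLANs, subnets, interface ranges and names are assumed.
!
! --- 1 and 2: fixed access ports, no trunk negotiation, BPDU Guard, port security ---
interface range GigabitEthernet1/0/1 - 24
 description User access
 switchport mode access
 switchport access vlan 10
 ! Never answer DTP, so a rogue switch cannot negotiate a trunk
 switchport nonegotiate
 spanning-tree portfast
 ! A port that receives a BPDU (i.e. another switch) goes err-disabled
 spanning-tree bpduguard enable
 ! One PC behind the port, or two when an IP phone daisy-chains it
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 ! Remember the learned addresses in the running config
 switchport port-security mac-address sticky
!
! Bring an err-disabled port back after 5 minutes instead of a truck roll
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! --- 5: unused ports shut and parked in a VLAN that goes nowhere ---
vlan 999
 name PARKING-UNUSED
interface range GigabitEthernet1/0/25 - 48
 description Unused
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
!
! --- 3 and 4: SSH only, and only from the management subnet ---
hostname sw-access-01
ip domain-name corp.example
crypto key generate rsa modulus 2048
ip ssh version 2
username netadmin privilege 15 secret <strong-password>
!
ip access-list standard MGMT-ONLY
 permit 10.0.100.0 0.0.0.255
 deny any log
!
line vty 0 15
 access-class MGMT-ONLY in
 transport input ssh
 login local
 exec-timeout 10 0
```

`spanning-tree portfast bpduguard default` in global configuration does the same as the per-interface BPDU Guard line for every PortFast port. Without the `errdisable recovery` lines, a tripped port stays down until someone runs `shutdown` / `no shutdown` on it; the recovery timer avoids that at the cost of letting a persistent attacker retry every five minutes, so send the err-disable log messages to your syslog server and alert on them either way.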

If you want to get a little more involved, you could implement RADIUS for login authentication on the network equipment. The RADIUS server (Windows NPS, for example) can be tied to Active Directory, so that only members of a specific AD group can log into the network equipment, and you get a central record of who logged in where. Keep a local break-glass account for the day the RADIUS server is unreachable.

You could also use RADIUS with 802.1X (dot1x) to automatically assign a VLAN to a switch port based on the user’s authentication to the RADIUS server. With dot1x, you can also specify the VLAN for users or devices that don’t authenticate, such as a guest VLAN for visitors and a quarantine VLAN for failed logins.
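The RADIUS login and 802.1X pieces on the same switch, again as an added example that is not from the original post. The RADIUS server is assumed to be a Windows NPS or Cisco ISE box at 10.0.100.20 that authenticates against Active Directory; VLAN numbers, addresses and secrets are placeholders.

```cisco
! Added example, not from the post: RADIUS for switch logins and 802.1X
! on user ports, both backed by a RADIUS server that checks Active
! Directory. Addresses, VLANs and secrets are assumed.
!
aaa new-model
radius server AD-NPS-1
 address ipv4 10.0.100.20 auth-port 1812 acct-port 1813
 key <radius-shared-secret>
aaa group server radius CORP-RADIUS
 server name AD-NPS-1
!
! --- Device administration: RADIUS first, local account only if RADIUS is down ---
aaa authentication login default group CORP-RADIUS local
aaa authorization exec default group CORP-RADIUS local if-authenticated
! The RADIUS policy decides which AD group may log in and returns the
! privilege level in the Cisco-AVPair attribute "shell:priv-lvl=15"
username emergency privilege 15 secret <break-glass-password>
!
! --- 802.1X: the RADIUS reply picks the VLAN for each authenticated user ---
aaa authentication dot1x default group CORP-RADIUS
aaa authorization network default group CORP-RADIUS
dot1x system-auth-control
!
vlan 20
 name STAFF
vlan 30
 name GUEST
vlan 40
 name AUTH-FAIL
!
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 20
 authentication port-control auto
 ! One data device plus one voice device per port
 authentication host-mode multi-domain
 dot1x pae authenticator
 ! No supplicant answered (visitor laptop, printer): guest VLAN
 authentication event no-response action authorize vlan 30
 ! Supplicant tried and failed: quarantine VLAN
 authentication event fail action authorize vlan 40
 ! RADIUS unreachable: keep people working on the staff VLAN
 authentication event server dead action authorize vlan 20
 authentication event server alive action reinitialize
!
! The RADIUS server returns the VLAN for a successful login with:
!   Tunnel-Type = VLAN (13)
!   Tunnel-Medium-Type = IEEE-802 (6)
!   Tunnel-Private-Group-ID = 20
```

A user who authenticates is placed into whatever VLAN the RADIUS server returns, so the VLAN follows the person rather than the port. Leave the `server dead` line out if you would rather fail closed while RADIUS is unreachable.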

How much you invest in your network is dependent on your unique set of requirements. If you have spent thousands of dollars on your network, that investment could be compromised by an internal threat if you are not prepared.

There are different ways to protect a network from different threats depending on the risk involved, and there are many more ways to secure your network than these; this list is just a few to get you started. Feel free to contact us for a review of your network security.



Topics: Technology Solutions, NetWork Center Inc., Network Security
