Messages - deanwebb

#1
If you know the external IP address ranges you'll use for your logins, that makes it much more secure if they're the only ones you permit to make a VPN connection from.

Setting up the Frontier router should be covered in the user guide for the equipment; it would likely be in the user interface under "security" or "networking". There may also be a help file on their website on how to do it, as it's a common ask for things like gaming and media servers.
#2
Do you need full access on all ports or do you only need access for a specific function? For example, is this Mac Mini performing a wide range of functions, or do you only need to use it as a file share?

This can provide an additional layer of security if you lock off access on areas you don't need to use.

The diagram looks good, assuming it's home use, so you won't need commercial-grade gear for the setup. With that in mind, will the manufacturer keep the gear up to date with updates? That will be important for the sake of security.

You'll also need the ability to set up a VPN to the VPN router, which means opening up inbound ports on the modem - and that means the ports are open for the entire world. If there is an ability to authenticate with multiple factor authentication in order to open up the ports, that would be preferable.
#3
Give all the offices a /24 like 10.0.1.X, 10.0.2.X,... 10.0.17.X.

Internal servers should also be divided. Then only the admin/finance have access to admin/finance server resources in the ACL. Instead of an ACL, another method is to use identity-based security with a tool like CyberArk, Okta, or something similar. Make sure you have multi-factor authentication in place, as username/password is barely any security at all.

Yes, better the Fortinet than the Cisco for DHCP.
#4
Segmentation is done for two reasons - network traffic distribution and security.

Having separate offices in their own VLANs provides a level of organization in knowing which location is where based on IP address. IPv4 is easier to read than IPv6, but both can be managed to make human-readable address ranges. However...

... different device types have different security considerations. Printers and IoT devices are not as well-managed as PCs, typically, and present a two-way security risk. They can host malware that one does not have tools to remove other than a complete factory reset - or in some cases, replacement - and are also vulnerable to malware coming at them from more resilient PCs. One can also argue that such devices should have zero or limited Internet connectivity to complete their functions. In such cases, having those devices on their own VLAN means that the security of those VLANs can be managed.

Combining the two means separate VLANs for different devices at all locations, which may be impractical for smaller locations. In such a case, a microsegmentation solution that works with the firewall would be appropriate for handling different device types. That means getting a visibility solution into the picture and a lot more complexity than the first questions you ask. :)

So let's answer those questions from a routing and switching perspective and set aside the security. The L3 router is where I would have the VLANs created and live. For DHCP, I would get it off of the firewall and stand up a separate group of servers to provide resilience and better flexibility for DHCP service. DO NOT RUN DHCP ON PRODUCTION CISCO GEAR. Even Cisco advises against doing so.
#5
As Otanx mentioned, an outage for the VPN vendor is the same as a VPN failure: you'll reconnect from the home IP during the outage and then go back to the VPN when it is back online.

And if you have it set to only allow traffic via the VPN and not have a local fallback, you'll still have the anomalous ping latency regardless of the choice of router VPN.
#6
Straight technical answer: If your router VPN terminates in another location, it will have the IP of that remote location as the source IP for all traffic emerging from the VPN.

If they're looking for that, you'll be found out in an instant. If they're not looking for that, well, you may have longer than an instant. :smug:
#7
Here's the thing... a good number of us are in roles where we have to be in the USA and can't be accessing systems from outside the USA. We can get into trouble or even lose our jobs if we attempt that access and we can lose our jobs if we advocate or even observe discussion of methods of evasion for a role in the Federal Civilian/Defense sphere, including contractor roles.

If your boss says it's OK but HR has an issue, then it's not overall OK within your organization. If we recommend a solution and then the IT department gets a tool that is able to go around that solution, then you don't just have the issue of working in the wrong location, but also are now deceiving the employer deliberately.

On top of that, there are numerous scams where persons claim to be citizens of and living in a certain country during the interview process and then the workload is handed off to a person that lives somewhere else, but the original person acts as the face for the foreign worker. The "face" can have multiple identities and work in 2-3 roles in this manner. Lots of felony fraud counts in that set-up. Not saying that you yourself are party to such a scam, but if we provide a solution to you then we also provide a solution for scammers. The use cases are quite similar.

VPN detection technology is becoming more sophisticated because streaming services want to maintain their licensing for content by limiting it by region. What worked fine in 2023 may not work at all in 2024; we need to keep that development in mind.

The termination point for the VPN in the nation one desires to present as being present in is going to be in a block of IPs that is either known as a pool of VPN termination addresses or can be learned. Those IPs would show up as the source IP for your AnyConnect traffic, as that's what destination traffic has to be routed back to in order to keep the communications going.

A person willing to engage in deeper levels of fraud could create a system of confederates and falsified documents to permit a build-out at a residence to act as a privately-managed VPN termination point, but that itself is risky on multiple levels. The VPN itself may not be properly maintained and thus subject to compromise. Each fraud entered into to create the ruse is itself vulnerable to penetration via other information sources that reveal activity or transactions that prove one was not where one said one was. Do not underestimate the quality or quantity of corporate information-gathering to find deceptive employees.

My firm partners with security vendors that do that very thing. The vendor has multiple sources that are correlated to build a profile on each employee and then maintains continuous updates. Should your name come up at all in the country you're actually living in, the game's over. And should you live under an assumed identity in the other country, then that's one more layer of fraud in the picture. But that's an example of a detection made possible that doesn't even look for a VPN connection. We could potentially solve for the network issue, but your firm likely subscribes to a service such as I've described that would prove false your claim without having to rely on the IT angle for proof.

The easier solution is to have your boss get a waiver from HR. If that works out, great, no deception needed. Best case would have been if you got that clearance prior to moving to the other country. As it stands now, you are currently in a place where you should not be to do the job that you are doing. I don't know how going a legitimate business process route works out for you, but I see it as the only way to do this properly. That, or move back to the country where HR expects you to work from.
#8
Any time those breach announcements come out, we need to have HOW that breach happened.
#9
Secure file transfer: that's where you have a system where USB drives are created and tagged with the secure file transfer system, then they are checked in at a kiosk prior to installation on the endpoint. If the endpoint has an interactive OS, the kiosk can be a service running locally that blocks untagged USBs or tagged USBs whose contents don't match the file manifest. For headless devices, a hardware kiosk would serve that function at the entry point to the secured area.
#10
Wireless / Re: Wireless AP upgrade
March 04, 2024, 05:48:35 PM
Wait, so you don't want to use your neighbor's wireless? I'm confused... :smug:
#11
The answer is that yes, we do both. If all we had was one switch, everything would be end-to-end and no more. But because we can't connect everything to one switch and because we don't necessarily want all traffic in an organization going to every other endpoint in the organization, we have multiple switches with multiple subnets to control traffic. And even if we did want that, the fact that electrical signals only travel so far before they need to be repeated means that for network traffic to span distances such as across a large campus or between cities or nations, we will need multiple devices to carry the signal, each acting as a hop.

To get traffic from one subnet to another, we need to know which route to take. Because the route will traverse multiple devices, we will need to determine the hops that will collectively form the end-to-end route. When we consider the billions of devices connected to networks with Internet access, we need to have methods of summarizing how traffic moves locally, to indicate if the traffic will stay in our organizational networks or go out across the Internet.
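As an added example (not deanwebb's code or any vendor's), a small Python model of the per-office /24 layout from post #3 and the hop-by-hop route selection described in post #11: longest-prefix matching picks the office VLAN, the internal summary, or the default route out to the Internet, and a stateless ACL restricts the finance server to the admin/finance VLAN. The subnets, next-hop names and the finance server address are constructed assumptions.

```python
import ipaddress
from typing import List, Tuple

# Constructed route table modelled on "a /24 per office": 10.0.1.0/24 ...
# 10.0.17.0/24 are office VLANs, 10.0.100.0/24 is an assumed server VLAN,
# 10.0.0.0/16 summarises the whole internal network, and 0.0.0.0/0 is the
# default route to the Internet. Next-hop labels are invented for the example.
ROUTES: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network(f"10.0.{n}.0/24"), f"office-{n}-vlan") for n in range(1, 18)
] + [
    (ipaddress.ip_network("10.0.100.0/24"), "server-vlan"),
    (ipaddress.ip_network("10.0.0.0/16"), "internal-summary"),
    (ipaddress.ip_network("0.0.0.0/0"), "internet-default"),
]


def longest_prefix_match(dst: str) -> Tuple[ipaddress.IPv4Network, str]:
    """Return the most specific route covering dst, as each hop's router would."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in ROUTES if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)


def classify(src: str, dst: str) -> str:
    """Local (same /24, switched only), internal (routed via the L3 router) or internet."""
    src_net, _ = longest_prefix_match(src)
    dst_net, hop = longest_prefix_match(dst)
    if dst_net == src_net and dst_net.prefixlen == 24:
        return "local"
    if hop == "internet-default":
        return "internet"
    return "internal"


# Constructed ACL: only the admin/finance office VLAN (assumed 10.0.1.0/24)
# may reach the finance server (assumed 10.0.100.10); everything else passes.
FINANCE_SERVER = ipaddress.ip_address("10.0.100.10")
ADMIN_FINANCE_VLAN = ipaddress.ip_network("10.0.1.0/24")


def acl_permits(src: str, dst: str) -> bool:
    """Stateless ACL applied at the L3 boundary between VLANs."""
    if ipaddress.ip_address(dst) == FINANCE_SERVER:
        return ipaddress.ip_address(src) in ADMIN_FINANCE_VLAN
    return True
```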
#12
THE MUSEUM OF FORUM FAIL / Re: Wrong way to spam...
February 27, 2024, 04:02:16 PM
I have to say, it's easier when the spam is posted directly in the thread already titled "Wrong way to spam..."... :smug:
#13
My concern with the Brax VPN is that it's a vanity project. It all revolves around the one guy, and if he goes away, so does the product.

As for other commercial VPNs, I have no guarantee that their private keys haven't been captured by those who listen in, allowing them to listen in - and may target me specifically because I'm using a VPN that they have keys for.
#14
I've been dealing with Windows upgrades since 1995, and always hit issues on upgrades that get resolved with a clean install. Stuff just breaks with upgrades, so I never upgrade. I just get a new laptop with the OS it installs with and ride that to the end of that laptop's life.
#15
Is this a clean installation or an upgrade?

If an upgrade, is there any way you can do a clean install?