
Recent posts

#1
Routing and Switching / Re: Creating and configuring a...
Last post by deanwebb - Yesterday at 04:25:50 PM
If you know the external IP address ranges you'll use for your logins, that makes it much more secure if they're the only ones you permit to make a VPN connection from.

Setting up the Frontier router should be something in the user guide for the equipment, would likely be in the user interface under "security" or "networking". May also be a help file on their website on how to do it, as it's a common ask for things like gaming and media servers.
#2
Routing and Switching / Re: Creating and configuring a...
Last post by gdgross - Yesterday at 04:09:06 PM
Quote from: deanwebb on Yesterday at 02:12:30 PM
Do you need full access on all ports or do you only need access for a specific function? For example, is this Mac Mini performing a wide range of functions, or do you only need to use it as a file share?

This can provide an additional layer of security if you lock off access on areas you don't need to use.


Thanks Dean - yeah, I will indeed want full access to the Mac mini; I'd like to log into the computer and use apps etc. just as if I was sitting at the keyboard.



Quote from: deanwebb on Yesterday at 02:12:30 PM
The diagram looks good, assuming it's home use, so you won't need commercial-grade gear for the setup. With that in mind, will the manufacturer keep the gear up to date with updates? That will be important for the sake of security.

I was thinking of this as my router: https://www.amazon.com/dp/B08QTXNWZ1?psc=1&ref_=cm_sw_r_apin_ct_9R7YHFK9VWAJCZT370XF&language=en_US It shows up more than once when I Google "good wired VPN routers", and it's not too pricey :-D  Hopefully they'll keep current with future firmware updates!


Quote from: deanwebb on Yesterday at 02:12:30 PM
You'll also need the ability to set up a VPN to the VPN router, which means opening up inbound ports on the modem - and that means the ports are open for the entire world. If there is an ability to authenticate with multiple factor authentication in order to open up the ports, that would be preferable.

As far as opening up ports on the modem, perhaps Frontier would have to help me with that?  Or is that something I could do on my own?  Also, it might be useful to restrict the allowed ports by IP address, location, etc., since I'd be logging in remotely from a finite number of offsite locations.  I wonder if that can be done?  (Although MFA is acceptable too, I guess.)

Do you know of any guides for dummies on doing this?
#3
Routing and Switching / Re: Creating and configuring a...
Last post by deanwebb - Yesterday at 02:12:30 PM
Do you need full access on all ports or do you only need access for a specific function? For example, is this Mac Mini performing a wide range of functions, or do you only need to use it as a file share?

This can provide an additional layer of security if you lock off access on areas you don't need to use.

The diagram looks good, assuming it's home use, so you won't need commercial-grade gear for the setup. With that in mind, will the manufacturer keep the gear up to date with updates? That will be important for the sake of security.

You'll also need the ability to set up a VPN to the VPN router, which means opening up inbound ports on the modem - and that means the ports are open for the entire world. If there is an ability to authenticate with multiple factor authentication in order to open up the ports, that would be preferable.
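Here is what "only the known ranges may start a VPN connection" looks like as a rule, written as an added example in Cisco IOS extended-ACL syntax because that is the most widely recognised form; it is not configuration for the Frontier modem or the consumer VPN router discussed in the thread, whose own interfaces will expose the same idea under "security" or "firewall". The 203.0.113.0/24 and 198.51.100.0/24 ranges are documentation addresses standing in for the two fixed sites the poster would log in from, IPsec/IKE on UDP 500/4500 is the assumed VPN type, and GigabitEthernet0/0 is an assumed WAN interface name.

```cisco
! Added example, not configuration from the thread. Cisco IOS extended ACL
! applied inbound on the internet-facing interface. 203.0.113.0/24 and
! 198.51.100.0/24 are placeholder ranges for the remote office and the
! other fixed location; the VPN type is assumed to be IPsec/IKE.
!
! Weak form: the VPN ports are reachable from anywhere, so the whole
! internet can probe and brute-force the VPN service.
ip access-list extended WAN_IN_WEAK
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 permit ip any any
!
! Hardened form: first match wins, so order matters. The known source
! ranges are permitted to IKE (UDP/500), NAT-T (UDP/4500) and ESP, every
! other source is explicitly denied on those ports, and only then does
! the rest of the traffic fall through to the router's stateful
! firewall/NAT policy.
ip access-list extended WAN_IN
 remark VPN handshake only from the known remote ranges
 permit udp 203.0.113.0 0.0.0.255 any eq isakmp
 permit udp 203.0.113.0 0.0.0.255 any eq non500-isakmp
 permit esp 203.0.113.0 0.0.0.255 any
 permit udp 198.51.100.0 0.0.0.255 any eq isakmp
 permit udp 198.51.100.0 0.0.0.255 any eq non500-isakmp
 permit esp 198.51.100.0 0.0.0.255 any
 remark Everyone else gets no VPN handshake at all; log the attempts
 deny   udp any any eq isakmp log
 deny   udp any any eq non500-isakmp log
 deny   esp any any log
 remark Non-VPN traffic is left to the router's stateful inspection
 permit ip any any
!
interface GigabitEthernet0/0
 description WAN (assumed interface name)
 ip access-group WAN_IN in
```

Two caveats a practitioner would want. The roaming case in the thread (the MacBook from a coffee-shop network) cannot be allowlisted this way, because those source addresses are not known in advance; that is the case where multi-factor authentication on the VPN login itself has to carry the load, as the thread already notes. And the source allowlist is defence in depth, not a substitute for strong VPN authentication: an allowed range is shared with every other customer of that ISP or building, so the denies above shrink the exposed surface but do not make the login trustworthy on their own.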
#4
Routing and Switching / Creating and configuring a VPN...
Last post by gdgross - Yesterday at 11:46:05 AM
Hi all - tech-y fellow here but not much in the way of IT things, although I'm learning.

I'd like to set up a way to access and log into my Mac mini from anywhere on the internet.  Currently I can do this via the Splashtop app, but for various reasons, I would like to set up my own system.  I understand that this will require creating a VPN server for my LAN, and maybe some additional hardware purchases (specifically a dedicated VPN router?).

I'd like to be able to log in from a Windows machine on a different wired network miles away from the Mac mini and its LAN, using SonicWall or the Windows built-in VPN client, and control the Mac mini via Microsoft Remote Desktop or similar software.  I'd also like to be able to log in from my MacBook Pro using the same tools from any old wireless network at Starbucks or wherever.

My current network looks like this:


As I understand it, hardware-wise, I will need to do something like this:


First, is my understanding of the hardware correct?

Second, what steps will I need to go through to set this up properly?  I assume the VPN router will have some software that I'll need to configure once I connect it all.  And I'll need an IP or domain or something for the VPN, and a name for the Mac mini itself to connect remotely?

Thanks for your help all - I'm slowly becoming IT fluent lol.

Geoff
#5
Routing and Switching / Re: Segmentation and DHCP Serv...
Last post by deanwebb - March 23, 2024, 09:18:07 AM
Give all the offices a /24 like 10.0.1.X, 10.0.2.X,... 10.0.17.X.

Internal servers should also be divided. Then only the admin/finance have access to admin/finance server resources in the ACL. Instead of an ACL, another method is to use identity-based security with a tool like CyberArk, Okta, or something similar. Make sure you have multi-factor authentication in place, as username/password is barely any security at all.

Yes, better the Fortinet than the Cisco for DHCP.
#6
Routing and Switching / Re: Segmentation and DHCP Serv...
Last post by slash8 - March 22, 2024, 10:29:28 PM
Hello, thank you so much for the reply and inputs! Sorry for the late reply, I am swamped at work at the moment lol. I also would like to give separate VLANs to each office; however, it might be a challenge to manage since there are lots of offices (about 17) with unequal numbers of devices (e.g. one office has as many as 12 but one office only has 4). If, for the moment, I at least divide it into two, say VLAN 10 for operations and VLAN 20 for admin/finance, they will still have the same ACL access to the internal servers. Does that make a difference in terms of security if, say, VLAN 10 is hit with ransomware/malware?

As much as I want to separate the printers as well, I can't do it at the moment since the switches in each office are unmanaged ones lol. And thanks for sharing microsegmentation. Is that something applicable in our setup? I'd have to read more into that first.

Lastly, for the R&S side, I will leave the VLAN creation and routing to the L3 switch as you suggested. However, we don't have another DHCP server at the moment, so I take it that it is better to have the Fortinet firewall do it for now rather than the L3? Although I may have to test and simulate it first in GNS3 since I am not sure how to configure those. Thank you so much!
#7
Routing and Switching / Re: Segmentation and DHCP Serv...
Last post by deanwebb - March 20, 2024, 09:56:15 AM
Segmentation is done for two reasons - network traffic distribution and security.

Having separate offices in their own VLANs provides a level of organization in knowing which location is where based on IP address. IPv4 is easier to read than IPv6, but both can be managed to make human-readable address ranges. However...

... different device types have different security considerations. Printers and IoT devices are not as well-managed as PCs, typically, and present a two-way security risk. They can host malware that one does not have tools to remove other than a complete factory reset - or in some cases, replacement - and are also vulnerable to malware coming at them from more resilient PCs. One can also argue that such devices should have zero or limited Internet connectivity to complete their functions. In such cases, having those devices on their own VLAN means that the security of those VLANs can be managed.

Combining the two means separate VLANs for different devices at all locations, which may be impractical for smaller locations. In such a case, a microsegmentation solution that works with the firewall would be appropriate for handling different device types. That means getting a visibility solution into the picture and a lot more complexity than the first questions you ask. :)

So let's answer those questions from a routing and switching perspective and set aside the security. The L3 router is where I would have the VLANs created and live. For DHCP, I would get it off of the firewall and stand up a separate group of servers to provide resilience and better flexibility for DHCP service. DO NOT RUN DHCP ON PRODUCTION CISCO GEAR. Even Cisco advises against doing so.
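To make the routing-and-switching split in this thread concrete, here is an added example (not configuration from the thread or from either poster) of the L3 switch side in Cisco IOS syntax: the VLANs and inter-VLAN routing live on the switch, DHCP requests are relayed to a server elsewhere (the Fortinet for now, or the separate DHCP servers recommended above; the server's own configuration is not shown), and an ACL on the operations SVI keeps that VLAN away from the admin/finance server segment, which answers the ransomware question from the earlier reply. VLAN numbers, the 10.0.x.0/24 addresses, the DHCP server at 10.0.100.10, the firewall inside address 10.0.0.1 and the port names are all assumptions.

```cisco
! Added example, not from the thread: Cisco IOS L3 switch as core/distribution.
! VLAN IDs, 10.0.x.0/24 addressing, the DHCP server at 10.0.100.10, the
! firewall at 10.0.0.1 and the port numbers are assumptions for illustration.
ip routing
!
vlan 10
 name OPERATIONS
vlan 20
 name ADMIN_FINANCE
vlan 100
 name SERVERS_GENERAL
vlan 101
 name SERVERS_ADMIN_FINANCE
!
! Each user VLAN gets its own /24. ip helper-address turns the clients'
! DHCP broadcasts into unicast to the DHCP server, so the switch itself
! never runs a DHCP service.
interface Vlan10
 description Operations users
 ip address 10.0.10.1 255.255.255.0
 ip helper-address 10.0.100.10
 ip access-group OPS_IN in
!
interface Vlan20
 description Admin/Finance users
 ip address 10.0.20.1 255.255.255.0
 ip helper-address 10.0.100.10
!
interface Vlan100
 description General internal servers (shared by everyone)
 ip address 10.0.100.1 255.255.255.0
!
interface Vlan101
 description Admin/Finance servers
 ip address 10.0.101.1 255.255.255.0
!
! The ACL is stateless and applied inbound on the operations SVI, so it
! filters packets that operations hosts send. Order matters.
ip access-list extended OPS_IN
 remark DHCP DISCOVER is sourced from 0.0.0.0:68; without this line the
 remark final permit would drop it and nothing in VLAN 10 would get a lease
 permit udp any eq bootpc any eq bootps
 remark Operations may not reach the admin/finance server segment
 deny   ip 10.0.10.0 0.0.0.255 10.0.101.0 0.0.0.255
 remark Everything else (shared servers, internet via the firewall) is allowed;
 remark restricting the source also drops spoofed addresses from this VLAN
 permit ip 10.0.10.0 0.0.0.255 any
!
! Routed uplink to the Fortinet, which keeps the internet/edge policy
interface GigabitEthernet1/0/48
 description Uplink to Fortinet (assumed port)
 no switchport
 ip address 10.0.0.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
! With unmanaged switches in the offices there is no trunk, so each
! office uplink is an access port and the whole office sits in one VLAN.
interface GigabitEthernet1/0/1
 description Office 1 (unmanaged switch), operations
 switchport mode access
 switchport access vlan 10
```

Read with the ransomware question in mind: if VLAN 10 is infected, the malware can still reach the shared servers in VLAN 100, because both user VLANs are allowed there, but it cannot initiate anything toward the admin/finance servers in VLAN 101. Adding `deny ip 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255` before the final permit would also isolate the two user VLANs, but because the ACL is stateless it would drop the replies to sessions that admin/finance hosts open toward operations machines as well; where inter-VLAN rules need to be stateful, route those VLANs through the Fortinet and keep the switch ACLs to the coarse, always-deny cases like this one.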
#8
Routing and Switching / Segmentation and DHCP Server C...
Last post by slash8 - March 19, 2024, 09:31:02 PM
Hi. Pardon this noob question. My network is currently flat (single VLAN) with around 100 desktops/laptops and I want to implement basic segmentation. We have a Fortinet Firewall that is also the DHCP Server and recently acquired an L3 switch that I will be using as the core/distribution (see the attached diagram). So my question is where should I create the VLANs, VLAN routing, ACL, and DHCP server? Which of these should be configured in the firewall and which should be in the L3 switch? Thank you so much!
#9
Security / Re: Need help with ideas on ho...
Last post by config t - March 14, 2024, 07:14:19 PM
username checks out