Recent posts

#91
Security / Re: Manage security on unmanag...
Last post by DarkCorner - November 11, 2023, 02:30:43 AM
OK. Thanks for your suggestions.
#92
Security / Re: Manage security on unmanag...
Last post by icecream-guy - November 10, 2023, 07:12:57 AM
I'm in network security; my job is to find vulnerabilities and weaknesses in systems. But I can't even run a Tenable scan or NMAP without authoritative permissions. Otherwise it might be construed that I am hacking the network.
 
#93
Routing and Switching / Re: Network routing, maybe I a...
Last post by deanwebb - November 09, 2023, 08:40:15 AM
If the Windows DC is doing DHCP, then each switch with devices that need a DHCP address should have a setting that points to the DC as the DHCP server. The setting would be for an "IP Helper" or "DHCP Relay". If another device is handing out DHCP addresses, that can lead to a conflict with the Windows server.

"Next step" is whatever the business needs are. If you're not in a business and this is a lab, then it's to set up a scenario you want to work with. If it is your lab, I'd make sure that the firewall is set to block incoming traffic from the nasty old Internet. :)
#94
Security / Re: Manage security on unmanag...
Last post by deanwebb - November 09, 2023, 08:34:13 AM
Quote from: icecream-guy on November 08, 2023, 05:22:00 PM
Doing anything against company policy is a path to nowheresville, IN. You need buy-in, and acceptance (in writing, to CYA) that anything you do is recommended and/or approved by management. And only do what is approved by management; making decisions on your own leads to liability. Liability leads to joblessness. Not your company, not your decision, so all you can do is make recommendations. It's up to the company to make the final decisions and accept liability and task you to implement your recommendations, rather than you. If they decide not to do anything, it's not your call. It's not your company. (Unless you have some stock sharing incentive that I am not aware of.)

^ Quoted for truth.

Get it IN WRITING

And then make copies of that IN WRITING part for your own records, both electronic and hard copy. Store in a secure location. I am not joking around. CYAWP - cover your a$$ with paper - is the key to survival in this business.
#95
Routing and Switching / Network routing, maybe I am co...
Last post by szuguan - November 08, 2023, 08:12:59 PM
Dear all,

I have a situation here:

- DHCP is managed by a Windows Domain Controller.
- I have a sophos xg210 firewall.
- I have a Dlink DGS-1510-28X network switch, assumed this is "A"
- I have another 2 network switches, assumed these are "B" and "C"
- A, B and C are linked.
- Please refer to attachment (Picture 1).

I already set a VLAN in the Dlink switch (ports 1 to 6) and the VLAN port is able to issue IP addresses to devices connected to these ports (ports 1 to 6).

My question is:
I don't know what configuration to do next to let those devices connected to ports 1 to 6 have internet access and access my local network.

*I may ask more questions along the way, please bear with me, and be patient. Thank you so much ;)

#96
Security / Re: Manage security on unmanag...
Last post by icecream-guy - November 08, 2023, 05:22:00 PM
Doing anything against company policy is a path to nowheresville, IN. You need buy-in, and acceptance (in writing, to CYA) that anything you do is recommended and/or approved by management. And only do what is approved by management; making decisions on your own leads to liability. Liability leads to joblessness. Not your company, not your decision, so all you can do is make recommendations. It's up to the company to make the final decisions and accept liability and task you to implement your recommendations, rather than you. If they decide not to do anything, it's not your call. It's not your company. (Unless you have some stock sharing incentive that I am not aware of.)

#97
Security / Re: Manage security on unmanag...
Last post by deanwebb - November 08, 2023, 02:52:12 PM
Small company means as close as you can get to free is going to be the solution the bosses will want to see. Accounting is architecture.

Windows Defender with a high level of settings will accomplish a great deal on Windows desktops and PCs, and is free with Windows. Encourage people to turn it on and see if you can arrange for either yourself or managers to do walk-by spot checks to make sure it's up and running.

Do the NMAP scan daily or weekly and ping via email and chat any offenders to turn off the offending application. Be the nagware - it's free(ish) because your time is already paid for and folks will not want to turn something on that's going to result in nagging. That can close off some of the biggest potential threat vectors.

Your corporate email solution may already have anti-spam and anti-phishing measures in place. Doing a corporate phishing awareness campaign can help to reduce your exposure to that threat vector.

To determine VLAN membership, Ubiquiti has good tools for creating VLANs, placing security rules on them, and assigning switchports or wireless devices to VLANs. The catch is that if a person connects a red-zone device to a green-zone port, that person gets green-zone access for the red-zone device. Getting a full-blown dynamic network access control solution will either be complicated, more costly than what you already have, or both.

I would NOT break into HTTPS traffic. All kinds of potential legal and HR issues can result from that, and you're simply not protected in a small company from potential hazards resulting from access to encrypted information.
#98
Security / Re: Manage security on unmanag...
Last post by DarkCorner - November 08, 2023, 08:43:27 AM
First of all, thanks for your replies.

A first general comment right away.
This is a small company; the number of users with desktops is less than 15 and the rest are all laptops.
Sure, the warehouse worker who works alone can also secretly access a porn site, or the employee can spend her time on Facebook.
But I have to leave more freedom of access to the Internet for those who work in marketing, and I can't block the boss's access.

As I said initially, in my opinion the biggest problem comes from devices that are not under management.
A good example would be that of a school where students connect to the network with their laptop, but where you cannot manage their PCs or their smartphones.

Returning to the company, if there is an event in the showroom or in the meeting room, I cannot block the Internet or limit it to a predefined whitelist because there may be the need to consult an external site. For example, a competitor's website or a web magazine to see how the banner looks.
Not to mention the need to allow a guest to access his/her email or website.

I thought I could manage this by replacing the switches and access points with devices capable of managing VLANs so as to segment the network.

Again for example, in the personal apartment I can create a VLAN for personal devices (SmartTV, XBox, etc.), one for the children and one for those in the family who work in the company and who need to access the services or the NAS even from home.
User desktop PCs will be on one VLAN, company laptops on a second VLAN, agent laptops on a third, guest laptops on another, smartphones on yet another, etc.

Using Squidguard on the Squid proxy I can differentiate access by blocking entire categories (such as porn, sport and social networks) and adding specific websites into blacklists and whitelists.

However, I was wondering how to manage these filters. Not so much at the level of specific configuration or firewall rules, but primarily at the design level.

If I want to use ClamAV I have to open packets for what is now predominantly HTTPS traffic.
As I was saying, I'm perplexed by the use of the "Man in the Middle" and the difficulty in automatically configuring devices of people I don't know (such as guests and sales agents).

Furthermore, the considerations of some colleagues worry me.
I'm going to "impose" the use of wpad.dat on a person who then goes somewhere else to download a wpad.dat to an unauthorized website.
Who is responsible if something happens with this access that shouldn't have happened? This guest, who didn't check properly, or me, who allowed him to download wpad.dat automatically?

Finally, as for the budget, it is commensurate with a small company.
For switches and access points I will focus on devices like Ubiquiti while the firewall is already a PC with i5 quad core and 16GB of RAM, enough to manage both the proxy and future VPNs.

I don't think that replacing it with an appliance firewall will change anything if I don't solve the segmentation and filtering problem.
#99
Security / Re: Manage security on unmanag...
Last post by icecream-guy - November 07, 2023, 06:33:37 PM
Yes, like deanwebb says, if this is a corporate network, to secure it you NEED to have buy-in from management; otherwise you will probably be out of work shortly. Identify devices, build a case, make recommendations, provide solutions, request a budget for securing the network, and implement recommendations. If management is not keen on securing their network, what was it that he (deanwebb) said: hop into your Porsche Boxster and peel out of the parking lot, screaming "it's all on you (expletive)", 'cause you don't want to be there long.

The budget really depends on the solutions that management is willing to support with your recommendations. I would suggest contacting 3 vendors, building a Bill of Materials and presenting it to management (with your recommendations) to support the budget request. It could be 500K to 5M; it really depends on what you are trying to protect, and what the loss to the company would be if that data were compromised, lost, or encrypted.

Recovery cost would need to be determined by management or accounting. If it's going to cost 2M to recover and you can protect with 500K, that's a no-brainer. If it's going to cost 2M to recover and 2.5M to protect, that is not your decision but may be viable depending on what you are protecting. But that is risk assessment and not part of network security.
#100
Security / Re: Manage security on unmanag...
Last post by deanwebb - November 07, 2023, 08:35:19 AM
Welcome to the forums, and I feel that pain.

There are technical aspects to this issue, but there's a very big corporate management one. That is, if you don't have authority to implement security and the company leadership isn't behind you in that effort, you're at risk of putting something in place that gets you fired.

Step one is to get the number of devices on the network and what kinds they are - laptop, desktop, server, phone, other device. Now, if the number is under 100, you can likely do it by pulling MAC addresses off of the wifi controllers and the switches, then look up the first 6 digits of the MAC address online to find the vendor. A little more Google-fu, and you can find out what the vendor makes. That gets you device type and number.

Armed with that, you can then make a case for what should be allowed on the network and what should not. Or, if the "should not" is still permitted, what should be throttled and walled off from corporate assets. A good question to ask is, "which of these devices do you want to expose our corporate data to?"

Now, simply restricting traffic isn't going to do the job, not by half. Most of the breaches start with a phishing email, so you'll need both training and email filtering in place. Next, I recommend doing some scanning of your own - NMAP from the command line or WiNMAP for a desktop application. Scan for the worst of the misconfigured ports being open on your network - Telnet, Remote Desktop Protocol, and VLC. Look for SSH and NetBIOS, as well. Where open and responding, those devices present a clear threat and are likely already compromised. They need to be shut down and that's where corporate buy-in is necessary, so you can get an AD controller and implement some group policy on the Windows devices, at the very least.

I'm ready to carry on discussing, as I have only touched a few areas and would like to know the scale and budget for this effort before getting into solutions. All that being said, what's your gut feeling about this? Security is an area where people can get fired suddenly if they don't have strong backing from managers that understand we can't do everything and that mistakes can and will be made - security's job is to prevent where possible and to mitigate where breached.
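As an added example (not from the post or the forum), here is a small Python triage script for the scanning step deanwebb describes: it parses nmap's grepable (-oG) output and flags the hosts that are actually answering on the ports he calls out. The port mapping is an assumption: Telnet 23, RDP 3389, VNC 5900 (taken to be what the post calls "VLC"), SSH 22, NetBIOS session 139; the sample scan output is constructed, not real.

```python
import re
from collections import defaultdict

# Ports the post says are a clear threat when open, and ports to review (assumed mapping).
CRITICAL_PORTS = {23: "telnet", 3389: "rdp", 5900: "vnc"}
REVIEW_PORTS = {22: "ssh", 139: "netbios-ssn"}

# Constructed sample of `nmap -oG -` output; not a real scan.
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated as: nmap -oG - 10.0.5.0/24
Host: 10.0.5.10 (printer-lobby)\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 10.0.5.21 (ws-marketing-03)\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (997)
Host: 10.0.5.30 (nas01)\tPorts: 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///, 5900/filtered/tcp//vnc///\tIgnored State: closed (997)
Host: 10.0.5.40 (ap-showroom)\tStatus: Up
# Nmap done: 4 IP addresses (4 hosts up) scanned
"""

# Host line: "Host: <ip> (<name>)\tPorts: <list>\t..."; each port entry is port/state/proto/owner/service/rpc/version/
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\t|$)")
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//")

def parse_grepable(text):
    """Return {ip: [(port, state, proto, service), ...]} for every host line with a Ports: field."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and "Status: Up" lines carry no ports
        ip, _name, ports_field = m.groups()
        hosts[ip] = [(int(p), st, pr, sv) for p, st, pr, sv in PORT_RE.findall(ports_field)]
    return hosts

def triage(hosts):
    """Keep only hosts with a risky TCP port in state 'open' (filtered/closed do not count)."""
    findings = defaultdict(lambda: {"critical": [], "review": []})
    for ip, ports in hosts.items():
        for port, state, proto, _svc in ports:
            if state != "open" or proto != "tcp":
                continue
            if port in CRITICAL_PORTS:
                findings[ip]["critical"].append(CRITICAL_PORTS[port])
            elif port in REVIEW_PORTS:
                findings[ip]["review"].append(REVIEW_PORTS[port])
    return {ip: f for ip, f in findings.items() if f["critical"] or f["review"]}

if __name__ == "__main__":
    for ip, f in sorted(triage(parse_grepable(SAMPLE_GREPABLE)).items()):
        print(f"{ip}: critical={f['critical']} review={f['review']}")
```

Hosts in the "critical" list are the ones the post says to shut down first; "review" hosts are the SSH and NetBIOS cases to check by hand.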