Posts Tagged ‘VPN’

Quick Update to a Radiotope Guide for Built-In Mac OS X VPN Connections

Tuesday, March 26th, 2013

Just a note for those folks with well-worn bookmarks to this post on Ed Marczak’s blog, Radiotope.com, on authenticating VPN connections with Mac OS X Server’s Open Directory, which is still valid today. When trying to use the System Preferences VPN client/network adapter with the built-in L2TP server in the Sonicwall, though, I was curious why OD auth wasn’t working for me while users local to the Sonicwall could connect. It had been a while since I last set it up, so I went spelunking through search results and found a link that did the trick.

In particular, a comment by Ted Dively brought to my attention the fact that you need to change the order of authentication types that the L2TP service is configured to use (in the VPN sidebar item, L2TP Server, click the Configure button and look under the PPP tab) so that PAP is used instead of the more standard MSCHAPv2.

[Screenshot: where it's done]

We hope that is of help to current and future generations.

Secure Site-to-Site VPN tunnel using the ASA

Sunday, April 8th, 2012

Site to Site VPN enables an encrypted connection between private networks over a public network (i.e. the Internet).

Basic steps to configure a site-to-site VPN with a Cisco ASA begin with defining the ISAKMP Policy. An ISAKMP/IKE policy defines how a connection is to be created, authenticated, and protected. You can have multiple policies on your Cisco ASA. You might need to do this if your ASA needs to connect to multiple devices with different policy configurations.

  • Authentication: specifies the method to use for device authentication
  • Hash: specifies the HMAC function to use
  • Encryption: specifies which algorithm to use
  • Group: specifies the DH key group to use

Next, you will need to define an IPsec transform set. Different firmware versions and different Cisco devices offer different subsets of the following:

  • esp-md5-hmac: ESP with the MD5 (HMAC variant) authentication algorithm
  • esp-aes: ESP with the 128-bit Advanced Encryption Standard (AES) encryption algorithm
  • esp-des: ESP with the 56-bit Data Encryption Standard (DES) encryption algorithm
  • esp-3des: ESP with the 168-bit DES encryption algorithm (3DES or Triple DES)
  • ah-md5-hmac: AH with the MD5 (HMAC variant) authentication algorithm
  • ah-sha-hmac: AH with the SHA (HMAC variant) authentication algorithm

3. Configure the crypto access list

Crypto ACLs identify which traffic is to be encrypted and which is not. After the ACL is defined, the crypto map uses it to identify the traffic that IPsec protects.

It is not recommended to use the permit ip any any command: it causes all outbound traffic to be encrypted and sent to the specified peer.

4. Configure the crypto map

The crypto map binds together the parameters defined above: the crypto ACL, the transform set and the peer address.

5. Now apply crypto map to the outside interface.


Configuration of ASA-1

You might first have to enable ISAKMP on your device:

ASA-1(config)#crypto isakmp enable

First, define the IKE policy on ASA-1:

ASA-1(config)#crypto isakmp policy 10

The lower the policy number, the higher its priority: the ASA offers its policies to the peer in priority order, so the numbering affects which policy is negotiated between sites.

The general rule of thumb is to give the most secure policy the lowest number (like 1) and the least secure policy the highest number (like 10000).

ASA-1(config-isakmp)#encryption des

(enable encryption des)

ASA-1(config-isakmp)#hash md5

(enable algorithm md5 for hashing)

ASA-1(config-isakmp)#authentication pre-share

(use pre-shared key authentication)

ASA-1(config-isakmp)#group 2

(use Diffie-Hellman group 2)

ASA-1(config-isakmp)#exit

(Exit from crypto isakmp mode)

  • The next step is to create a pre-shared key (password) on ASA-1.

ASA-1(config)#crypto isakmp key office address 10.1.1.2

(Here the key is “office” and 10.1.1.2 is the address of ASA-2)

  • Now create an access list to define only interesting traffic.

ASA-1(config)#access-list 100 permit ip host 10.1.1.1 host 10.1.1.2

(100 is access list number and 10.1.1.1 is source address and 10.1.1.2 is destination address.)

  • Now create the transform-set for encryption and hashing.

ASA-1(config)#crypto ipsec transform-set ts2 esp-des esp-md5-hmac

(Here encryption type is des and hashing method is md5-hmac)

ASA-1(config)#crypto map testcryp 10 ipsec-isakmp

(crypto map name testcryp)

ASA-1(config)# crypto map testcryp 10 match address 100

(apply the access list)

ASA-1(config)# crypto map testcryp 10 set transform-set ts2

(apply the transform set)

ASA-1(config)# crypto map testcryp 10 set peer 10.1.1.2

(Set remote peer address)

  • Now apply the crypto map to the ASA-1 outside interface.

ASA-1(config)# crypto map testcryp interface outside

(Apply crypto map on outside interface)

ASA-1(config)# crypto isakmp enable outside

(enable ISAKMP on the outside interface)

Configuration of ASA-2

First, define the IKE policy on ASA-2:

ASA-2(config)#crypto isakmp policy 10

(10 is the ISAKMP policy number)

ASA-2(config-isakmp)#encryption des

(enable encryption des)

ASA-2(config-isakmp)#hash md5

(enable algorithm md5 for hashing)

ASA-2(config-isakmp)#authentication pre-share

(use pre-shared key authentication)

ASA-2(config-isakmp)#group 2

(use Diffie-Hellman group 2)

ASA-2(config-isakmp)#exit

(Exit from crypto isakmp mode)

  • The next step is to create a pre-shared key (password) on ASA-2.

ASA-2(config)#crypto isakmp key office address 10.1.1.1

(Here the key is “office” and 10.1.1.1 is the address of ASA-1)

  • Now create an access list to define only interesting traffic.

ASA-2(config)#access-list 100 permit ip host 10.1.1.2 host 10.1.1.1

(100 is access list number and 10.1.1.2 is source address and 10.1.1.1 is destination address.)

  • Now create the transform-set for encryption and hashing.

ASA-2(config)#crypto ipsec transform-set ts2 esp-des esp-md5-hmac

(Here encryption type is des and hashing technique is md5-hmac)

ASA-2(config)#crypto map testcryp 10 ipsec-isakmp

(crypto map name testcryp)

ASA-2(config)# crypto map testcryp 10 match address 100

(apply the access list)

ASA-2(config)# crypto map testcryp 10 set transform-set ts2

(apply the transform set)

ASA-2(config)# crypto map testcryp 10 set peer 10.1.1.1

(Set remote peer address)

  • Now apply the crypto map to the ASA-2 outside interface.

ASA-2(config)# crypto map testcryp interface outside

(Apply crypto map on outside interface)

ASA-2(config)# crypto isakmp enable outside

(enable ISAKMP on the outside interface)

Now, to verify the secure tunnel, ping the other site’s address from ASA-2:

ASA-2(config)# ping 10.1.1.1
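As an added illustration (not part of the original post), here is a small Python audit that reads an ASA/IOS-style configuration such as the one above and flags the weak choices it contains: DES and MD5 in the IKE policy, DH group 2, a six-character pre-shared key, and the esp-des/esp-md5-hmac transform set. The severity tables and the hardened counterpart configuration are this example's own assumptions; transform keyword availability varies by firmware, as noted above.

```python
import re
from dataclasses import dataclass

# Classification tables are this example's own assumptions, not settings from the post.
WEAK_IKE_ENC = {"des", "3des"}
WEAK_IKE_HASH = {"md5"}
LEGACY_IKE_HASH = {"sha"}              # IOS/ASA keyword for HMAC-SHA-1
WEAK_DH_GROUPS = {"1", "2", "5"}       # 768-, 1024- and 1536-bit MODP
WEAK_TRANSFORMS = {
    "esp-des": "56-bit DES encryption",
    "esp-3des": "3DES encryption",
    "esp-md5-hmac": "HMAC-MD5 integrity",
    "ah-md5-hmac": "HMAC-MD5 integrity",
}
LEGACY_TRANSFORMS = {"esp-sha-hmac", "ah-sha-hmac"}   # HMAC-SHA-1
MIN_PSK_LENGTH = 20                                   # constructed threshold


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    where: str      # the statement that triggered the finding
    message: str


def strip_prompt(line):
    """Drop a CLI prompt such as 'ASA-1(config-isakmp)#' so a pasted session parses too."""
    return re.sub(r"^\S*\(config[^)]*\)#\s*", "", line.strip())


def audit_config(text):
    """Return Findings for weak IKE/IPsec choices in an ASA/IOS-style configuration."""
    findings = []
    policy = None   # number of the 'crypto isakmp policy' block we are inside, if any
    for raw in text.splitlines():
        words = strip_prompt(raw).split()
        if not words:
            continue
        if words[:3] == ["crypto", "isakmp", "policy"] and len(words) == 4:
            policy = words[3]
            continue
        if policy is not None and len(words) == 2 and words[0] in ("encryption", "hash", "group", "authentication"):
            key, val = words
            where = f"isakmp policy {policy}"
            if key == "encryption" and val in WEAK_IKE_ENC:
                findings.append(Finding("high", where, f"IKE encryption {val} is obsolete; use aes-256"))
            elif key == "hash" and val in WEAK_IKE_HASH:
                findings.append(Finding("high", where, "IKE hash md5 is broken; use sha256 or stronger"))
            elif key == "hash" and val in LEGACY_IKE_HASH:
                findings.append(Finding("medium", where, "IKE hash sha (SHA-1) is legacy; prefer sha256 or stronger"))
            elif key == "group" and val in WEAK_DH_GROUPS:
                findings.append(Finding("high", where, f"DH group {val} is too small; use group 14 or larger"))
            continue
        policy = None   # 'exit' or any other global command ends the policy block
        if words[:3] == ["crypto", "isakmp", "key"] and len(words) >= 4:
            if len(words[3]) < MIN_PSK_LENGTH:
                findings.append(Finding("medium", "crypto isakmp key",
                                        f"pre-shared key is only {len(words[3])} characters; use a long random secret"))
        elif words[:3] == ["crypto", "ipsec", "transform-set"] and len(words) >= 5:
            where = f"transform-set {words[3]}"
            for transform in words[4:]:
                if transform in WEAK_TRANSFORMS:
                    findings.append(Finding("high", where, f"{transform} uses {WEAK_TRANSFORMS[transform]}"))
                elif transform in LEGACY_TRANSFORMS:
                    findings.append(Finding("medium", where, f"{transform} uses SHA-1; prefer a SHA-2 variant if the firmware offers one"))
        elif words[0] == "access-list" and words[2:] == ["permit", "ip", "any", "any"]:
            findings.append(Finding("high", f"access-list {words[1]}",
                                    "permit ip any any encrypts and sends all traffic to the peer"))
    return findings


def worst_severity(findings):
    """'high' if any high finding exists, 'medium' if only medium ones, else 'ok'."""
    levels = {f.severity for f in findings}
    return "high" if "high" in levels else "medium" if "medium" in levels else "ok"


# The ASA-1 commands from the post, pasted with their prompts (the audit strips them).
POST_ASA1_CONFIG = """
ASA-1(config)#crypto isakmp enable
ASA-1(config)#crypto isakmp policy 10
ASA-1(config-isakmp)#encryption des
ASA-1(config-isakmp)#hash md5
ASA-1(config-isakmp)#authentication pre-share
ASA-1(config-isakmp)#group 2
ASA-1(config-isakmp)#exit
ASA-1(config)#crypto isakmp key office address 10.1.1.2
ASA-1(config)#access-list 100 permit ip host 10.1.1.1 host 10.1.1.2
ASA-1(config)#crypto ipsec transform-set ts2 esp-des esp-md5-hmac
ASA-1(config)#crypto map testcryp 10 ipsec-isakmp
ASA-1(config)# crypto map testcryp 10 match address 100
ASA-1(config)# crypto map testcryp 10 set peer 10.1.1.2
ASA-1(config)# crypto map testcryp interface outside
"""

# Constructed hardened counterpart (assumed keywords; check what your firmware offers).
HARDENED_CONFIG = """
crypto isakmp policy 10
encryption aes-256
hash sha256
authentication pre-share
group 14
exit
crypto isakmp key REPLACE-WITH-A-LONG-RANDOM-SECRET address 10.1.1.2
access-list 100 permit ip host 10.1.1.1 host 10.1.1.2
crypto ipsec transform-set ts2 esp-aes-256 esp-sha256-hmac
"""

if __name__ == "__main__":
    for f in audit_config(POST_ASA1_CONFIG):
        print(f"[{f.severity}] {f.where}: {f.message}")
    print("hardened config:", worst_severity(audit_config(HARDENED_CONFIG)))
```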

Use SSH Tunneling to Access Firewalled Devices

Friday, December 4th, 2009

Many environments have numerous Desktops or Servers which we may need to support remotely, but lack a full-fledged VPN solution. If the client has a server on a DMZ, or is forwarding SSH ports to a specific server, you can use SSH to then access other machines otherwise protected by the firewall.

For instance, say client MyCo has two servers: backup.myco.com and mail.myco.com. In this scenario, the backup server has no remote access, and mail.myco.com has access available over port 22. Let’s say the need arises to provide remote support for the backup server, which has both SSH and ARD/VNC enabled.

In this scenario, it is possible to open up a remote ARD session to the backup server from my remote laptop by utilizing ssh tunneling. To do so, I run the following command from my laptop:

ssh -L 5901:backup.myco.com:5900 -N mycoadmin@mail.myco.com

This command tells ssh to open up local port 5901 and tunnel it to mail.myco.com, which will in turn forward the traffic to server backup.myco.com over port 5900.

Once I have run this command, I can open up a VNC connection to the local port on my machine, which will then be forwarded through ssh to the client’s private backup server:

open vnc://127.0.0.1:5901

Alternatively, you may only want shell access to the firewalled server. To accomplish that, we can instead open up a port with ssh (once again, from my laptop):

ssh -L 50022:backup.myco.com:22 -N mycoadmin@mail.myco.com

From here I can ssh to the local port, which will once again forward to the backup server (this time over port 22):

ssh mycoadmin@127.0.0.1 -p 50022

Considerations:

In order for this to work, ssh must be enabled on any client or server that you want to access. Also, the publicly accessible server must be able to resolve the target name that you provide. For instance, in the above example, if “backup.myco.com” doesn’t properly resolve on mail.myco.com, then the solution will not work. In this instance, you could specify the internal IP of the backup server:

ssh -L 50022:192.168.55.10:22 -N mycoadmin@mail.myco.com

The local port is somewhat arbitrary (5901 and 50022 in my examples), you just want to make sure that the port is not in use, which can be determined by looking at the output of `netstat -a -p TCP`, or through `lsof -i TCP:50022` where ’50022′ is the local port you want to open.
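The port check and the tunnel command above, as an added Python helper that is not part of the original post: it probes whether the local port is free the way the netstat/lsof check does, and builds the ssh -L argument list with the listener bound to 127.0.0.1 and ExitOnForwardFailure set, so the forward is not reachable from other machines on your LAN and ssh does not sit idle if the jump host refuses the forward. Host names and the user name are the post's example values.

```python
import shlex
import socket


def local_port_free(port, host="127.0.0.1"):
    """True if nothing answers on host:port, the same question the post settles with
    'netstat -a -p TCP' or 'lsof -i TCP:<port>' before choosing a local port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.settimeout(0.5)
        return probe.connect_ex((host, port)) != 0


def pick_local_port(preferred, max_tries=20):
    """Return `preferred` if it is free, otherwise the next free port above it."""
    for port in range(preferred, preferred + max_tries):
        if local_port_free(port):
            return port
    raise RuntimeError(f"no free local port in {preferred}..{preferred + max_tries - 1}")


def build_tunnel_command(local_port, target_host, target_port, user, jump_host):
    """Assemble the 'ssh -L' invocation from the post as an argv list.

    Two additions over the post's one-liner: the listener is bound to 127.0.0.1
    explicitly (other hosts on the laptop's LAN cannot ride the tunnel), and
    ExitOnForwardFailure makes ssh exit instead of sitting idle if the forward
    cannot be established on the jump host.
    """
    if not 1024 <= local_port <= 65535:
        raise ValueError("local port must be an unprivileged port (1024-65535)")
    if not 1 <= target_port <= 65535:
        raise ValueError("target port out of range")
    if "@" in user or "@" in jump_host or ":" in target_host:
        raise ValueError("malformed user, jump host or target host")
    forward = f"127.0.0.1:{local_port}:{target_host}:{target_port}"
    return ["ssh", "-L", forward, "-N", "-o", "ExitOnForwardFailure=yes", f"{user}@{jump_host}"]


def client_url(scheme, local_port):
    """URL to hand to the local client once the tunnel is up, e.g. vnc://127.0.0.1:5901."""
    return f"{scheme}://127.0.0.1:{local_port}"


if __name__ == "__main__":
    # Hosts and user name are the post's example values; the port choice is live.
    port = pick_local_port(5901)
    cmd = build_tunnel_command(port, "backup.myco.com", 5900, "mycoadmin", "mail.myco.com")
    print(shlex.join(cmd))
    print("then open:", client_url("vnc", port))
```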

The VPN

Wednesday, September 23rd, 2009

Virtual Private Networks, abbreviated “VPN”, are a technology that allows users to connect from one place to another securely. What makes it secure is that the connection between point A and point B is encrypted. An encrypted tunnel is built between point A and point B, and then data is passed through that tunnel.

VPNs come in many different types (protocols). Some of the most common include the following:

PPTP

Often called “dial up VPNs”, PPTP technically extends the functionality of PPP. It was originally developed by Microsoft, US Robotics, Ascend Communication, 3Com, and ECI Telematics. The first draft of their IETF document for the protocol extension was submitted in June, 1996. The protocol extension is supported by Linux, Mac and Windows workstations.

Current versions of all three operating systems include the VPN client application pre-installed. The server versions of all three operating systems can also be set up to allow PPTP connections. A Microsoft Routing and Remote Access Server (RRAS) typically uses Microsoft Point to Point Encryption (MPPE), which is based on RSA’s RC4 and supports up to 128-bit encryption.

IPSec

IPSec is short for Internet Protocol Security. It works on Layer 3 and is often called “Site to Site VPN”. It is usually used to connect one LAN to another LAN, most often using a hardware VPN unit on each side communicating with the other. It can also be used to connect a workstation to the corporate LAN, typically using proprietary software from the VPN manufacturer/developer (although you can sometimes use the built-in software in the operating system, as is the case with Windows). The protocol can function in two modes (Transport and Tunnel) and provides end-to-end security by authenticating and encrypting the packets between parties. It can support up to 168-bit encryption with 3DES.

SSL VPN

SSL VPN is a type of VPN that allows communication to happen over https via web browsers. The main advantage of SSL VPN is that no additional client software is required besides a web browser. Since no software needs to be installed on a computer, a user can access the corporate network via VPN from just about any computer (e.g. a public computer or kiosk). The disadvantage is that, because it tends to turn the applications you would normally use into web-type applications, you often lose some of the intended user experience of those converted applications.

L2TP

L2TP is short for Layer 2 Tunneling Protocol. It doesn’t do any encryption on its own, and is often used in conjunction with IPSec (L2TP/IPsec VPN). The biggest thing to remember about L2TP is that it allows more types of applications to communicate through the VPN connection than are supported in a standard IPSec implementation.

In a nutshell, deciding which VPN protocol to implement depends on your budget, the hardware that you have, what will be connecting (workstation/user, or LAN to LAN) and the ease of use.  Please feel free to contact us, and we will be happy to help plan out your VPN infrastructure, or answer any questions that you may have.

Traversing SonicWALLs with NetBIOS

Friday, August 15th, 2008

This article assumes that you already have a functioning Site to Site VPN connection setup.

1. On the SonicWALL with OS Standard, go to the ‘VPN > Advanced’ page and uncheck the box next to ‘Disable all VPN Windows Networking (NetBIOS) Broadcasts’. This is a global setting, and unless it is unchecked, no VPN SA will be able to pass NetBIOS broadcasts. When done, click on the ‘Apply’ button in the upper-right-hand corner to save and activate the change.

2. Then, go to the ‘VPN > Settings’ page and click on the ‘Configure’ icon next to the VPN policy you previously created to connect to the central site. On the pop-up that appears, go to the ‘Advanced’ tab and check the box next to ‘Enable Windows Networking (NetBIOS) Broadcast’. This is a per VPN SA setting and applies to this VPN tunnel only. When done, click on the ‘OK’ button to save and activate the change.

3. On the central site SonicWALL with OS Enhanced, go to the ‘VPN > Settings’ page and click on the ‘Configure’ icon next to the VPN policy you previously created to connect to the remote site. On the pop-up that appears, go to the ‘Advanced’ tab and check the box next to ‘Enable Windows Networking (NetBIOS) Broadcast’. When done, click on the ‘OK’ button to save and activate the change.

4. Then, go to the ‘Network > IP Helper’ page. Check the box next to ‘Enable IP Helper’, make sure the box next to ‘Enable DHCP Support’ is unchecked (unless you are using this feature; if DHCP is enabled you may not be able to uncheck this setting), and check the box next to ‘Enable NetBIOS Support’. You will notice that an autocreated IP Helper Policy is listed as a result of the previous step’s configuration. When done, click on the ‘Apply’ button in the upper-right-hand corner to save and activate the change.

5. On XP workstations you will need to reboot (or wait about 30 minutes) for the broadcasting to work and NetBIOS results to populate “Network Neighborhood”.
NOTE: On Vista workstations you can hit refresh a couple of times (this may take up to 5 minutes, but no reboot is required), and it should start populating pretty quickly.

Setting Up VPN Clients in OS X, Vista and Windows XP

Thursday, November 29th, 2007

The steps for setting up VPN connections are straightforward for both Macs and PCs. Here are the steps to follow for setting up a new VPN connection from a client desktop or laptop to its server:

Mac OS X (Tiger)
  • First, open the ‘Applications’ folder by going to the Finder and choosing “New Finder Window” from the “File” menu. Click on the “Applications” icon, then scroll down until you see the “Internet Connect” icon.
  • Click on the “Internet Connect” icon.
  • Next, go to the ‘File’ menu and select “New VPN Connection Window.”
  • On the window that pops up prompting you to choose which type of VPN, click ‘PPTP,’ then click ‘Continue.’
  • In the new window, for the configuration, click on ‘Other’ and select ‘Edit Configurations…’
  • A new window will come up. Type a description of the VPN connection in the Description text field.
  • Type in the DNS name of the server you want to connect to as the ‘Server Address.’
  • Type in the username you will use to access the server. This username should have already been created on the server.
  • In the next text box, enter your VPN password. The password should also have been previously set.
  • Un-check ‘Enable VPN on demand’, and ‘Encryption’ should be set to ‘Automatic’.
  • Click the ‘OK’ button. Your configuration is saved, and you are ready to connect.

Mac OS X (Leopard)
  • Go to the Apple menu in the upper left-hand corner of the top menu.
  • Click on System Preferences from the drop-down menu.
  • Click on the ‘Network’ icon.
  • In the right-hand menu, click on the drop-down menu next to ‘Configuration’, which currently says ‘Default’, and select ‘Add Configuration’.
  • Type in a name for the configuration: CITES VPN or the alternate name you chose in step # 8.

Mac OS X (Lion)
  • Go to the Apple menu in the upper left-hand corner of the top menu.
  • Click on System Preferences from the drop-down menu.
  • Click on the ‘Network’ icon.
  • Click on the ‘plus’ button at the bottom of the left column and choose VPN from the Interface drop-down menu.
  • Choose the type of connection from the ‘VPN Type’ menu (typically PPTP).
  • Label the connection with a name of your choosing in the ‘Service Name’ field.
  • Enter the proper information in the ‘Server Address’ and ‘Account Name’ fields.
  • If you are not using a shared computer, you can click on the ‘Authentication Settings’ button and enter your password to store it for future sessions.
  • Check the box labeled ‘Show VPN status in menu bar’.
  • From the menu, choose Connect <your chosen VPN label>; the status of the connection will update and start counting seconds when you are connected.

12. In the right-hand menu, enter the following information:

Configuration: DAS VPN (or a name of your choosing)
Server Address: the.vpn3.domain.com
Account Name: Your guest ID
Encryption: Maximum (128 bit only) from the drop-down menu

13. Check the box next to Show VPN status in menu bar.

Windows Vista
1. From the Start Menu, right click on Network and select Properties. This will open the Network and Sharing Center.
2. On the left side, click on Set up a connection or network.
3. Select Connect to a workplace.
4. Click on the Next button.
5. Select Use my Internet connection (VPN).
6. Replace the Example with the actual WAN IP address of the VPN server you will be connecting to. Also, you can change the name from VPN Connection to something that is more meaningful.
7. Click on the Next button.
8. Enter the User Name and Password of your VPN account.
10. Now from the Network and Sharing Center, you can go to Manage Network Connections to see the new VPN connection. This is also where you disconnect. To reconnect later, go to the Network and Sharing Center and click Connect to a network.

Using Apple AirPorts

Wednesday, November 29th, 2006

Intro
AirPort is a local area wireless networking system from Apple Computer based on the IEEE 802.11b (which runs at 11Mbps) standard (also known as Wi-Fi) and certified as compatible with other 802.11b devices. A later family of products based on the IEEE 802.11g (which runs at 54Mbps) specification is known as AirPort Extreme, offering speeds up to 54 megabits per second and interoperability with older (802.11b) products.
AirPort and AirPort Extreme in common usage can refer to the protocol (802.11b and 802.11g, respectively), the expansion card or the base station.
In Japan, AirPort is known as AirMac due to trademark conflicts.

When connecting a non-Mac machine to an AirPort running WEP, you will need to translate the WEP password into hex. This can be achieved by clicking on the password icon in the menu bar.

Airport Interface
AirPort Express and AirPort Extreme have a firmware limitation on the number of concurrently connected users. AirPort Express is limited to 10 concurrent users and AirPort Extreme is limited to 50.

Select “Enable interference robustness” when the base station is in an environment with other 2.4 GHz devices that can interfere with your network. Devices that can cause interference include cordless telephones, some television repeaters, and microwave ovens.

The GUI interface of Airport Admin only allows for 1 port at a time to be directed to an internal IP.

WAN
AirPort uses WDS. A Wireless Distribution System is a system that enables access points to be interconnected wirelessly. As described in IEEE 802.11, it allows a wireless network to be expanded using multiple access points without the need for a wired backbone to link them. Base stations connected through WDS cannot share their internet connection with other remote base stations. WDS can be configured automatically by the main base station as long as all of the AirPorts have their default settings and default passwords. WDS lists are built and tracked using AirPort IDs.

All base stations in a Wireless Distribution System must be configured to use the same radio channel, and share WEP keys if they are used. They can be configured to different service set identifiers. Since WDS needs all wireless stations to be on the same channel, changing the channel will break WDS.

LAN
PPPoE, Static IP, DHCP, WDS are all types of internet connections. PPTP is a VPN protocol. A virtual private network (VPN) is a private communications network often used within a company, or by several companies or organizations, to communicate confidentially over a publicly accessible network. VPN message traffic can be carried over a public networking infrastructure (e.g. the Internet) on top of standard protocols, or over a service provider’s private network with a defined Service Level Agreement (SLA) between the VPN customer and the VPN service provider.

PPPoE only requires an account name and password for a connection. PPPoE is primarily a DSL type of connection and is used to provide access to the internet connection only to authorized accounts.

Which is NOT an option for the LAN Addressing when setting up DHCP Ranges?
There are three classes of internal IP addresses: A, B and C. Class A has a range of 10.0.0.1 – 10.255.255.255 with a subnet mask of 255.0.0.0, which translates to about 16,777,215 addresses. Class B has a range of 172.16.0.1 – 172.31.255.254 with a subnet mask of 255.255.0.0, which translates to about 1,048,576 addresses. Class C has a range of 192.168.0.1 – 192.168.255.254, which translates to about 65,536 addresses. Every address with a prefix of 10., 172., or 192. is an internal IP.

DHCP needs to be turned on to be able to use the NAT feature. NAT might prevent users from printing to AppleTalk printers, since AppleTalk is an unroutable protocol. ‘Distribute IP addresses’ needs to be unchecked if AppleTalk printing is needed.

Security
Using AirPorts in conjunction with a RADIUS server allows for a stronger layer of authentication. Remote Authentication Dial In User Service (RADIUS) is an AAA (authentication, authorization and accounting) protocol for applications such as network access or IP mobility. It is intended to work in both local and roaming situations.

An SSID is visible by default. By checking the “Create a Closed Network” box you hide the SSID. To connect to a hidden SSID network, you must select “Other” from the AirPort drop-down menu.

The access control feature on the AirPort is used to allow only authorized MAC addresses wireless access to the AirPort. This feature does not support access control on the wired interface. This is not very secure, since there are ways to spoof MAC addresses. The AirPort allows the list to be exported for backup purposes or for importing to another base station.

Features
As a feature Airport offers parental controls for AOL as long as the AOL client is installed and configured properly.

DMZ is available on the airport by selecting the “Enable Default Host at” check box in the base station options.

Updating the firmware is simple and easy. If the interface prompts you for a firmware upgrade, simply hit the upload button to upgrade the firmware.

When sharing printers on an AirPort or AirPort Express, use the Bonjour protocol to set up the printers.

serveradmin in OS X

Monday, November 20th, 2006

Mac OS X Server is a strange beast. It has the ability to cause you to
think it’s the greatest thing in the world in that you can do all kinds of
complicated stuff quickly through a nice GUI. It can also dismay many of us
who know where Unix-specifics live in the OS and would prefer to configure
things there. So, where are all those settings that override so many of
the default Unix configuration files? Serveradmin is a command that gives
access to much of what you see in Server Admin and much of what you don’t.

Serveradmin use starts out with viewing data on a specific service. For
example, type sudo serveradmin fullstatus vpn and see a full status on the
settings and use of the vpn service. Or issue an sudo serveradmin settings
ipfilter command and see the settings applied to the firewall service. To
see all of the services you can configure and view type sudo serveradmin
list. Then look at doing a serveradmin start afp followed by a serveradmin
stop afp. Suddenly you are stopping and starting services on a server using
the command line, meaning you can actually issue these over an SSH session
rather than having to use ARD to connect. This can become invaluable when a
bad firewall rule locks you out of the Server Admin tool. Just issue a
serveradmin stop ipfilter and you’re right back in!

You can also set settings that aren’t available in the GUI. For example,
look at VPN. Let’s customize where we put our logs. First, type in sudo
serveradmin settings vpn. Now, look for the following entry:
vpn:Servers:com.apple.ppp.pptp:PPP:Logfile = "/var/log/ppp/vpnd.log"

To change this setting, type:
sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:PPP:Logfile = "/var/log/ppp/pptpvpnd.log"

Now the PPTP logs will be stored in a separate location than the logs for
the rest of the VPN service. This couldn’t have been done using a
configuration file, but only using the serveradmin command. Nifty!

Now let’s look at NAT. NAT is cool, but there’s just two buttons: Start and
Stop. So how would we require a proxy for Internet traffic? How about
this:
sudo serveradmin settings nat:proxy_only = yes

Or we could log denied access attempts using:
sudo serveradmin settings nat:log_denied = yes

These options aren’t available from the GUI at all. But what really happens
when we’re using these commands? Well, typically a plist file is being
updated. Any time you see a yes or no value then you are looking at a
boolean variable in a plist file. That log_denied variable is also stored
in /private/etc/nat/natd.plist in the lines:
log_denied

Fun stuff! In my book I actually go into a little more detail about
forwarding specific ports to other IP addresses using the NAT service as
well. That too happens in a plist.
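As an added example (not from the original post), the following Python parses the key = value lines that serveradmin settings prints, renders the command that changes one of them, and diffs two snapshots so a configuration change like the log file move above can be reviewed. The Logfile, proxy_only and log_denied lines in the sample are the ones quoted in the post; the other keys and values are constructed.

```python
import re

# Constructed sample of 'serveradmin settings' output. The Logfile, proxy_only and
# log_denied lines are quoted in the post; the remaining keys are made up for this example.
SAMPLE_SETTINGS = """\
vpn:Servers:com.apple.ppp.pptp:enabled = yes
vpn:Servers:com.apple.ppp.pptp:PPP:Logfile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions = 128
vpn:Servers:com.apple.ppp.l2tp:PPP:Logfile = "/var/log/ppp/vpnd.log"
nat:proxy_only = no
nat:log_denied = no
"""


def parse_value(token):
    """Convert one serveradmin value: "quoted string", yes/no boolean, integer, or raw text."""
    token = token.strip()
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1].replace('\\"', '"')
    if token == "yes":
        return True
    if token == "no":
        return False
    if re.fullmatch(r"-?\d+", token):
        return int(token)
    return token


def format_value(value):
    """Inverse of parse_value: booleans become yes/no (the plist boolean the post mentions)."""
    if isinstance(value, bool):
        return "yes" if value else "no"
    if isinstance(value, int):
        return str(value)
    return '"' + str(value).replace('"', '\\"') + '"'


def parse_settings(text):
    """Turn 'a:b:c = value' lines into a flat dict keyed by the full colon-separated path."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or " = " not in line:
            continue   # blank lines or anything that is not a setting line
        path, _, token = line.partition(" = ")
        settings[path] = parse_value(token)
    return settings


def set_command(path, value):
    """Render the command that changes one setting, as the post does for the PPTP log file."""
    return f"serveradmin settings {path} = {format_value(value)}"


def diff_settings(before, after):
    """List (path, old, new) for every setting that changed, was added or was removed."""
    changes = []
    for path in sorted(set(before) | set(after)):
        old, new = before.get(path), after.get(path)
        if old != new:
            changes.append((path, old, new))
    return changes


if __name__ == "__main__":
    current = parse_settings(SAMPLE_SETTINGS)
    wanted = dict(current)
    wanted["vpn:Servers:com.apple.ppp.pptp:PPP:Logfile"] = "/var/log/ppp/pptpvpnd.log"
    wanted["nat:log_denied"] = True
    for path, old, new in diff_settings(current, wanted):
        print(f"{path}: {old!r} -> {new!r}")
        print("  sudo " + set_command(path, new))
```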

Dual WANs for Your Office

Tuesday, September 5th, 2006

Often, a single internet connection is all that is needed to allow a group of computers to access the internet for websites, email and chatting. DSL, Cable Modem or a single T1 can often provide enough bandwidth for a small group of users.

As your company grows, there can come a point where the speed of the internet connection becomes a bottleneck, increasing the time for web pages to load and for emails to be sent and received. After you hit the limits of what a single connection is able to provide, one very cost effective way to address the issue is to add a second connection.

Adding a second internet connection to your network is also highly recommended if your business relies heavily on the internet. In the event of a downed internet connection, the outage could cost companies thousands of dollars in lost productivity and client interaction. By utilizing a second internet connection from an alternate provider, businesses can ensure a higher level of availability and uptime.

The equipment can be set up in one of two ways. When setup in a failover configuration, the second internet connection is used only when the primary fails. In typical configurations, the fast data connection such as a T1 is supplemented by the slower connection, such as DSL, to bear the burden of connectivity in the event of an outage.

When set up with load balancing, both internet connections are used simultaneously, with the traffic load being split and routed to the more ‘available’ connection. In this configuration, both data circuits should be sufficiently fast to allow the load to be effectively shared between both circuits, typically T1s.

318 is an expert in setting up and integrating Dual-WAN networks. It can be as simple as using a DSL line and a cable modem, or as robust as using two T1s from two different providers, or even a mix of a T1 and a WiMax link. If you think this is a situation that would suit your business, give 318 a call to discuss your options.

The Basics of Telecommuting

Wednesday, January 18th, 2006

Trying to imagine how to run an office in Los Angeles, New York City and London (with thoughts of Paris)? Well, there are a whole host of products looking to make your life easier. The hard part is figuring out which ones work best for each and every specific environment. Usually it boils down to matching your company’s business logic to products that are offered with an emphasis of working within your budget while attaining goals set forth by senior management.

Typically, the most paramount need businesses have with Remote Access Services (RAS) is file sharing. From Word and Excel documents to Final Cut projects, sharing files means sharing budgets, pictures, correspondence and other digital assets. It becomes increasingly important for individuals to be able to share files the larger an organization grows, and increasingly important to ensure that it’s done securely.

There are technologies today that allow for the efficient sharing of large files.

Companies with file servers know that a central repository (or a server) has many benefits, but when opening branch offices, special consideration must be given to the access that individuals have to the place where everyone’s data resides. Companies that haven’t yet encountered a need for a server may find that it is essentially required in order to share data between remote locations. Sometimes, files that are easily shared locally on one server become difficult to share between remote locations due to size or motion video issues.

Virtual Private Networks (VPNs) are the most common method in securely connecting multiple offices or locations. This is often handled within a company’s gateway (router). VPNs send data over the public Internet through encrypted “tunnels.” Using a VPN to connect two or more networks is also a way to help ensure ease of use, which becomes paramount in organizations that are increasingly complex from a technical point of view.

VPN Encryption ensures safe delivery of your data.

The second most common type of data for sharing between multiple locations is contacts, calendars and schedules. This type of sharing is often called “groupware.” Cross-Platform groupware products include Microsoft Exchange and Now Up-To-Date/Now Contact.

Groupware means workflow automation.

Exchange, a centrally managed groupware solution, allows staff members highly configurable access to items that other staff members or workgroup members are working on. With the release of Office 2004, most of the Exchange features available for the PC are now available through the Mac. Sharing calendars, emails and contacts is what Exchange is all about. However, the product is still a little limited in what it can do on the Mac.

Many cross-platform companies still have the need for this detailed level of sharing, and have turned to products like Now Up-To-Date and Now Contact. With Now Up-To-Date it is possible to view schedules across networks easily. One use of this has been to use a key to specifically switch between the calendars of Editors in London and editors in Los Angeles. This allows one person to handle schedules in multiple offices, and everyone to see live scheduling data.

The same goes for contacts. Using Keywords or categories (two different options), users can find contacts quickly based in whichever city they choose. Using the notes feature of Now Contact, it is possible to track correspondence, meetings and phone calls on a per contact basis. This way, each person that talks to a client is able to see who spoke to him or her last, when they spoke to them and what it was about. This enables companies to rely on the data as opposed to the people, allowing business processes to occur out of any office they choose.

Internet Security 101

Monday, January 16th, 2006

“We’re not a high profile target.” We’ve heard it countless times before, but that argument just doesn’t hold up any more. There are malicious applications out there that scan entire chunks of the internet for computers that are vulnerable to specific attacks.

Most small businesses hold the position that because they are not a “high profile target”, such attacks do not represent a threat to them. In terms of modern security, the attitude of “We’re not NASA, and therefore our information is not confidential enough to protect” just doesn’t hold up.

The security attacks described in this article are sometimes less about your competition covertly gaining access to your trade secrets or client/job data, and more about random entities exploiting your precious technology resources. In addition to stealing confidential data, Internet attacks can compromise the performance of your technology assets with bots and other spyware, as well as use up most if not all of your Internet bandwidth. All of these potential symptoms cost a business in lost productivity and in the direct costs of having to resolve the performance issues.

No device that’s open to the web’s protocols is secure

Nearly every router and firewall, from consumer grade to professional grade, has an option to designate a “Demilitarized Zone”, or DMZ host. On these devices the DMZ setting forwards every unsolicited incoming connection from the Internet to one specific computer on the inside. The standard setup in a small office with a single server is often simply to put that server in the DMZ, especially when the server is being used for multiple purposes (web server, FTP server, mail server, etc.). Each of these services listens on a specific port so that incoming requests can be told apart; web traffic, for example, typically uses port 80. When choosing which ports to let into a network, remember that the less traffic that comes in, the better: forward only the ports for the services you actually mean to publish. With a DMZ host, however, all 65,535 TCP ports are reachable from the outside, so every service running on that machine, including ones nobody remembers enabling, is exposed for attackers to scan, infiltrate and exploit.

Selectively granting access is now a must.

Attackers are also using Google to find unsecured systems that accidentally get crawled (a book on hacking with Google was just released). If one of your systems is compromised by a hacker and used to launch an attack on another computer, those victims may well have grounds to sue you for damages in court.

Another excuse that doesn’t hold up any more is, “It’s a Mac, and they’re secure.” It’s true that Mac OS X has been labeled the “most secure” OS on the market. However, the MOST secure doesn’t mean FULLY secure. Macs are going to become higher-profile targets as more and more attacks are aimed at them, even if there are still far fewer people attacking them than attacking Windows.

Since nothing that’s open to the web is fully secure, and nearly every business relies on open connections to the Internet to remain competitive, Three18 recommends that our clients keep as many copies of everything important in as many locations as they can, and that they have routine security audits and port scans performed from outside their network.
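As an added example (not code from the original article), here is the core of the check that an external port-scan audit boils down to, and it also makes the DMZ-host problem described above concrete: parse the scan, compare every open port against the short list of services the office meant to publish, and flag the rest. The scan text, the IP addresses (from the 203.0.113.0/24 documentation range), the hostnames and the intended-services list are all constructed for the example; the output format is nmap’s “grepable” (-oG) style.

```python
"""Audit an inbound port scan against the services a site intended to expose.

Everything below is a constructed example: the scan output imitates nmap's
grepable (-oG) format, and the hosts, names and policy are hypothetical.
"""
from dataclasses import dataclass

# Hypothetical policy: the services the office meant to publish per public IP.
INTENDED = {
    "203.0.113.10": {25, 80, 443},  # mail/web server behind explicit port-forwards
    "203.0.113.11": {80},           # office server that was set as the router's DMZ host
}

# Services that should practically never be reachable from the Internet.
INTERNAL_ONLY = {
    21: "FTP", 23: "telnet", 139: "NetBIOS", 445: "SMB",
    548: "AFP", 3306: "MySQL", 3389: "RDP", 5900: "VNC",
}

# Constructed scan output (not a real scan). Fields are tab-separated; each
# port entry is port/state/protocol/owner/service/rpc-info/version.
SCAN = """\
# Nmap scan (constructed sample, not real output)
Host: 203.0.113.10 (mail.example.com)\tPorts: 25/open/tcp//smtp///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 203.0.113.11 (office.example.com)\tPorts: 21/open/tcp//ftp///, 80/open/tcp//http///, 445/open/tcp//microsoft-ds///, 548/open/tcp//afp///, 5900/open/tcp//vnc///\tIgnored State: closed (995)
Host: 203.0.113.12 ()\tStatus: Down
"""


@dataclass
class Finding:
    host: str
    port: int
    reason: str


def parse_grepable(text):
    """Return {ip: set of open TCP ports} for every host that reported ports."""
    open_ports = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        ports = set()
        for field_text in fields[1:]:
            if not field_text.startswith("Ports:"):
                continue
            for entry in field_text[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) >= 3 and parts[1] == "open" and parts[2] == "tcp":
                    ports.add(int(parts[0]))
        open_ports[ip] = ports
    return open_ports


def audit(open_ports, intended):
    """Flag every open port that is not on the host's intended-services list."""
    findings = []
    for host, ports in sorted(open_ports.items()):
        for port in sorted(ports - intended.get(host, set())):
            if port in INTERNAL_ONLY:
                reason = f"{INTERNAL_ONLY[port]} reachable from the Internet (internal-only service)"
            else:
                reason = "open but not in the intended-services list"
            findings.append(Finding(host, port, reason))
    return findings


def likely_dmz_hosts(open_ports, intended, threshold=3):
    """Heuristic: a host leaking several unintended services usually has no
    port filtering in front of it at all, i.e. it is the router's DMZ host."""
    return [
        host for host, ports in sorted(open_ports.items())
        if len(ports - intended.get(host, set())) >= threshold
    ]


if __name__ == "__main__":
    scanned = parse_grepable(SCAN)
    for f in audit(scanned, INTENDED):
        print(f"{f.host}:{f.port}  {f.reason}")
    for host in likely_dmz_hosts(scanned, INTENDED):
        print(f"{host} looks like an unfiltered DMZ host; replace with explicit port-forwards")
```

To produce real input, run a scan of your public address range from a machine outside the office (for example `nmap -sS -p- -oG scan.gnmap 203.0.113.0/24`, with your own range substituted) and feed the saved file to `parse_grepable`. The hosts and ports flagged are exactly the ones that “selectively granting access” would have kept off the Internet.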

Rotating redundant offsite backup solutions are critical.

The best way to protect your data is to back it up. When evaluating the costs, ask yourself how much money one day’s data is worth to your company. A week? A month? An hour? Then, make decisions on how often to back up based on the backup cost vs. the cost to recreate the data.

Protecting your business requires a plan for your perimeter, your data and your technology assets alike.

Now, having said all of this, the real cost of security is inconvenience. The rule of thumb is that the more security is applied to an environment, the less convenient access to that environment becomes.

More often than not, the cost of 100% security is too high for two reasons: it limits convenient access to a company’s data, both internally and remotely, which the company’s business processes often depend on; and it simply costs too much money to implement.

The best analogy is that of the homeowner who installs an alarm system and high quality locks on every door, but leaves the first-floor windows without bars. The home is protected at the typical entry points, yet in exchange for keeping a nice view through the windows it remains vulnerable at the same time.

Sometimes less than 100% is good enough.

Security, as with most business decisions, is a risk-based decision. Factors of costs, convenience and liability must all be considered to fully understand the implications of business security.