Tag Archives: Tips

Cabling Trials and Tribulations: Tips on Avoiding Problems | IT Infrastructure Advice, Discussion, Community


I’ve been involved in quite a few engagements that require new cabling. When I’m allowed, and it is a small job, I do it myself since it’s quicker. Lately, I’ve had to rely on cabling companies and been reminded of how things can go horribly wrong. In this article, I will outline what I’ve run into with the hopes that you will be prepared for your next cabling run. About 90 percent of the time the cabling companies do a great job, but every so often things go wrong.

Preparation is everything

I make sure I have drawings, specific instructions, photos, labels, and anything else that will make the cabling run as straightforward as possible. In most cases, I meet with the installers to walk them through what I need and ask for an ETA. I explain that I want to ensure that all cabling, patch panels, and everything else are labeled and accompanying documentation is provided. I also ask that we meet again after the work is completed to ensure all is well and any documentation is delivered before I sign off on the work.

So here’s some of the oddball stuff I’ve run into:

Electrical tape as a labelling technique: I’ve had three companies use electrical tape to identify new cable runs. Not sure what happened to good old cable labels. I went back and put proper labels on everything after they left and then documented accordingly.

Short runs: And I’m not talking about little to no slack. I’ve had two companies run cable that was 3 to 4 feet too short. When I showed one of the cabling companies that it was too short, they gave me some Ethernet female to female couplers and suggested I use a longer patch cable to make up the difference.

Connectors: I had an installation company literally pull and leave the cabling unterminated. When I asked when they would have the cabling terminated, the reply, “That’s extra.”

Outdoor cabling: One company used indoor cabling outside. When I explained that there’s outdoor grade cabling and asked why they used indoor cabling outside, they said, “Outdoor cabling is not required since the cabling is up against the building and protected.” Yikes!

Grounding: If your installer does not know the concepts of grounding and when it’s required, call someone else.

CAT5 vs. CAT6 vs. CAT7: I had a few companies install CAT5 and CAT6 when CAT7 was specifically ordered. One admitted that they used CAT5 since they have a lot of it in stock.

The moral of the story is that you, or someone you designate, should go back to check on the installation. In this video, I show you one of the short runs I ran into. In this case, I was able to cut the tie wraps, reroute the cabling, and mount the equipment at the top of the rack to make it work.

 




Best Practices, Tips, and Tricks to Switch Configuration | IT Infrastructure Advice, Discussion, Community


I’m working on a new network design for a remote location and thought I would share some of my best practices, tips and tricks.

In this article I will assume the general design has been sorted out and will go to the configuration phase.

In some large companies, this step can be very simple. You get an IP address and password configured.  After the switch is installed and powered on, the network staff can remote in and ‘push’ the final configuration to the switch. In this case, I do not have that option.

My checklist of items to configure will be based on the client design documentation. Here’s a quick list of items to cover: DHCP, routing, VLANs, Spanning Tree, passwords, backups/upgrades, access lists, interface descriptions, time servers, authentication details, telnet/SSH, web interface, sys logging, and SNMP. Let’s look at these items in more detail.

DHCP

(Cisco configuration example)

If your switch supports it, I always enable DHCP for the installation since the network connection to the production DHCP server may not be available. In some cases, I create a vendor VLAN, with DHCP that only allows access to specific networks or devices. That way the vendor isn’t always asking for a static IP when on site or guessing and causing a duplicate IP address situation. I’m sure we’ve all seen people invert the default and host IP address.

Routing

If the switch has routing capabilities, it is important to configure the proper default gateway or determine which specific routing protocols need to be supported. Pay attention to scenarios where you may have two or more default routes, since every vendor treats this differently: some round-robin by destination IP address, some treat the extra route as a failover, and some load balance based on all sorts of options. In this case, the client specified a static route to a single destination, easy.

VLANs

(Cisco configuration example)

Typically you will have two VLANs: admin and clients. Or in some cases three VLANs: admin, clients, and VoIP. It is very important to figure out as much of this as possible in advance for your IP subnetting design. In most cases, contiguous IP subnets are preferred. Don’t forget to put descriptions on your VLAN interfaces, if your device supports it. Deciding on your VLAN tagging configuration also falls into this category.

Spanning tree

Spanning tree, rapid spanning tree, or any of the other names that cover this same protocol, is always significant. This also includes specific items such as BPDU blocking and manually configuring priority values. In some specific cases, I disabled spanning tree, but refer to your design document.

Passwords

Figure out your password naming convention, how often it will change, and if you must include any authentication servers like RADIUS or TACACS+. You should check your equipment manual to see if your device supports advanced features like incorrect login lockouts, accounting, and alerts.

Backups/updates

I always keep the base configuration on the device and a USB key while installing in case I need to revert back to the original configuration. You need to consider how often you will back up device configurations. There are many options, from manually backing up configurations, to scripts and finally applications that will back up whenever changes are made.  I have written quite a few scripts for clients that did not have a solution in place to perform a weekly backup. Don’t forget about backing up your firmware, IOS, and equipment software.  It is quite common to discover the device needs updates even though you just received it.

Access lists or filters

This covers device to protocol access. Device access is how you connect to the device with physical ports like Ethernet, Serial, USB, and others. I am not a fan of leaving physical ports without passwords unless the client specifically requests it. If your device has various ‘levels of access’, avoid using the same password for each. If you are going to create multiple user accounts, try to do it by job function or department like WAN, WiFi, Voice, and others.

Then there are other forms of access like HTTP/HTTPS, Telnet/SSH, APIs, and vendor-specific applications/protocols. Protocol access involves allowing access to specific protocols, IP addresses, or IP subnets. Depending on your product, this might cover items such as Telnet, SNMP, RMON, NetFlow, HTTP/HTTPS, and others. During the installation I believe it is critical to monitor new equipment and ensure all is well. In some cases we might enable SNMP for a while until the equipment is added to the corporate monitoring system.

Interface descriptions

(Cisco configuration example)

I can’t stress enough how important descriptions are for ALL devices when possible. Devices such as switches, routers, and firewalls may be in secured locations or offsite, so knowing what is connected to them speeds up troubleshooting. Do not rely solely on vendor discovery protocols since they may not be compatible with all equipment and you never know what devices will send them out. In specific scenarios, I actually disable discovery protocols on untrusted or public ports or networks since a lot of important information is being sent out all ports in clear text.

Sys logging, time servers and SNMP

This also covers other monitoring protocols such as NetFlow, RMON, and more. The point here is to decide what the addresses and credentials of these devices are in your environment and ensure the relevant protocols work before walking away.

All these points should be confirmed and reviewed during support and configuration changes.
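One way to make that review repeatable, shown here as an added example that is not part of the original article or any vendor tool: a Python script that checks a saved configuration for three of the checklist items above (missing interface descriptions, CDP left on for untrusted ports, and Telnet allowed on VTY lines). The sample configuration is constructed, and marking untrusted ports with `VENDOR` or `PUBLIC` in the description is an assumed convention.

```python
import re

# Constructed sample in Cisco IOS style; not taken from the article.
SAMPLE_CONFIG = """\
hostname sw-remote-1
!
interface GigabitEthernet0/1
 description Uplink to core router
!
interface GigabitEthernet0/2
 switchport access vlan 20
!
interface GigabitEthernet0/3
 description VENDOR guest port
!
interface GigabitEthernet0/4
 description VENDOR kiosk
 no cdp enable
!
line vty 0 4
 transport input telnet ssh
!
line vty 5 15
 transport input ssh
!
"""

def parse_blocks(config):
    """Group indented sub-commands under their 'interface'/'line' header."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith((" ", "\t")):
            if current is not None:
                blocks[current].append(raw.strip())
        elif re.match(r"(interface|line) ", raw):
            current = raw.strip()
            blocks[current] = []
        else:
            current = None  # '!' separator or a global command ends the block
    return blocks

def audit(config, untrusted_markers=("VENDOR", "PUBLIC")):
    """Return sorted (item, finding) tuples for three checklist items."""
    findings = []
    for header, cmds in parse_blocks(config).items():
        kind, name = header.split(" ", 1)
        if kind == "interface":
            desc = next((c[len("description "):] for c in cmds
                         if c.startswith("description ")), None)
            if desc is None:
                findings.append((name, "no description"))
            elif (any(m in desc.upper() for m in untrusted_markers)
                  and "no cdp enable" not in cmds):
                # CDP is on by default, so the explicit 'no' must be present
                findings.append((name, "CDP enabled on untrusted port"))
        else:  # a 'line' block (console, vty, aux)
            for c in cmds:
                if c.startswith("transport input") and \
                        {"telnet", "all"} & set(c.split()[2:]):
                    findings.append((name, "Telnet allowed"))
    return sorted(findings)

if __name__ == "__main__":
    for item, finding in audit(SAMPLE_CONFIG):
        print(f"{item}: {finding}")
```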




Four Tips to Worsen Your Network Security | IT Infrastructure Advice, Discussion, Community


If you want to keep your network infrastructure secured, you need to monitor what’s going on with routers, switches, and other network devices. Such visibility would enable you to quickly detect and investigate threats to perimeter security, such as unauthorized changes to configurations, suspicious logon attempts, and scanning threats. For example, improper changes of network device configurations will leave your network vulnerable to hackers who could break into your network. If you want to strengthen your network security, never follow these four tips.

Tip # 1: Don’t care about unauthorized logons

Most attempts to log on to a network device are valid actions by network administrators — but some are not. Inability to promptly detect suspicious logon attempts leaves your organization vulnerable to attackers. Unusual events include access by an admin outside of business hours or during holidays, failed logon attempts, or the modification of access rights, etc. An immediate alert about suspicious events enables IT personnel to take action before security is compromised. This practice is also helpful for compliance audits, as it gives evidence that privileged users and their activities on your devices are closely watched (e.g., who is logging in and how often).
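The two unusual events named above that can be read straight from logon records, off-hours or holiday logons and repeated failed logons, can be detected as in the following added example (not from the original article). The log format, device names, business hours, holiday list and thresholds are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import date, datetime, time, timedelta

# Constructed events in a simplified, made-up format (not a real vendor layout).
SAMPLE_LOG = """\
2018-03-05T10:02:11 sw-core-1 LOGIN_SUCCESS user=alice src=10.0.5.20
2018-03-05T23:41:07 fw-edge-1 LOGIN_SUCCESS user=admin src=10.0.9.77
2018-03-06T09:15:00 rtr-wan-1 LOGIN_FAILED user=admin src=10.0.9.77
2018-03-06T09:15:20 rtr-wan-1 LOGIN_FAILED user=admin src=10.0.9.77
2018-03-06T09:15:41 rtr-wan-1 LOGIN_FAILED user=root src=10.0.9.77
2018-03-06T14:30:00 sw-core-1 LOGIN_FAILED user=bob src=10.0.5.31
2018-03-10T11:00:00 sw-core-1 LOGIN_SUCCESS user=alice src=10.0.5.20
"""

BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)  # assumed policy
HOLIDAYS = {date(2018, 3, 30)}                           # assumed calendar
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=5)    # assumed tuning

def parse(line):
    """Split one record into (timestamp, device, event, key=value fields)."""
    ts, device, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), device, event, fields

def off_hours(ts):
    """True on weekends, listed holidays, or outside business hours."""
    return (ts.weekday() >= 5 or ts.date() in HOLIDAYS
            or not BUSINESS_START <= ts.time() < BUSINESS_END)

def detect(log_text):
    """Return alert tuples: (kind, time, device, user, source IP)."""
    alerts = []
    recent_failures = defaultdict(deque)  # source IP -> failure timestamps
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts, device, event, f = parse(line)
        if event == "LOGIN_SUCCESS" and off_hours(ts):
            alerts.append(("OFF_HOURS_LOGON", ts.isoformat(),
                           device, f["user"], f["src"]))
        elif event == "LOGIN_FAILED":
            window = recent_failures[f["src"]]
            window.append(ts)
            while ts - window[0] > FAIL_WINDOW:  # drop failures older than the window
                window.popleft()
            if len(window) == FAIL_THRESHOLD:    # alert when the count reaches the threshold
                alerts.append(("REPEATED_FAILURES", ts.isoformat(),
                               device, f["user"], f["src"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

Failures are counted per source address rather than per user name, so the third failure is reported even though it tried a different account.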

Tip # 2: Configure your devices at random

The key threat associated with network devices is improper configuration. A single incorrect change can weaken your perimeter security, raise concerns during regulatory audits and even cause costly system outages that can bring your business down. For example, a firewall misconfiguration can give attackers easy access to your network, which could lead to lasting damage. Visibility into who changed what will provide you with insight and control of your network devices. Continuous auditing would enable you to have better user accountability and detect potential security incidents more quickly before they cause real trouble.

Tip # 3: Ignore scanning threats

Hackers often use network scanning to learn about a network’s structure and behavior before executing an attack on it. If you do not monitor your network devices for scanning threats, you might miss malicious activities until your sensitive data is compromised. To strengthen your protection against scanning threats and minimize the risk of data breaches, ensure continuous monitoring of network devices. Such visibility would enable you to understand which host and subnet were scanned, from which IP address it was initiated, and how many scanning attempts were made.
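The report described in the last sentence (which hosts and subnets were scanned, from which IP address, and how many attempts) can be built from firewall deny records, as in this added example that is not from the original article. The record format, the /24 grouping and the threshold of five distinct targets are assumptions, the sample records are constructed, and the whole sample is treated as one time window.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed firewall deny records in a simplified, made-up format.
SAMPLE_DENIES = """\
2018-03-06T02:10:01 fw-edge-1 DENY src=203.0.113.7 dst=10.1.2.10 dport=22
2018-03-06T02:10:01 fw-edge-1 DENY src=203.0.113.7 dst=10.1.2.11 dport=22
2018-03-06T02:10:02 fw-edge-1 DENY src=203.0.113.7 dst=10.1.2.12 dport=22
2018-03-06T02:10:02 fw-edge-1 DENY src=203.0.113.7 dst=10.1.2.13 dport=22
2018-03-06T02:10:03 fw-edge-1 DENY src=203.0.113.7 dst=10.1.3.5 dport=22
2018-03-06T02:10:09 fw-edge-1 DENY src=203.0.113.7 dst=10.1.2.10 dport=22
2018-03-06T03:00:00 fw-edge-1 DENY src=198.51.100.23 dst=10.1.2.10 dport=21
2018-03-06T03:00:00 fw-edge-1 DENY src=198.51.100.23 dst=10.1.2.10 dport=22
2018-03-06T03:00:01 fw-edge-1 DENY src=198.51.100.23 dst=10.1.2.10 dport=23
2018-03-06T03:00:01 fw-edge-1 DENY src=198.51.100.23 dst=10.1.2.10 dport=80
2018-03-06T03:00:02 fw-edge-1 DENY src=198.51.100.23 dst=10.1.2.10 dport=443
2018-03-06T09:30:00 fw-edge-1 DENY src=10.0.5.20 dst=10.1.2.10 dport=3389
"""

LINE_RE = re.compile(r"^(\S+) (\S+) DENY src=(\S+) dst=(\S+) dport=(\d+)$")

def find_scanners(log_text, min_targets=5, prefix=24):
    """Summarise sources that were denied on many distinct host/port pairs."""
    attempts = defaultdict(int)
    targets = defaultdict(set)  # source IP -> {(destination host, port)}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a deny record
        _ts, _fw, src, dst, dport = m.groups()
        attempts[src] += 1
        targets[src].add((ipaddress.ip_address(dst), int(dport)))
    report = []
    for src, seen in targets.items():
        if len(seen) < min_targets:
            continue  # a few stray denies are normal noise
        hosts = sorted({h for h, _ in seen})
        ports = sorted({p for _, p in seen})
        subnets = sorted({ipaddress.ip_network(f"{h}/{prefix}", strict=False)
                          for h in hosts})
        report.append({
            "source": src,
            "attempts": attempts[src],
            "hosts": [str(h) for h in hosts],
            "subnets": [str(n) for n in subnets],
            "ports": ports,
            "pattern": "host sweep" if len(hosts) > len(ports) else "port sweep",
        })
    return sorted(report, key=lambda r: -r["attempts"])

if __name__ == "__main__":
    for row in find_scanners(SAMPLE_DENIES):
        print(row)
```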

Tip # 4: Ease control of VPN logons

Virtual private network (VPN) access is a popular way to improve the security of remote connections for many organizations, but there are many security risks associated with it. In reality, VPN connections are usually used by anyone in the organization without any approvals. The best practices recommend providing access to network resources via VPN only after proper approvals and only to users that need access according to their business need. However, practice shows that there are no 100 percent secured VPNs and any VPN connection is a risk. The major risk scenarios include a user connecting via public Wi-Fi (since someone might steal their credentials) or a user who doesn’t usually work with VPN suddenly beginning to use it (which can be a sign that a user has lost their device and someone else is trying to log in using it). Visibility into network devices enables you to keep track of each VPN logon attempt. Such visibility also provides information about who tried to access your network devices, the IP address each authentication attempt was made from, and the cause of each failed VPN logon.




5 Easy Tips for Linux Web Browser Security | Linux.com


If you use your Linux desktop and never open a web browser, you are a special kind of user. For most of us, however, a web browser has become one of the most-used digital tools on the planet. We work, we play, we get news, we interact, we bank… the number of things we do via a web browser far exceeds what we do in local applications. Because of that, we need to be cognizant of how we work with web browsers, and do so with a nod to security. Why? Because there will always be nefarious sites and people, attempting to steal information. Considering the sensitive nature of the information we send through our web browsers, it should be obvious why security is of utmost importance.

So, what is a user to do? In this article, I’ll offer a few basic tips, for users of all sorts, to help decrease the chances that your data will end up in the hands of the wrong people. I will be demonstrating on the Firefox web browser, but many of these tips cross the application threshold and can be applied to any flavor of web browser.

1. Choose Your Browser Wisely

Although most of these tips apply to most browsers, it is imperative that you select your web browser wisely. One of the more important aspects of browser security is the frequency of updates. New issues are discovered quite frequently and you need to have a web browser that is as up to date as possible. Of major browsers, here is how they rank with updates released in 2017:

  1. Chrome released 8 updates (with Chromium following up with numerous security patches throughout the year).

  2. Firefox released 7 updates.

  3. Edge released 2 updates.

  4. Safari released 1 update (although Apple does release 5-6 security patches yearly).

But even if your browser of choice releases an update every month, if you (as a user) don’t upgrade, that update does you no good. This can be problematic with certain Linux distributions. Although many of the more popular flavors of Linux do a good job of keeping web browsers up to date, others do not. So, it’s crucial that you manually keep on top of browser updates. This might mean your distribution of choice doesn’t include the latest version of your web browser of choice in its standard repository. If that’s the case, you can always manually download the latest version of the browser from the developer’s download page and install from there.

If you like to live on the edge, you can always use a beta or daily build version of your browser. Do note that using a daily build or beta version comes with the possibility of unstable software. Say, however, you’re okay with using a daily build of Firefox on an Ubuntu-based distribution. To do that, add the necessary repository with the command:

sudo apt-add-repository ppa:ubuntu-mozilla-daily/ppa

Update apt and install the daily Firefox with the commands:

sudo apt-get update

sudo apt-get install firefox

What’s most important here is to never allow your browser to get far out of date. You want to have the most updated version possible on your desktop. Period. If you fail this one thing, you could be using a browser that is vulnerable to numerous issues.

2. Use A Private Window

Now that you have your browser updated, how do you best make use of it? If you happen to be of the really concerned type, you should consider always using a private window. Why? Private browser windows don’t retain your data: No passwords, no cookies, no cache, no history… nothing. The one caveat to browsing through a private window is that (as you probably expect), every time you go back to a web site, or use a service, you’ll have to re-type any credentials to log in. If you’re serious about browser security, never saving credentials should be your default behavior.

This leads me to a reminder that everyone needs: Make your passwords strong! In fact, at this point in the game, everyone should be using a password manager to store very strong passwords. My password manager of choice is Universal Password Manager.

3. Protect Your Passwords

For some, having to retype those passwords every single time might be too much. So what do you do if you want to protect those passwords, while not having to type them constantly? If you use Firefox, there’s a built-in tool, called Master Password. With this enabled, none of your browser’s saved passwords are accessible, until you correctly type the master password. To set this up, do the following:

  1. Open Firefox.

  2. Click the menu button.

  3. Click Preferences.

  4. In the Preferences window, click Privacy & Security.

  5. In the resulting window, click the checkbox for Use a master password (Figure 1).

  6. When prompted, type and verify your new master password (Figure 2).

  7. Close and reopen Firefox.

4. Know your Extensions

There are plenty of privacy-focused extensions available for most browsers. What extensions you use will depend upon what you want to focus on. For myself, I choose the following extensions for Firefox:

  • Firefox Multi-Account Containers – Allows you to configure certain sites to open in a containerized tab.

  • Facebook Container – Always opens Facebook in a containerized tab (Firefox Multi-Account Containers is required for this).

  • Avast Online Security – Identifies and blocks known phishing sites and displays a website’s security rating (curated by the Avast community of over 400 million users).

  • Mining Blocker – Blocks all CPU-Crypto Miners before they are loaded.

  • PassFF – Integrates with pass (A UNIX password manager) to store credentials safely.

  • Privacy Badger – Automatically learns to block trackers.

  • uBlock Origin – Blocks trackers based on known lists.

Of course, you’ll find plenty more security-focused extensions for:

Not every web browser offers extensions. Some, such as Midori, offer a limited number of built-in plugins that can be enabled/disabled (Figure 3). However, you won’t find third-party plugins available for the majority of these lightweight browsers.

5. Virtualize

For those that are concerned about releasing locally stored data to prying eyes, one option would be to only use a browser on a virtual machine. To do this, install the likes of VirtualBox, install a Linux guest, and then run whatever browser you like in the virtual environment. If you then apply the above tips, you can be sure your browsing experience will be safe.

The Truth of the Matter

The truth is, if the machine you are working from is on a network, you’re never going to be 100% safe. However, if you use that web browser intelligently you’ll get more bang out of your security buck and be less prone to having data stolen. The silver lining with Linux is that the chances of getting malicious software installed on your machine are exponentially less than if you were using another platform. Just remember to always use the latest release of your browser, keep your operating system updated, and use caution with the sites you visit.

5 Storage Administrator Survival Tips


IT administration is under siege today. Automation is the buzzword in computer management and that holds true for data storage. The traditional storage admin has to wonder if he or she has a future in IT or if it’s time to become an Uber driver!

The cloud has precipitated this changing and volatile environment. For large cloud providers that are massively scaled, automation is the only option. To compound the storage administrator’s woes, though, the decline of the storage area network (SAN) clearly indicates that traditional skills of LUNs and rebuild windows won’t suffice much longer.

But there’s a huge opportunity in the new storage approaches! We already are seeing a rich ecosystem of new tools and approaches. On the one hand, we have small, but ultra-fast solid-state drive appliances, while an alternative architecture leads us to hyperconverged systems. Around each of these is a constellation of software products to manage and optimize storage operations. All of these provide a place for those admins willing to expand their horizons to find a meaningful co-existence with automation.

My first tip for survival is to make yourself useful to the business. No, that doesn’t mean becoming the go-to man for SANs! Your managers and the CIO all feel that grim reaper too. They’ll want to explore alternatives, so learn enough to test out new storage technologies. You don’t have to be an expert; remember, in the land of the blind, the one-eyed man is king! But you have to know enough to be credible. 

The new storage solutions are going to look like Lego parts, with a huge variety of pieces complementing the basic bricks. You’ll need to gain some software skills and learn best practices for putting these pieces together in a way that best fits your company.

With some foresight and willingness to go beyond their comfort zone, storage administrators can weather the rapidly changing IT environment. Read ahead for ideas on how to extend your storage career into the future.
