
Network Security

Network security consists of the policies adopted to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves the authorization of access to data in a network, and covers a variety of computer networks that conduct transactions and communications among businesses, government agencies and individuals. Networks can be private, such as within a company, or open to public access.

I am trying to set up a squid proxy to re-encrypt connections between old TLS1.0-enabled devices and modern web sites, which mostly support only TLS1.2+.
It is now capable of doing a TLS downgrade, i.e. translating TLS1.3 to TLS1.2. I know that because I can connect to a site which understands only up to TLS1.2 with the following command:
openssl s_client -tls1_3 -CAfile /etc/squid/cert.pem -connect tls12only.site.com:443 -tlsextdebug -proxy

And the s_client output contains these lines:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384

Removing the -proxy option in the command above makes the connection impossible.
So, now I need to make it work the opposite way: to upgrade the TLS version.
However, I found out that squid apparently does not support TLS1.0/TLS1.1 at all. OpenSSL itself does support them. The following command succeeds:
openssl s_client -tls1 -connect tls1only.site.com:443 -tlsextdebug

with the following in the output:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA

But the same does not work through the proxy:
openssl s_client -tls1 -CAfile /etc/squid/cert.pem -connect tls1only.site.com:443 -tlsextdebug -proxy
140360358970496:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1544:SSL alert number 70
no peer certificate available
No client certificate CA names sent
SSL handshake has read 46 

Which one is best, Splunk or OSSEC, for security monitoring and alerting?
We have overseas IT vendors who need to access our systems & we need them to go through our Barracuda WAF (it's internet-facing) before they connect to our CyberArk (a PAM solution like Thycotic, BeyondTrust) to get a video-recorded session to gain access to the production systems.

However, Barracuda engineering & the CyberArk vendor can't get the two products to work together, so now we have to expose the CyberArk portal to the Internet, for which audit will require 2FA.

Anyone know if CyberArk comes bundled with a 2FA solution?

If not, is there any free 2FA solution that could work with CyberArk? Something that sends an OTP to the specific IT vendor's overseas phone. We don't have the budget to get a 2FA solution. Mind giving me the steps to set this up as well?

I am trying to find out the company who owns this IP address, as it is being blacklisted.

I am using this link https://www.ultratools.com/tools/ipWhoisLookupResult and see the IP belongs to a server in the 1and1 network.

Please advise if there are additional things I should do.


We are using O365 with Office 365 Pro Plus.

There are times when some of our users need to include sensitive PII information in their emails to outside parties.  

What is the best way to secure those emails?  

Please advise.  

Hi All,

We have a Branch Office VPN established to one of our third-party suppliers for support purposes (we use a WatchGuard at our end). They would like a secondary tunnel established with different settings that will run side by side with the existing one. Am I OK to use our existing external IP as the external IP of the new tunnel? Will this work if both tunnels are required to be active at the same time, or does each tunnel have to have its own external IP assigned?

In view of the pandemic, 300-500 staff are to work from home using VPN.

I'll need an assessment of whether GPO updates (pushed down to those remote PCs that are company-owned PCs) should be disabled or enforced, so I need assessments from experts here.

a) if we don't push down the latest policies, NAC requirements like AV signatures & patches may not be up to date, & this work-from-home arrangement can last 1-2 months (subject to how long the health authority retains the alert level)

b) however, if we enforce & critical PCs are blocked from accessing due to outdated signatures/patches, it will be a service disruption to those critical users. Or if it's blocked, is it feasible for the support guys to exempt those PCs to enable them to temporarily connect (to get AV updates from our internal AV server) & WSUS?

c) is the GPO update going to consume a lot of bandwidth? We have 50Mbps dedicated for VPN users

d) for some reason (I don't know why), we permit split tunnelling on our VPN, though the PCs' browsers are locked (greyed out & users can't change) to go thru our company proxy so they can't browse the public Internet using IE/Chrome/FFox but only an ultra-secure browser (that disallows upload/downloads): only for trusted sites like our Intranet, zoom.us (for remote conferencing) & O365 URLs, we whitelist in the GPO (ie the 'exclusion' URLs/IP section in IE/Chrome) & proxy to enable IE/Chrome to

Is there a way to secure VPN client settings? Just want to know so that if a computer is stolen, how can we protect the VPN client settings from the thief?

We have at the moment Server 2008 R2 Standard and are going to replace it soon with Server 2019 Standard. We would like to introduce Two-Factor Authentication for our VPN connections. We would also like to introduce Two-Factor Authentication for our Office 365 subscriptions. We do not mind having two separate ones, but it would be nice to just have one solution for these two; it could be texts or the app. I know Microsoft has a free Authenticator app.

I assume that we will have to pay for the Two-Factor Authentication for our VPN connections so as long as it is within our budget it is okay. It would be perfect if we could introduce it now on Server 2008 R2 too.

What would you suggest? What are you using yourself?

I am working with a simple ACL, denying traffic to a subnet, except for DNS services. However, I am unable to get it to work correctly unless I use IP instead of TCP or UDP.

The DNS server is a simple BIND server

This does not work:

ip access-list extended "Guest Vlan Access"
     10 permit udp eq 53
     20 permit tcp eq 53
     30 deny ip log
     40 permit ip

This works but opens up more than I want:

ip access-list extended "Guest Vlan Access"
     11 permit ip
     30 deny ip log
     40 permit ip

Does someone have a policy statement, or can direct me to one, for WiFi? My company has internal WiFi, and staff that travel, so airports, Starbucks, bars (!). What should we be telling them? So far, we have said that any WiFi with no password protection is a no. I rush off the plane and check my email, and before you know it, I have been on the airport WiFi (no password) for an hour. Executives pay for access on the plane; is that safe?

Refer to attached.

What does "20/30 sec" under "cp attack" mean? I was googling for various Aruba docs but can't locate any documentation on this.

Appreciate it if you can point me to the documentation/link & indicate the page, as I need to explain to

If we don't do "NTP authentication" for our network devices (Aruba AP & switches, Cisco devices), what mitigating reasons can we cite? The fact that NTP traffic is only within the internal network, ... <pls add on>

Was told by a Wintel colleague that currently our AD servers (on Win2008 R2, which are going EoL this month) are configured such that they can't support NTP authentication; is this something very difficult to configure?

What other "microsoft.com" website do you recommend besides the below to get a patch HISTORY list ?

What "Network discovery .... software" do you recommend that will do something like https://www.solarwinds.com/engineers-toolset ?

1. Users = 50
2. VLAN = 1
3. OS = Windows 10 Pro
4. Switches = HP, willing to purchase NEWER models since mine are OLD
5. Cost = under $500 if possible, but OK if more

We are subscribing to Teammate SaaS (that's hosted in AWS) & our data to be hosted is deemed sensitive.

Is data at rest encrypted by default (whether it's the default offering by AWS or by Teammate)?

Is backup offered by default (by Teammate or by AWS?) or is this an optional item that we must subscribe to/purchase?

For data sovereignty purposes, can we specify to Teammate (or is it AWS) that the data must be hosted in an AWS DC in the local country only & not 'synced' overseas?

We are receiving SonicWall notifications as follows....

01/01/2020 09:32:05 - 82 - Security Services - Alert -, 443, X1 - 184.X.X.X, 17448, X1 - tcp - TCP scanned port list, 9413, 60235, 21498, 10021, 30893 - Possible port scan detected

This email was generated by: SonicOS Enhanced (18B1-69EB-9734)

X1 - 184.X.X.X is our WAN interface. This is an external port scan, correct? I'd like to eliminate this low-profile notification.

*** Alert from Network Security Appliance *** [FW-01P] [Port Scan Possible, Attacks, Security Services
How can we tell if an IP is assigned to a home user or an organization? For the IP below, it's indicated to belong to the ISP Starhub, but if we block it, it may block an entire organization from accessing our website.

Is it likely a home user is granted a static IP?

I know an ex-colleague had a way at the command line (script or whatever) to automate adding IPs to block malicious IPs for Nokia Checkpoint; that's years ago.

My current network colleague says it's very tedious to add IPs, as he has to create an object, then go into another screen to add it to a group, & we often get 100-700 IPs from threat intel (from a cyber regulator): is there a way to automate mass blocking for a CheckPoint Security Gateway 12600?? Isn't there a way to get to the SG12600's Unix command prompt & write a script to automate it?

For sure with Linux iptables we can do it easily by shell script.

Heard Palo Alto has an interface to add IPs en masse, but my network guy says CheckPoint (& possibly Fortigate) don't.

We have quite a handful (about 3 dozen) staff who bring our corporate laptops to our China branch & they're based there for months. We enable local admin for them (as sometimes when they're there, they need to install certain software as there's no PC/end-user support there) & we enable their laptops to connect to hotel/public places' WiFi.

They'll often VPN back to the local head office here to join our domain for Intranet services, and this is when their PCs are found to have malware, or when they are back here locally, their PCs are found to have numerous malware infections: we never know what happened and why their PCs' AV signatures are not updated while they're in China.

I'm proposing an apps whitelisting (that some of our critical PCs are mandated to have) be installed, as AV is a 'blacklisting' solution while apps whitelisting is more effective, but my colleague supporting apps whitelisting has the concern below:

"Not really suitable. Gotta be connected to vpn at least 2 hrs for baseline to complete, n if sth really breaks and they cant initiate vpn back, the whole laptop is as good as totally disconnected from network already. High risk thing to do. Wont be able to remotely change app whitelist settings unless they manage to connect back to vpn network. Main worry is if user hit prob doing vpn. "

Is the limitation/concern above valid, & isn't there a way to overcome it?

What other mitigations can we do for this group of users, assuming we can't take …

We're installing IP cameras, yet to determine which model.

What are the cybersecurity measures we ought to take?

Any hardening that can be done? Any other cyber measures to take?

Cameras to be connected to user VLANs, or a totally dedicated VLAN by itself, or ??

The recorded videos will be archived to a server? Encrypt it with which encryption, & any other handling methods?

Reckon IP cameras are treated as IoT, so in the event they need to be connected to the Internet, what further measures ought to be

Should we do a pentest using Tenable/Nessus against it? I recall we once did it with a PABX (which runs a custom RHEL & many of the vulnerabilities of RHEL are applicable).

Our network team raised a concern that with the number of IP addresses to block (currently we create a group & add in IP addresses) coming from the cyber regulator, it may hog/slow down our CheckPoint 12600.

What's the rule of thumb for the max number of rules for a 12600? We estimated the number of IPs to block to reach 5000 per year.

There's currently 1 rule, ie "Deny Threat_intel_list All for all ports/protocol": so with only 1 rule, does adding IPs to the "Threat_intel_list" cause slowness, or will adding to the # of IPs in the list increase the latency (make it slower) as well?

Q3: *** this question is crucial ***
We plan to break down that single rule into multiple rules, ie 1 rule for 1 IP from Threat Intel to block, so that we can assess if there are hits & subsequently assess whether to remove rules that don't have hits after, say, 6 months, so as to reduce the # of rules & load on the firewall: is this a good practice in terms of making the firewall faster? In terms of cybersecurity, we were advised by one vendor that this is a safe practice, as IOCs that are 'dormant' ought to be removed, just like AV vendors remove signatures for viruses that have not been seen in the wild for quite a while to reduce the size/length of the AV signature file/DB.

To do firewall rules review (ie remove rules, permit or block rules: permit as it means the endpoint device may have been decomm'ed & block if the IOC is not active), reckon we review if there are hits. Heard …

We need a solution that will allow us to send information (credit card #s, confidential memos...etc) to and from our remote offices, while having the ability to determine when that info gets automatically deleted on the remote end.
We're getting Nessus Tenable for vulnerability scans (likely with admin-credentialed scans) & likely penetration tests.

The above link has various views & I don't understand one of the lines:
"If you're not granting the scanner admin level access to your assets and you're allowing an IPS to interfere then you're doing yourself a disservice."

I intend to scan through the Network IPS because we may not be able to apply patches in time (can't test out patches & obtain downtime in time), so most likely we'll deploy NIPS virtual patches as interim remediation. So do we still scan using an 'admin credential' scan in my scenario?

Certainly don't plan to scan from the public Internet, but where is the best location within our Prod network to connect up this virtual (runs in a VM) scanner? Management VLAN, or in each Prod subnet we place one scanner, or run from a laptop & connect to a switch port which is assigned all the VLANs, or we just place it in the DMZ or an internal subnet & open up firewall rules? The firewall may slow down the scans.

From a security perspective, which is the most secure place to connect it, as we may use admin credentials (at this moment, no idea how to get it to integrate with TPAM, though we may move to CyberArk in 12-16 months' time, as Nessus told us it integrates with CyberArk, querying the password from CyberArk)?

I have this vulnerability in my environment and I need to fix it, but I don't know how. Can someone help?
"Configure the system to enable or require SMB signing as appropriate. The method and effect of doing this is system specific.
 Note: ensure that SMB signing configuration is done for incoming connections (Server)."
