Network Security Help & Support

In view of the pandemic, 300-500 staff are to work from home
using VPN.

I'll need an assessment if GPO update (push down to those
remote PCs that are company-owned PCs) should be disabled
or enforced so need assessments from experts here.

a) if we don't push down the latest policies, NAC requirements
like AV signatures & patches may not be up-to-date & this
work-from-home arrangement can last 1-2 months (subject
to how long the health authority retain the alert level)

b) however, if we enforce & critical PCs are blocked from
accessing due to outdated signatures/patches, it will be a
service disruption to those critical users. Or if it's blocked,
feasible for the support guys to exempt those PCs to
enable them to temporarily connect (to get AV updates
from our internal AV server) & WSUS?

c) is the GPO update going to consume a lot of bandwidth?
we have 50Mbps dedicated for VPN users

d) for some reason (I don't know why), we permit split
tunnelling on our VPN though the PCs' browsers are
locked (greyed out & users can't change) to go thru
our company proxy so they can't browse public Internet
using IE/Chrome/FFox but an ultra-secure browser (that
disallows upload/downloads): only for trusted sites like
our Intranet, zoom.us (for remote conferencing) & O365
URLs, we whitelist in the GPO (ie the 'exclusion' URLs/
IP section in IE/Chrome) & proxy to enable IE/Chrome to
…

6 Comments

Is there a way to secure a VPN client settings? Just want to know so that if a computer is stolen, how can we prevent the VPN client settings from the thief?

4 Comments

Hi

We have at the moment Server 2008 R2 Standard and are going to replace it soon with Server 2019 Standard. We would like to introduce Two-Factor Authentication for our VPN connections. We would also like to introduce Two-Factor Authentication for our Office 365 subscriptions. We do not mind having two separate ones but would be nice to just have one solution for these two - could be texts or the app. I know Microsoft has free Authenticator app.

I assume that we will have to pay for the Two-Factor Authentication for our VPN connections so as long as it is within our budget it is okay. It would be perfect if we could introduce it now on Server 2008 R2 too.

What would you suggest? What are you using yourself?

12 Comments

I am working with a simple ACL, denying traffic to a subnet, outside of DNS services. However I am unable to get it to work correctly unless I use IP instead of TCP or UDP

The DNS server is a simple BIND server

This does not work:

ip access-list extended "Guest Vlan Access"
10 permit udp 10.160.0.0 0.0.255.255 eq 53 10.10.4.21 0.0.0.0
20 permit tcp 10.160.0.0 0.0.255.255 eq 53 10.10.4.21 0.0.0.0
30 deny ip 10.160.0.0 0.0.255.255 10.10.0.0 0.0.255.255 log
40 permit ip 10.160.0.0 0.0.255.255 0.0.0.0 255.255.255.255
exit

This works but opens up more than I want:

ip access-list extended "Guest Vlan Access"
11 permit ip 10.160.0.0 0.0.255.255 10.10.4.21 0.0.0.0
30 deny ip 10.160.0.0 0.0.255.255 10.10.0.0 0.0.255.255 log
40 permit ip 10.160.0.0 0.0.255.255 0.0.0.0 255.255.255.255
exit

Ideas?

2 Comments

Does someone have a policy statement or can direct me to one for Wifi. My company has internal wi fit, staff that travels so airports, starbucks, bars (!). What should be telling them. So far, we have said avoid any wifi with no password protection is a no. I rush off the plane and check my email and before you know it, I have been on the airport wi fi (no password) for an hour. Executives pay for access on the plane, is that safe?

g

4 Comments

refer to attached.

What does "20/30 sec" under "cp attack" mean?
Was googling for various Aruba docs but can't
locate any documentation on this.

Appreciate if can point me to the documentation
/link & indicate the page as need to explain to
Audit
Aruba_cpAttack.png

2 Comments

If we don't do "NTP authentication" for our network devices (Aruba AP & switches,
Cisco devices), what mitigating reasons can we cite? The fact that NTP traffic is
only within internal network, ... <pls add on>

Was told by Wintel colleague that currently our AD servers (on win2008 R2 which
are going EoL this month) are configured that it can't support NTP authentication,
is this something very difficult to configure?

4 Comments

What other "microsoft.com" website do you recommend besides the below to get a patch HISTORY list ?

https://portal.msrc.microsoft.com/en-us/security-guidance

1 Comment

What "Network discovery .... software" do you recommend that will do something like https://www.solarwinds.com/engineers-toolset ?

Details
1. Users =50
2. VLAN = 1
3. OS = Windows 10 Pro
4. Switches = HP, willing to purchase NEWER models since mine are OLD
5. Cost = under $500 if possible, but OK if more

1 Comment

We are subscribing to Teammate SaaS (that's hosted in AWS)
& our data to be hosted is deemed sensitive.

Q1:
by default is data at rest encrypted by default (whether it's
default offering by AWS or by Teammate)?

Q2:
Is backup offered by default (by Teammate or by AWS?) or
this is an optional item that we must subscribe/purchase
separately?

Q3:
For data sovereignty purpose, can we specify to Teammate
(or is it AWS) that the data must be hosted in AWS DC in
the local country only & not 'synced' to overseas?

1 Comment

We are recieving Sonicwall notifications as follows....

01/01/2020 09:32:05 - 82 - Security Services - Alert - 208.83.110.20, 443, X1 - 184.X.X.X, 17448, X1 - tcp - TCP scanned port list, 9413, 60235, 21498, 10021, 30893 - Possible port scan detected

This email was generated by: SonicOS Enhanced 6.5.1.3-12n (18B1-69EB-9734)

X1 - 184.X.X.X is our WAN interface. This is an external port scan, correct? I like to eliminate this low profile notification.

*** Alert from Network Security Appliance *** [FW-01P] [Port Scan Possible, Attacks, Security Services

7 Comments

How can we tell if an IP is assigned to a home user or an organization?
For IP below, it's indicated to the ISP Starhub but if we block it, it may
block entire organization from accessing our website.
122.11.164[.]183

Is it likely a home user is granted a static IP?

6 Comments

I know an ex-colleague has a way at command line (script or whatever) to automate
adding of IP to block malicious IP for Nokia Checkpoint : that's years ago.

My current network colleague says it's very tedious to add IP as he has to create
object, then go into another screen to add it to a group & we often get 100-700
IP from threat Intel (from a cyber regulator): is there a way to automate to mass
block it for CheckPoint Security Gateway 12600?? Isn't there a way to get to
SG12600's Unix command prompt & write a script to automate?

For sure Linux iptables, we can do it easily by Shell script.

Heard Palo Alto has an interface to add IP en masse but my network guy says
CheckPoint (& possibly Fortigate) don't.

8 Comments

We have quite a handful (about 3 dozen) staff who bring our corporate laptops to
our China branch & they're based there for months. We enable local admin for
them (as sometimes when they're there, they need to install certain softwares as
there's no PC/end-user support there) & we enable their laptops to connect to
hotel/public places' Wifi.

They'll often VPN back to the local head-office here to join our domain for Intranet
services and this is when their PCs are found to have malwares or when they are
back here locally, their PCs were found to have numerous malwares: we never
know what happen that why their PCs' AV signatures are not updated while they're
in China.

I'm proposing an apps whitelisting (that some of our critical PCs are mandated to
have) installed as AV is a 'blacklisting' solution while apps whitelistg is more effective
but my colleague supporting apps whitelisting has concern below:

"Not really suitable. Gotta be connected to vpn at least 2 hrs for baseline to complete, n if sth really breaks and they cant initiate vpn back, the whole laptop is as good as totally disconnected from network already. High risk thing to do. Wont be able to remotely change app whitelist settings unless they manage to connect back to vpn network. Main worry is if user hit prob doing vpn. "

Q1:
Is the limitation/concern above valid & isn't there a way to overcome it?

Q2:
What other mitigations can we do for this group of users assuming we can't
take …

3 Comments

http://avigilon.com/products/video-security/cameras/

We're installing IP cameras, yet to determine which model.

What are the cybersecurity measures we ought to take?

Q1:
Any hardenings that can be done? Any other cyber measures
to take?

Q2:
Cameras to be connected to user VLANs or a totally dedicated
VLAN by itself or ??

Q3:
The recorded videos will be archived to a server? Encrypt it with
which encryption & any other handling methods?

Q4:
Reckon IP cameras are treated as IOTs so in the event they need
to be connected to Internet, what further measures ought to be
taken?

Q5:
Should we do a pentest using Tenable/nessus against it? I recall
we ever did it with a PABX (which runs a custom RHEL & many of
the vulnerabilities of RHEL are applicable)

7 Comments

Our network team raised concern that with the number of IP addresses to block
(currently we create a group & add in IP addresses) coming from cyber regulator,
it may hog/slow down our CheckPoint 12600.

Q1:
What's the rule of thumb for max number of rules for 12600? We estimated the
number of IP to block to reach 5000 per year.

Q2:
There's currently 1 rule ie "Deny Threat_intel_list All for all ports/protocol":
So with only 1 rule but adding IP to the "Threat_intel_list" cause slowness or
by adding the # of IP to the list will increase the latency (make it slower) as well?

Q3: *** this question is crucial ***
We plan to break down that single rule to multiple rules ie 1 rule for 1 IP from
Threat Intel to block so that we can assess if there are hits & subsequently
assess whether to remove rules that don't have hits after, say 6 months so
as to reduce the # of rules & load to the firewall: is this a good practice in
terms of making the firewall faster? In terms of cybersecurity, was advised
by one vendor this is a safe practice as IOCs that are 'dormant' ought to be
removed, just like AV vendors removed signatures for viruses that have not
been seen in the wild for quite a while to reduce the size/length of the AV
signature file/DB.

Q4:
To do firewall rules review (ie remove rules, permit or block rules: permit as
it means the endpoint device may have been decomm'ed & block if the IOC
is not active), reckon we review if there are hits. Heard …

5 Comments

We need a solution that will allow us to send information (credit card #s, confidential memos...etc) to and from our remote offices, while having the ability to determine when that info gets automatically deleted on the remote end.

Network Security

7 Comments

We're getting Nessus Tenable for vulnerability scans (likely with admin-credentialed scans)
& likely penetration tests.

Q1:
https://security.stackexchange.com/questions/71389/where-to-place-a-vulnerability-scanner-within-a-data-center
Above link has various views & I don't understand one of the line:
"If you're not granting the scanner admin level access to your assets and you're allowing an IPS to interfere then you're doing yourself a disservice."

Q2:
I intend to scan through the Network IPS because we may not be able to apply patches
in time (can't test out patches & obtain downtime in time), so most likely we'll deploy
NIPS virtual patches as interim remediation. So do we still scan using 'admin credential'
scan in my scenario?

Q3:
Certainly dont plan to scan from public Internet but where is the best location within
our Prod network should we connect up this virtual (runs in VM) scanner? Management
VLAN or in each Prod subnet, we place one scanner or run from laptop & connect to
a switch port which is assigned all the VLANs or we just place in DMZ or internal
subnet & open up firewall rules? Firewall may slow down the scans.

Q4:
From secure perspective, which is the most secure place to connect it as we may
use admin credentials (at this moment, no idea how to get it to integrate with
TPAM though we may move to CyberArk in 12-16 months' time as Nessus told
us it integrates with Cyberark, querying the password from Cyberark)

5 Comments

Dear Experts

I am looking for the best practice network design to connect 03 offices which is 3 different locations with secured links with redundant links. Below explained
Data center where business applications are hosted in the location 1 here the business applications which are web-based applications, windows AD for authentication, file server, email server are maintained, cisco 1010 FTD and Cisco FMC is in place and two ISP’s.
Location 2 which is far of distance is going to be connected to location 1 data center with MPLS VPN link and for redundancy broad band link planning for SD WAN solution. Finalized and implementation is in progress.
Now that all the employees who were so far working in location 1 that is at data center location to be shifted to the location 3 which is of little distance from location 1. However, we are not shifting data center and our employess are of 20 users who is going to work from location 3 and they have to login for authentication to location 1 where the windows AD and file server for their document store and business application they use CRM.
1. Please suggest the best network design to connect location 3 to location 1, should I have to plan for MPLS VPN as one link and secondary link as leased line and use SD WAN solution here or any other best practice please.
2. How much bandwidth would be needed between location 3 to location 1 for web-based and store documents in the folder
3. as we have 20 users is it required to setup …

6 Comments

Question by

Math Tec

2019-11-11Solved

Firepower 4110

Hi,

I have question. Can we manage Firepower 4110 without using FMC (Firepower management center) or I will need to buy one?
Which appliance or virtual FMC I need to buy? and is there any free license or no?

Thanks in advance

1 Comment

Hi All,

We use WatchGuard Friebox as our firewall. Last couple of days it has detected and blocked a relatively high for us(1oo hits) of activity it labels as MASSCAN Activity. I have traced this back to a handful of IP addresses. These tried to attack a couple of our web server that we have to publish on the internet. Only ports 80 and 443 are open on these connections.

Is there anything etc I can/need to do to help stop this activity, or is it one of those things I have to live with as long as WatchGuard is blocking it.

Cheers,
Paul

1 Comment

We are having loads of trouble configuring a Site2Site VPN with a pair of Watchguard T35 firewalls.
Neither is configured pretty much outside of the initial setup wizard.
The current site 2 site vpn is stock from the vpn configuration guide from Watchguard.

We tried a number of different configs, but have currently deleted them to restart fresh.
Also we are trying to set the connection to initiate from SiteB to SiteA just to limit randomness, but can set bidirection or SiteA to SiteB as initiator. Doesn't really matter to us

My theories may be off, so I'll just throw out the logs from each to see what you may think is happening.

Thank you in advance.

Site A
*** WG Diagnostic Report for Gateway "AA-to-TC-Gateway" ***
Created On: Tue Oct 29 09:22:49 2019

[Conclusion]
	Error Messages for Gateway Endpoint #1(name "AA-to-TC-Gateway")
		        Oct 29 09:22:35 2019 ERROR  0x02030015 Message retry timeout. Check the connection between local and remote gateway endpoints.


[Gateway Summary]
	Gateway "AA-to-TC-Gateway" contains "1" gateway endpoint(s). IKE Version is IKEv1.
	  Gateway Endpoint #1 (name "AA-to-TC-Gateway") Enabled
		Mode: Main
		PFS: Disabled 	AlwaysUp: Disabled
		DPD: Enabled 	Keepalive: Disabled
		Local ID<->Remote ID: {IP_ADDR(A.A.A.A) <-> IP_ADDR(B.B.B.B)}
		Local GW_IP<->Remote GW_IP: {A.A.A.A <-> B.B.B.B}
		Outgoing Interface: eth0 (ifIndex=4)
			ifMark=0x10000
			linkStatus=0 (0:unknown, 1:down, 2:up)
		Stored user messages:

Open in new window

…

2 Comments

We get an audit finding from one of the Big Four audit firms as follows:
"A study should be conducted to determine the granularity of the segmentation of end-users. Minimally,
IT administrators should be in a separate network segment from the rest of the end-users."
"Inadequate network segmentation increases the ease and risk of lateral movement by cyber-
attacks, if a server or device in the segment is compromised."

As sysadmins have "privileged" access to servers & compromise of their PCs will risk compromising
the servers in a 'privileged' way, we'll adopt the recommendation.

I'll need some good points/arguments to support our stand of not further segmenting each
departments from each other:

a) the main exposures are from "Internet surfing" & emails access (lots of malicious attachments,
phishing, spam emails seen in email gateways) besides USB ports

b) all other users belong to same trust domain as they read emails & surf internet (yes, the
sysadmins are encouraged to surf internet on PCs not used to surf Net & read emails)

c) for workstations used for Industrial Control Systems/Operations Tech, they don't have email
access & Internet surfing & have been rightfully segregated as per existing set-up

d) To prevent lateral attacks, EDR, AV & email security (forwarding of malicious emails to
other colleagues) are in place with SIEM for detecting such events in the pipeline

e) if we were to segregate every departments (eg:…

5 Comments

Hi, I'm using the Quarantine feature from Watchguard and this creates a Quarantine website users can log onto. But the problem is that it's an intranet server and as such doesn't have an 'official' SSL certificate. I tried to create a self-signed one etc but I keep on failing ... could someone please give me step-by-step instructions on how to create a self-signed certificate and attach it to that website so that the browsers won't throw their security warnings anymore? Thanks!

9 Comments

How can I lower the Java Security Rules for internal networks only?

Currently our users are needing to manually enter an internal web address in their Java Exception list. I have been charged with trying to make the process more automatic for our users. Specifically to allow all URL's for internal web addresses to allow the Java Applet.

I did find a way to create an Exception list for the computer: https://community.spiceworks.com/how_to/123766-java-site-exceptions-list-and-certificates-for-all-users

but, this option takes away the user's ability to have their own list or to add the web sites that they want and the list will be managed by the local administrator. Equally important, if I used the above mentioned web page documentation then it will overwrite any Java exception list that the user already created. We do not want to go that route.

Is there a way to allow internal web addresses to have a lower Java Security level then external web addresses? TO actually allow Java to be run on those internal web url's.

4 Comments

Network Security

Related Topics

Network Security

Related Topics