
Take Basic Connectivity to a New Level
The Cisco® RV 120W Wireless-N VPN Firewall combines highly secure connectivity – to the Internet as well as from other locations and remote workers – with a high-speed, 802.11n wireless access point, a 4-port switch, an intuitive, browser-based device manager, and support for the Cisco FindIT Network Discovery Utility, all at a very affordable price. Its combination of high performance, business-class features and top-quality user experience takes basic connectivity to a new level.
Cisco RV 120W Wireless-N VPN Firewall

Product Overview
• High-speed, standards-based 802.11n wireless connectivity to help employees stay productive while away from their desks
• Integrated 4-port 10/100 switch with quality of service (QoS) support for enhanced voice, video and data traffic
• Support for separate “virtual” networks enables you to control access to sensitive information and to set up highly secure wireless guest access
• IP Security (IPsec) VPN support with hardware acceleration to deliver highly secure, high-performance connections to multiple locations and traveling employees
• Support for static routing, Routing Information Protocol (RIP) versions 1 and 2, and inter-VLAN routing to enable flexible connection sharing
• Proven stateful packet inspection (SPI) firewall, plus advanced wireless security to help keep business assets safe
• Simplified configuration through an intuitive, browser-based device manager
• Support for the Cisco FindIT Network Discovery Utility
Figure 2. Back Panel of the Cisco RV 120W

Figure 3. Typical Configuration

Table 1. Product Specifications
Wireless LAN Specifications
Table 2. Wireless LAN Specifications
Table 3. System Specifications
Table 4. Configuration Requirements
| Feature | Description |
| --- | --- |
| Network adapter | PC with network adapter and Ethernet cable |
| Web-based configuration | Web browser |
Those of you who are using a notebook computer or mobile device such as an iPad, iPhone, Android or Android tablet and connecting to those public free wifi access hotspots may want to just ditch the WiFi after what I heard about today…
In spite of what I said about safe browsing from public wi-fi hotspots using a VPN a while back, it sounds like a “proof of concept” is about to be published which states that the mere action of connecting to a public WiFi hotspot, then establishing the VPN can potentially give away the VPN credentials. This could potentially happen whether it is an open (unsecured) access point, or a rogue (man-in-the-middle) AP.
If this is true, which we should know in a few weeks, then it sounds to me like ditching WiFi altogether is not a bad idea if your data is valuable. 3G and 4G connectivity through your wireless provider may well be the best bet.
Obviously, this is not platform specific (Mac would be just as vulnerable as a Windows PC), and it is not a bug in the operating systems or VPN software.
I will be posting more information should it be proven to be a legitimate threat. Until then, stay safe….
I believe when it comes to data, MORE IS BETTER! Yeah, so call me a hoarder, it’s okay. I have plenty of room and hard drives are cheap!
Case in point… Yesterday I received a call from the IT administrator for a corporation based out of MA about a router that was down. When I arrived, I found an old Cisco 2500 router that would not boot up. Sure, you can replace a nonoperational router, but what about that configuration? You see, when an IT service dude or dudette walks into a business in this kind of mess and no records are available, you are left with a bunch of question marks…
What is the WAN IP? What is the WAN gateway? What’s the netmask? What’s the LAN information? Are there VPNs? Where do they point to? What about access in from the outside world to internal resources, what goes where?
You can get some of this information by calling the internet service provider, you can get some by checking a desktop for where it might already be pointing for its gateway, but some of it is a certain blank without having notes.
One thing better in this situation is having a backup of the running configuration from the router. Guess what? The IT administrator at the main office had the foresight to save a copy 4 or 5 years ago, and he was able to provide that information to me, allowing for a very rapid replacement of the equipment and a reconfig!
The moral of this story is – hang on to those old emails, keep those old configs, even if they are 4 years old.
Hard drives to store data on are inexpensive; the cost to recreate the data is NOT when you consider the downtime, the service charges for a technician to sit on hold to find out simple information, etc.
-
Homeland Secure IT provides computer, server & network sales, service & support to Greenville / Upstate SC businesses and individuals. Call 864.990.4748 or email info@homelandsecureit.com for more information.
WSPA’s Amy Wood (@TVAmy) had a great segment on last night (2011-02-07) in which she had Doug Cone (@nullvariable) a local web/graphics “devsigner” discussing the dangers of using public Wi-Fi. You can find that story here.
He demonstrated a tool which allows even the most novice of “hackers” to see a list of others who are using any given open wireless access point. He did this at a coffee shop and then went around and scared the bejeebus out of people by showing them how much information was at his fingertips.
In a discussion on Facebook the other day with Doug and Russell Tripp (@RussellTripp), I suggested that those two get together and produce a video showing the same information in depth and then explaining how to protect yourself from this all-too-real security threat. I believe they may be doing that as a follow-up to the WSPA story and will post that information here as a reply when that becomes a reality.
In the meantime, I thought I’d give some info about one tool that is both readily available and super-affordable that you can use to secure your connection when using a public Wi-Fi hotspot. That tool is a VPN, or Virtual Private Network. Yes, the same VPN technology that has been around for a very long time and used in businesses and larger corporations, and it is so easy, a caveman could do it. (I’m sure a lawsuit is forthcoming for my use of that slogan)
A VPN connection established to your home will allow you to connect to the open wireless network of your choice, build a “tunnel” to your home connection, and then send all traffic across the wireless network inside the encrypted tunnel, providing a very secure transport.
All that is needed is a VPN capable router or firewall at your home. But wait, you say you can’t afford a Cisco ASA 5505 (or WatchGuard or SonicWALL security appliance). That’s okay, you don’t need one.
You may already have a compatible home router that can be set up with the free DD-WRT (the website http://www.dd-wrt.com has a list of compatible routers) which provides VPN capability to your 40 dollar Linksys or similar device!
The setup is pretty straight-forward once the device end is ready. Connecting takes only seconds.
The VPN is not just for Microsoft Windows, but also Apple Mac OS X, iPad, Linux, FreeBSD, Solaris, etc. Most smartphones including Android, iPhone, Windows Mobile and Blackberry should have the ability to utilize your VPN too.
If you don’t have a compatible router, you could optionally use OpenVPN on your PC, and last but not least, you could use the OpenVPN HOSTED service. The hosted solution comes with a price tag, but for many it may be worth it to protect their privacy.
If you are fortunate enough to work for a company with a VPN already in place, you could probably use that as an option, assuming the IT policy permits you to do so.
Should you require assistance in Greenville or the Upstate for your personal or business VPN needs, we are partners with Cisco, WatchGuard, SonicWALL, ZyXEL and have a solution that is right for you. Call 864.990.4748 or email info@homelandsecureit.com.
Do you have a SIP Voice over IP system in use at your business? Then you may want to take a couple minutes to read this…
It seems that many of these systems are being set up without any consideration for security at all, leaving the potential for a malicious person to do things such as attack your system by sending a DoS flood to it, or even to make phone calls from your VoIP system! (This is referred to as “Toll Fraud”)
So how do you protect yourself? The best thing to do is to cut off access to your VoIP server via a firewall. If you don’t need access to something, disable it.
Try not to put your VoIP system in the DMZ (De-Militarized Zone), which offers no protection.
The most obvious way into your system is via the web configuration, usually on port 80. If that is wide open and default passwords are in use, a person could log into your box, add extensions, voice mail, etc. So be sure to change your default passwords and disable access to the machine from outside, unless you NEED access from outside, and then if that is the case, set up your firewall to allow connections ONLY from specific IP addresses you use.
The standard SIP port of 5060 is another gaping hole. If you must have SIP open to the outside world, consider changing the port from the default to something else so it doesn’t easily show up on the radar of people who might be doing port scans. You could also set your firewall to only allow connections from known outside IP addresses.
Either of those options can help prevent a SIP flood which could make your VoIP system unusable.
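The firewall advice above, as an added example that is not part of the original post: a small check that evaluates a rule set the way a first-match firewall would and reports whether an outside address can reach the web configuration port (80) or the SIP port (5060). The rule format, the rule sets and all IP addresses are constructed for illustration and do not match any vendor's syntax.

```python
import ipaddress

# Ports the post singles out: web configuration and standard SIP.
SENSITIVE_PORTS = {80: "web configuration", 5060: "SIP"}

# Constructed rule sets in a made-up "action source port" format; first match wins.
WEAK_RULES = """\
allow 0.0.0.0/0 80
allow 0.0.0.0/0 5060
"""
HARDENED_RULES = """\
allow 203.0.113.10/32 80
allow 203.0.113.10/32 5060
allow 198.51.100.25/32 5060
deny 0.0.0.0/0 80
deny 0.0.0.0/0 5060
"""

def parse(text):
    """Turn rule lines into (action, network, port) tuples, skipping blank lines."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            action, source, port = fields
            rules.append((action, ipaddress.ip_network(source), int(port)))
    return rules

def admits(rules, src_ip, port):
    """First matching rule decides; no match at all means default deny."""
    addr = ipaddress.ip_address(src_ip)
    for action, net, rule_port in rules:
        if rule_port == port and addr in net:
            return action == "allow"
    return False

def exposed_ports(text, stranger="192.0.2.99"):
    """Sensitive ports reachable from an address that is on no allowlist.

    The default 'stranger' is a constructed documentation address standing in
    for an arbitrary Internet host.
    """
    rules = parse(text)
    return sorted(p for p in SENSITIVE_PORTS if admits(rules, stranger, p))

if __name__ == "__main__":
    for label, text in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, "exposes:", exposed_ports(text) or "nothing")
```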
The SIP extensions probably have default passwords when you create those, depending upon which VoIP system you are using. Do not be tempted to use easy passwords…
One of the best ways to protect your SIP VoIP system is to use a VPN connection from any location that will be connecting to your main site. Cisco SPA 525g phones have the capability built-in to connect via VPN, making them a great phone to deploy to those who work out of their home.
If you would like further information, please call 864.990.4748 or email info@homelandsecureit.com. We sell Cisco, Polycom, Digium and other VoIP systems, phones and components, and offer consultation, installation and service in the Greenville / Upstate SC area.
Homeland Secure IT Alert for Saturday, October 30, 2010
The FireSheep add-on for the Firefox browser is a proof of concept showing why you should NOT use public / unencrypted Wi-Fi without extreme caution.
Last week, a tool was released that makes it possible for anyone to easily hijack your web sessions from within a browser view. When I say anyone, that means anyone. It has always been possible to do this, but this tool is so easy to use, a child could do it, or is that a caveman could do it? Either way, once the browser extension is installed, the hacker can see a list of everyone using the public unencrypted Wi-Fi network he/she is on and what sites they are on.
The person can see in a browser sidebar WHO is logged into Facebook, Google, Twitter, Dropbox, WordPress, Evernote, Amazon, Flickr, etc, and then they simply click on your session to be logged in as you. Yes, they become YOU… It works because it hijacks your cookie which is sent in the clear.
So think twice before you log into some site via public unencrypted Wi-Fi!!!
What can you do about this? Good question.
Option 1: Avoid public unencrypted Wi-Fi, defeating the purpose of having easy access, but offering you the highest level of protection.
Option 2: Only use sites that offer SSL/Secure logons – Actually this is sketchy because to sign into the “secure” section of most sites, the session info is still sent in the clear, so be careful.
Option 3: Use a VPN back to a gateway at your office. This ensures all your traffic is encrypted.
Option 4: Try information that is available here: Force TLS
It doesn’t matter whether you are using Microsoft Windows, Apple Mac OS X, Linux, etc, this is not a *bug*, it is the nature of the beast.
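For site owners, the cookie-in-the-clear problem described above can be checked from the response headers. The following is an added example, not code from the original post: it flags session cookies set without the `Secure` attribute, a post-login redirect that drops back to `http://`, and a missing `Strict-Transport-Security` header (the header that tells a browser to force TLS for the site). Both header blocks, the host name and the cookie values are constructed.

```python
# Constructed sample: login response from a hypothetical site that leaks cookies.
WEAK_RESPONSE = """\
HTTP/1.1 302 Found
Location: http://www.example.test/home
Set-Cookie: session_id=constructed-value-1; Path=/; HttpOnly
Set-Cookie: csrf=constructed-value-2; Path=/; Secure; HttpOnly
Set-Cookie: theme=dark; Path=/
"""

# Constructed sample: the same response after hardening.
HARDENED_RESPONSE = """\
HTTP/1.1 302 Found
Location: https://www.example.test/home
Strict-Transport-Security: max-age=31536000
Set-Cookie: session_id=constructed-value-1; Path=/; Secure; HttpOnly
"""

def parse_headers(raw):
    """Return (lowercased name, value) pairs, skipping the status line."""
    pairs = []
    for line in raw.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_response(raw):
    """List the ways this response lets a session cookie travel unencrypted."""
    headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        if name == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            cookie_name = parts[0].partition("=")[0]
            attrs = {p.partition("=")[0].lower() for p in parts[1:]}
            if "secure" not in attrs:
                findings.append(f"cookie {cookie_name!r} lacks Secure: sent over plain HTTP")
        elif name == "location" and value.lower().startswith("http://"):
            findings.append("redirect drops to http:// after login")
    if not any(n == "strict-transport-security" for n, _ in headers):
        findings.append("no Strict-Transport-Security header: browser may still use HTTP")
    return findings

if __name__ == "__main__":
    for finding in audit_response(WEAK_RESPONSE):
        print("FINDING:", finding)
```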
Be careful out there…. If you have any questions or need assistance, please call us at 864.990.4748 or email info@homelandsecureit.com.
This morning I was having a discussion with a potential client and we were talking about the “Homeland Secure IT” name. The individual mentioned that they understood the play on words; however, they were simply not sure how to take “IT”, because they thought of “IT” only in the terms of “Information Technology”…
I explained that the “IT” in our case is an all encompassing catch-all term that covers just about anything you plug into the wall. We sell, service, repair, support a wide range of technologies, not just a computer, server or network, but VoIP systems, CCTV and network security camera systems, firewall appliances, anti-virus software and software in general.
So basically, whatever IT is, we can help you with IT!
I am unsure of a way to indicate everything we work with, but suffice it to say, it is not limited to just a notebook computer fix, or a simple virus cleanup. While we DO those things, we also deploy Blackberry Enterprise Server so your mobile users can stay connected. We help integrate wireless devices like Androids, iPads and more into your Microsoft Exchange. We configure VPNs that allow a mobile workforce or a branch office to connect to your data as if they were physically in your office. We design and deploy Voice over IP phone systems. We offer biometric and card swipe time clocks.
Again, if it plugs into your network, or connects wirelessly, or you WANT it to, we can help. Give us a call at 864.990.4748 or email info@homelandsecureit.com to discuss your unique needs! We serve the Greenville & Upstate SC area!




