Keith Smith - My Blog

Network

Keith Smith - My Blog > Network

WatchGuard Wireless, AP320 Access Points Review

Thursday, June 15, 2017 - Posted by Keith A. Smith, in Network

I’m a big fan of WatchGuard, and I’ve been using their appliances for some time now. Some other people I know have had concerns about the quality of the firmware or WatchGuard Fireware OS, and I can say that this was an issue in the earlier versions (pre-2014) when the UI was flash based. Since 2014 the UI has significantly improved, I generally get the kit with five years’ live security, knowing at the end of that five years, the kit is probably going to be obsolete and a refresh will be required anyway.

I had never used the WatchGuard Ap's before this deployment, after doing some research I saw that they integrate very tightly with the firewalls and the Dimension products, so I decided to give them a shot.  I think personally the units look great, they’re very discreet and very powerful.




They have 2 Radio’s (5GHz and 2.4GHz), 6 antennas, Up to 1.3 Gbps for 11ac Up to 450 Mbps for 11n, up to 8 SSID’s per radio, PoE, support for all the wireless standards (802.11 a/b/g/n/ac) and Fast Roaming and Band Steering.


The Wi-Fi AP's also comes boxed with a ceiling mount kit and even more useful an T-rail ceiling mounting kit which is nice for most commercial offices.



In my case, I had to "macgyver" a mounting solution for our AP’s using L shelf brackets + chrome head screws + automotive fasteners that I purchased from a local ACE hardware store shown below since none of our locations have T-rail ceiling or anything close to it.

                         

The Wi-Fi AP's also run PoE and I’m currently using a few HP 3500 Series PoE switches to provide power to them. By using PoE to power, the Access Points which great because I can also reboot any AP by turning off the PoE for that port should any of the AP's have issues down the line.

I have configured a few VLAN’s with each AP320 broadcasting wireless networks. I currently have the AP320’s set to auto regarding the channels and so it does a lot of the work in working out which channel to run on for me to ease wireless congestion. They were very easy to deploy, and wireless SSID configuration was deployed very quickly thanks to the firewall acting as the wireless controller. I've also found the updates for the AP's to be basic and can be done from the firewall (acting as the wireless controller) in a few clicks.

When you have multiple WatchGuard firewalls and WatchGuard access points it's best to use the WatchGuard System Manager  for managing all of this. The monitoring of this is also great, I can see at any point any wireless device, which AP it is connected to, the traffic volume and also its signal strength etc.

One of the issues that I ran into was a few of the AP’s rebooting during of the work hours, which as you can imagine was somewhat annoying. Initially, I though this issue was caused by HP 3500 PoE switches, but after directly connecting in a 12v 1.25A PSU it kept happening. The HP switch firmware did have a defect (PoE CR_0000207335) in the version that was running on the switches at the time of the AP deployment, however I was able to resolve that by contacting HPE support and applying the supplied software update. After the software updates for the HP PoE switches had been applied, I opened a case with WatchGuard support about the AP320's randomly crashing and restarting. I had all the latest firmware installed for the AP's at the time I  submitted the fault reports to WatchGuard, after the support person investigated the fault reports they agreed was a newly discovered bug (bug "AP-17"), which as of right now is still being worked on.

Technical Details
This bug (bug "AP-17") is related to the DFS channels being used and the scan interval. At this time the bug isn't resolved, but the workaround to this was to set the wireless scan interval to 24 hours in the Gateway Wireless Controller Settings. Here is a link on how to do this http://www.watchguard.com/help/docs/fireware/11/en-US/Content/en-US/wireless/ap_global_settings_c.html

You can also configure the channels manually to further reduce this issue. Be sure to select non-DFS channels. DFS channels are 50 through 144.


All in all, I’m very happy with the AP’s and the support has always been great from WatchGuard which is one of the many reasons I like company. Once the bug above is resolved, I will call this a successful deployment. I found the WatchGuard AP's to be easily scalable and easy to manage, these devices are built with quality can fit any long-term wireless solution.



-End


View Comments 0 Comments
Share Post   

Applying a “Defense-in-Depth” Strategy

Monday, May 22, 2017 - Posted by Keith A. Smith, in Network, VMware, Microsoft, Linux, Security

IT Teams and Staff can effectively maintain physical and information security with a “defense-in-depth” approach that addresses both internal and external threats. Defense-in-depth is based on the idea that any one point of protection may, and probably will, be defeated. This approach uses three different types of layers (physical, electronic, and procedural) and applies appropriate controls to address different risks that might arise in each.
 
The same concept works for both physical and network security. Multiple layers of network security can protect networked assets, data and end points, just as multiple layers of physical security can protect high-value physical assets. With a defense-in-depth approach:  

System security is purposely designed into the infrastructure from the beginning. Attackers are faced with multiple hurdles to overcome if they want to successfully break through or bypass the entire system. 
A weakness or flaw in one layer can be protected by strength, capabilities or new variable introduced through other security layers. 

Typical defense-in-depth approaches involve six areas: physical, network, computer, application, device and staff education.

1. Physical Security – It seems obvious that physical security would be an important layer in a defense-in-depth strategy, but don’t take it for granted. Guards, gates, locks, port block-outs, and key cards all help keep people away from systems that shouldn’t touch or alter. In addition, the lines between the physical security systems and information systems are blurring as physical access can be tied to information access. 

2. Network Security – An essential part of information fabric is network security and should be equipped with firewalls, intrusion detection and prevention systems (IDS/IPS), and general networking equipment such as switches and routers configured with their security features enabled. Zones establish domains of trust for security access and smaller virtual local area networks (VLANs) to shape and manage network traffic. A demilitarized zone between public resources and the internal or trusted resources allows data and services to be shared securely. 

3. Computer Hardening – Well known (and published) software vulnerabilities are the number one way that intruders gain access to automation systems. Examples of Computer Hardening include the use of: 
Antivirus software
Application whitelisting
Host intrusion-detection systems (HIDS) and other endpoint security solutions
Removal of unused applications, protocols and services
Closing unnecessary ports

Software patching practices can work in concert with these hardening techniques to help further address computer risks that are susceptible to malware cyber risks including viruses and Trojans etc.

Follow these guidelines to help reduce risk:
Disable software automatic updating services on PCs
Inventory target computers for applications, and software versions and revisions
Subscribe to and monitor vendor patch qualification services for patch compatibility
Obtain product patches and software upgrades directly from the vendor
Pre-test all patches on non-operational, non-mission critical systems
Schedule the application of patches and upgrades and plan for contingencies 

4. Application Security  – This refers infusing system applications with good security practices, such as a Role Based Access Control System,Multi-factor authentication (MFA) also known as (also known as 2FA) where ever possible which locks down access to critical process functions, force username/password logins, combinations, Multi-factor authentication (MFA) also known as (also known as 2FA) where ever possible and etc. 

5. Device Hardening – Changing the default configuration of an embedded device out-of-the-box can make it more secure. The default security settings of PLCs, PACs, routers, switches, firewalls and other embedded devices will differ based on class and type, which subsequently changes the amount of work required to harden a particular device. But remember, a chain is only as strong as its weakest link. 

6. Staff Education - Last but not least it’s important to talk to staff about keeping clean machine, the organization should have clear rules for what employees can install and keep on their work computers.  Make sure they understand and abide by these rules. Following good password practices is important a strong password is a phrase that is at least 12 characters long. Employees should be encouraged to keep an eye out and say something if they notice strange happenings on their computer.  


Educating Employees at least once a year is important
Training employees is a critical element of security. They need to understand the value of protecting customer and colleague information and their role in keeping it safe. They also need a basic grounding in other risks and how to make good judgments online.

Most importantly, they need to know the policies and practices you expect them to follow in the workplace regarding Internet safety.


-End
View Comments 1 Comments
Share Post   

DNS Benchmark – Advanced and accurate DNS performace benchmark tool

Tuesday, April 18, 2017 - Posted by Keith A. Smith, in Network

When it comes to DNS servers, the response speed is not the only standard to measure its performance. Certainly the response time should be as short as possible, but the stability and security is also important factors. A DNS server without stability (intermittent) will cause web page loading problems even it has very fast response.

DNS Benchmark is a unique, comprehensive, accurate freeware for Windows (and Linux/Wine) designed to measure the exact performance of local and remote DNS servers . . .


DNS Benchmark not only comes with a lot of popular, outstanding DNS servers, also has a set of algorithm which was designed to analyze the reliability of DNS servers.

-End



View Comments 0 Comments
Share Post   

XenServer to VMware Migration

Friday, September 4, 2015 - Posted by Keith A. Smith, in Network, VMware, Xen, Microsoft

Well, it's time to put XenServer out to pasture in favor of vSphere 6.0, the coolest thing I will miss is XenCenter which can be installed on any modern Windows OS. In the Citrix world, you do not need a dedicated XenCenter server. In the VMware world you do need a dedicated vCenter server.  Not that big of a deal, but something to note if any of you start comparing the products.

Start with interoperability testing
In the past, I have used some version of the vCenter Converter to convert VM's from some other product. I figured I would test the theory of simply exporting a VM's from xencenter in an ovf format and importing it into vcenter. That attempt failed with the following error "Could not parse the document: 'encoding specified in XML declaration is incorrect". Upon testing the same ovf export on VMware workstation and virtualbox I received the same error. 

Back to the old Method
It would have been great to power off VM's then export them from xencenter, then import them into vCenter. With this not being possible at the time I proceed to fire up the vCenter Converter. Using the vCenter Converter I was able to convert a few of the VM's, in some of the other attempts I received errors like converter error "Host key can't be retrieved. That error occurred on all of the nix VM's, I was able to resolve this on some of the VM's by modifying the /etc/hosts.allow and /etc/hosts.deny files because I recall them being configured to deny access.

hosts.allow:

     ALL:LOCAL,x.x.x.x

hosts.deny:

     ALL:ALL

Another workaround for the *nix VM's is to upload the virtual disks to the datastore, and then proceed to convert them. At this point, you could create a new virtual machine and use the new created virtual for that machine. For me, this worked great, and the *nix VM's would boot successfully. 
In some of the other cases, I changed from hostname to IP in the vCenter Converter, and that allowed me to convert the nix VM. I also had some instants where Windows VM's wouldn't convert; they would fail and say 3% network is unreachable host key can't be retrieved or a certificate in the host's chain is based on an untrusted root converter. For the VM's that gave those errors, I installed the vCenter Converter on the VM itself and chose This local Machine at the target. 

As you can see, I did quite a few workarounds to keep making progress on exporting the VM's. 

Into to vSphere as the final destination
At this point, I have all VM's exported, I proceed to upload them into a datastore in vSphere environment. After the uploads were complete, I had to convert the disks to proper vmdk's that could be used by the VM on vSphere. On the hypervisor I enable SSH, I then proceed to SSH into the hypervisor and make my way into the datastore that housed the VM's. There were quite a few sub directory's so I had to travel into each one cd /vmfs/volumes/whatever/foldername/VMName then run vmkfstools -i currentvirtualdiskname.vmdk newvirtualdiskname.vmdk

I had to do that for all the virtual disks that were uploaded. Once all that was done I added the vmx files to the vCenter Inventory, from there I had to remove the original virtual disk's and attach the new virtual disk I created. In the process, I was prompted to remove and delete the old virtual disks which is nice because that way I won't have to go back and clean up the old virtual disks.

I now power on one 2012R2 VM and one 2008R2 VM for testing to ensure that they boot up and function as they should. The 2008R2 boots fine however, the 2012R2 VM blows up with the BSOD. I power up another 2012R2 VM so see if this is a one-off or not, of course, the same result of a BSOD with the error of system_thread_exception_not_handled xen.sys. 



At this point I know there is something wrong with 2012R2 and Xen, I had to boot up the VM in safe mode by choosing Troubleshoot.
 
Click Advanced options

Click Startup Settings.

Click Restart

Once in safe mode I run a msconfig from the search, Under the boot tab I chose base video 


I still had the Citrix/Xen related items installed on the VM's, so that had to be the culprit.



I reboot the VM and it boots fine, at this point I uninstall all the XenServer/Citrix related items. I then restart the VM, and I was glad to see it make it to the login screen. I did have some cases where the VM did BSOD after the msconfig modification and XenServer/Citrix items were remove but upon a restart the VM does proceed to the login screen. I had to do the aforementioned procedure for every 2012R2 VM that had a BSOD system_thread_exception_not_handled xen.sys.

I should note that this project took me about 3 1/2 days to complete due to the above technical complications and many other variables.
View Comments 0 Comments
Share Post   

Screw Verizon and there stupid STB's and constant rate hikes with the

Thursday, May 28, 2015 - Posted by Keith A. Smith, in Network

In February of 2014 i finally decided to cut the cord! I returned all the Set top boxes (STB) that were in my house to the provider and cancelled my tv subscription. The customer service guy tried really hard to prevent me from canceling but i was persistent enough to see it through, during the same process I negotiated a speed tier increase which was going to be utilized by all the Internet connected things.

I like most people have more shows on hulu, Netflix and amazon prime than on anything else, the challenge was going to be with sports! How would I be able to watch football and basketball? And what would would be the device of choice for streaming? Since i don't have any smart tv's or any of that I started to do some research, i already knew of the apple tv's, roku's and chromecast's of the world but i wanted something different, on Mar 27, 2014 i heard a rumor that amazon was working on some sort of set-top box which was intriguing to me. Apr 2, 2014 Amazon unveiled a new streaming video product during a press conference it dubbed Fire TV, after looking at the specs it seemed like it do fit the bill for what i wanted.
 
On Apr 2, 2014 i pulled the trigger and purchased my first amazon fire tv, the setup was pretty straight forward and there are a few popular music apps included like Pandora, but the company says its Amazon Music Cloud player will be available soon. Currently you can't access your local video or music collection from an external drive, even though there's a USB 2.0 port. Company execs say the port is meant for accessories as well as developer support. But once the Amazon Cloud Player is ready, you can upload your songs to it and play them.

FreeTime for kids is another feature that works with parental controls and limits the amount of time your kid can watch videos and play games. It also lets you create personalized profiles for each of your children. The FreeTime service is a subscription that will cost US$2.99 per month, and is said to be arriving in the coming weeks. A month later i planned to other another Fire TV, but i needed to make a few changes first.

As i noted here i chose to go the Amazon Fire TV route for media streaming in 2014, by the time September rolled around i had not found a solution for watching football and basketball with out a tv subscription. I stumbled upon a article that reminded me that i could use a vpn solution to access certain content, I already knew of a pretty reasonable vpn provider that might be able to do this but in order to test it out i would need to and i did purchase NFL Game Pass which would allow me to stream the NFL games. To sum it all up my answer was a vpn provider and a NFL Game Pass subscription for the streaming of NFL games.
 
In February of 2015 i figured now would be the time to see if i would be able to find a solution for the streaming of NBA games. I discovered something called NBA League pass which was suppose to allow you to stream NBA games just like the NFL Game Pass did for me, after installing the app and creating a login i attempted to watch a few games but two things seemed to be vary consistent which were the following streaming quality, a lack of HD broadcasts.

The streaming quality was just dreadful, so much so that after about 4 weeks i cancelled it because of that and the customer support wasn't really helpful. My last option was to wait for the Sling TV to become available, at least then i could gain access to ESPN and TNT which are stations that sometimes carry NBA games. On February 13, 2015 i installed the Sling TV app and it filled the all gaps that were existing (e.g. HGTV, ESPN,TNT and some NBA games) in early goings I had some issues with the streaming quality but i believe quite a few people had the same sort of issues. Over the past few months the streaming quality has improved and all is well for now.
View Comments 0 Comments
Share Post   

Page  <1234>