Search Our Site

Our Newsletter

Our Ramblings

Do Small Businesses Really Need Network Management?

We meet a lot of small business owners who experience a LOT of business pain because of badly performing or just downright failing networks. Network connections, (or put more simply your broadband connection and the ability to transact and communicate) have become essential for all but the tiniest fraction of businesses nowadays. Of course, its been the dilemma for as long as technology has been a factor in business that small businesses simply cannot afford to support their technological infrastructure in the way that they know they need to.

So whats to do? Most people are just winging it to be fair. The systems we buy nowadays for business are pretty good but far from perfect.

Of course the real trouble is never expected until it arrives.

So when the perfect storm of unaffordable costs to cover the systems we need and systems failure hits, we need to make decisions we really don’t want to have to make. Unjustifiable costs suddenly become justifiable in the face of the totality of the eclipse and the value proposition changes dramatically until everything is fixed, the network goes back to sleep and calm is restored. Until the next time.

This is where a low cost management solution from Rustyice Solutions really becomes your greatest asset. Our small unobtrusive RCAD (Rustyice Control & Access Device) will sit quietly inside your network continuously monitoring the health of your network devices and also your connection to the outside world.

Our systems offer 24x7x365 real time visibility of a multitude of measurable metrics within your network ensuring that, when coupled with our realtime SMS, Email and Messenger alerts component you are always fully informed about the health of your network systems.

Imagine your business broadband connection goes down in the middle of the night. You don’t want to be in the position where you are making the necessary telephone calls having just realised the problem when you arrive at the office at 8.30. With an RCAP that process can begin via our automated systems while you sleep and can potentially be resolved by the time you get to your front door.

An RCAP is much more than a broadband & network monitor however. Through your RCAP you can monitor anything on your premises such as motion sensors, fire alarm panels, smoke alarms, in fact anything that can be measured by a sensor. You can collect statistics on printer paper use, ACU health, HVAC system performance and even the levels in the coffee machine. The RCAP from Rustyice solutions really does it all and, with a customised dashboard designed by our engineers you will have all the data you need at your fingertips, alerting you at precisely the trigger points you require to ensure your business runs smoothly.

At the superbly affordable price of £14.99 per month why wouldn’t you?

Interested? Contact us today for a test drive. With no contracts and no commitments it really is an offer you can’t afford to refuse.

Contact us today to order your new RCAP.

Cisco – Two LAN, Two WAN ISP and NAT

We recently received a request from a rural customer who was tired of their unreliable 1Mbps ADSL line to add a second ADSL line to their network. The line was ordered and installed and we then added a second ADSL wic interface to their router and set to work making it work. Our brief was to make it work so that each LAN was associated with one WAN link and only used that WAN link. This is how we went about it.

Clearly the second interface needed to be associated with a second dialer created to log in and manage the second connection. Furthermore, we needed to add a second DHCP pool. This new config is shown as follows:

DHCP config:-

ip dhcp pool pollux
   network 192.168.200.0 255.255.255.0
   default-router 192.168.200.1 
   dns-server 62.6.40.178 62.6.40.162 

As you can see this connection is using BT DNS servers.

Dialer config:-

interface Dialer1
 description btbusiness
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 2
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxx
 ppp chap password xxxxxxx

We then needed to allocate a second default route to the router and this was achieved by means of the following command:-
ip route 0.0.0.0 0.0.0.0 Dialer1

We created an access list to handle the new traffic relating to the new DHCP network as follows:-
access-list 22 permit 192.168.200.0 0.0.0.255

and then we added a new access list to ensure that the traffic on each LAN network remained segregated from the other LAN. This was done as follows:-

access-list 112 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 112 deny   ip 192.168.1.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 112 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 112 permit ip 192.168.1.0 0.0.0.255 any
access-list 122 deny   ip 192.168.200.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 122 deny   ip 192.168.200.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 122 deny   ip 192.168.200.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 122 permit ip 192.168.200.0 0.0.0.255 any

Finally we needed to apply route maps to mechanise the access lists, putting them to work maintaining segregation and ensuring correct operation. The following two route maps were configured:-
route-map pollux permit 22
 match ip address 122
 set interface Dialer1
!
route-map castor permit 12
 match ip address 112
 set interface Dialer0

Putting it all together our new configuration was as follows:-

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname xxx-core-router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 512000 debugging
enable secret xxxxxxx
!
no aaa new-model
no network-clock-participate slot 1 
no network-clock-participate wic 0 
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip dhcp use vrf connected
!
ip dhcp pool pollux
   network 192.168.200.0 255.255.255.0
   default-router 192.168.200.1 
   dns-server 62.6.40.178 62.6.40.162 
!
ip dhcp pool castor
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1 
   dns-server 62.6.40.178 62.6.40.162 
!
!
ip flow-cache timeout active 1
ip name-server 212.159.13.49
ip name-server 212.159.13.50
ip name-server 141.1.1.1
!
!
!
archive
 log config
  hidekeys
!
!
! 
!
!
!
interface ATM0/0
 description btbusiness
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode itu-dmt 
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip policy route-map castor
 duplex auto
 speed auto
!
interface ATM0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode itu-dmt 
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
 !
!
interface FastEthernet0/1
 ip address 192.168.200.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map pollux
 duplex auto
 speed auto
!
interface Dialer0
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxx
 ppp chap password xxxxxxx
!
interface Dialer1
 description btbusiness
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 2
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxx
 ppp chap password xxxxxxx
!
router rip
 version 2
 network 192.168.1.0
 network 192.168.200.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.88.0 255.255.255.0 192.168.200.2
ip route 212.159.13.49 255.255.255.255 Dialer1
ip route 212.159.13.50 255.255.255.255 Dialer1
!
no ip http server
no ip http secure-server
ip nat inside source list 12 interface Dialer0 overload
ip nat inside source list 22 interface Dialer1 overload
ip nat inside source route-map castor interface Dialer1 overload
ip nat inside source route-map pollux interface Dialer0 overload
!
access-list 12 permit 192.168.1.0 0.0.0.255
access-list 22 permit 192.168.200.0 0.0.0.255
access-list 112 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 112 deny   ip 192.168.1.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 112 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 112 permit ip 192.168.1.0 0.0.0.255 any
access-list 122 deny   ip 192.168.200.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 122 deny   ip 192.168.200.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 122 deny   ip 192.168.200.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 122 permit ip 192.168.200.0 0.0.0.255 any
route-map pollux permit 22
 match ip address 122
 set interface Dialer1
!
route-map castor permit 12
 match ip address 112
 set interface Dialer0
!
!
!
control-plane
!
!
!
alias exec arp tclsh flash:arp.tcl
alias exec shutnoshut tclsh flash:shutnoshut.tcl
!
line con 0
line aux 0
line vty 0 4
 access-class 12 in
 password xxxxx
 login
 transport input telnet
!
ntp clock-period 17207966
ntp server 85.119.80.233
!
end

 

The network worked beautifully. Another elegant solution from Rustyice Solutions.

New Satellite Technology a Possible ‘Game Changer’ for Communications

As the interoperability discussion continues, so does the frustration of many who have worked on this issue for decades but haven’t seen their goals realized. So it makes sense to take a look into the future of what could be a bright spot.

Satellite technology has proven itself during major events but its limitations are known. During Hurricane Katrina, satellite technology allowed for some semblance of interoperability when most communications systems were down. A family of satellites first launched seven years ago by Hughes has the ability to be a “game changer,” in the words of some neutral panelists at a recent emergency management summit.

The new satellites, which Hughes calls Spaceway, offer path diversity. It doesn’t just bounce up from an antenna to the satellite and reflect down to a ground hub and connect to the Internet or a data center like the traditional satellite. The Spaceway is a router in the sky that can make multiple connections at once, enabling conference calls and video conferencing.

The Department of Defence tested the satellite’s ability in 2009, creating video teleconferencing between the U.S. Northern Command, the Naval Surface Warfare Center’s Dahlgren Division and the Space and Naval Warfare Systems Center in San Diego. The after-action report described it as “relatively quick to set up with the ability to carry on high-definition, clear and stable communications with other locations.” FEMA was scheduled to test it during winter 2011.

With the Spaceway, user groups can be built prior to an event and connect when necessary. Agencies and private-sector entities that don’t work together every day can connect quickly during a crisis when other terrestrial communications are not working.

The Spaceway satellite is more akin to a mesh network than the traditional reflector satellite, which enables it to invoke community groups. Another way of describing it is “any to any” connectivity instead of “one to one” connectivity.

Tony Bardo, assistant vice president of Government Solutions at Hughes, called it a “Plan B” network. “If the ground infrastructure is down and you are unable to put together a user group, your radios and so forth are down and you can still get connected, you can quickly invoke a community of users and managers and decision-makers that have access to this Plan B network.”

During Hurricane Katrina, circuits and Bell South towers were inoperable because they were submerged by the flooding. When the towers fell during 9/11, cables and servers went down under the rubble. “These structures on the ground that support our telecommunications are very much in harm’s way when it comes to natural disasters and attacks,” Bardo said.

With Spaceway, both the satellite and the routing capacity are 22,000 miles above earth and away from harm, unlike ground-based communication infrastructure.

“If you think about that ground hub in the old system, the ground hub is the router,” Bardo said. “The intelligence is taking place on the ground. Spaceway, with its router in the sky, can enable me to communicate with you in another field office and add another party somewhere else, and out of harm’s way. I send up your IP address, and it connects me with you. I want to connect with the data center, so I send up the IP address on the antenna of the data centre and it connects me there.”

The Nessus Vulnerability Scanner

In computer security, Nessus is a proprietary comprehensive vulnerability scanning program. It is free of charge for personal use in a non-enterprise environment. Its goal is to detect potential vulnerabilities on the tested systems. For example:

  • Vulnerabilities that allow a remote cracker to control or access sensitive data on a system.
  • Misconfiguration (e.g. open mail relay, missing patches, etc).
  • Default passwords, a few common passwords, and blank/absent passwords on some system accounts. Nessus can also call Hydra (an external tool) to launch a dictionary attack.
  • Denials of service against the TCP/IP stack by using mangled packets
  • Preparation for PCI DSS audits

On UNIX (including Mac OS X), it consists of nessusd, the Nessus daemon, which does the scanning, and nessus, the client, which controls scans and presents the vulnerability results to the user.
According to surveys done by sectools.org, Nessus is the world’s most popular vulnerability scanner, taking first place in the 2000, 2003, and 2006 security tools survey. Tenable estimates that it is used by over 75,000 organizations worldwide.

In typical operation, Nessus begins by doing a port scan with one of its four internal portscanners (or it can optionally use Amap or Nmap) to determine which ports are open on the target and then tries various exploits on the open ports. The vulnerability tests, available as subscriptions, are written in NASL (Nessus Attack Scripting Language), a scripting language optimized for custom network interaction.

Tenable Network Security produces several dozen new vulnerability checks (called plugins) each week, usually on a daily basis. These checks are available for free to the general public; commercial customers are not allowed to use this Home Feed any more. The Professional Feed (which is not free) also give access to support and additional scripts (audit and compliance tests…).
Optionally, the results of the scan can be reported in various formats, such as plain text, XML, HTML and LaTeX. The results can also be saved in a knowledge base for debugging. On UNIX, scanning can be automated through the use of a command-line client. There exist many different commercial, free and open source tools for both UNIX and Windows to manage individual or distributed Nessus scanners.
If the user chooses to do so (by disabling the option ‘safe checks’), some of Nessus’s vulnerability tests may try to cause vulnerable services or operating systems to crash. This lets a user test the resistance of a device before putting it in production.
Nessus provides additional functionality beyond testing for known network vulnerabilities. For instance, it can use Windows credentials to examine patch levels on computers running the Windows operating system, and can perform password auditing using dictionary and brute force methods. Nessus 3 and later can also audit systems to make sure they have been configured per a specific policy, such as the NSA’s guide for hardening Windows servers.

 

Q. What is included in the Nessus download?
A. When you download Nessus, you receive the Nessus 4.4 scanning engine (server) that includes a flash web-based client. To receive updates under either a ProfessionalFeed or HomeFeed, you will need to register your scanner.

Q. What OS platforms does Nessus have builds for?
A. Nessus 4.4 is available and supported for a variety of operating systems and platforms:
Debian 5 (i386 and x86-64)
Fedora Core 12, 13 and 14 (i386 and x86-64)
FreeBSD 8 (i386 and x86-64)
Mac OS X 10.4, 10.5 and 10.6 (i386, x86-64, ppc)
Red Hat ES 4 / CentOS 4 (i386)
Red Hat ES 5 / CentOS 5 / Oracle Linux 5 (i386 and x86-64)
Red Hat ES 6 / CentOS 6 (i386 and x86-64) [Server, Desktop, Workstation]
Solaris 10 (sparc)
SuSE 9.3 (i386)
SuSE 10.0 and 11 (i386 and x86-64)
Ubuntu 8.04, 9.10, 10.04 and 10.10 (i386 and x86-64)
Windows XP, Server 2003, Server 2008, Server 2008 R2, Vista and 7 (i386 and x86-64)

Q. What does Nessus 4.4 cost?
A. The Nessus 4.4 scanner is available as a free download.

Q. Where can I go for more information?
A. If you still have questions about Nessus 4.4, feel free to contact us, visit http://www.rustyice.co.uk/ or post to us via our contact link.