By Crystal Johnston - January 28, 2020
National Data Privacy day is today, so how much data are you sharing?
We have all done it, downloaded a new operating system for our phone, or did an update to our computer, and up pops the all too familiar “Agree to the Terms and Conditions.” We naturally just scroll to the bottom and click “Agree.”
Well, do you really know what we are agreeing to?
To demonstrate just how many people seem to glance over the “T&C”, a few organizations took it upon themselves to add to their T&C some interesting terms that different people would agree to. Purple, a Wi-Fi provider in the UK, added to their T&C that agreeing to their terms meant that you would be responsible for over 1,000 HOURS of community service. The “Community Service Clause” within the T&C only had one person, out of over 22,000 people, come forward stating that they read the “Community Service Clause,” and that person actually received a reward for doing so.
Will Purple hold over 22,000 people accountable for their agreed upon 1,000 hours of community service? Most likely not, but what Purple did do is make people aware of how important it is that not only you understand what you are agreeing to, but how your data may be used.
Let’s dive in a bit further.
By hitting “Agree” you are signing your electronic name to a site, and therefore signing over your agreement for them to use your data in ways they deem fit. This could be sharing your data with third parties (advertising and spam calls), using your data for research, retargeting your data (digital ads), or even selling your data (IP address, phone number, email, surfing behaviors). Not to mention, you could be like a group of college kids in 2016 who registered for a fake social media platform called NameDrop. These students unknowingly authorized NameDrop to obtain their first-born child, as well as authorizing NameDrop to forward all personal information to the National Security Agency.
Now, if you are anything like me, you are thinking to yourself “I still do not want to go over pages and PAGES of T&C. I don’t have the time, nor can I understand half the crap they are talking about.” Well, there’s a way that you can at least somewhat get through the endless jumbled words of the T&C.
When it pops up, just hit “Ctrl+F”, which kicks off the “find” feature, or just skim the document like the good ole days. Look for terms that include: Agree, Submit, Acknowledge, Permission, Accept, Authorize, Retain, Retention, and Third Party. These terms do not tackle all areas of the T&C, but it is at least a bit better than just clicking “Agree” and hoping you didn’t just give up your firstborn.
For another added measure, you can use a browser plugin that will scan a T&C and let you know its graded level of issue (A-F). ToS;DR or “Terms of Service; Did not Read” is a plugin that can assist with going through the T&C to detect what risks may be involved in clicking the “I Acknowledge” button. Is it foolproof? No, but it is just one more tool to help keep your data safe with YOU.
Understanding what data we are sharing not only benefits ourselves, but it can help those around us who are not as computer savvy and who trust what the web has to say. When a new T&C comes through, or an update, I make sure to get my parents on the phone so that they can be walked through exactly what they are signing up for. The last thing I would ever want to see is individuals who do not know about these “agreements” sign away their information to be used in any way deemed fit.
While surfing the web, make sure you have your life vest on and are watching for sharks!
By Liam Keegan - January 23, 2020
I’ve found my new favorite platform for branch infrastructure. I’m talking about the Cisco ENCS 5400 appliance, paired with Cisco’s NFVIS virtualization software.
Who should read this article? Financial, retail and other multi-location organizations that want to simplify and standardize their branch infrastructure while at the same time making it much easier to react to business curve-balls. If you’d like to discuss this possibility for your organization, let’s book a time.
There are two things here to explain:
With a traditional branch router (or SD-WAN gateway), you’re limited to just that box’s functionality. An ISR router is an ISR router. A PAN firewall is a PAN firewall. When your business requirements change, you’re rolling a truck. With ENCS+NFVIS, there are no more redeployments when you get a curveball.
I like the ENCS platform because it has everything you need for a branch and nothing more. I believe that 90% of organizations need a router/SD-WAN gateway, maybe a firewall, and maybe a local utility server.
Even with an SD-WAN, adding a 4G backup connection usually makes sense. With the ENCS platform, you can add a 4G NIM, without an external router.
If you’re running one-off NIM cards in your ISRs, this topology may require you to make some compromises. If you have FXO interfaces, move them to SIP, convert FXS ports to ATAs, etc. Everything in this business is about choice and compromise, so the need for flexibility might override changing supplementary service form factors.
With the ENCS, you get that, and more if your business demands ever change! At heart, ENCS is a virtualization platform. Need a router? Install Cisco ISRv. Want a firewall? No problem... vFTD. Have a Cisco SD-WAN? Deploy a Viptela image.
Think about this: you’re doing a significant upgrade. Instead of modifying production infrastructure, you set up your new router/firewall in parallel, then flip to it. Something goes wrong? Just change back. A/B testing for your network!
Here’s where this gets awesome… look at all the non-Cisco stuff you can deploy.
The NFVIS platform is designed to be zero-touch provisioned and has a full suite of APIs to manage the environment. If your team is configuring these boxes via console cable, you’re leaving a lot of efficiencies on the table. Let’s look at a real-world example using a bank.
Let’s look at a next-gen deployment for BankCo, who go all-in on the ENCS platform.
BankCo’s vendor (24/7 Networks, of course!) sends a spreadsheet with all the serial numbers of the ENCS units. Plug and Play (PnP) configuration templates are generated that configure each serial number to the chassis:
After the NFVIS software running on the ENCS is in a known-good state (verified by making API queries against the unit), we start the deployment process.
At this point, it doesn’t matter if BankCo deploys one or one thousand ENCS systems. In traditional deployments, the hard part is getting to the finish line. With an automated deployment, all the work goes into getting the first one out the door. After that, it’s just a matter of scale.
Lather. Rinse. Repeat.
When it comes time to look at branch refresh, take a peek at ENCS + NFVIS and see if it’s the right fit for your organization and the business needs. There are some drawbacks, and the cost may not be at par, but you may gain operational efficiencies that make it worth it as your organization changes and evolves.
If you’d like to discuss this as an option for your organization, book 30 minutes on my calendar. Let’s virtually whiteboard to see if it makes sense for you and your team. No pressure, no pitch.
And, seriously, that picture is untouched. Seriously. I mean it. Seriously.
By Crystal Johnston - January 2, 2020
Nothing beats free, or in this case: freemium. I’ve put together a list of a few free SaaS services that will make your lives easier, and don’t have huge hurdles to implement.
All of my recommendations have enhanced paid-for plans, but what good is spending money on stuff if you’re not getting even the most basic value first? Start small, realize success quickly, then build upon that.
Without further interruption…
Cisco’s Duo Security offers 10 free 2FA users, and UNLIMITED protected devices. How many IT departments are more than ten people? For the low, low cost of FREE, you should make it your New Year’s resolution to enable 2FA on EVERY. SINGLE. SERVICE. that is accessible via the Internet or has a privileged login.
Duo is brain-dead simple. To protect a Windows machine, double-click on an MSI file. To protect a Linux box, load the Duo PAM module. Have a Cisco/Palo Alto/Checkpoint VPN, or any infrastructure that uses RADIUS for authentication? Install the Duo authentication proxy and those devices are 2FA secured. Protection in a matter of minutes.
I can’t stress this enough — there is NO REASON that EVERY organization shouldn’t have two-factor authentication protecting everything that has a privileged administrative login or external network access.
On a final note, if you’re an Office 365 customer with an assigned license, did you know that you get Microsoft’s Authenticator two-factor application at no charge? If you don’t do anything else…
I have two freemium platforms for you. The first is one of my longtime favorites: Uptime Robot. Uptime Robot lets you monitor up to 50 devices with a 5-minute polling interval from multiple Internet points for free.
If it’s Internet-reachable, Uptime Robot can monitor it. Websites, SD-WAN devices, SaaS services, and services running on custom ports. Get a notification if your stuff that you depend on is down before your users let you know.
If you’re running a Meraki firewall, you’ll automatically get a dynamic DNS hostname for each ISP on your SD-WAN firewall. Put each hostname into Uptime Robot so if an ISP drops you know about it without having to rely on managing a spreadsheet of static IP addresses. In your dashboard, you’re looking for something like this:
Finally, my other recommendation for a free tool is BGPmon. BGP is the protocol that makes up the backbone of the Internet, by ensuring that networks are routed properly to their intended destination. Sometimes this delicate trust breaks, and you’re left wondering why you can’t get to where you need to go.
Create a free BGPmon account, and add up to five IP address prefixes to it. If Uptime Robot says that all of your stuff is offline, you can cross-reference it against what BGPmon reports, ensuring that a larger backbone outage isn’t the culprit.
This one is a bit more off the map, but I’m a big fan of JumpCloud. Odds are, your organization has a Microsoft Active Directory and all of the “things” that go along with that (upgrades, patching, servers, licensing, etc).
JumpCloud provides that directory service completely in the cloud. Their free plan allows 10 users and 10 machines. You can do practically everything that you can do with Active Directory, but you’re not managing any of the back-end infrastructure.
With their free plan, you get:
While I don’t use this for my office, I do use it for my home. I get the same enterprise-grade security for my Wi-Fi and computers that I would get from an enterprise-grade corporate network, and it’s really easy to lock my kids out of the network when they’re not doing their homework!
Seriously, think about how many SMB companies could get an enterprise security and management stack for their 10 or less people for the low, low cost of FREE. For small companies, this should be a no-brainer.
Phishing emails and websites are out there. It’s just a matter of time before you (or someone like you) accidentally clicks on a link and gives up your password. For a fighting chance against them, use a DNS provider that filters results.
DNS is what turns easy-to-remember hostnames (like medium.com) into IP addresses (like 188.8.131.52). A filtering DNS provider blocks bad domains (like mysupersecretmalwaredomain.com) from resolving to the infected IP address.
To get basic protection, you simply need to enable your clients to use the provider’s DNS.
Cisco Umbrella offers two sets of DNS servers usable at no charge:
Comodo Secure DNS is an alternative:
Ensure your guest Wifi has some sort of filtered DNS servers configured, to keep guests from looking at content that wouldn’t be appropriate in the workplace. It’s not going to stop a determined user, but it’s better than nothing.
That’s it, folks. May you have a secure, reliable and protected 2020!
Cisco published a Field Notice this week (here’s the link to the original document, CCO login required) that details how devices won’t form IPSEC connections because of the self-signed certificates expiring on January 1, 2020. It’s an issue in IOS and IOS-XE software, not for any other product lines.
We’ve been getting a lot more questions about this than usual, but the impact in our customer base has been minor, so here’s a quick recap of what’s at risk.
With all of these examples, if you’ve replaced the cert with a “real” (meaning issued by a Trusted CA) certificate, the defect doesn’t apply.
Unless you’re running X.509 based authentication (using certificates), you’re not at risk. Username and password SSH authentication is and will continue to work when you try to access the box for management access.
If you are running ‘ip http secure-server’ with a self-signed certificate, your web browser will show that your certificate is expired and untrusted. However, odds are that it says that anyways, since your browser doesn’t trust self-signed certs. If you are using RESTCONF to manage your devices and you’re doing strict certificate checking, that’ll break.
If you’re running SECURE voice (SRTP) this is an issue. This affects CME/SRST, dspfarm, SCCP and MGCP services, as well as API Gateway in HTTPS mode. This only will affect traffic going to an IOS or IOS XE gateway that’s encrypted.
If you’re terminating tunnels on an IOS or IOS XE router and you are running “authentication local rsa-sig” in your ISAKMP profile with a self-signed certificate, the tunnel will break on 1/1/2020. If you have auth pre-share or auth rsa-encr in your config, you’re fine.
There’s a bug with old WAPs made before 2005 where the manufacturer certificate has an expiration date. Make sure you’re running a newer version of the code train you’re on and you should be good. Check the WAP compatibility matrix prior to upgrading. Here’s the link to that particular notice.
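Before applying a workaround, it helps to know which trustpoints on a device actually carry an expired self-signed certificate. The script below is an added example, not code from this post or the Field Notice: it parses a constructed sample of `show crypto pki certificates` output (the layout approximates IOS and may differ by release) and lists the trustpoints backed by a self-signed certificate that has already expired at a given UTC time.

```python
import re
from datetime import datetime, timezone

# Constructed "show crypto pki certificates" sample (IOS-like layout, made-up values).
SAMPLE_SHOW_OUTPUT = """\
Router Self-Signed Certificate
  Issuer:
    cn=IOS-Self-Signed-Certificate-1234567890
  Subject:
    cn=IOS-Self-Signed-Certificate-1234567890
  Validity Date:
    end   date: 00:00:00 UTC Jan 1 2020
  Associated Trustpoints: TP-self-signed-1234567890

Certificate
  Issuer:
    cn=BankCo Issuing CA
  Subject:
    cn=branch-rtr-01.bankco.example
  Validity Date:
    end   date: 12:00:00 UTC Mar 3 2021
  Associated Trustpoints: BANKCO-CA
"""
END_DATE_RE = re.compile(
    r"end\s+date:\s+(\d\d:\d\d:\d\d)\s+\w+\s+([A-Za-z]{3})\s+(\d{1,2})\s+(\d{4})")
TP_RE = re.compile(r"Associated Trustpoints:\s*(\S+)")
CN_RE = re.compile(r"^\s+cn=(.+)$", re.M)

def parse_certificates(show_output):
    """One record per certificate block; each block starts at a non-indented line."""
    certs = []
    for block in re.split(r"\n(?=\S)", show_output.strip()):
        title = block.splitlines()[0].strip()
        m = END_DATE_RE.search(block)
        if not m:
            continue  # no validity period shown (e.g. a trustpoint still enrolling)
        hms, mon, day, year = m.groups()
        end = datetime.strptime(f"{hms} {mon} {day} {year}", "%H:%M:%S %b %d %Y")
        cns = CN_RE.findall(block)  # issuer cn is printed before the subject cn
        self_signed = "Self-Signed" in title or (len(cns) >= 2 and cns[0] == cns[1])
        tp = TP_RE.search(block)
        certs.append({"trustpoint": tp.group(1) if tp else None, "self_signed": self_signed,
                      "end": end.replace(tzinfo=timezone.utc)})  # IOS prints validity in UTC
    return certs

def at_risk_trustpoints(show_output, now_utc):
    """Trustpoints whose self-signed certificate is already expired at now_utc (ISO 8601, UTC)."""
    now = datetime.fromisoformat(now_utc).replace(tzinfo=timezone.utc)
    return [c["trustpoint"] for c in parse_certificates(show_output)
            if c["self_signed"] and c["end"] <= now]
```

Feed it the real show output captured from each router and any trustpoint it returns is a candidate for the workaround below, while certificates issued by a trusted CA are left alone.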
If you’re vulnerable, the simplest way to work around this issue (besides a software upgrade) is to generate a new certificate with OpenSSL, then import the certificate to the device. It’s documented in the Field Notice as Workaround 3.
bash# openssl req -newkey rsa:2048 -nodes -keyout tmp.key -x509 -days 4000 \
        -out tmp.cer -subj "/CN=SelfSignedCert" &> /dev/null \
      && openssl pkcs12 -export -in tmp.cer -inkey tmp.key -out tmp.bin -passout pass:Cisco123 \
      && openssl pkcs12 -export -out certificate.pfx -password pass:Cisco123 -inkey tmp.key -in tmp.cer \
      && rm tmp.bin tmp.key tmp.cer \
      && openssl base64 -in certificate.pfx
Then, import it to the affected box and make sure the affected service (the ISAKMP profile, the HTTPS server, etc.) references the new trustpoint (in this case, one named TEST):
Router# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# crypto pki trustpoint TEST
Router(ca-trustpoint)# enrollment terminal
Router(ca-trustpoint)# revocation-check none
Router(ca-trustpoint)# exit
Router(config)# crypto pki import TEST pkcs12 terminal password Cisco123
When prompted, paste the base64 output from the OpenSSL command above and end with the word quit on a line by itself.
If you have any questions, please let me know!