Friday, 22 August 2008

How to Secure Your Small Business with a PIX Firewall

One of the more popular firewall products for the small business market is the Cisco PIX 501. Out of the box it requires just a few configuration entries and you are up and running.

In this guide, we will walk through the steps for configuring your brand new PIX at the network edge.

This guide is written for the user who has no knowledge of the PIX firewall. As such, it is not a treatise on network security, but a quick, by-the-numbers guide to configuring a PIX firewall with as little jargon as possible.

We are assuming that you have an internet connection with at least one static IP address. While the PIX can easily handle a dynamic IP address (that is the default configuration), you won't be able to easily configure remote access, VPNs, Mail, or web servers without a static IP address.

Your PIX should have come with an AC adapter, a yellow CAT 5 cable, an orange CAT5 cable and a flat, (typically) baby blue cable with a 9-pin serial connector on one end and an RJ-45 plug on the other.

The yellow CAT5 cable is a standard Ethernet cable and is used to connect your PC or server to the 4-port Ethernet switch built into the PIX. The orange CAT5 cable is a cross-over cable and may be required to connect the outside interface of the PIX to your ISP's router (if your PCs or workstations are plugged into a Cisco switch inside the network, you will also require a cross-over cable for connecting that switch to one of the switch ports on the PIX).

What we are going to use for our configuration is the baby blue rollover cable. Insert the serial jack into one of the serial ports on the back of the PC or laptop you will be using to configure the PIX. Then, insert the RJ-45 plug into the port on the back of the PIX labeled "console."

Windows has a built-in application that is used for (among other things) configuring serial devices. Using the start menu, go to Start > Programs > Accessories > Communications > HyperTerminal.

Choose the HyperTerminal application. You may get a dialog box asking if you'd like to make HyperTerminal your default telnet application. Unless you have a preference, go ahead and choose yes.

Then you will be asked for the area code from which you are dialing. Although it isn't applicable here, the program still wants to know, so fill it in and click 'Next' or 'OK'.

You can call the connection anything you'd like; in this example we'll use PIX. Click 'ok' to move on.

Next, we'll be asked to enter the details for the phone number we'd like to dial. Since we aren't dialing a phone number, use the drop-down selector at the bottom of the box to choose COM1 or COM2 (whichever is applicable). If you have no idea which one is which, you may need to try it both ways.

Now, you will be expected to tell the application some specifics about the port settings so that it can effectively communicate with the PIX.

Luckily, it isn't too complex; just remember 9600, 8, none, and 1 (9600 bits per second, 8 data bits, no parity, 1 stop bit). Enter these settings into the drop-down selectors of the box on your screen.

Now we are ready to set up the PIX. Insert the power cable and you will be greeted with the startup monologue (it's not a dialog in this case; it's just informing you of what is occurring).

Then, you will be greeted with a screen that asks if you'd like to program the PIX using interactive prompts. For the purpose of this exercise, type no and press Enter.

You will now get a prompt that looks like this: 
pixfirewall> 
Type the word 'enable' (no quotes). When prompted for the password, just press Enter, as the default is no password.

The prompt has changed to a hash mark: 
pixfirewall# 
Type the phrase 'configure terminal' (no quotes); you are telling the PIX that you want to enter global configuration mode and that you will be doing your configuration via the terminal window.

Your prompt will now look like this: 
pixfirewall(config)#

The first thing we want to do is give your PIX a host name. The PIX command syntax is: 
command variable-name 
(the command keyword, followed by the value you want to assign to it).

Thus, to set the hostname we will enter: 
pixfirewall(config)# hostname mypix

Now, the domain name. It's alright if you don't have a domain set up on your network; you can call it whatever you like. However, give some thought to whether a domain might be a possibility at some point and plan your naming scheme appropriately. 
pixfirewall(config)# domain-name mydomain.com

As you can see from the configuration above, the ethernet0 interface is the outside interface, with a security level of 0, while ethernet1 is the inside interface with a security level of 100. Additionally, you can see that the interfaces are shut down. All we need to do to bring them up is enter the speed at which they should operate. As they are Ethernet interfaces, any software version after 6.3(3) will take 100full; prior to that, use 10full.

pixfirewall(config)# interface ethernet0 100full 
pixfirewall(config)# interface ethernet1 100full

Now to assign an address to the inside and outside interfaces. The ip address command sets the IP address of an interface. The syntax is as follows: 
ip address interface-name ip-address netmask

An example for the outside interface might be as follows: 
pixfirewall(config)# ip address outside 12.25.241.2 255.255.255.252 
(This IP address/netmask combination should not be used; it is shown here for example only. Use the IP address and mask given to you by your ISP.)

Then the inside IP address: 
pixfirewall(config)# ip address inside 192.168.0.1 255.255.255.0

A brief word about IP addressing is in order here.

One way that is used to conserve public IP addresses is through the use of non-routable IP addressing blocks specified in RFC 1597. You may sometimes hear them referred to as "private" IP addresses, which is fine, but not quite technically accurate. There are three different blocks to choose from: 
10.0.0.0 - 10.255.255.255 with a netmask of 255.0.0.0 
172.16.0.0 - 172.31.255.255 with a netmask of 255.255.0.0 
192.168.0.0 - 192.168.255.255 with a netmask of 255.255.255.0

As long as your internal network's IP addresses are all within one of those blocks of address space, you will not need to introduce the complexity of routing within your LAN. An example scheme for those who are not familiar is shown below: 
PIX - 192.168.0.1 netmask 255.255.255.0 
File/DHCP server - 192.168.0.2 netmask 255.255.255.0 
Workstations - 192.168.0.10 - 192.168.0.254 netmask (each) 255.255.255.0 
* I intentionally skipped over the 192.168.0.3-9 addresses to plan for future expansion and the possible need for additional servers; you don't have to do this. 
* Configure your DHCP server to hand out addresses in the specified block, using your ISP-provided DNS servers for name resolution. Make sure to change this should you ever decide to install a name server within your own network. 
* If you don't want to set up a DHCP server, just configure each PC with the IP address, default gateway, netmask and DNS servers.

It is very important now to add a default route to the PIX configuration. Another term for default route is the "default gateway." You need to tell the PIX that if it receives traffic destined for a network that isn't directly connected, it should send it to the connected ISP router. Your ISP should have given you the IP address of your default gateway when you received your setup information.

Here is the syntax: 
route interface-name network-address netmask next-hop [metric] 
The English translation is: "if packets leaving interface-name are destined for the network specified by network-address, as bounded by netmask, then route them via the next hop at next-hop." The optional metric argument is used to give an indication of distance.

For example: 
pixfirewall(config)# route outside 0 0 <ISP-gateway-IP> 1 
(If packets are destined outside the network to any IP address with any netmask, send them through the ISP's default gateway, which is one hop away, meaning it is the device to which the PIX is connected on the outside interface. Replace the <ISP-gateway-IP> placeholder with the gateway address your ISP gave you.)

To password-protect your PIX in order to prevent unauthorized access, use something that is secure and hard to guess. Stay away from the names of spouses, children, pets, birthdays or other easily guessed values. Whenever possible, use a combination of letters and numbers. The syntax is as follows (but please don't use cisco as your actual password): 
pixfirewall(config)# passwd cisco 
(Note the abbreviated spelling of the word password.) This sets the password for basic access (remember the pixfirewall> prompt?). 
pixfirewall(config)# enable password cisco 
This sets the password for administrative (enable) access.

Now that your PIX has been given a basic configuration, you should be able to access the internet, while preventing unauthorized access to your resources.
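Before typing the commands above into the console, it helps to sanity-check the addressing plan and render the whole command set in one place. The script below is an added example, not part of the original article and not Cisco tooling: it takes a small plan (hostname, domain, interface addresses, ISP gateway, passwords), checks it the way a reviewer would (inside network within a single RFC 1918 block, public outside address, gateway on the outside subnet, no overlap, passwords that are not the vendor default), and then prints the configuration in the order the guide enters it. All addresses and passwords in the plan are constructed placeholders (the 12.25.241.0/30 block is the guide's own illustrative example, not a real allocation); the default route is rendered in the long 0.0.0.0 0.0.0.0 form, which is equivalent to the guide's "0 0" shorthand.

```python
"""Plan and sanity-check a small-office PIX edge configuration (added example)."""
import ipaddress

# The three non-routable blocks the guide lists (RFC 1597, now RFC 1918).
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed plan. 12.25.241.0/30 is the guide's example block, not a real allocation;
# the ISP gateway is assumed to be the other usable host on that /30.
PLAN = {
    "hostname": "mypix",
    "domain": "mydomain.com",
    "outside_ip": "12.25.241.2",
    "outside_mask": "255.255.255.252",
    "isp_gateway": "12.25.241.1",
    "inside_ip": "192.168.0.1",
    "inside_mask": "255.255.255.0",
    "speed": "100full",
    "passwd": "k3yb0ard-Cat",           # constructed; replace with your own
    "enable_password": "Zz9-lettuce-42",  # constructed; replace with your own
}


def check_plan(plan):
    """Return a list of problems found; an empty list means the plan is sane."""
    problems = []
    outside = ipaddress.ip_interface(f"{plan['outside_ip']}/{plan['outside_mask']}")
    inside = ipaddress.ip_interface(f"{plan['inside_ip']}/{plan['inside_mask']}")
    gateway = ipaddress.ip_address(plan["isp_gateway"])

    # The guide assumes a static public address on the outside interface.
    if any(outside.ip in blk for blk in PRIVATE_BLOCKS):
        problems.append("outside address is in a private block; use the ISP-assigned public address")
    # Keeping the LAN inside one private block avoids routing within the LAN.
    if not any(inside.network.subnet_of(blk) for blk in PRIVATE_BLOCKS):
        problems.append("inside network is not within a single RFC 1918 block")
    # Interface addresses must be host addresses, not the network or broadcast address.
    for name, iface in (("outside", outside), ("inside", inside)):
        if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
            problems.append(f"{name} address is the network or broadcast address of its subnet")
    # The default route's next hop must be another host directly on the outside subnet.
    if gateway not in outside.network or gateway == outside.ip:
        problems.append("ISP gateway is not another host on the outside subnet")
    # Inside and outside subnets must not overlap, or the PIX cannot route between them.
    if outside.network.overlaps(inside.network):
        problems.append("inside and outside subnets overlap")
    # Password hygiene per the guide: never the vendor default, mix letters and digits.
    for key in ("passwd", "enable_password"):
        pw = plan[key]
        has_mix = any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)
        if pw.lower() == "cisco" or len(pw) < 8 or not has_mix:
            problems.append(f"{key} is weak: avoid 'cisco', use 8+ chars mixing letters and digits")
    return problems


def render_config(plan):
    """Render the commands in the order the guide enters them at the (config)# prompt."""
    return [
        f"hostname {plan['hostname']}",
        f"domain-name {plan['domain']}",
        f"interface ethernet0 {plan['speed']}",
        f"interface ethernet1 {plan['speed']}",
        f"ip address outside {plan['outside_ip']} {plan['outside_mask']}",
        f"ip address inside {plan['inside_ip']} {plan['inside_mask']}",
        f"route outside 0.0.0.0 0.0.0.0 {plan['isp_gateway']} 1",
        f"passwd {plan['passwd']}",
        f"enable password {plan['enable_password']}",
    ]


if __name__ == "__main__":
    issues = check_plan(PLAN)
    if issues:
        print("Fix these before configuring the PIX:")
        for issue in issues:
            print(" -", issue)
    else:
        print("\n".join(render_config(PLAN)))
```

Run it as-is and it prints the nine commands; change the gateway to an address outside the /30 or set a password to "cisco" and it refuses to render, which is the point: a wrong next hop or a default password is far cheaper to catch on paper than after the box is already on the Internet.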

Ron Jones is the Founder and President of The Fulcrum Technology Group, Inc. (http://www.fulcrumtechnologygroup.com). Located just north of Atlanta, this consulting firm specializes in business technology solutions that will enable you to maintain a competitive advantage by increasing productivity, improving reliability and reducing expenses.

Wednesday, 30 April 2008

Technology Transforming Future Generations

Nature Valley launched an ad campaign in early July that showed a huge difference between the generations alive today.

They asked 3 generations the same question: "When you were little, what did you do for fun?"

From the grandparents and parents you heard answers like berry-picking, growing watermelons, playing baseball, and building forts.

The children's responses to the same question included video games, texting, sending email, and watching videos. Nature Valley didn't stop there, though. They spread the gap even wider when asking the kids how long each day they spent on their electronics. They responded with at least 3 to 5 hours every day, and one little girl aged around 6 said she would "die" without her tablet. Their tagline followed: "Nature has always been a part of childhood."

What changed from one generation to the next?

There are currently 6 living generations today:

The Greatest Generation (1901-1926)
Silents (1927-1945)
Baby Boomers (1946-1964)
Generation X (1965-1980)
Generation Y/Millennial (1981-2000)
Generation Z/Boomlets (after 2001)
Technology was introduced during Generation X, and Generations Y and Z grew up not remembering a time without certain technologies. The technological revolution that brought along the first Mac computers, then cell phones, then smartphones happened all within the short span of 42 years. Yet, already it seems that technology is changing the habits and lifestyle of future generations. It is a scary thought that for so many years prior to this revolution, generations grew up in nature and passed this tradition down, yet in less than the lifespan of the average human being, this healthy and natural way of being has virtually gone out the window (quite literally).

The Greatest Generation, Silents, Baby Boomers, and Generation X are the only generations alive today who remember a world without computers and cell phones. They are the ones who spent a majority of their childhood outdoors and did not have all the conveniences of life as we have them today (some of The Greatest Generation grew up without electricity, refrigerators, or air conditioning). In the 1950s the obesity rate in America was at 9%, but about 50 years later, after the technological revolution, this rate tripled to 33%, and in 2006 not a single state reported obesity rates below 10%. An estimated 1 in 3 children are overweight in America today. Is it just a coincidence that as soon as generations started becoming addicted to technology, obesity rates skyrocketed? While there are more factors to obesity than exercise (diet is also a huge factor), it seems as though children who spend up to 5 hours a day playing video games or texting on their cell phones are not prioritizing time outside of the house. Today, the typical child spends an average of 30 minutes outside per day.

Being outdoors has been proven to be beneficial for children's bodies, minds, and spirits. Along with exercise building strong bodies, being outside in the sunlight provides essential vitamin D, which helps protect against future health issues such as heart disease, bone problems, diabetes, and more. It can also be said that being outside can improve distance vision and help prevent nearsightedness (which is also a common issue today). Some studies have found that being in a natural setting can extensively improve symptoms of ADHD, while an outdoor-style education can increase test scores and critical thinking skills. Another study shows that children's stress levels decrease immediately when they see nature, and playtime outside reduces the anxiety that comes from the fast-paced, 24/7 world that technology provides.

Not only does technology steal most of the time children spend outside in nature, but there are a number of studies today that show other negative implications of continuously using electronic devices.

Addiction to some forms of technology is a real medical condition. One boy, around 6 years old, answered that sometimes he forgets that he has a family--parents, a sister, a dog--because he is so immersed in the virtual life of his video game. Nomophobia--the fear of being separated from your cell phone--is also a real term that describes what many people feel every day. Addiction to technology, just as addiction to anything, is considered a psychological disorder that is treatable. Addiction to video games, for example, is being treated as an "impulse control disorder" along the same lines as compulsive gambling. Along with the side effects of any addiction such as depression or anxiety, addiction to technology also hinders social development.

Even more alarming studies today have claimed that certain technologies, such as cell phones, can physically cause harm to the body over time. Cell phones, while switched on, emit invisible electromagnetic radiation that is absorbed by the body. There has been much debate over a vast array of health effects of mobile radiation over the years including cancer, infertility, autism, learning disabilities, depression, hormonal imbalance, and more.

Currently in the US, the Federal Communications Commission (FCC) has set a regulation for the specific absorption rate (SAR) of mobile radiation allowed in order to sell a cell phone in the marketplace. Today, phone companies are testing their SARs with a dummy designed after a 220 lb (100 kg), 6'2" (1.88 m) adult man. Clearly, this model doesn't work well for children who may be a quarter of that size or less. In fact, according to Om Gandhi, a professor at the University of Utah, children absorb 10 times the amount of radiation that adults absorb. Even if the health effects associated with cell phone radiation haven't been proven yet, it can't be good to have your child constantly absorbing high amounts of electromagnetic radiation that is speculated to have these effects.

None of this is to say that you should unplug yourself or your children from technology entirely--some of it acts as a necessity in our society today. Without a computer and cell phone, almost all businesses would not be able to function. The important thing to take away from this information is to be cautious and healthy about the way you approach technology. Limiting time spent on electronic devices, making time to spend with your family outdoors, and remembering that we are just human beings, not robots controlled by technology, are important in leading a healthy lifestyle for you today and for future generations to come.

For more articles and info on the issues of infertility and mobile radiation, check out the WaveWall blog. Protect your manhood today with a WaveWall anti-radiation phone case.

Tuesday, 29 April 2008

Apple Watch - First Impression

Apple Watch has been around for a few months. Well, in some countries at least. It arrived here, in Thailand, in mid-July and I made sure I got it on the first day it became available. So, after calling all the people I know who have anything to do with Apple, I got it reserved. Into a car right after work, 2 hours in traffic, another 30 minutes to find a parking spot and another 20 to find the shop and... I was finally able to put my hand on the watch. Or rather, to put Apple Watch on my hand.

The first thing you want to do is to link it to your iPhone and start playing with it but... you need to be patient. It takes a good few minutes to boot. It seems like forever as you want to play with your new Apple Watch right away. After all, this is very different from any other Apple product.

So, 5 minutes passed and I was at last able to play with my new toy. The first thing I wanted to do was to check the watch faces. I expected 20 or 30 faces and was given a choice of just 10! Just 10 faces is not enough and, to be honest, they are not that exciting. The Modular face is what I went for, as you are able to add 5 complications to it. So I added the things I use most often, namely weather, calendar, date, activities and battery status.

Next, let's have a look at the apps. There are some apps preloaded, and more and more apps have an Apple Watch version now. You can upload apps to your watch via the iPhone. The process is smooth and very fast. The menu of the apps might be a bit confusing in the beginning. All those little circles moving around might be somewhat overwhelming at first, but you will get used to it. And soon you will realize that it is probably the best possible layout. A long list of apps would most likely not work well. Also, you can change the layout of the apps on your iPhone. You should place the apps you will be using most often closer to the center for easier access.

On your hand, Apple Watch feels good: it is light, and the touchscreen works very well. Overall, the user experience is great. If only we had more faces and apps that run natively on the watch, it would have been perfect. Yes, right now the apps run on the iPhone and are mirrored on your Apple Watch. Because of this, they are sometimes slow to load. However, it should all change with watchOS 2.0, where the faces will be opened up to developers and apps will run natively on the Apple Watch.

I am sure that once you spend some time with your Apple Watch you will find it easy to use and, what is even more important, you will find it very useful. But how you can use your Apple Watch is something that I will cover in my next article.