NIKTEK RSS Feed (Whitepapers,News,Case Studies,Product Reviews)

Leveraging Unified Communications

John Nikolatos — 2007-01-07T05:00:00+00:00

Optimizing Customer Support: Increasing productivity and remote access to critical information

John Nikolatos

John Nikolatos is the CEO and a chief technical engineer at NIKTEK LLC. His research has focused on computers, computer system design, security and network optimization. Mr. Nikolatos has been providing advanced IT solution for corporations over the past 15 years. He has appeared on television, hosted seminars, and his designs and solutions have been published in trade articles. He has a Bachelors of Science in Management Information Systems from Clarkson University, and various industry certifications. The certifications include Microsoft Systems Engineer, HP Accredited Systems Engineer, Citrix Certified Enterprise Engineer, Cisco CCNA, Cisco Wireless LAN Systems Engineer, and Neverfail Certified Implementation Engineer.

INTRODUCTION

A Connecticut service company, offering service and support for their IT products, had reached a growing point. Their accelerated success directly related to decreasing response times to their current clients and a loss of productivity from their transient employees. In order to compete with larger company’s, serve their current customer base and allow themselves to grow, this customer needed to design and develop a system that would solve this problem. They consulted with NIKTEK LLC for a solution. Using Cisco telephony, Unified Messaging, Microsoft Exchange and Windows 5.0 Mobile, NIKTEK developed a solution that effectively solved the issue at hand, increased productivity and allowed the client to be more competitive in the industry.

802 dot Demystified

David Conroy — 2007-01-07T05:00:00+00:00

It all started with the IEEE. IEEE stands for the Institute of Electrical and Electronic Engineers. The IEEE, formed by a merger of engineering groups in the 1960's, set out in February of 1980 to establish a standard for LAN communications. This standards effort, coined "The 802 Project" (80 for 1980 - 2 for the second month) was originally going to be a single standard, with speeds from 1 to 20MHz.

The majority of number designations after the period refers to areas of the specification only engineers need to be concerned with. The following are some of the sections that you might hear consultants and techies mention and should know more about:

802.1 - contains the introduction to the standard and contains information regarding network management.
802.3 - The basis of Ethernet - establishes communications methods for CSMA/CD
802.3u - A subcategory of 802.3 - refers to standards for 100BaseT or Fast Ethernet
802.3ab - Similar to above, standards for Gigabit Ethernet
802.3ae - 10Gb Ethernet
802.11 - The initial wireless standard, capable of 1 to 2 Mbps, and used a 2.4GHz frequency
802.11b - A subcategory of 802.11 - a standard developed that support 11Mb transmission in the 2.4GHz band
802.11g - Yet another wireless subcategory - provides 20Mbps bandwidth at 2.4GHz
802.11a - Wireless subcategory with speeds up to 54Mbps and operates at 5GHz

As you can see, the alphabetical order does not match up in order with speed, nor were they adopted in the market in that order. What the letter designations pertain to is the group responsible for development of a particular area of the standard. If you'd like to read more in-depth about the 802 project and standards, check out the following articles:

http://www.ictglobal.com/ICT009/ieee_802_standards.html - The history of the IEEE and 802 standards
http://www.smallbusinesscomputing.com/buyersguide/article.php/1440011 - Confused by all of the 802.11 letter designations? Here's an overview to help you understand what each one means and how they impact your WLAN deployments.
http://standards.ieee.org/index.html - home page for IEEE standards. Includes links to standards, FAQs, and other information.

A Firewall by any other Name

David Conroy — 2007-01-07T05:00:00+00:00

You called the phone company, ordered up a DSL connection to the internet, and your Internet Service Provider (ISP) tells you they provide a Router and Firewall. But just what is it they are providing? What is the Manufacturer/Model? Does it support VPN connections? Is it secure? Who keeps it patched w/firmware updates?

Your first inquiry into the world of DSL/Cable Modems/T-1 or whatever internet connection you subscribe to (yes, even dial-up) should be in regards to security. To make your life little easier, I will outline some basic facts and correlate them to everyday items so that you can understand what the ISP is talking about.

Router

A router is a piece of hardware which will connect you to the ISP network. Typically a router simply acts as a conduit for communications to pass from your computer or network to the outside world. You can liken a router to a highway on-ramp/off-ramp. It provides a clear path for you to send data to or receive data from the “information superhighway” as it used to be called. It simply routes internet traffic to your PC or network based on your internet address (IP Address). It typically does not look at the traffic to limit what comes in or goes out.

A router can be configured with Access Control Lists (ACL) which determine whether or not to allow traffic based on type (i.e.-www, e-mail, etc) or source/destination IP address. While this is a good start, it does not actually look at traffic content to determine whether the traffic is legitimate.

NAT

NAT stands for Network Address Translation. Basically, what this means is that your computer’s identity is masked by another IP address. You can imagine NAT as sending your child to the market for bread. The grocer simply sees your child, and doesn’t know who the bread is actually for. While ISP’s will often advertise NAT as a firewall, it is far from it. NAT, like a router, does not look at the traffic content to make sure it is safe. You could very well wind up with moldy bread, since your child is not educated to open the bag, inspect the bread, check its expiration date, and make sure you’re getting what you paid for. It’s simply making use of a go-between to retrieve and deliver what you want.

Firewall

A firewall is a program or piece of hardware which protects your network or computer from other users or networks. It not only will check where traffic comes from, where it is going, and what type it is, but it will make sure that the traffic is properly formatted, and that it was in response to an actual request made by yourself. You can think of the firewall as the security system on your house. It is comprised of various components, such as door locks, keypads, sensors, and cameras, all working together to not only control access, but keep an eye out for suspicious behavior and intruders. A firewall likewise will lock out bad traffic types, allow secure methods for access (through VPN, for example), authenticate users, monitor for suspicious activity and keep a log of everything that happens so that you can trace the source of activity and make you aware of your network’s status.

But remember – security is not a solution, it’s a process. Buying a piece of hardware is a good first step, but it must be accompanied by maintenance, patching of client pc’s, proper security settings on servers, and usage of best-practice principles in regards to passwords and user account settings. If you don’t have time, or don’t understand what’s going on, find a qualified professional to support your needs. Ignorance is what hackers and script kiddies feed on to survive.

NeverFail - True High Availibilty

David Conroy — 2007-01-07T05:00:00+00:00

{flashembed}swf=images/nfptrev5.6.4.swf|w=560|h=240|v=7|p=0|wm=t|t=Neverfail DEMO{/flashembed}

High availability is not just about data but also about the ability to continue with business regardless of the type of failure. For today's organizations, high availability is essential, especially in industries with strict compliance and regulatory requirements such as financial services, legal and government.

Typical clustering systems support high availability but at a price well beyond the budgetary goals of today's businesses. Simple replication systems lack full-recovery capabilities and require user intervention to restart applications, often taking 15, 20, 30 minutes or more to resume operations. That can mean a significant loss of revenue, productivity and reputation.

Your Comprehensive High Availability Solution

Neverfail provides an end-to-end high availability solution for companies of all sizes that will fit your business requirements and IT budget.

Award-winning Neverfail products support every major Windows®-based application, including Microsoft® Exchange, SharePoint®, SQL Server, File Server, and IIS, as well as RIM BlackBerry®, IBM® Lotus® Domino® and Oracle® Database. An added layer of powerful functionality is offered through our Low Bandwidth Module — a data compression tool, Data Rollback Module and Application Module eXtension products.

In addition, Neverfail provides two unique components as part of every Neverfail solution:

Neverfail Heartbeat technology that enables the replication of data from the active to the passive server — over a LAN or WAN and protects against a wide range of potential failures; ensuring true high availability.
Neverfail SCOPE Professional uses advanced, automated tools to gather and analyze information about key application components, services and performance attributes. This ensures the pre-installation health of your server environment, as well as the on-going reliability of your servers.
Easy-to-use Neverfail products are also ideal for IT projects requiring planned downtime such as migrations, upgrades, maintenance, and server consolidation (virtualization).

The Solution You Need

In today's business world, high availability is more than mission-critical — it's critical to the very life of an organization. With Neverfail, you'll have the true high availability solution you need for your IT environment.

Cisco PIX Firewall and VPN example

John Nikolatos — 2007-01-10T01:31:19+00:00

Here is a general example trying to explain how to set up a PIX firewall for site to site VPN and block all inbound traffic except for MAIL and WEB traffic to a specific host.

The inside IP addresses are in the range 172.16.254.X

The outside IP addresses are in the range of 161.53.124.X

The Remote network trying to site-to-site VPN into the primary location is 192.168.20.X

Add an access-list so you do not NAT VPN pool ip addresses or remote network (192.168.20.x) ip addresses
access-list 100 permit ip 172.16.254.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list 100 permit ip 172.16.254.0 255.255.255.0 192.168.15.0 255.255.255.0

add access-list for interesting site to site VPN traffic to bring up tunnel and route packets to remote network.
access-list 110 permit ip 172.16.254.0 255.255.255.0 192.168.20.0 255.255.255.0

Add access-list for email and web -inbound
access-list OUTSIDE-EMAIL permit tcp any host 161.53.124.14 eq 25
access-list OUTSIDE-EMAIL permit tcp any host 161.53.124.14 eq 80

ip address inside 172.16.254.1 255.255.0.0

Set an outside IP address for the mail and web server at 172.16.254.6
static (inside,outside) 161.53.124.14 172.16.254.6 netmask 255.255.255.255 0 0

Allow email and web traffic in-bound by calling access-list
access-group OUTSIDE-EMAIL in interface outside

Call the access list 100 so you do not NAT traffic to other networks, use Interface0 IP address for all outside communications.
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

You need to define a IPPOOL for client software VPN's to get an IP address:
ip local pool VPN-IP-Pool 192.168.15.1-192.168.15.30

Here is config for OPEN Site to SIte VPN : "DES" encryption - call access-list to define interestign traffic (must be different access-list than others!!!) 0.0.0.0 address below allows any IP address with the correct password to terminate VPN connections.
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap 20 match address 110
crypto map newmap interface outside
isakmp enable outside
isakmp key MAKE-SOME-PASSWORD-HERE address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

This is for client software VPN termination for group called "vpn3000"
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server 10.1.1.2
vpngroup vpn3000 wins-server 10.1.1.2
vpngroup vpn3000 default-domain cisco.com
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password MAKE-SOME-PASSWORD-HERE

Allow SSH in-bound from specific IP address example 66.3.3.3 or anyone
ssh 66.3.3.3 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside