That was until my wife went to make a Christmas book for her grandmother. Some of the pictures were missing, and all were blurry. The full sized photos were gone. I ended up having to restore everything from Time Machine, which is good for those kinds of things, so everything turned out ok. But I have always been worried about what would happen if the Mac and the connected drives were stolen. I could use an online backup service…but I don’t like to do that. There had to be a better way.

I found that you could use the unix application rsync to create a little script that would back up every file to a remote rsync server. I did not have one of those, but I did have a USB drive connected to my home wireless router, so I figured I could set is up to copy the files to that. No go. rsync does not work very well connecting to a samba server on the other end. I had to set up a real rsync server.

There was an old PC in the basement that I had set up a copy of Ubuntu linux on last year. Setting up ubuntu is ridiculously easy, especially on a PC that is a few years old. Just go to ubuntu.com, download the latest copy, put it on a USB stick, and boot to it. It sets up everything automatically.

As I researched this, I found out I could very easily set up an rsync server on the linux box and copy over files from the Mac, but it was too easy. It was too easy because rsync is not secure. All the files were sent over my wireless unencrypted. I don’t like doing things unencrypted, not protected by passwords. When security is so easy to add in to a system, it is worth taking a few extra minutes to do things right.

What I discovered was that you could set up rsync to operate over secure shell (ssh), which is encrypted. Furthermore, there is a feature built into ssh that allows trusted computers to login without having to use a username or password by using public/private key encryption. So this is what I set up. There is a simple two line script I put on the Mac that I set to run once a week, and it copies over just the changed files from the Mac to the linux box hidden in the basement. I have moved over to a 802.11n system, so the wireless runs nice and fast, good for transferring all those gymnastics pictures and videos.

So, the process is as follows:

• Give your linux box a static IP address so you can ssh to it. If you are fancy, give it a name on your internal DNS server. I am not that fancy.
• Set up the mac to be able to ssh to the linux box with signatures by generating a keypair, doing a secure copy to the non-root user account on the linux box (call it backupuser or something like that), and putting it in the trusted keys file. See this website on ssh keygen mac to see how it is done.
• Make a directory on the linux box to store the backup files. I store mine on the external USB drive, so I created a directory called  /media/Volume/USBdrive/mac_backup and gave the ownership of the directory to backupuser on the linux box.
• After you do this, you want to make sure that the USB drive mounts when the linux box is rebooted. Mine didn’t, so I had to make an entry in the /etc/fstab file to make sure it mounted on boot.
• Create a rsyncd.conf file in the /home/backupuser directory. This is the tricky part – do not configure the main box’s rsync server or its rsync.conf file. This is going to be a mini-rsync server that is kicked off when the mac does a ssh to the backupuser account on the linux box. Here is what the rsyncd.conf file should look like:

[mac_backup]
path = /media/Volume/mac_backup
read only = false
use chroot = false

#!/bin/bash
rsync -azv --delete --exclude '.DS_Store' --rsh="ssh -l backupuser"\
/Users/ backupuser@192.168.5.5::mac_backup

sudo chmod u+x rsync_backup_script.txt

./rsync_backup_script.txt

crontab -e

i
00 01 * * 2 sh /Users/username/Documents/rsync_backup_script.txt
[escape key] :qw

rsync -azv --rsh="ssh -l backupuser" backupuser@192.168.5.5::mac_backup /Users/

That is the complete exercise. I have gone through the files on the linux box and made sure they are there, so I am happy. The box has no screen or keyboard connected to it, and it looks like a chunky old PC that no one wants. The noisy 1TB mirrored hard drives in the external array are a little noisy, which is another good reason to keep it hidden away.

Of course I still make a USB copy every once in a while and take it to work, but that is the backup to the backup to the backup. Hopefully I will have good copies of my files available for many years to come.

Posted at: Geeknick

Author: Rolf Versluis

Backup Your Mac to Hidden Location with Rsync is a post from: Geeknick

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

While current generation firewalls have had some ability to be application aware, they do not have the inspection capabilities to deal with the large number of applications that exist and typically do not handle port hopping techniques or inspection of encrypted traffic well. Next generation firewalls are designed to deal with these environments and more. Using sophisticated layer 7 inspection capabilities these devices no longer simple perform packet by packet or flow by flow inspection, they are application aware and understand how the application operates and therefore are able to detect actions that are considered abnormal.

Next generation firewalls also give the organization much more granular control over user access based on time of day, application, userID etc allowing the organization to allow, block, or throttle a users’ access. In addition, the user may only be granted access to certain functions within the application. This level of control and inspection gives the organization the control and security needed while allowing the users access to their resources while outside the office. If you are interested in how these solutions can benefit your organization, contact Adcap Network Systems for more information.
www.adcapnet.com

Next Generation Firewalls is a post from: Geeknick

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

I had heard that there are viruses and trojans that are so insidious that they can not be found by scanners. Furthermore, this box could not run an antivirus program or connect to the Internet. Anytime I tried to open a browser, I would get an error message like this: “Windows cannot find ‘C:\Program Files\Internet Explorer\iexplore.exe” This was a serious problem.

After a bit of research, this is the following successful action that I took:

1. Ran an offline virus scanner that booted the machine, found viruses, and removed them.
2. Uninstalled all suspicious looking programs and stopped unneeded programs from starting at boot.
3. Fixed the registry entries that stopped the any browsers from working.
4. Installed free protection applications to prevent future issues.

Offline Virus Scanner

There are a bunch of offline virus scanners available. I found Bitdefender to be the best because it has a good user interface, it lets you find a wireless connection after it starts, and it updates itself to have the latest malware signatures before it runs its scan. In this case it found 6 virus infected files, which I deleted. The steps taken are:

1. Download the bitdefender-rescue-cd.iso file from the Bitdefender website.
2. Download the UNetbootin application from Sourceforge. This is a windows application that will install a bootable .iso file onto a USB flash drive. Just use it in the mode where you point to an .iso file and a USB flash drive and install the application.
3. Boot the infected PC to the USB flash drive. It probably won’t boot to the flash drive without fiddling around with the boot order. To do this you have to get to the BIOS setup screen and tell it to boot USB flash first. Every computer is different – I usually get to the BIOS or boot selection screen by pressing the power on button, then quickly cycling between hitting the ESC, F2, and F7 keys. That usually works.
4. The UNetbootin loader will start – choose the Bitdefender Rescue CD in English choice. After the Rescue CD boots, you will see a nice screen asking you to accept the legal agreement. BEFORE doing that, give the box a network connection. Either plug in an ethernet connection, or give it a wireless network connection; this can be done by clicking on the network icon at the bottom of the screen and making the appropriate choices.
5. The Bitdefender Rescue CD will pull down updates, then scan the entire Windows hard drive looking for infected files. When it is done, you can try to repair the files, but you will probably have to delete them.

At the end of this exercise, you should be able to boot the computer into Windows successfully.

Uninstall Suspicious Looking Programs and Minimize Boot Applications

Select Control Panel then Uninstall a Program. Look through all the programs that are installed, and Uninstall ones that are Browser Helpers, Windows Games, or have no Publisher listed. Use your best judgement, and when in doubt leave something installed. You will probably have to reboot the computer at the end of this process.

Minimize the programs that start at bootup using MSCONFIG. Run this application by clicking on Start (or the Windows Circle icon), and type msconfig at the prompt. After the application is running, click on the Startup tab at the top, and look at the many applications that start on boot. These are what cause that Windows machine to boot up slowly. Uncheck any that you do not want starting when you boot up your computer; if there are any that are necessary you can always recheck them later. After this step, reboot the computer again.

Fix Registry Entries that Stop You from Using your Browsers

I will admit, this one took a while to figure out. All the applications were running, I could run Windows Updates, and I was able to install Chrome, Safari, Firefox, and Opera browsers. None of them worked. I was just about to re-image the entire machine when I found the answer, and it was simple.

This website tells how to edit the registry to remove the entries that were causing the browsers to not start with the “Windows cannot find ‘C:\Program Files\Internet Explorer\iexplore.exe” error. Basically, there are registry entries that hijack the command to start the browser applications at [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

The way you fix this is to edit the registry:

1. Run regedit by clicking on Start (or the Windows Circle icon), and type regedit at the prompt.
2. Export the registry to location where you can find it if you need it.
3. Navigate to [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
4. Delete any entry that has a browser name, including iexplore.exe, mozilla.exe, opera.exe, safari.exe, and chrome.exe.
5. Exit the regedit application.

At this point your Windows machine should be working well. Now you can make sure this does not happen again by unplugging the power cord and hiding it – just kidding!

Install Free Basic Virus and Malware Prevention Applications

I personally don’t like McAfee or Symantec, because I think they are expensive and slow the computer down. If you have like them and have a current license, then use them. Many computers I have looked at have expired subscriptions. If you are running an antivirus scanner with an expired subscription, it is better to uninstall it and install something else the is free and will stay up to date. These two programs are free and work well:

1. Download and install Clamwin for Windows. This is a free and effective antivirus scanner that can be used to scan files that are downloaded.
2. Download and Install Spybot S&D. Update and run it, and choose that options that will immunize the browsers. You can run this program every few months to keep it up to date.

That’s it. The complete process should take you just a few hours, depending on how long it takes you to download and install the applications. The most important step in this process is to run the offline virus and malware scan. If you run a scan while Windows is running, you have a good chance of not finding the problem because many trojans have the ability to hide themselves from malware scanners.

Author: Rolf Versluis

Posted at Geeknick.com

Fixing a Virus Hobbled PC Quickly with Free Tools is a post from: Geeknick

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

So what does this mean from a network perspective?

Too often people look at network security as simply the attempt to keep unwanted people out of systems in which they have no business being, this is done in both physical and logical methods.  Obviously this definition is a huge part, and the part that gets people on TV the most, but it is not the most common security issue.  It moves well beyond that.

The most common security issues have nothing to do with the common definition of IT security at all, it usually has to do with availability of the systems.  Security is useless if the system is unavailable (although some would argue a system that is offline is the most secure).  So now security has to do with network resiliency as much as it does typical network security.

The cost of security has therefore increase, now I worry about not only the firewall and the IPS and other security devices, I am looking at the ability to withstand various attacks such as DDOS, cyber terrorist as well as true terrorist (blowing up buildings), acts of God (tree falls on building, lightning etc) and other things that take down my users and customers ability to reach my services.

So how resiliant is enough.  The good news about resiliency, is that unlike traditional network security, it is almost always invisible to the end user and customer.  They just know their systems are working.

There have been many additions to the resiliancy world recently, the most well known is VMWare.  Now i don’t worry so much about physical machines going down due to hardware issues, my virtual machines can move all by themselves to other working hardware.

This can even work across datacenters, the problem when a machine moves locations is usually they are different layer 3 domains.  So the ip address that is on the virtual machine, no longer is of any use because its default gateway is somewhere else.  this adds workload and removes the automation should a datacenter go down for some reason. There are various L2VPN options which allow for this.

It all comes down to $$.  A network can be provided that is so resilient that should a minor issue or major catastrophe occur that workflow can continue, if not in the same location, seamlessly from another. This takes not only an infrastructure expense, but also possibly monthly recurring expenses and salary expenses.  redundant infrastructures take people to maintain and to ensure they are tested.  Nothing is worse than spending tons on a resilient infrastructure that was test 5 years ago, and today is the day something goes wrong and things don’t fail over as intended.

This makes me want to change the definition of IT security to be a bit stronger:  ”The availability of accurate data from the correct systems, when it is wanted and in the expected form.”  I believe this definition covers what IT security has become, breach security, infrastructure security and resiliency.

Where Does Security Start and Stop is a post from: Geeknick

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

If a username and password can be guessed or discovered, malicious hackers from anywhere in the world can use the information to authenticate with remote access systems. Although there are better solutions available, many organizations continue to use standard single-factor authentication due to their belief that more secure solutions are either too complex or costly.

There are three levels of authentication security available:

• Something you know – for example a username and password.
• Something you know and have – username, password, and a device.
• Something you know, have, and are – username, password, device, and physical feature like retina or fingerprint pattern.

There are usually two factors that drive data security adoption within organizations. The first is mandatory requirements of a group that the organization belongs to, and the second is the desire to prevent the loss of customers by keeping their data secure.

Mandatory security requirements are imposed by organizations like the Payment Card Industry (PCI), Health Insurance Portability and Accountability Act (HIPAA). For law enforcement, users that want access to the FBI Criminal Justice Information System (CJIS) and the National Crime Information Center (NCIC) have to meet strict security requirements.

With mandatory public disclosure of record loss a requirement, organizations are improving their security policies to prevent or limit the access of users to sensitive information. Instead of using common administrator level usernames and passwords, users are being required to login to sensitive devices and databases with their own usernames, and they are assigned privilege levels that match their information access requirements. These actions should improve the ability of organizations to safeguard their sensitive information and prevent loss due to malicious hacking, as long as the passwords are kept secure.

The advent of smartphones like the iPhone and Android have made the use of two-factor authentication much more straightforward. With the use of a reliable clustered application server that manages authentication and its connectivity to various end-user applications and directory servers, two-factor authentication can be implemented in a reliable and easy-to-use method. The two-factor authentication server is placed inline between the remote access device, for example a firewall, and the directory server. The end-user has a client device that is synchronized with the server, and is given a one-time password that can be used for authentication.

There is significant opportunity for improvement in data security in most organizations. Two-factor authentication is a low cost and effective method that can be used as part of an overall security policy to keep sensitive information secure.

This is a picture of how a two-factor authentication system works.

Author: Rolf Versluis

Use a One Time Password App on the Android to Prevent Data Security Loss is a post from: Geeknick

Related posts:

1. How good is your remote access security? Every day there are new reports of confidential information being...

Related posts brought to you by Yet Another Related Posts Plugin.

At the same time, an increasingly mobile workforce is demanding easier access to vital company data to do their job in the most efficient means possible. As a result most companies now have remote access strategies that allow their employees access to company data anywhere and at anytime. The limiting factor is that most organizations rely simply on username/password for network security control and many organizations do not have tight policies around password management.

Traditional static passwords are not enough to ensure access security, opening confidential data and resources to unauthorized users. A sharp increase in keylogger viruses, phishing attacks, and other online threats attributed to static password usage has made user authentication a key security concern.

So what is the solution to this problem that can allow a business to offer its employees anywhere, anytime access to critical business data but at the same time protect themselves from information theft? The answer lies in two factor authentication using one time passwords. Go to the URL below for more information about how Vasco’s DIGIPASS solution can easily and cost effectively provide you with additional piece of mind about your organization’s VPN security.

Find out more about VASCO DIGIPASS at this information page.

How good is your remote access security? is a post from: Geeknick

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

The ability to project mobile workers has become an increasing challenge, while you may have ways to ensure their virus definitions are up to date, there is always a question of malware, and how do you control what sites your people go to on their company owned assets when they are outside of your network.

Cisco seems to have three answers to this question.

1.     Ironport Web Security Appliance, with always on Anyconnect.

Let me explain how this one works.  You are a remote worker, you boot up your laptop, or log in, your computer automatically establishes an Anyconnect session to your company.  At which point all of your traffic flows through. The company ASA and then into the Web Security Appliance.  The security appliance scans and reviews the content like it does when you are sitting in the office, and forwards the content back to the ASA for internet access.

If you can’t connect with the Anyconnect client, you can’t surf the internet or really go anywhere on the internet.  This works well for companies that have enough of an internet pipeline to have this “double traversal.”

2.     The second option is a bit different.  This is the use of ScanSafe for all of your workers.

Your workers log into their computer and all of their web queries are first run through the scan safe client, which subsequently forwards this to the scan safe proxies.  The cloud based proxies do the “heavy lifting” and scan the websites in sections, allowing you to surf websites based on their content, and in some cases allowing you to see some of the website, while blocking other portions because the website is parsed a section at a time.  This client is now part of the Anyconnect client (3.0) and therefore something many of your users can easily be upgraded to.

3.     The final option is the hybrid approach.

In the hybrid approach, you would have a WSA on site to scan users when they are in the office and protect you there.  When the users are remote, Scansafe is automatically used.  This is done through the use of an internal beacon.  Basically, if a user’s Scansafe client can reach a specifically setup server, internal to your network, and log in automatically with the correct credentials, Scansafe is turned off and the in house solution used.

This will soon be augmented with the ASA being able to do the Scansafe connections for the end clients when they are inside the network.

The drawback is that you have two areas of control and management, the WSA and Scansafe.

There are pro’s and cons to each.  The WSA is better for malware scanning and mitigation, it is able to look at all of the packets, not just the packets determined to be web, usually ports 80 and 443.  The WSA can see and do it all from that perspective, which is very powerful.

This comes down to company size and budget.  The second solution, where Scansafe is the primary and the ASA can (in the near future) do the Scansafe negotiations for you is easily scalable.  The reporting and management is centralized and easily controlled.  The fact that you can’t control malware as tightly is a drawback, but sometimes budget dictates security.

The best of all worlds in my opinion is the following..

Use Scansafe as your web usage controls, use WSA for malware and you can use your Anyconnect client to send telemetry data to the WSA for malware detection on the clients gives you reporting at least on the remote machines.  This allows fast, split tunnel internet access and some relatively good security controls.

Obviously if security is your number 1 concern, buy more bandwidth and use option 1, and have everything controlled and managed by the WSA.

ScanSafe vs WSA, work together, work separately, do I need both? is a post from: Geeknick

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

There are good and bad things about this change:

The good:

1. Great for use when you have DMZs, you can now effectively separate zones in a much more comprehensible manner.
2. Security can be more stringent and filtering even more granular
3. Good Troubleshooting ability

The Bad

1. Much harder to setup.
2. Can be harder to test if the firewall is the problem.
3. If not setup properly can be very hard to figure out what is going on.

With fast elimination being the crux of my issues with zone based firewalling, it can be said that you can see a lot more a lot more easily with the zone based firewalling.  But sometimes we just want to turn off the firewall just to eliminate it from the pool of possible issues.

So what is proper setup of the firewall?

The setup is done using class maps and policy maps, similar to quality of service.  The best solution to being able to follow the firewall is proper naming of the class maps and policy maps.

I recommend setting up the names ending with “ZONE_TO_ZONE”  So if you are setting up a class map to be used in a policy map that is going to be bound to traffic going from outside to inside, call the class map and policy map anything that makes sense, but end with “OUTSIDE_TO_INSIDE.”  This makes it very easy to know what the class map is doing further down.

I have discussed in previous articles, specifically on the ASA setting up, access-lists and object groups with names like HTTPS_SERVERS and SSH_SERVERS.  I recommend that here as well.  When creating the class-map doing something like the following.

class-map type inspect match-all HTTPS_SERVERS_OUTSIDE_TO_INSIDE

match protocol https

match access-group name HTTPS_SERVERS_ACL

ip access-list extended HTTPS_SERVERS_ACL

permit ip any host 192.168.5.5

A couple of things to notice, one is the “match-all” in the class-map.  This way the call must match the protocol https AND the servers in the access-list.

Another thing to note is the use of real ip addressing in the access-list.  YES, this is the real IP, on a system that is doing NAT.  NAT is done first, then run through the firewalling, so use the real, not mapped IP address for the server.

This gives a similar feel to the object-groups of ASAs.  Just add a new host to the access-list and a NAT and off you go.  I know the routers have object-groups, but I don’t like their implementation.  If I do a show access-list I expect to see all of the hosts.  In the ASA, that happens, in the router, I just get to see the object group, forcing me to do a second lookup to see the members.  Life is too short.

I would continue with this for each major server type, SSH, HTTP, HTTPS, TERMINAL, whatever your environment has.

For the more unique servers I would do nested policies.  So let’s say I have a server that needs protocols https, telnet, tftp and tcp 5901.  I don’t have any other servers like it and I don’t expect to.  I would make two class-maps.

The first is a match any to match the protocols, in this case a match-any clause is used as the calls could be coming in on ANY of the protocols.

class-map type inspect match-any TEST_PROTO_MYSERVER_OUTSIDE_TO_INSIDE

match protocol https

match protocol telnet

match protocol tftp

match access-group name TCP_5901

ip access-list extended TCP_5901

permit tcp any any eq 5901

Next you setup a match-all class-map to combine the class you created before with the server you will be allowing the traffic to.

class-map type inspect match-all TEST_MYSERVER_OUTSIDE_TO_INSIDE

match class-map TEST_PROTO_MYSERVER_OUTSIDE_TO_INSIDE

match access-group name MYSERVER_ACL

ip access-list extended MYSERVER_ACL

permit ip any host 192.168.5.6

The rest of the configuration, zones and zone pairings, those are all the same, this hopefully provides a structure through which to managed and review your firewall settings in a faster way.

IOS Zone Based Firewalling is a post from: Geeknick

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

MAC address filtering can be easily bypassed by simply finding a machine that is working and steeling its MAC and put it on your computer.  In all major operating systems this is a very easy task.  Unplug that machine and plug into the network.  Copiers are prime examples as are other appliances, because their mac address is usually stamped right on the casing.  Many times their menus aren’t locked down, meaning you can taking their ip addresses too.  Many times these are also in a network that has unfettered access to the rest of the system, because no one things about securing devices like copiers and printers, or their networks.

A company that has portable devices has also found this to be difficult, as the devices are being plugged in from place to place and you don’t know where its mac address might show up.  There are methods of using centralized databases to maintain MAC addresses of such devices, but again, that layer of administration has proven to be too much for many people, and have just given up.

Many people use MAC addresses to protect against “ARP Spoofing” a method of hacking that utilizes MAC address manipulation to actually trick the ARP table in computers into believing that your computer is actually the default gateway, therefore allowing the hacker to pass the traffic and capture all the data.  This is a “Man in the Middle” attack.

DHCP starvation attacks are also mitigated by hard coding MAC addresses to ports.  This is an attack where one computer requests all of the DHCP addresses from a server using multiple false MAC addresses.  After the DHCP addresses are exhausted, the hacker then sets up a rogue DHCP server which sets itself as the default gateway, again another for of the “Man in the middle” attack.

So how do you cope with a method of security that is easily hacked, but still maintain the spirit of the method?  Source Guard and DHCP Snooping is the answer.

One of the great thing with Cisco Switches is their built in security.  Most people do not utilize many of them, only a few.  DHCP Snooping and Source Guard (ARP inspection) work together to minimize your risk, while allowing for an environment where you have portable computers.

The basic idea is that the switches keep a database of IP address to MAC address mappings by utilizing DHCP snooping.  When a user plugs in, their computer requests a DHCP address.  That request is monitored by the switch as is the response.  This is what populates the database.  Another bonus of this is DHCP servers are only allowed on “trusted” ports.

The next step is the ARP inspection.  This system reviews the DHCP snooping table, married with the port number and if someone tries to come in on that port that did not originally get a DHCP address, the access is denied and logged.  This can be overridden for items with static IPs, but DHCP reservations are a more scalable way to ensure proper setup.

The configuration is relatively simple.

In the global configuration:

ip dhcp snooping !turns on DHCP snooping

ip dhcp snooping vlan 1-1005 !sets the VLANs that will use DHCP Snooping

no ip dhcp snooping information option  !Turns off option 82 for DHCP snooping

ip arp inspection vlan 1-1005 !sets the VLANS that will use ARP inspection

On the access layer interfaces:

ip dhcp snooping limit rate 100 !(sets DHCP request rate to 100 per second)

ip arp inspection limit rate 100 !(sets ARP request to 100 per second)

ip verify source !(turns on ARP inspection)

On uplink Ports:

ip dhcp snooping trust !trusts the DHCP server from upstream

ip arp inspection trust !trusts the ARP information from upstream

Of course this is a first layer of defense that is relatively easily deployed.  You should plan on the deployment in small batches.  NAC would be the next step to ensure that who is plugged into the port is authenticated as well.

Author: Alex Jerrold

Posted at www.geeknick.com

Addressing MAC Security is a post from: Geeknick

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

An easy way to network enable video surveillance. is a post from: Geeknick

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.