Setting Up PIA VPN In My Overly Complicated Network

After getting my hands on a WiFi Pineapple (a post on this to follow!) and enjoying exploring its features I quickly realised my mobile device is super promiscuous when it comes to joining open access points I'd previously connected to (Premier Inn, McDonalds etc). This got me started on looking into VPN solutions and after …

DHCP Snooping, Dynamic ARP Inspection and IP Source Guard

With a client going for an ISO standard which dictates stringent controls over both the external and the internal network resources I decided to put in some additional controls to ensure confidentiality, integrity and availability of the internal network. As the client uses Cisco hardware on-premises, this consisted of a trio of additional measures …

Stopping the Spread of WannaCry within the LAN

The recent WannaCry outbreak highlighted just how vulnerable machines are within the LAN, even behind the perimeter firewall. The attack took advantage of a vulnerability in SMBv1 but also in the way we traditionally look at network security whereby the things on the outside are untrusted, but everything inside is trusted. This attitude allowed the …

Controlling Logons to Cisco Devices with Active Directory

Something I see quite often is local passwords being used to authenticate network administrators onto switches and routers. While this is fine for smaller organisations with a small IT team and few network devices, it can quickly become a headache when trying to update the password across all devices or add a new user. There are …

802.1x MAC Authentication Bypass (MAB) to an NPS Server

Continuing to build on earlier posts where we set up 802.1x to authenticate users and place them in predefined VLANs, then extended this to dynamically assign the VLAN, this post will look at what to do for devices that don't speak 802.1x such as printers etc. While there is a guest VLAN command for dot1x we could use …

Dynamic VLAN Assignment (Cisco and NPS)

In an earlier post we used 802.1x to authenticate users into the network and assign them into a VLAN based on either a successful or unsuccessful authentication as well as a VLAN for clients who did not send an initial EAPOL message. While this can be quite useful, it can also be quite restrictive - what …

Securing Baby Monitors and Webcams

There has been quite a bit in the media lately about consumer grade webcams and Internet of Things (IoT) devices being used as a springboard for DDoS (Distributed Denial of Service) attacks on popular web services. This post is more aimed at the general consumer as opposed to those who deal with IT in their …