Sometimes you need to decommission services and move them to new servers, and sometimes this means the IP address changes. That is no big deal as long as the accessing clients use DNS, or as long as the address the clients connect to can be changed through some central mechanism. DNS and LDAP are two such services, and they often come as part of Microsoft Active Directory Domain Controllers. Some customers take the IP address of a DC and hard-code it into other IT systems or configuration files.
By default, credentials such as RADIUS or TACACS authentication keys are stored separately from the switch configuration and are not shown when the saved or running configuration is displayed, or when it is copied using TFTP or SSH. You can change this behaviour with the include-credentials command. This is clearly a security issue, because the credentials are then displayed in clear text. You can check the current status with show include-credentials.
HP Switch(config)# show include-credentials
 Stored in Configuration : Yes
 Enabled in Active Configuration : Yes
 Include ClearPass Keys : No

If you want to encrypt these credentials, use the encrypt-credentials command.
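An added example, not code from the original post: a small audit script for configuration exports taken from a switch that has include-credentials enabled. It flags RADIUS/TACACS shared secrets that were written out in clear text and produces a redacted copy. The configuration lines in SAMPLE_CONFIG are constructed for this example, and the exact wording of an encrypted key line on a real switch (shown here as "encrypted-key") is an assumption.

```python
# Added example (not from the original post): audit a saved ProVision/ArubaOS-Switch
# configuration export for RADIUS/TACACS shared secrets written out in clear text,
# which happens when "include-credentials" is enabled but "encrypt-credentials" is not.
# SAMPLE_CONFIG is constructed for this example; the form of an encrypted key line
# on a real switch ("encrypted-key") is an assumption.
import re
from typing import List, Tuple

SAMPLE_CONFIG = """\
hostname "HP-Switch"
include-credentials
radius-server host 10.1.1.10 key "SuperSecret123"
radius-server host 10.1.1.11 encrypted-key "a1b2c3d4e5f6"
tacacs-server host 10.1.1.20 key "TacacsPlainKey"
"""

# A bare "key" keyword followed by a quoted string. The negative lookbehind skips
# "encrypted-key" lines; \b makes sure we match the keyword itself.
PLAINTEXT_KEY = re.compile(r'(?<!encrypted-)\bkey\s+"([^"]*)"')


def include_credentials_enabled(config: str) -> bool:
    """True if the export contains the include-credentials setting."""
    return any(line.strip() == "include-credentials" for line in config.splitlines())


def find_plaintext_secrets(config: str) -> List[Tuple[int, str, str]]:
    """Return (line number, server type, line) for each clear-text shared secret."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), start=1):
        if PLAINTEXT_KEY.search(line):
            server_type = line.split()[0]  # e.g. radius-server / tacacs-server
            findings.append((lineno, server_type, line.strip()))
    return findings


def redact(config: str) -> str:
    """Return a copy that is safe to attach to a ticket or store in a repository."""
    return PLAINTEXT_KEY.sub('key "<redacted>"', config)


if __name__ == "__main__":
    if include_credentials_enabled(SAMPLE_CONFIG):
        print("include-credentials is on: check the export for clear-text keys")
    for lineno, kind, line in find_plaintext_secrets(SAMPLE_CONFIG):
        print(f"line {lineno}: {kind} clear-text key: {line}")
    print(redact(SAMPLE_CONFIG))
```

Run it over the output of a real show running-config export before the file leaves the switch's management network; anything the script flags should be moved to encrypted form with encrypt-credentials, or include-credentials should be switched off again.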
Many of you might know Pi-hole and use it for blocking ads. I also used it for a long time in my home network, running it on a Raspberry Pi. A customer of mine then drew my attention to dnsforge.de.
What is dnsforge.de?
dnsforge.de is a censorship-free, secure and redundant DNS resolver without logging, but with an ad blocker.
The servers are hosted in Germany. dnsforge.de also offers clean.dnsforge.de, which adds parental-control blocklists and enforces Safe Search for search engines and YouTube.
Usually I tend to use the iPhone Wi-Fi hotspot feature. But lately I had to switch to USB tethering, because I had to work a whole workday over the hotspot. USB tethering saves battery, and the connection was more reliable for me. Please note that you need to install iTunes to use USB tethering on Windows, because the necessary Ethernet driver ships only with iTunes. Without this driver, Windows won't recognize the iPhone as an Ethernet adapter.
Yesterday I passed the first exam of the year, in this case the WatchGuard Network Security Essentials exam. The exam covers basic networking and firewalling skills, as well as the knowledge needed to configure, manage, and monitor a WatchGuard Firebox. If you are familiar with networking and firewalls in general, this exam is a "low hanging fruit". I had to take it because of partner requirements.
WatchGuard offers a pretty good study guide for this exam, which you can get for free.
A customer is running their PCs behind their VoIP phones. Nothing unusual: most VoIP phones I know have an embedded Ethernet switch, so you only need one cable to connect both the PC and the VoIP phone to the network.
As part of a network security project, my colleague and I implemented IEEE 802.1X port-based network access control in one of our customers' networks. The setup consists of multiple Alcatel-Lucent Enterprise OmniSwitches (6450-P10 and 6860/E) and Aruba ClearPass.
Usually, bypassing a firewall is not the best idea. But sometimes you have to. One case where you may need to bypass a firewall is asymmetric routing.
What is asymmetric routing? Imagine a scenario with two routers on the same network. One router offers access to the internet, the other router provides access to other sites through site-to-site VPN tunnels.
[Image: Patrick Terlisten/ vcloudnine.de/ Creative Commons CC0]
Host 1 uses R1 as default gateway.
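An added example, not code from the original post, to show why the topology above is a problem for a firewall on R1 that tracks connection state: Host 1 sends its packets for the remote site to R1 (its default gateway), R1 forwards them to R2 on the same LAN, R2 puts them into the tunnel, but the replies come back out of the tunnel at R2 and go straight to Host 1. R1 therefore only ever sees one direction of each connection. The addresses, the remote subnet 10.20.0.0/24 and the packet sequences are constructed for this example, and the connection tracker is a toy model, not any vendor's implementation.

```python
# Added example (not from the original post): a toy model of why a stateful
# firewall on R1 breaks connections when the return path is asymmetric.
# Topology from the post: Host 1 and both routers share one LAN, Host 1 uses R1
# as default gateway, R2 terminates the site-to-site VPN. Addresses, the remote
# subnet 10.20.0.0/24 and the packet sequences are constructed for this example.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # "SYN", "SYN-ACK", "ACK" or "PSH-ACK"


class StatefulFirewall:
    """Minimal TCP connection tracker: only packets that fit the expected
    handshake state of a known flow are accepted."""

    def __init__(self):
        self.flows = {}  # flow key -> handshake state

    @staticmethod
    def _key(pkt):
        # Same key for both directions of the connection.
        return tuple(sorted((pkt.src, pkt.dst)))

    def inspect(self, pkt):
        key = self._key(pkt)
        state = self.flows.get(key)
        if pkt.flags == "SYN" and state is None:
            self.flows[key] = "SYN_SENT"
            return "ACCEPT"
        if pkt.flags == "SYN-ACK" and state == "SYN_SENT":
            self.flows[key] = "SYN_RECV"
            return "ACCEPT"
        if pkt.flags in ("ACK", "PSH-ACK") and state in ("SYN_RECV", "ESTABLISHED"):
            self.flows[key] = "ESTABLISHED"
            return "ACCEPT"
        # No tracked flow in a matching state: out-of-state packet, dropped.
        return "DROP"


HOST1 = "192.168.1.10"   # uses R1 as default gateway
REMOTE = "10.20.0.5"     # server at the VPN-connected site behind R2
REMOTE_SITE = ipaddress.ip_network("10.20.0.0/24")

# What R1 sees when every packet of the connection traverses it (symmetric).
SYMMETRIC = [Packet(HOST1, REMOTE, "SYN"), Packet(REMOTE, HOST1, "SYN-ACK"),
             Packet(HOST1, REMOTE, "ACK"), Packet(HOST1, REMOTE, "PSH-ACK")]

# What R1 sees in the post's topology: Host 1 -> R1 -> R2 -> tunnel on the way
# out, tunnel -> R2 -> Host 1 on the way back, so R1 never sees the SYN-ACK.
ASYMMETRIC = [Packet(HOST1, REMOTE, "SYN"), Packet(HOST1, REMOTE, "ACK"),
              Packet(HOST1, REMOTE, "PSH-ACK")]


def run(packets, bypass_stateful_for=None):
    """Return the firewall verdict for each packet. If bypass_stateful_for is a
    network, traffic to or from it skips connection tracking (the 'bypass')."""
    fw = StatefulFirewall()
    verdicts = []
    for p in packets:
        if bypass_stateful_for is not None and (
            ipaddress.ip_address(p.src) in bypass_stateful_for
            or ipaddress.ip_address(p.dst) in bypass_stateful_for
        ):
            verdicts.append("ACCEPT (stateless bypass)")
        else:
            verdicts.append(fw.inspect(p))
    return verdicts


if __name__ == "__main__":
    print("symmetric :", run(SYMMETRIC))
    print("asymmetric:", run(ASYMMETRIC))
    print("bypassed  :", run(ASYMMETRIC, REMOTE_SITE))
```

The bypass is exactly the trade-off the post alludes to: traffic to the remote site is no longer inspected by R1 at all, so the exemption should be as narrow as the affected subnets and, ideally, the asymmetry itself should be removed instead (for example by letting Host 1 reach the remote site via R2 directly).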
The last two days I have supported a customer during the implementation of 802.1X. His network consisted of HPE/Aruba ProVision and some HPE Comware switches. Two RADIUS servers with the appropriate policies were already in place. The configuration and testing with the ProVision-based switches was pretty simple. The Comware-based switches, in this case OfficeConnect 1920, gave me more of a headache.
The customer already had MAC authentication running, so all I had to do was enable 802.
Open network ports in offices, waiting rooms and entrance halls make me curious. Sometimes I want to plug in a network cable, just to see if I get an IP address. I know many companies that do not care about network access control. Anybody can plug any device into the network. When talking with customers about network access control, or port security, I often hear complaints about complexity: it is too complex to implement, too hard to administer.
The HPE OfficeConnect 1920 switch series is designed for SMBs. The switch is perfect for small environments that require features like VLANs, routing or 802.1X. It is smart-managed, so it has "only" a web interface and a limited CLI.
I have two switches in my lab: a 1910-8G and its successor, a 1920-24G. Although the device supports IPv6, it does not support SLAAC (Stateless Address Autoconfiguration) by default: the switch does not send router advertisements (RA).
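An added example, not code from the original post: when checking whether a router or switch actually supports SLAAC, it is not enough to see any Router Advertisement, the RA must carry a Prefix Information option with the A (autonomous) flag set. The parser below decodes an ICMPv6 RA payload and answers that question. The RA bytes are constructed in the example itself with build_ra(); the ICMPv6 checksum is left at zero and not verified, which is an assumption made to keep the example self-contained.

```python
# Added example (not from the original post): decode an ICMPv6 Router
# Advertisement (RFC 4861) and decide whether a host could use SLAAC with it.
# build_ra() constructs test data; the checksum is left at 0 and not verified.
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type
OPT_PREFIX_INFO = 3      # ND option type (32 bytes, length field 4)


def build_ra(prefix="2001:db8:1::", prefix_len=64, autonomous=True, router_lifetime=1800):
    """Construct an RA payload (constructed test data, checksum 0)."""
    flags = 0x00  # M=0, O=0: pure SLAAC, no DHCPv6
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, router_lifetime, 0, 0)
    pflags = 0x80 | (0x40 if autonomous else 0)   # L (on-link) and optional A flag
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, prefix_len, pflags, 2592000, 604800, 0)
    opt += ipaddress.IPv6Address(prefix).packed
    return hdr + opt


def parse_ra(payload: bytes) -> dict:
    """Parse the RA header and its Prefix Information options."""
    if len(payload) < 16:
        raise ValueError("too short for a Router Advertisement")
    typ, _code, _csum, _hop, flags, lifetime, _reach, _retrans = struct.unpack(
        "!BBHBBHII", payload[:16])
    if typ != ND_ROUTER_ADVERT:
        raise ValueError(f"not a Router Advertisement (ICMPv6 type {typ})")
    ra = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime, "prefixes": []}
    off = 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:
            raise ValueError("option with zero length")  # RFC 4861: must be discarded
        end = off + olen * 8
        if end > len(payload):
            raise ValueError("truncated option")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, preferred, _res = struct.unpack("!BBIII", payload[off + 2:off + 16])
            prefix = ipaddress.IPv6Address(payload[off + 16:off + 32])
            ra["prefixes"].append({"prefix": f"{prefix}/{plen}",
                                   "on_link": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40),
                                   "valid": valid, "preferred": preferred})
        off = end   # unknown options are skipped by their length
    return ra


def slaac_possible(ra: dict) -> bool:
    """SLAAC needs a /64 prefix advertised with the A flag set."""
    return any(p["autonomous"] and p["prefix"].endswith("/64") for p in ra["prefixes"])


if __name__ == "__main__":
    for auto in (True, False):
        ra = parse_ra(build_ra(autonomous=auto))
        print(ra["prefixes"][0]["prefix"], "A flag:", auto, "SLAAC:", slaac_possible(ra))
```

To check a real device, capture the RA with tcpdump or Wireshark (ICMPv6 type 134), take the ICMPv6 payload bytes and feed them to parse_ra(). A switch that, like the 1920 in its default state, never sends an RA will of course give you nothing to capture, which is the symptom described above.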