Some notes on Voice-over-IP

Somebody just asked me about VoIP options. Here’s what I know about vendors:

  • Packet8 is now 8×8, and they still stink. Lots of options, but complex and clunky, and my clients didn’t like the hardware at all.
  • RingCentral is quite good. The phones are fancy, and the handsets have a nice feel. Setup was easy, and the web app gives lots of options but not too many.
  • Internet service providers such as Time Warner Cable often have options that are not terrible, but are also not terribly full-featured.
  • Many SOHO businesses (1-3 people) can get away with a single, free Google Voice number, pointing it to ring on multiple landlines and mobile phones. Every user needs to have access, so it’s best to use a Google ID to which several people can have the password. (Really only those people who need access to the voicemails.)

Here’s what I know about the network infrastructure your office needs for something like RingCentral:

  • You need a nice, fast Internet connection.
  • You might need to pay your ISP for a “static IP” address to improve traffic.
  • You need a separate dedicated Ethernet port in your wall for each phone.
  • If that is totally out of the question, for whatever reason, each phone has two Ethernet ports. You run a cable from the wall to the phone, and one from the phone to the computer.

My problem with that last scenario is that it creates bottlenecks in your network. I spec CAT6 and gigabit (1000 Mbps) Ethernet switches for all businesses to get the best performance from their LAN and their file server, but those phones only have 100 Mbps ports, decreasing throughput 90%. Yuck. Any businesses running network-based user accounts will experience a serious degradation in productivity.

Configure one Airport Base Station to extend another

Airport Utility

Apple has really made setting up a wifi network easy. Airport Utility now requires only a few clicks, and correctly guesses what you want to do with each device.

When they start adding devices, or reconfiguring existing ones, many people are reluctant to wipe the routers and start from scratch, but that’s totally the thing to do. It saves a ton of time and guesswork.

Here’s how you do it:

  1. Reset both devices to defaults
    • hold the reset button down with a pen until the light blinks faster
  2. Unplug your internet modem from power, count to 5, and plug back in.
  3. Set up the Airport A connected to the internet.
    • Use the same settings, including wifi network name.
  4. Make sure you can now surf the web.
  5. Plug in Airport B, in the same room as the first one.
  6. Configure B, letting Airport Utility guess correctly that you want B to extend A.
  7. Once both are green, unplug B, and plug it in where you need it.
  8. Make sure it goes green, and you can surf in the G’s office.

DNS, DoS, and recent cyber attacks

How concerned should I be in light of the recent cyber attacks? Is my cable modem an “open resolver”? Can it be hijacked?

The short answer: I have configured most of my clients’ routers to distribute addresses for DNS servers provided by the OpenDNS project. Read on to learn how that protects you.

I had never considered the possibility of a hacked cable box, I suppose mostly because I’ve never heard a geek mention it. I just did a googling of “hack cable modem,” resulting only in discussions of how one might rejigger one’s own modem to elevate the connection speed or get free Internet, both of which appear to be quite prosecutable offenses.

I’m no hacker, but I have a decent handle on small-network security, and I have difficulty imagining the purposes to which a miscreant might put a cable modem. It can’t send data by itself, and your own local network is protected by the router that sits behind the modem.

So, on to the recent cyber attacks against Spamhaus.

As this article explains, the attack is actually performed on vulnerable DNS servers, such as those run by less vigilant Internet service providers around the world.

What’s a DNS server?

DNS is not hard to understand — it can be thought of as the phonebook of the Internet. When you ask your web browser to go to http://www.i-wish-elliot-spitzer-hadnt-been-such-a-schmuck.com…well, let’s use http://www.google.com as a shorter example…your browser first asks your computer what DNS servers it should use to look up the address.

In my house, my computer sends my browser to the OpenDNS Project’s servers 208.67.222.222 or 208.67.220.220. (We always have a second server as a backup in case the first one isn’t available.)

Then my browser asks the OpenDNS server where to find http://www.google.com. It receives a numerical reply, the IP address of Google’s Web server. Then the browser goes to that IP address and asks for whatever web-page information the server cares to give it.

How does this help hackers?

The recent malfeasance is what’s called a Denial of Service (DoS) attack. Here is one example:

Imagine someone hijacks one of these vulnerable DNS servers, so that when you ask for Google.com, you actually get directed to some other Web server. Now imagine everyone using that ISP’s servers having every single one of their browser requests directed to the same Web server. The unsuspecting server would get barraged by requests, and would have to start turning some of them away — denial of service.

Service breaks down, customers get angry, service loses money, attack successful.
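As an added illustration (not part of the original post) of the lookup described under “What’s a DNS server?” and of the redirection scenario just above: the query a browser’s stub resolver sends for www.google.com, a parser for the reply, and a defender’s check that compares the local resolver’s answer with one from a reference resolver such as OpenDNS. The two replies are constructed for the example and their addresses are placeholders, not real data.

```python
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """A-record query with the RD flag set, as a browser's stub resolver sends it."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + b"\x00\x01\x00\x01"  # QTYPE=A, QCLASS=IN

def _read_name(data: bytes, off: int):
    """Read a domain name at `off`, following 0xC0xx compression pointers."""
    labels, jumped, end = [], False, off
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:              # pointer into an earlier name
            end = off + 2 if not jumped else end
            off, jumped = struct.unpack(">H", data[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_a_records(resp: bytes) -> dict:
    """Return transaction id, RCODE and {name: [IPv4, ...]} from a reply."""
    txid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):                        # skip the echoed question
        _, off = _read_name(resp, off)
        off += 4
    answers = {}
    for _ in range(an):
        name, off = _read_name(resp, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:          # A record: 4-byte IPv4 address
            answers.setdefault(name, []).append(".".join(map(str, resp[off:off + 4])))
        off += rdlen
    return {"txid": txid, "rcode": flags & 0xF, "answers": answers}

def same_destination(local: dict, reference: dict, name: str) -> bool:
    """Defender's check: do local and reference (e.g. OpenDNS) answers overlap? Disjoint sets suggest redirection."""
    return bool(set(local["answers"].get(name, [])) & set(reference["answers"].get(name, [])))

# Constructed sample reply for www.google.com (addresses are placeholders, not real data)
REFERENCE_REPLY = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + b"\x03www\x06google\x03com\x00\x00\x01\x00\x01"                   # question
                   + b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([142, 250, 72, 4]))
# The same reply as a hijacked resolver would send it: only the address differs (TEST-NET-3 placeholder)
REDIRECTED_REPLY = REFERENCE_REPLY[:-4] + bytes([203, 0, 113, 9])
```

To use it against a live resolver, send `build_query(...)` over UDP to port 53 of the local resolver and of 208.67.222.222, parse both replies, and call `same_destination`.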

The big ISPs in America protected themselves against these attacks a few years back. But even before that, when the attacks first reared their heads, I looked into the prescribed ways to protect oneself, and immediately started plugging the OpenDNS servers into all my clients’ routers. Crisis averted, at least for us.

Hackers employ several methods to effect a DoS. As I understand it, the goal is not direct monetary gain, but perhaps a hobbling of an adversary, or even an expression of protest. DoS is a typical weapon of the hacker collective Anonymous.

As you can see on the OpenDNS page, using their servers offers other benefits and features, including faster replies to queries and configurable web-content filtering for those with tender sensibilities.

Bonus nerdy information

Google actually started its own public DNS service a little while ago. You can use the servers 8.8.8.8 and 8.8.4.4 in place of the OpenDNS servers.

They have put up a page explaining DNS security in more depth.

I hope you find this information in any way helpful or reassuring.

Creating a small, secure network in your home or office

Note: The recommendations, opinions, and prescriptions are just one man’s view on creating a basic secure network. There are infinite ways to do this dependably, and these are the ones I think are easiest and most cost-effective.

I’m setting up my home network. I would like to allow connections with just one computer from outside the firewall, via VPN, and not allow any other incoming browser or FTP or any other sessions. What hardware can accomplish this?

First of all, it’s worth reading this explanation of home networking.

In many ways, any proper router, including an Apple Airport device, provides a firewall when you don’t open ANY holes in its network configuration. When a router or server manufacturer promotes its “firewall” as a feature, they mean that you can configure those holes more specifically.

Definition: Here, I use “holes” as English for “ports,” which on a network are numerical openings in a firewall, through which network traffic is allowed to pass. We might open those ports using a protocol called NAT (network address translation). With NAT, I can say, just for example, “When I am away from home, I want to securely access my home network with a web browser, to see my security cameras.” So I set my router to direct all traffic on port 443 (the secure web browsing port, or HTTPS) to the network address — the IP address — of my security system.

You might, for example, schedule certain ports to be open at certain times of the day, or direct certain traffic to one IP on your network, in case you did indeed want to have a web or FTP server. A firewall might also let you restrict outgoing traffic to specific ports, and will also keep a log — at a detail level you specify — of incoming and outgoing traffic.

In your case, I’m seeing that you want all holes blocked, except for those that would permit the VPN. A VPN allows you to establish a tunnel through the firewall — a tunnel that encrypts all the traffic going through it.

Can I achieve this with a VPN installed on Mac mini?

Yes, combined with a good router.
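One way to express the question’s requirement as a ruleset, assuming the VPN runs on the Mac mini using macOS’s built-in pf packet filter and the router forwards only the VPN’s ports to that machine (an added example, not from the original post; the interface name, the addresses and the IKEv2/IPsec ports are assumptions):

```pf
# Interfaces and addresses (placeholders; adjust to your network)
ext_if = "en0"                 # interface facing the router
vpn_client = "198.51.100.7"    # the single remote machine allowed in (TEST-NET-2 placeholder)
cameras = "192.168.1.50"       # security-system host on the LAN

set skip on lo0

# The kind of "hole" described above (port 443 forwarded to the cameras) would
# look like this; it stays commented out because the question wants every hole
# closed except the VPN.
# rdr pass on $ext_if proto tcp from any to ($ext_if) port 443 -> $cameras port 443

# Every inbound hole closed, and each blocked attempt logged...
block in log all
# ...outbound allowed, with state so the replies get back in...
pass out quick on $ext_if keep state
# ...and the only inbound exception is the VPN, from that one client, on the
# IKEv2/IPsec ports (UDP 500 and 4500; change these for your VPN type).
pass in quick on $ext_if proto udp from $vpn_client to ($ext_if) port { 500, 4500 } keep state
```

Check the file with `pfctl -nf /path/to/pf.conf` before loading it; the log entries from `block in log` are readable with `tcpdump -n -e -ttt -i pflog0`.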

If I do not have a dedicated firewall, what is keeping the bad guys out?

See above. One of the most important strategies in security is not to turn services ON. Older Windows machines, especially before XP Service Pack 2, seemed to me to be wide freakin’ open out of the box, advertising their presence on a network and too easily offering basic file sharing, even without requiring a password. Macs are not that open straight off, but their firewall is not on by default, so whenever you turn on a service — iTunes music sharing, for example — it does not request permission to open a port, which does happen when you have the firewall on. The firewall on the Mac also includes logging.

On a laptop or other mobile device, I usually turn almost all services fully off. But it’s nice to have some services turned on for some desktop computers. It would be a shame, for example, to have music or photo sharing turned off on the machine where those things mainly reside.

So here’s the HEADLINE: To maintain good security, the most absolutely crucial technique is to lock down all services with good passwords, and use as many different passwords as you can safely store and readily access.

“Good,” in this case, means letters (some capitalized), numbers, and a special character or two. Learn where and how to change your passwords, and do so regularly. Don’t write them down. Your Mac stores passwords, certificates, and private notes in a well-encrypted file, the keychain, and that’s the best place for them. There’s also software called 1Password that’s worth a look.

Learn to manage passwords and you’ve learned to manage your security.

I am renovating my house, and I want to wire most of the rooms with Ethernet.

That is a fantastic idea, for several reasons: It increases the resale value of your house just like a good electrical or HVAC system does. It’s also important to realize that, while wireless networking is cool and all, there is nothing as reliable as a cable.

I have more information, and a table to help calculate the costs of setting up your network posted at Google Docs, right here.


Transferring files from PC to Mac

I want to do a quick Word file backup on my wife’s PC. Can I use a DVD? – Thanks, JW

You sure can, JW. I don’t know what DVD burning software you have on the PC, but it should be easy enough.


For what it’s worth, however, several slightly easier, and perhaps cheaper, ways to do this are:

~ Email those files to your Mac.

~ Use a flash drive (also called thumb drive, RAM stick, memory stick), which might be cheaper in the long run if you plan to do a lot of this.

~ Turn on File Sharing on the Mac and just drag the files across your home network. Please call me for any additional explanation on that one, or here’s one quick explanation on the web. Here’s a longer one.

Then, backing those files up to a DVD or external hard drive is, like everything else on the Mac, easier to explain.

Forget FTP

Following up on the question about FTP software: I just listened to net@night, when they interviewed the creators of Drop.io, a nifty new web-based file-sharing service. It’s impressive. Some of the cool benefits & features:


~ free!
~ very simple
~ requires no sign-up, no login, and thus no personal information is collected
~ you can send in files via the web, email, SMS, by phoning in an audio message, or even with a free fax number anyone can use to fax a doc into your box
~ free conference calls ???

Thought y’all who were needing FTP might want to check this out. Graphic designers can of course use this to share proofs … you get the picture.

100MB is free, and you can upgrade to 1GB for a tiny $10 a year.

End User: White Light, White Heat, White Space

Published in San Antonio Current, August 15, 2007

Urban dwellers now take their broadband for granted. Whenever I talk to folks who live near places like Floresville and La Vernia, rural communities not far from SA, I’m reminded to be grateful for my speedy connection. Outside the city limits, one has to go to weird lengths to get a decent signal, including renting a big dish that talks to another big dish far, far away. That ain’t cheap, but it’s actually cheaper and faster than satellite internet.

You may recall a few columns ago, I wrote of my frustration at lacking a Verizon phone signal in much of West Texas. The solution to blanketing America in broadband and phone access may be around the corner. Bear with me: There’s some science coming up, and some strange business happenings, but the results might be spectacular.

In July, Google made public its intent to participate in the Federal Communications Commission’s January 2008 auction of the 700 MHz spectrum, the “white space” where the traditional analog TV channels 2 through 51 currently live. Google, in characteristic egalitarian spirit, asked the FCC that the frequencies be reserved for “open access” by wireless devices, a notion in line with FCC Chairman Kevin Martin’s call for a “truly open broadband network.” And Google tossed out a figure: $4.6 billion (that’s billion with a B). Damn.

Observers speculate that Google is scheming to pit itself against current mobile-phone providers. The term “Google phone” gets batted around a lot, and it’s funny how positive everyone seems to be about the notion of the big G becoming our new mobile master. But who on Earth gets good vibes from Sprint, Verizon, or — sheesh — AT&T?

Notes: Television owners learned a couple years back that those VHF and UHF broadcast channels are going away in 2009, to be replaced by digital TV. Also, the 700 MHz spectrum actually comprises frequencies between 2 MHz and 698 MHz. One can find a complete chart of the radio-frequency (RF) spectrum online — and it’s a yummy chocolate geeksicle, broken down to the third decimal place between the big services, including AM and FM radio, broadcast TV, cellular and cordless phones, and good stuff like “maritime mobile,” “aeronautical radionavigation,” “radio astronomy,” and “earth exploration satellite.” Briefly as I can, however: Each service is assigned exclusive portions of RF, but those portions aren’t continuous. AM, for example, gets 153 to 279 kHz, 520 to 1,610 kHz, and 2.3 to 26.1 MHz. And FM radio actually occupies frequencies between TV channels 6 and 7. (These numbers are specific to the U.S., dontcha know.)

Hours before I started writing this, Sprint released its second-quarter earnings: $19 million, down 90 percent from $291 million the same period last year. Damn. The explanation is that Sprint spent $51 million on their WiMAX initiative.

WiMAX is the intended successor to WiFi, the kind of wireless network that you can set up with a $40 router, getting you a range of 100 or 200 feet, depending on your building’s structure. WiMAX is intended to travel a bit farther, going the “last mile” of network, say from a tower to your home. Similar to DSL, the speed of a WiMAX connection decreases over distance.

Sprint is set to roll out its WiMAX network in 2008. They are partnering with a mobile broadband provider named Clearwire, and with — yup — Google. Clearwire has already received FCC approval for its WiMAX card for laptops, which would provide greater speeds than do mobile broadband cards currently offered by Sprint and its competitors.

Now comes the other possibility for that coveted 700 MHz.

Back in March, a coalition of tech companies, including Microsoft, Dell, Hewlett-Packard, Intel, Philips, and — yup — Google, presented a prototype white-space wireless-broadband device to the FCC. (A second prototype was submitted in May.) The Commission will spend the next couple of years testing the technology, checking, among other things, that it doesn’t interfere with TV signals, as digital TV will continue to operate between 54 MHz and 698 MHz.

So here’s science: WiFi operates at 2.4 GHz, which has a limited range and has trouble going through walls. This is why some buildings need more than one wireless router. WiMAX works at 2.5 GHz and above, and again, WiMAX will only get to you a couple of clicks from each tower. (By the way, Sprint collaborator Clearwire purchased the 2.5 GHz spectrum from AT&T in June for $300 million.)

Broadcast TV, however, shows us that 700 MHz signals can span many miles.

Ah-hah! Could this be the beginning of internet phone everywhere? Could we finally get unlimited calling and see the end to those stupid minute-usage plans that are gouging our wallets every month? Will Sarah finally admit that it’s not Jack’s baby? Stay tuned, and rural America, hang on to your downloading hats.