Some notes on Voice-over-IP

Somebody just asked me about VoIP options. Here’s what I know about vendors:

  • Packet8 is now 8×8, and they still stink. Lots of options, but complex and clunky, and my clients didn’t like the hardware at all.
  • RingCentral is quite good. The phones are fancy, and the handsets have a nice feel. Setup was easy, and the web app gives lots of options but not too many.
  • Internet service providers such as Time Warner Cable often have options that are not terrible, but are also not terribly full-featured.
  • Many SOHO businesses (1-3 people) can get away with a single, free Google Voice number, pointing it to ring on multiple landlines and mobile phones. Every user needs to have access, so it’s best to use a Google ID to which several people can have the password. (Really only those people who need access to the voicemails.)

Here’s what I know about the network infrastructure your office needs for something like RingCentral:

  • You need a nice, fast Internet connection.
  • You might need to pay your ISP for a “static IP” address to improve traffic.
  • You need a separate dedicated Ethernet port in your wall for each phone.
  • If that is totally out of the question, for whatever reason, each phone has two Ethernet ports. You run a cable from the wall to the phone, and one from the phone to the computer.

My problem with that last scenario is that it creates bottlenecks in your network. I spec CAT6 and gigabit (1000 Mbps) Ethernet switches for all businesses to get the best performance from their LAN and their file server, but those phones only have 100 Mbps ports, decreasing throughput 90%. Yuck. Any businesses running network-based user accounts will experience a serious degradation in productivity.

Configure one Airport Base Station to extend another

Airport Utility

Apple has really made setting up a wifi network easy. Airport Utility now requires only a few clicks, and correctly guesses what you want to do with each device.

When they start adding devices, or reconfiguring existing ones, many people are reluctant to wipe the routers and start from scratch, but that’s totally the thing to do. It saves a ton of time and guesswork.

Here’s how you do it:

  1. Reset both devices to defaults
    • hold the reset button with a pen until the light blinks faster
  2. Unplug your internet modem from power, count to 5, and plug back in.
  3. Set up the Airport A connected to the internet.
    • Use the same settings, including wifi network name.
  4. Make sure you can now surf the web.
  5. Plug in Airport B, in the same room as the first one.
  6. Configure B, letting Airport Utility guess correctly that you want the B to extend A.
  7. Once both are green, unplug B, and plug it in where you need it.
  8. Make sure it goes green, and you can surf in the G’s office.

DNS, DoS, and recent cyber attacks

How concerned should I be in light of the recent cyber attacks? Is my cable modem an “open resolver”? Can it be hijacked?

The short answer: I have configured most of my clients’ routers to distribute addresses for DNS servers provided by the OpenDNS project. Read on to learn how that protects you.

I had never considered the possibility of a hacked cable box, I suppose mostly because I’ve never heard a geek mention it. I just did a googling of “hack cable modem,” resulting only in discussions of how one might rejigger one’s own modem to elevate the connection speed or get free Internet, both of which appear to be quite prosecutable offenses.

I’m no hacker, but I have a decent handle on small-network security, and I have difficulty imagining the purposes to which a miscreant might put a cable modem. It can’t send data by itself, and your own local network is protected by the router that sits behind the modem.

So, onto discussion of the recent cyber attacks against Spamhaus.

As this article explains, the attack is actually performed on vulnerable DNS servers, such as those run by less vigilant Internet service providers around the world.

What’s a DNS server?

DNS is not hard to understand — it can be thought of as the phonebook of the Internet. When you ask your web browser to go to http://www.i-wish-elliot-spitzer-hadnt-been-such-a-schmuck.com…well, let’s use http://www.google.com as a shorter example…your browser first asks your computer what DNS servers it should use to look up the address.

In my house, my computer sends my browser to the OpenDNS Project’s servers 208.67.222.222 or 208.67.220.220. (We always have a second server as a backup in case the first one isn’t available.)

Then my browser asks the OpenDNS server where to find http://www.google.com. It receives a numerical reply, the IP address of Google’s Web server. Then the browser goes to that IP address and asks for whatever web-page information the server cares to give it.
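Here is what that exchange looks like on the wire, as an added example that is not part of the original post: a small Python script that builds the A query a resolver such as 208.67.222.222 receives for www.google.com and pulls the answer out of the reply. The reply it parses is constructed locally (192.0.2.10 is a made-up sample, not Google’s address) so the script runs offline.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """The DNS A query a stub resolver sends: RFC 1035 header + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _read_name(msg, off):  # read a (possibly compressed) name -> (name, next offset)
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer back to an earlier copy of the name
            end = end if jumped else off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            return ".".join(labels), end if jumped else off
        labels.append(msg[off:off + length].decode())
        off += length

def parse_a_records(msg, expect_txid=None):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expect_txid is not None and txid != expect_txid:
        raise ValueError("reply does not match our query (transaction id)")
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def fake_response(query, addrs, ttl=300):  # constructed reply, for offline use
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, len(addrs), 0, 0)
    rr = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(a) for a in addrs)
    return header + query[12:] + rr

if __name__ == "__main__":  # 192.0.2.10 is a constructed sample, not Google's address
    q = build_query("www.google.com")
    print(parse_a_records(fake_response(q, ["192.0.2.10"]), expect_txid=0x1234))
```

Sent over UDP to port 53 of 208.67.222.222, the bytes from `build_query` draw a real reply that `parse_a_records` handles the same way. The transaction-id check is the minimum sanity check a stub resolver applies to what comes back.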

How does this help hackers?

The recent malfeasance is what’s called a Denial of Service (DoS) attack. Here is one example:

Imagine someone hijacks one of these vulnerable DNS servers, so that when you ask for Google.com, you actually get directed to some other Web server. Now imagine everyone using that ISP’s servers having every single one of their browser requests directed to the same Web server. The unsuspecting server would get barraged by requests, and would have to start turning some of them away — denial of service.

Service breaks down, customers get angry, service loses money, attack successful.

The big ISPs in America protected themselves against these attacks a few years back. But even before that, when the attacks first reared their heads, I looked into the prescribed ways to protect oneself, and immediately started plugging the OpenDNS servers into all my clients’ routers. Crisis averted, at least for us.

Hackers employ several methods to effect a DoS. As I understand it, the goal is not direct monetary gain, but perhaps a hobbling of an adversary, or even an expression of protest. DoS is a typical weapon of the hacker collective Anonymous.

As you can see on the OpenDNS page, using their servers offers other benefits and features, including faster replies to queries and configurable web-content filtering for those with tender sensibilities.

Bonus nerdy information

Google actually started its own public DNS service a little while ago. You can use the servers 8.8.8.8 and 8.8.4.4 in place of the OpenDNS servers.

They have put up a page explaining DNS security in more depth.

I hope you find this information in any way helpful or reassuring.

Creating a small, secure network in your home or office

Note: The recommendations, opinions, and prescriptions are just one man’s view on creating a basic secure network. There are infinite ways to do this dependably, and these are the ones I think are easiest and most cost-effective.

I’m setting up my home network. I would like to allow connections with just one computer from outside the firewall, via VPN, and not allow any other incoming browser or FTP or any other sessions. What hardware can accomplish this?

First of all, it’s worth reading this explanation of home networking.

In many ways, any proper router, including an Apple Airport device, provides a firewall when you don’t open ANY holes in its network configuration. When a router or server manufacturer promotes its “firewall” as a feature, they mean that you can configure those holes more specifically.

Definition: Here, I use “holes” as English for “ports,” which on a network are numerical openings in a firewall, through which network traffic is allowed to pass. We might open those ports using a protocol called NAT (network address translation). With NAT, I can say, just for example, “When I am away from home, I want to securely access my home network with a web browser, to see my security cameras.” So I set my router to direct all traffic on port 443 (the secure web browsing port, or HTTPS) to the network address — the IP address — of my security system.

You might, for example, schedule certain ports to be open at certain times of the day, or direct certain traffic to one IP on your network, in case you did indeed want to have a web or FTP server. A firewall might also let you restrict outgoing traffic to specific ports, and will also keep a log — at a detail level you specify — of incoming and outgoing traffic.

In your case, I’m seeing that you want all holes blocked, except for those that would permit the VPN. A VPN allows you to establish a tunnel through the firewall — a tunnel that encrypts all the traffic going through it.

Can I achieve this with a VPN installed on Mac mini?

Yes, combined with a good router.

If I do not have a dedicated firewall, what is keeping the bad guys out?

See above. One of the most important strategies in security is not to turn services ON. Older Windows machines, especially before XP Service Pack 2, seemed to me to be wide freakin’ open out of the box, advertising their presence on a network and too easily offering basic file sharing, even without requiring a password. Macs are not that open straight off, but their firewall is not on by default, so whenever you turn on a service — iTunes music sharing, for example — it does not request permission to open a port, which does happen when you have the firewall on. The firewall on the Mac also includes logging.

On a laptop or other mobile device, I usually turn almost all services fully off. But it’s nice to have some services turned on on some desktop computers. It would be a shame, for example, to have music or photo sharing turned off on the machine where those things mainly reside.

So here’s the HEADLINE: To maintain good security, the most absolutely crucial technique is to lock down all services with good passwords, and use as many different passwords as you can safely store and readily access.

“Good,” in this case, means letters (some capitalized), numbers, and a special character or two. Learn where and how to change your passwords, and do so regularly. Don’t write them down. Your Mac stores passwords, certificates, and private notes in a well-encrypted file, the keychain, and that’s the best place for them. There’s also software called 1Password that’s worth a look.

Learn to manage passwords and you’ve learned to manage your security.

I am renovating my house, and I want to wire most of the rooms with Ethernet.

That is a fantastic idea, for several reasons: It increases the resale value of your house just like a good electrical or HVAC system does. It’s also important to realize that, while wireless networking is cool and all, there is nothing as reliable as a cable.

I have more information, and a table to help calculate the costs of setting up your network posted at Google Docs, right here.