WTF is Ngrok?

Ngrok better than sliced bread!

As a software engineer developing telecom based web applications, testing and validating software can be a major time sync.  How do you get your lab system on the Internet, accessible with a public IP, so you can test a Webhook or REST API for example?   What if you are working behind a router that has a dynamic IP address?   Reconfiguring your firewall for each test of the new code is a pain!  There has to be an easy way to enable testing without going through 20 acts of vaudeville to test your application code!
We recently discovered two tools that are now essential elements of our software engineering toolkit!   Ngrok is very creative service that solves many problems for testing network-based applications during the pre-deployment, development process.  Ngrok is a software service developed by Alan Shreve, clearly a genius,  who often goes by the name “Inconshreveable”!  In its simplest form, Ngrok is a solution that enables you to expose your lab web server which is normally installed behind a NAT or firewall, and connect with it over the Internet.   Ngrok makes it easy to set up a secure outbound SSL tunnel that can be reached by a hyperlink to a public IP.

Secure tunnels on Demand!

Ngrok is a powerful tool and Alan Shreve is an extraordinary personality!   He makes this available for free use!  No credit card required!   Just open an account here and give this a try!   Then download Ngrok to your local Windows, MAC O/S or Linux development platform, unzip it and run it with a very simple configuration command.   You might enter  “Ngrok http 80” into your terminal window to indicate that you have a web server listening on port 80 on your local machine.

Ngrok then displays a DNS link that you can point at to access and test your application.   Now you can demo without deploying, simplify mobile device testing, build webhook integrations or run personal cloud services from your own private network!   For a modest monthly fee, you can change the random number Ngrok generates for your unique link to a reserved domain name.  So https://92832de0.ngrok.io can become https://yourcompanyname.ngrok.io which will not change and is easy for you to deal with!  The free account generates a random number that will change each time you run Ngrok.   Using a reserved domain also makes webhooks a lot easier.  For example, when developing Twilio applications you would have to change your webhook every time you ran Ngrok.  The paid version enables a reserved domain name that you can now use to stabilize your Twilio webhook!

You can also build secure tunnels that are password protected and able to support multiple simultaneous connections.  Open http://localhost:404o on the platform running your Ngrok client and you can inspect and replay traffic:

We now regularly use Ngrok not only for development testing but also for remote support applications so we don’t have to worry about VPN credentials!    You can create TCP tunnels as easy as you set up HTTP tunnels!  This resource will save you more than enough time to pay the annual fee of $60 for a basic account (1 online process, 3 reserved domain names and eight tunnels per process).     Alan is online from time to time and otherwise provides a link to ask questions!   (Learn about Alan’s other projects here)!  No serious developer, network engineer or remote support technician can afford to be without this power utility! – DrVoIP
(As a product of the 60’s you might note that Grok was first used in “stranger in a strange land”, a SiFi novel.  Profound effect on most of the 60’s generation).

Cloud based Next Gen Firewalls?

Firewall or Security Appliance?

Along with the general tend for business to move to a subscription based, recurring revenue model, the ubiquitous firewall has also moved to the cloud!   In the case of the firewall, however, there is measurable and dynamic benefit to be realized by coupling your firewall to a cloud based subscription.   The “wild west” that characterizes the internet in the 21st century demands a dynamic, self healing, unified treat management strategy!    It is no longer acceptable to use simple statefull packet inspection based firewalls that limit activity based on network layer source and destination IP address matching.  Firewalls must now become “security appliance” solutions!   Content Filtering Intrusion detection and prevention and a growing shared database of malware protection with cross referenced “reputation” based real time analysis is now the minimum daily adult requirement for network Internet work security.

Most of the popular firewalls in the commercial market place now couple some form of a subscription service to the base cost of the actual hardware.  Generally these subscriptions are spam and email filtering solutions at the low end, but include very advanced content filtering and malware protection at the high end.    Effective content filtering and malware protection requires access to a ever growing database where global information about daily treat and reputation analysis can be analyzed and shared among subscribers.    Identity based networking is also an essential component in managing network resource access.  Group policies that limit the facilities that the “guest” wireless network can access and the bandwidth that it can use, from the facilities and bandwidth that the corporate user can access begin to define the minimum specification for network computing.

Meet My Meraki!

We are particularly fond of the Meraki solution as a good fit alongside of the more sophisticated CISCO Next Generation and “SourceFire” solutions.  Both technologies are recent CISCO acquisitions and significantly expand the company’s well established range of threat management, Identity and VPN solutions.   The Meraki products are not only subscription based,  but are truly “cloud” resident.   This makes it very attractive for IT teams or Managed Service Providers to remotely install, configure and monitor geographically distributed firewalls and VPN devices.    When coupled with the subscriptions for ongoing software updates, the system provides unparalleled cost/benefit performance in the following key areas:

  • Identity Based Access and User Group Policy Control – Local or Active Directory definition of users and guest
  • Intrusion Prevention – Active before, during and after monitoring of known treats
  • VPN Automation – Mesh or Hub and Spoke configurations to integrate remote offices and work groups
  • Content Filtering – Limit internet access by specif URL or Group like “peer to peer”,  “file sharing” or “Social Media”.
  • Anti Malware and Anti Phishing – Active scanning of all HTTP traffic
  • High Availability and Fail over – Device and connection security through multiple uplinks
  • Application Visibility and Control – Know exactly who is using what and how much!
  • Centralized Management  – Log into the device through your cloud based “dashboard

Content Filtering and Central Management

Content Filtering is based on subject matter or specific site URL and is intuitive to configure as show below.     The group polices enable you to assign content filtering based on Active Directory identity and group authentication.  Guest log in pages enable visitors network access.   All of this functionality is dynamically made current through subscriptions and is centrally managed through a “dashboard” that is defined in the “cloud” and accessible by authorized personnel from anywhere on the Internet!

 

merakicontentmanager

Register for a webinar and qualify for a free switch, firewall or WAP!

Use an Ingate SIParator and you are “virtually there”!

We have written on the subject of SBC quite extensively in the past and have also covered the easy installation of the Ingate product (see DrVoIP here).   Readers must find this interesting because the hit counter for our Ingate videos continues to grow, indicating engineers are eager to learn more about this product.   We generally regard ourselves as CISCO brats, but when it comes to Session Border Controllers, we remain deeply impressed with both the Ingate product and, most importantly, the Ingate support team!  Pre-sales support is typically as good as it gets when developing a relationship with a vendor.  Post sales support, however, is where the true value system of a company is tested and Ingate passes with high marks.

Ingate SIParator as a virtualized appliance

Ingate, began shipping product as early as 2001 and has its roots in firewall security products.  Ingate has now made its very popular SIParator Session Border controller available as a virtual software appliance.  The SIParator E-SBC, scalable from 5 -20K sessions can be obtained as either a hardware appliance or as a software package.  There are over 10K SIParators installed and working worldwide, making Ingate the “go to” knowledge base for documented SIP deployment experiences that is without equal on a global basis!   Those of you working with ShoreTel have already discovered how powerful a vmware ESXi deployment can be.   New options for fail safe, high availability and increased reliability magically appear when you virtualize your deployment!   Ingate is no different and the availability of the Ingrate SIParator as a virtualized appliance adds a significant level of both reliability and flexibility to your ShoreTel deployment.

The most widely asked question in the DrVoIP technical support forum:  “Is there a need for a Session Border Controller?”   Why can’t we just use our firewall is a common theme.  Though it is possible to use a firewall to do a SIP trunk implementation, it is not our best practice recommendation to use a firewall in that way.  Even firewalls with AGL SIP functionality fall short of the wide rage of features needed for true SIP arbitration.   We are firm believers that firewalls already have enough work to do and are being attacked even more ferociously every day by a wider group of hackers and evil doers than ever before.   If you are committed to using a “firewall” to do SIP deployments, then we urge you to consider at least using an Ingate SIParator Firewall as a best of breed solution!

A dedicated Session Boarder Controller

Session Border Controllers have a lot of work to do!  The concept of normalization alone could fill a text book.  The fact is,  not all SIP implementations are equal.It is often necessary to swap SIP message headers to achieve the desired results!   Try getting your firewall, unless it is a SIParator, to do a SIP message header translation and you will quickly understand why a dedicated Session Boarder Controller makes sense!

IngateFeatures

The software SIParator is easy to obtain, easy to install, easy to configure, and easy  to license.  Ingate has adopted a pay as you go philosophy, and though the software product scales from 5-2000 channels, you only pay for what you use!  In fact, Ingate is so confident in the adoption rate of its product over competitors,  they offer a 30 day free trial.  Just click here to take advantage of this outstanding offer.

The video is Part one of a two part video on the product!   Part one shows how to obtain, download, and install the virtual SIParator software package.  Part two goes through the configuration of the SIParator on a ShoreTel system for use in SIP trunking deployments.  This material was previously covered in our YouTube video on Ingate and that material is still relevant!

Kudos for Ingate

Lastly, we want to commend Ingate not for having a great product,  but for the quality of the support they offer the entire industry by an ongoing commitment toward the education of the market place on SIP and, now WebRTC technology.   We are not talking about thinly masqueraded advertising, but serious SIP education programs for serious technology students, and a demonstrated sincere desire to advance the state of the art!  They offer an endless variety of webinars,  seminars, ebooks and even work in partnership with the SIP school to further develop and educate industry stake holders.    Excellent work  Ingate and well done! – DrVoIP

 

V14 Configuring ShoreTel SIP Trunks P2 -SonicWall or InGate SBC?

A question that keeps coming up in the support ticket system is the subject of InGate and Session Border Controllers.  Folks want to know if you need a SBC to configure a SIP trunk.  Why not just use a Firewall?  Can you configure ShoreTel SIP trunks to work without a SBC?  The simple answer is “yes” but the smart answer is “no”.  In our humble opinion, just because you can do it, does not mean you should do it!   Session Border controllers, like those offered by Intuit for ShoreTel,  provide functionality not normally found on a firewall.   “Normalization” for example, the ability to mediate ShoreTel SIP and your carrier’s  SIP, as they most likely speak a different “dialect” of the common language SIP, is not a standard firewall feature.

Application Level Gateways, sometimes take actions that are injurious to SIP messages.  Remember, SIP was not designed for NAT based networks.   Something has to keep track of which internal private trusted network users made a SIP request for service to another IP address across an untrusted boundary!  Which RTP (voice, video or “media”) ports need to be opened to support this request?  SBC can do this more effectively than firewalls. At the end of the day, you end up turning off the SIP ALG functions in your firewall to make it work! (In SonicWall turn off  “consistent NAT” and “SIP transformations”.)

We have never recommended bringing your SIP services into your VoIP deployment over the same circuit as your Internet circuit, but so be it.   At least, let’s use a separate IP address and make use of the DMZ port on your firewall, if you are not going to use a separate circuit!  Let us try to keep the SIP traffic from undergoing the same port specific inspections you put the Internet traffic on!  Again our best practice recommendation for ShoreTel, if you are serious about SIP trunks as the main Communications link for your company, is get an Intuit SBC and bring your service in on a separate circuit or IP!

SonicWall has for sometime, had a number of “service objects” to support the ShoreTel MGCP phones.  In fact, before SIP was enabled on ShoreTel, all media flowed on port 5004 which was really great for enabling transport level QoS!   Though there is a steady trend to use TLS and get both SIP messages and RTP over a single port, most SIP carriers expect to send messages on UDP 5060.   So if you are using a SonicWall, you will need to create new Service Objects, and put them in new Service Groups to get SIP to work.   You will need to configure Network Objects for your ShoreTel SIP proxy and configure access rules.  We recommend you also create a network object for your ITSP rather than enabling  an open 5060 for all the script kiddies running SipVicious!

We will do this again on a  CISCO ASA 5505 just for giggles as we get a lot of requests for that as well!  At the end of the day, however, for a serious business application of SIP trunks on ShoreTel, get a separate circuit and invest in an Ingate SBC!  Heck, you can even get a virtualized version of InGate!

Network Security begins with an “Acceptable Use” Policy!

Most folks seem to understand what a firewall is and why it is so very important. They intuitively understand they need something between the “trusted” internal computer network, and the wild west we call the Internet! The installation of a firewall is generally something all business do, from the wireless network at the local coffee shop, to the medium size law firm and the giant multinational distributed enterprise. The barbarians are at the door, but with a firewall we all feel protected! The largest percentage of cyber security risks, however, do not come through the front door and your firewall will never see them enter. The largest risk to the security of your network comes from the employees and guests allowed, either connected by wire or wireless, to attach to your corporate network.

As a CISCO Certified Security Professional, DrVoIP does a great deal of work in the area of computer network security. When called on to do a “Security audit”, “voice readiness” or “network assessment”, the first question we ask executive management is where is your AUP? After all, we can tell you what protocols are running around on your network, and even which user is consuming the most bandwidth. We cannot, however, tell you if they are allowed to use that bandwidth! The creation of an “acceptable use” policy (i.e., AUP) is an essential first step in network security. The AUP communicates to all network users what is supported and what applications are allowed on the network. It describes what is acceptable regarding personal email, blogging, file sharing, web hosting, instant messaging, music and video streaming. It defines what activity is strictly prohibited on the network and clearly outlines what constitutes “excessive use”. The computer network is a valuable corporate asset and as such, it needs to be valued, protected, and secured.

Does your company have a network access and authentication policy? What is the “password” policy? Do you even 0need a password to use the company network? Can anyone just come in and plug whatever phone, pad or computer device they happen to have into the company network? What is the data storage and retention policy? Do you allow VPN tunnels that extend your company network to a home office or coffee shop? Do you allow your users to connect third party provided equipment to your network? Is it acceptable that Bob just added a hub to his office network connection so he can plug in his own printer? How do we feel if Bob plugs in his own wireless access point? Do we have a “guest” network and do we let those folks know what is acceptable on your network?

What are the legal ramifications and liabilities you are exposed to if you are providing a computer network as part of a lease agreement? Are you liable for damages if your computer network is unavailable or “down for any reason? If Home Land Security shows up because your company’s public IP address was traced as originating a terrorist treat, do you have the user agreements in place to mitigate the costs you are about to incur defending your good name and reputation?

Computer network security is more than a firewall. A computer with an Ebola virus, Adware or nefarious RAT (remote access terminal) will infect all computers on your network, threaten your corporate data and render your firewall as useless as a screen door on a submarine. If your company has taken the prudent step of providing a Human Resource or employee manual that spells out the company’s position on work force violence, sexual harassment, vacation day accrual and drugs in the workplace, why don’t you have a manual that defines the acceptable use of your most vital corporate assess, the computer network?

Contact DrVoIP@DrVoIP.com and ask us to send you a sample AUP!   We can assist with the creation of an acceptable use policy that makes sense for your company and your employees while protecting your valuable communication and collaboration asset, the company Intranet!  Then and only then can we do an effective “network assessment”. – DrVoIP

VPN’s and VoIP – Getting economical “full mesh” Connectivity without MPLS!

We see a lot of VoIP deployments that come to us for trouble shooting.  A common problem statement is that our HQ site can call both Chicago and Dallas, but Dallas and Chicago can’t call each other.  Savvy network administrator will have figured out that there is a routing issue, but how so?  Clearly HQ knows how to reach each remote site and the remote sites know how to reach HQ, so where is the break down!   At about this time, we learn they have VPN’s that provide tunnel connections to each location and we go clear!

The standard “tunnel” solutions include IP Security (IPSec), GRE, Easy VPN and the new “tunneless” Group Encrypted Transport VPN or  GET-VPN. Most folks make the mistake of picking IPSec for connectivity and being an inherently point-to-point technology, they end up with the problem statement summarized above.   Even a “hub and spoke” solution is not ideal unless we make it possible for “spoke to spoke” connectivity.   Ideally, we need to configure our VPN so Dallas can communicate with Chicago, without passing through HQ!

IPsec is really an encryption and authentication technology that enable secure communications through a public internet.  It is generally used in a multiple vendor deployments.   IPsec does not support any protocol other than IP,  so it can not be used with the routing protocols that might otherwise be used to solve our issue.   For this reason, many deployments will use GRE over IPsec.   GRE to address the routing protocol issues and the  IPsec to provide the security of authentication and encryption.  We are still however, in a point to point mode, or in heavy manual administration mode to configure a simple mesh!

The smart money is on “next hop resolution protocol or NHRP” used in strategies like FlexVPN, GETVPN or DMVPN.  These solutions provide a full mesh option while providing for encryption and data integrity.   In the problem statement above, had we installed FlexVPN, the Chicago and Dallas sites could communicate directly without having to route through HQ or hub.   We would have “spoke to spoke”  to communications!  As broadband becomes more widely accepted and bandwidth becomes less of an issue, we should see more VPN technology deployed in place or in concert with private network technologies like MPLS (GetVPN over MPLS is really kool).

Give us a call and we can noodle out what “full mesh” technology makes the most sense for your organization, both technically and economically!  We are here to help make the network!

 

Is there a RAT Virus in your phone system?

If you have a device on your network that you do not have root privileges for, then your entire enterprise is at risk for a Cybercrime! Do you want to know what a Trojan horse might look like? It might very well look like a Linux appliance provided by an outside manufacturer, delivered and installed on your network. This might be a network camera, firewall, phone system or monitoring device. As network security professionals we would never allow any device to be connected to our network, in which we did not have root administrative authority. IT Directors who budget for network security, intrusion prevention and detection and apply best practice to the care and feeding of their enterprise networks seem to overlook this very large potential security vulnerability. Every day, new networking equipment, appliances and hosts are connected to your network and nobody every questions the fact that you do not have root authority?

Most of the younger folks carrying an Android device have “rooted” their phone, why? Yet you will allow your company to install equipment for which you do not have root authority? Makes no sense to us? The fact is that most modern VoIP phone systems like those from ShoreTel and CISCO are delivered with key components built on Linux like platforms. These devices are placed on the network inside the firewall and perimeter security devices yet the root privilege is not available to the system owner. A very curious practice, would you not agree? Even if you have no clue about network security and hacking, would you allow someone to come into your place of business and install a “box” for which you have not access rights?

Anyone with root access could easily put programs on that appliance that could act unnoticed by network security devices. No virus protection would take note and the device would have complete access to the entire network. A common and popular hack is the RAT, a Trojan horse that can easily be placed on an unsuspecting users phone, computer, or other network device. These RAT’s or “remote access terminals” can be remotely controlled to turn on you microphone, camera and would have full access to all files and network resources. They become remotely controlled “bots” or computer zombies. The good news is that most modern virus protection will find these RAT’s if they are installed on a host computer. What about that appliance you just added to your network, the one you do not have root access privileges? You would never even know that RAT was there and you do not even have access permission to check!

Business owners, regardless of their personal level of technical savvy, need to question every device installed on their enterprise network. Who owns the box and who administers the box? Do you have root administrative authority on every device in your network? If not, why not?

Don’t look now but you have been hacked!

Hackers at the Front Door?

Most every home and business office now has a firewall that separates your internal computer network from the wild west of the world wide internet. The good news is that firewalls have become increasingly more sophisticated and properly configured can do an excellent job in securing your internal computer network devices.  Modern firewalls now include intrusion detection and prevention, email spam filtering, website blocking and most are able to generate reports on who did what and when. They not only block evil doers from outside your network, but they police the users on the inside from accessing inappropriate resources on the outside internet. Employees can be blocked from visiting sites that can rob your business of valuable productivity time or violate some security compliance requirement.  Prime business hours is really not the time to update your Facebook page! Nor do we want our medical and financial service folks using an instant messaging service to chat with and outsider!

The Firewall is the electronic equivalent of the “front door” to your computer network and there is an endless parade of potential evil doers spray painting your doors and windows, relentlessly looking for a way in. A properly configured, managed, and regularly updated Firewall can be very effective in protecting your computer network, both in the office and at home. Behind the firewall, must desktop computers and office servers have local software based firewalls installed that also provide virus protection.  Hopefully if something does get past the firewall, the internal virus and desktop firewall solutions will provide an additional level of security.

What is a Firewall Anyway?

Firewalls are both reasonable and appropriate but here is the bad news. Most of the hacking you now hear and read about is not done by evil doers coming through your firewall! The real damage is done by those inside your network! Malicious users and dishonest employees will always a treat. There is always the treat of the unscrupulous employee swiping credit card data or passing security information for money. The real danger, however, is from users who are just ignorant of today highly sophisticated security vulnerabilities. The most honest employee can unwittingly become the source of a major security breach resulting in the loss of their own personnel data, or the personal and financial data of your customers.

Take your average laptop user as a perfect example. How many times have you gone down to Starbucks and setup shop?  Beautiful day, open air, sun and a high speed internet connection, wireless phone and it is business as usual! If I told you how easy it is to setup a “man in the middle” attack at Starbucks you would give up coffee for the rest of your life. You think you are on the Starbucks WiFi, but actually that kid in the back of the Starbucks with the Wireless Access Point attached to his USB connector, has spoofed you into thinking he is your door to the Internet. He has been monitoring every key stroke on you laptop since you logged in. In fact he now has your log in, password and most everything else on your computer.  Now when you head back to the office and plug in,  you just unleashed a bot on the company network and he will be back later tonight!

If laptops were not enough, everybody is now walking around with a Smartphone!  Did you know that your Smartphone keeps a list of all the WiFi networks you have used recently? Remember when you were down at Starbucks checking your email while waiting for that cup of coffee? Now everywhere you go your phone is sending out a beacon request that sounds like “Starbucks WiFi are you there?” hoping it will get a response and auto connect you to the internet. Remember that kid we were just talking about?  He decided to answer your beacon request with a “yeah here I am, hop on!” Just another “MITM” attack and what he can do to your Smartphone, especially those Androids makes your laptop look like Fort Knocks!

Sometimes for fun and entertainment, while sitting at a gate in an airport waiting room, I will net scan the WiFi to identify how many phones, computers and ipads are online and connected. Not saying that I would do this, but I think you could execute a Netbios attack in less the five minutes?  It is amazing how many people leave their printer an network sharing options on when they travel.  Even more people leave their “Network Neighborhood” settings  in the default configuration!  The drill is always the same:  map the network to see what hosts are connected; port scan for know vulnerabilities; out the exploit tool kit and the rest is actually getting relatively boring for the ethical hacker.  Now credit card thieves on the other hand…….

Chances are your Internet browser is worst enemy when it comes to securing your privacy.  Every website you visit, every email you send and every link you follow is being tracked by hundreds of companies. Don’t believe me?  If you are using Firefox, install an add in extension named DoNotTrackme and study what happens.  Assuming you are an average internet surfer, in less that 72 hours you will have a list of over 100 companies that have been tracking your every move on the internet!  These companies don’t work for the NSA,  but they do sell your “digital profile” to those willing to pay for the information.  Where has your GPS been? What sites did you visit, what movies did you watch, what products did you buy, what search terms did you select – all of this dutifully reported back by you and your unsuspecting employees.  Ever wonder if your competitors want to know what your viewing on line?

Voice Over IP phone systems offer an entirely new range of vulnerabilities waiting to be exploited by the unscrupulous evil doer!  We recently illustrated to a client Law Firm (as a paid intrusion detection and penetration testing consultant and with the clients permission) just how easy it is to covertly switch on a conference room based speakerphone and broadcast the entire conference to a remote observer over the internet! In fact, capturing voice packets for replay is the first trick script kiddies learn in hacking school!

VoIP, Bluetooth, WiFi, GPS, RFid, file and print sharing and even the “cloud” all add up to a list of vulnerabilities that can be easily exploited. What can you do? You need to educate yourself and develop your own “best practice” for safe computing.  You need to educate your employees and co-workers about the various vulnerabilities we all face every day as we become more “wired” and more Mobile.  Hire a competent Computer Network Security professional to do “penetration testing” on your corporate network and firewall.  It would be better to pay a professional to “hack” you, then pay to  fix it after you have been hacked!  Remember if we can touch your network, we will own your network!

(DrVoIP provides VoIP network readiness assessments and is a certified  Network Security consultancy.   If you contact DrVoIP@DrVoIP.com we recommend that you use Ipredator to do so!)