I always say that a great network troubleshooter needs to possess a wide range of skills that might be outside of his or her core competency. A good analogy is to think of yourself as a networking MacGyver. An example would be whipping up quick Perl scripts or batch files to help automate a process or to assist in troubleshooting. I believe that having some skills outside of traditional networking also gives analysts a different perspective when troubleshooting.
In this blog post, I'll describe how being a networking MacGyver helped a company protect network assets without additional costs.
A while ago, I worked with a client who set up a temporary WiFi network in order to provide attendees with WiFi access at an event the client was hosting. Employees at the company also wanted to use the attendee WiFi network to get the real end-user experience, but had some security concerns.
They knew that some of the applications they use can be easily deciphered if the packets are captured. For example, some send data in clear text (Telnet and non-HTTP protocols, for instance), while others use very weak hash algorithms. Usually this isn't a concern, since the employees typically use a cabled connection at their desks and the systems they access have filters to block unauthorized access.
This company allowed the attendee WiFi subnet access to its systems, but wanted to know if there was anything it could do to prevent users from capturing their data. Since this event network was going to be taken down after a few days, the client didn't want to make it any more complicated than necessary or incur any extra expenses. Things like extra VLANs, SSIDs or additional access points fell into that category.
I explained that there is nothing you can do to stop people from capturing your data, but you can make it difficult for them to read it.
The IT team was told that a VPN server is about $10K, which is out of the question for their budget. I suggested the company simply take a Windows 7 computer and set it up as a VPN server in order to encrypt the data. You can create a VPN server without purchasing any additional hardware or software in just five steps.
- Click "Start" or the Windows Orb, then type ncpa.cpl into the "Search" box and press Enter.
- In the "Network Connections" window, click the "File" menu and choose "New Incoming Connection." The "Allow Connections to This Computer" window will display.
- Click the check box next to each user account displayed that you wish to grant access to connect and use the VPN connection. Click the "Next" button. You can also create a new account here such as VPN.
- Select the "Through the internet" box and then click the "Next" button. Accept the default list of protocols displayed by clicking the "Allow Access" button.
- Click the "Allow callers to access my local area network" box, click the "Assign IP addresses automatically using DHCP" radio button and then click the "OK" button. Click the "Close" button.
The computer is now configured to receive VPN connections from Windows and Android clients. Now employees can VPN into the Windows 7 computer and all their data will be encrypted regardless of what application or server they access.
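One way to verify that claim is to capture on the attendee subnet and confirm that nothing from an employee address leaves the laptop outside the tunnel. The Python below is an added example, not code from the original post; it assumes the Incoming Connections server is running PPTP (so employee traffic should appear only as a TCP 1723 control channel plus GRE, IP protocol 47, to the VPN server), and the addresses and cleartext port list are constructed placeholders to adjust for the real network.

```python
import struct
from ipaddress import ip_address

# Constructed assumptions: employee laptop address(es) on the attendee subnet
# and the Windows 7 VPN server's address. Replace with the real values.
EMPLOYEE_IPS = {"192.0.2.50"}
VPN_SERVER = "192.0.2.10"
PPTP_CONTROL_PORT = 1723           # TCP control channel used by PPTP
GRE_PROTOCOL = 47                  # PPTP carries the encrypted PPP frames in GRE
CLEARTEXT_PORTS = {23: "telnet", 80: "http", 21: "ftp"}   # apps the post worries about

def parse_ipv4(raw):
    """Return (src, dst, protocol, dst_port) from a raw IPv4 packet; port is None unless TCP/UDP."""
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    src = str(ip_address(raw[12:16]))
    dst = str(ip_address(raw[16:20]))
    dst_port = None
    if proto in (6, 17) and len(raw) >= ihl + 4:
        dst_port = struct.unpack("!H", raw[ihl + 2:ihl + 4])[0]
    return src, dst, proto, dst_port

def classify(raw):
    """Label one packet: tunnel, vpn-control, cleartext:<app>, other, or not-employee."""
    src, dst, proto, dport = parse_ipv4(raw)
    if src not in EMPLOYEE_IPS:
        return "not-employee"
    if dst == VPN_SERVER and proto == GRE_PROTOCOL:
        return "tunnel"
    if dst == VPN_SERVER and proto == 6 and dport == PPTP_CONTROL_PORT:
        return "vpn-control"
    if proto == 6 and dport in CLEARTEXT_PORTS:
        return "cleartext:" + CLEARTEXT_PORTS[dport]   # left the laptop unencrypted
    return "other"

def build_packet(src, dst, proto, dport=None):
    """Build a minimal IPv4 header (plus TCP ports when dport is given). Constructed sample data."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                         ip_address(src).packed, ip_address(dst).packed)
    if dport is not None:
        header += struct.pack("!HH", 40000, dport)   # source port, destination port
    return header

def leaks(packets):
    """Return the cleartext labels of employee packets that bypassed the VPN."""
    return [c for c in map(classify, packets) if c.startswith("cleartext")]

if __name__ == "__main__":
    sample = [build_packet("192.0.2.50", "192.0.2.10", 47),          # encrypted tunnel traffic
              build_packet("192.0.2.50", "192.0.2.10", 6, 1723),     # PPTP control channel
              build_packet("192.0.2.50", "198.51.100.7", 6, 23)]     # Telnet outside the tunnel
    print(leaks(sample))
```

Feed it the raw IPv4 packets from a capture (for example via scapy or dpkt); any "cleartext:" label on an employee address is traffic that bypassed the tunnel.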
This may work with other versions of Windows, but the client had spare Windows 7 computers available. Linux equivalents of this method are also available.