Securing your devices using DNS

We have long wondered why some of the more harmful webpages are not blocked more easily using DNS, and we finally found a system that does it for us. Securing your devices using DNS may sound like an odd concept, but read on to find out more. You can now improve your Internet Security & Privacy In a Few Easy Steps

dns9.quad9.net is a great free service that blocks many bad things from talking to your computers and other devices. Alot of the viruses people get come from either webpages or email and use DNS to talk to their command and control (C&C) server(s). Quad9 provides Internet Security & Privacy
In a Few Easy Steps

dns9.quad9.net will allow you to block all harmful webpages and many other things without you even being aware of it.

If your unsure what DNS is, its the Domain Name System. in other words, its the domain name of the site (such as securetech.com.au) which resolves into an IP address of “208.113.162.199”. which one is easier to remember?

ASTARO – Adding Win 2k3 as a Authentication server

How to setup ASTARO (now sophos) UTM to authenticate with windows server 2003 through RADIUS. Step-by-step guide to getting it running.

Step 1 – Add a usergroup to Authenticate against

Screenshot of "Firewall Users" usergroup
  • Open Computer Management (Start/All Programs/Administrative Tools/Computer Management),
  • Add a new Usergroup and give it a descriptive and helpful name (I suggest something like “Gateway Users”).

Step 2 – Add users to your group

Screenshot showing user is a member of firewall users group
  • Within Computer Management (System Tools/Local Users and Groups/Users), create users (if necessary)
  • Right click on a user and select Properties
  • Under the Member Of tab, add the group that you created in Step 1 (eg “Gateway Users”)
  • Do Not close Properties dialog box, go to step 3.

Step 3 – Configure Dial-in access

Screenshot showing user properties Remote Access Permission to allow VPN access
  • Within Properties dialog box, click on the Dial-in tab.
  • choose “Allow Access” under Remote Access Permission (Dial-in or VPN)
  • Save and close the Properties dialog box.

Step 4 – Alter Group Policy for password encryption

Alter Group Policy to allow storing passwords using reversible encryption.
  • Within Active Directory Users and Computers, right click on your domain name and chose properties
  • Within the Domain Properties dialog box click Group Management tab
  • Highlight the Default Domain Policy and select “edit”
  • In the GPO Editor, navigate to Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy
  • Make sure Store passwords using reversible encryption is enabled
  • Save and close all dialog boxes

Step 5 – Add a client to the IAS RADIUS server

Create a new RADIUS client
  • Open IAS (Start/All Programs/Administrative Tools/Internet Authentication Server)
  • Right click on RADIUS Clients then chose New RADIUS Client
  • Gave the Client a friendly name of ASG and an IP address
  • Chose RADIUS Standard Vendor-Client and input a shared secret
    (note: will need to input this on the ASG, so write it down)

Step 6 – Create a new Remote Access Policy

Create a new custom Remote Access Policy
Create a new Remote Access Policy with these policy conditions
Add the name that was used in step 5
Finish creating a new Remote Access Policy
Edit the Dial-in profile
  • Within IAS, right click on Remote Access Policies and Choose New Remote Access Policy
  • In the wizard, Choose Set Up Custom Policy and give the policy a descriptive name
  • Select the NAS-Identifier policy condition and give the NAS ID of pptp (lowercase)
  • Select the Windows-Groups policy condition as well and add the group specified in Step 1
  • Choose Grant Remote Access
  • Edit the profile to include CHAP on the Authentication tab (You can include PAP as well, but this is an insecure method)
  • Save and close all configurations on the Active Directory server

Step 7 – Configure the ASG

Configure ASTARO Secure Gateway (ASG)
  • Navigate to Definitions & Users/Authentication Servers/Servers
  • Add the server, service port (keep default unless absolutely certain) and shared secret from Step 5
  • Save the configuration

You are now done with the configuration. In a few minutes, at most, you should be able to use the UTM to authenticate with windows using the RADIUS server facilities. If there is an issue where authentication continually fails, most likely there is a setting on the AD server that needs to be adjusted.

Advanced Settings

If you wanted to get fancy, you could do the following:

Setup a Group for each part of the ASTARO Secure Gateway components (such as Proxy, VPN, Webadmin, etc)

Setup a Remote Access Policy which mimicks the above, while adding “NAS-Identifier” as an extra step. ASTARO sends a unique identifier for each part, so you can setup groups within windows to authorise access to whatever you want, and then you no longer need to edit users at the ASG Web Admin.

This requires setting up “Automatic User Creation” (Definitions & Users/Authentication Servers/Global Settings).

Troubleshooting

Use the Test feature of the Edit Authentication Server Page to check if the UTM authenticates with windows and therefor the user is getting authorisation.

Use the Event viewer on the server to check the “System” Logs, Failed Logon events will show further details here (as long as ASG is setup with the correct server details.

http://technet.microsoft.com/en-us/library/cc782585.aspx is a good place to start for troubleshooting various items on the windows side.

This article was originally found at “https://support.astaro.com/support/index.php/RADIUS“. We have updated it, because the original was a little light on information, and is considered outdated now.

This was created in a hope that others can get more information, and not have to spend as much time as we did, tracking down issues and piecing everything together (not being an expert on RADIUS Authentication).

If you need help with this or other firewalls, please contact us.

RJ45 Cat 5 cable pin-outs

Ethernet RJ45 Socket 10baseT Colour Code T568B
Pin No Description Colour
1_____TX +_______Orange/White
2_____TX -_______Orange
3_____RX +_______Green/White
4________________Blue
5________________Blue/White
6_____RX -_______Green
7________________Brown/White
8________________Brown
_________________________________

RJ45 Cross Over Cable 10baseT
RJ45 Male RJ45 Male
1__________3
2__________6
3__________1
6__________2
______________________________________

RJ45 100base-T4 Crossover male to male
Name______Pin__Pin__Name
TX_D1+____1____3____RX_D2+
TX_D1-____2____6____RX_D2-
RX_D2+____3____1____TX_D1+
RX_D2-____6____2____TX_D1-
BI_D3+____4____7____BI_D4+
BI_D3-____5____8____BI_D4-
BI_D4+____7____4____BI_D3+
BI_D4-____8____5____BI_D3

It’s important that each pair is kept as a pair. TX+ & TX- must be in
the pair, and RX+ & RX- must together in another pair etc. (Just as
the table above shows).

Ethernet RJ45 Socket 10baseT Colour Code T568A

  ‘A’ Colour   Signals   Pin#   ‘B’ Colour
  Green / White   TX+   1   Orange / White
  Green   TX-   2   Orange
  Orange / White   RX+   3   Green / White
  Blue     4   Blue
  Blue / White     5   Blue / White
  Orange   RX-   6   Green
  Brown / White     7   Brown / White
  Brown   8     Brown