Small office network setup - A+ Cert help

Discussion in 'Networking & Security' started by horrorshow, Feb 6, 2019.

  1. horrorshow

    horrorshow [H]ardness Supreme

    Messages:
    6,408
    Joined:
    Dec 14, 2007
    Basically, I need to design a small office network for 20-ish users that includes a secure file server.

    Here's the official question:

    "You are contributing to a project to get new access points (APs) installed in your building and set up a new wireless network therein. There are roughly 15-20 people in your building who each have a company-issued laptop and everyone in the building has a cell phone with WiFi capabilities. The wireless network the CFO wants your team to design will broadcast the intranet to include the company's file share server and other proprietary information. Describe how you would go about designing this network. Would you allow the company's employees to access the internet through this WiFi connection? What security measure would you take, if any?"

    Now, here is my thinking thus far:

    1. Purchase 2 of these (setting one to access point mode)
    https://www.amazon.com/Synology-RT2...=2025&creative=165953&creativeASIN=B01N5MPTG1

    2. enable the standard security stuff: firewall, wpa2, and HTTPS on the router (are ssl and https the same thing? I'm still confused about that)

    3. my understanding is for security purposes, I should set the file server/NAS to a VPN....? Apparently this Synology router has this function built-in so it should be pretty darn easy.

    Also, the second to last sentence of the question regarding internet access. What are they referring to here exactly? Am I forgetting some sort of internet-filter type security?

    - I am NOT looking for a handout here. I'm sincerely trying to learn this stuff (I'm just a little sick, can't seem to focus, and this is due tomorrow). Just guide me, hints, whatever you think is appropriate.

    Please help out a [H] member trying to better himself!

    Many thanks as always,
    Matt aka Horrorshow
     
  2. horrorshow

    horrorshow [H]ardness Supreme

    Messages:
    6,408
    Joined:
    Dec 14, 2007
    Frankly, I respect the lack of response lol

    Here's where I'm at now, please just point out if I'm an idiot:


    "
    1. I would purchase two of the linked Synology routers. Positioning the secondary unit across the office and set it to "access point mode" within the router.

    https://www.amazon.com/Synology-RT2600ac-Prevention-Management-Expandable/dp/B01N5MPTG1

    2. Within the router itself, I would:

    - Setup SSID’s using WPA2 encryption

    - Enable both 2.4 and 5Ghz networks set to Wave 2 multi-user mode (MIMO) over 802.11ac (most of this should be handled automatically thanks to Synology’s intuitive software, including DHCP, NAT being turned on & the proper channel range set between access points (1,6,11) etc).

    - Note: remote access should be disabled unless requested.

    3. Then setup HTTPS and create the proper certificate. (thereby enabling SSL logins etc)

    4. Followed by using/setting-up Synology’s included VPN software. (which based on my research, creates a static IP for the server and increases security – among other benefits like remote access)

    Between WPA2, the built-in firewall, HTTPS secure logins to the server, and the NAS being assigned a single, static IP via VPN – I think it should be fairly secure....

    Frankly, this Synology router looks like it’ll do most of the work for me!
    "


    I'd prefer not to look stupid so please let me know if I'm on the right track here....??

    Thanks again!
     
  3. TordanGow

    TordanGow Gawd

    Messages:
    689
    Joined:
    May 25, 2015
    One word: VLAN

    I'll let you do the rest.
     
    Machupo, horrorshow and Domingow like this.
  4. horrorshow

    horrorshow [H]ardness Supreme

    Messages:
    6,408
    Joined:
    Dec 14, 2007
    Thank you so much for responding! I sincerely appreciate it.

    I'm looking into it right now. (based on what I'm seeing, this looks like Networking+ level stuff - which is cool, I'm here to learn)

    EDIT: Yep, VLAN is Networking+ stuff. So it was a "trick question". Can't say I'm surprised with this instructor.... He's quite a character etc.
     
    Last edited: Feb 6, 2019
  5. FNtastic

    FNtastic [H]ard|Gawd

    Messages:
    1,301
    Joined:
    Jul 6, 2013
    I'll add: WPA2 Enterprise. Not WPA2. And MAC ACL. Both of those before even considering giving access to confidential information over the network.
     
    horrorshow likes this.
  6. BlueLineSwinger

    BlueLineSwinger Gawd

    Messages:
    602
    Joined:
    Dec 1, 2011

    No one uses (or at least should be using) MAC ACLs for WiFi. Too easy to defeat, and management of the list becomes onerous as the number of devices increases.

    If you need to make sure only certain machines can access a particular SSID you tie 802.1x auth into a cert issued to them through your PKI.
     
    horrorshow likes this.
  7. horrorshow

    horrorshow [H]ardness Supreme

    Messages:
    6,408
    Joined:
    Dec 14, 2007
    So since I'm just taking A+ and this isn't covered till Networking+; it was a "Tom Sawyer, you tricked me!" kinda ruse?
     
  8. FNtastic

    FNtastic [H]ard|Gawd

    Messages:
    1,301
    Joined:
    Jul 6, 2013
    I'll give you that it's a lot of overhead management. But, it's another security measure available. Don't make it easy on the hacker. Don't dismiss another security measure simply because "it's easy to defeat" either. Technically, with enough computing power, WPA2 with a 50 character password is "easy to defeat".
     
    horrorshow likes this.
  9. H2R2P2

    H2R2P2 Limp Gawd

    Messages:
    413
    Joined:
    Jun 18, 2006
    I don't want to speak for BlueLineSwinger, but the overhead management isn't the major issue with MAC address based security. The issue is that its trivial to circumvent. So not only is it a management nightmare, its also 100% ineffective as accomplishing anything positive.
     
    horrorshow likes this.
  10. ZeqOBpf6

    ZeqOBpf6 Gawd

    Messages:
    585
    Joined:
    Aug 24, 2014
    CompTIA's stance is that MAC filtering is obfuscation and ineffective. For the scope of an A+ test it is going to be an incorrect solution.

    Re OP:

    I don't know. If it makes you feel any better, I passed my A+ less than 6 months ago and did pretty well (89%)

    I'm guessing this is out of a paid practice test? There were a lot of questions from the test I wish I remembered because I was stumped, and when you get your results it just gives you general areas on what you missed and doesn't write the specific question.

    Also, there are a few "lab" questions, like this, but they give partial credit and it's not going to be this difficult. It's more like you have a few "devices" including cables and you just have to drag and drop them in a way to satisfy the problem. There were a few unnecessary components, but I think it said if you had to use everything or not, so be mindful of that.

    A quick example (they aren't this easy would be

    Assemble a wireless network for grandma

    Equipment:
    Router
    Firewall
    cable modem
    server rack
    POE injector
    Coaxial cable
    Ethernet cable
    fiber cable

    You'd drag a coax cable from the coax plug to a modem, an ethernet cable from the modem to the router, and that would be it.
     
    horrorshow likes this.
  11. BlueLineSwinger

    BlueLineSwinger Gawd

    Messages:
    602
    Joined:
    Dec 1, 2011

    Pretty much this. If I can defeat a supposed security measure simply by scanning the network for valid client MAC addresses to spoof, it's basically useless. Also, far less difficult than cracking a WPA2 password.
     
    horrorshow likes this.
  12. Biznatch

    Biznatch 2[H]4U

    Messages:
    2,168
    Joined:
    Nov 16, 2009
    MAC filtering is 'easy to defeat' because it's broadcast in plain text, so I can sit there with a wifi scanner and see the MAC of every device connected. I don't even have to be on the network, just passive scanning. Then you just spoof the MAC on your machine.... MAC filtering is 100% useless and not even worth implementing.
     
    horrorshow likes this.
  13. FNtastic

    FNtastic [H]ard|Gawd

    Messages:
    1,301
    Joined:
    Jul 6, 2013
    I'll clarify here since it seems that I wasn't clear enough. I am explaining a MAC ACL for VLAN access to the NAS with confidential information for only the devices that need access. Without more information than is already here, this could be beneficial. I'm not claiming that it isn't possible to easily gather MAC addresses and spoof them. What I'm stating is that if you control access to VLANs more granularly with MAC addresses, this adds another layer for the hacker to have to get around. What you don't want to do is make anything easy on them.

    Will they guess a device with access on the first try? Maybe. Could it help prevent unauthorized access? Possibly. However, with WPA2 Enterprise in place, it'd be very unlikely that anyone was on the network with unauthorized access to being with. ;)
     
    horrorshow likes this.
  14. EniGmA1987

    EniGmA1987 Limp Gawd

    Messages:
    161
    Joined:
    May 2, 2017
    If VLAN stuff isnt covered till later and you know nothing about VLANs, then I would use three access points for this. Two would be used on the company network with WPA2-Enterprise, with the Radius server for that, on the main office subnet, and then just for kicks hide the SSID so the stupid people walking around dont even bother clicking on it at all. Then the third AP would be on its own second subnet to the router, with basic WPA2-Personal like any consumer device, with isolation mode enabled so clients on that AP cant talk to each other, and make sure there are firewall rules that say each subnet is not allowed to talk to the other at all. Depending on the router you may be able to also add website filtering too that just covers that whole "guest" subnet for easy deployment. So everyone's phones and the guest wifi is all on its own over there. You can figure out the other security stuff anf file server things yourself.
     
    horrorshow and FNtastic like this.
  15. horrorshow

    horrorshow [H]ardness Supreme

    Messages:
    6,408
    Joined:
    Dec 14, 2007
    Update: I was one of the few students that even attempted the assignment. (which seems par for the course, the farther along we get)

    I'm starting to get this odd feeling that only 1 in 3 or so even get certified....

    Also, thanks everybody! This was awesome.

    - I might post again over the weekend whilst studying for the 901 I'm taking next week. But, I'm already averaging over 85% on their official practice tests so maybe I'm overdoing it....
     
  16. H2R2P2

    H2R2P2 Limp Gawd

    Messages:
    413
    Joined:
    Jun 18, 2006
    MAC filtering on the VLAN has the same issue since all the users in the above hypothetical academic scenario are on WIFI connections. So again, its pointless. *IF* you wanted to protect the VLAN manually, forget MAC filtering and use static IP addresses with an obscure netmask for the VLAN. That would make it so even if someone did spoof a WIFI NIC, and somehow found or knew there was a VLAN, there would be no way for them to sniff and discern the VLAN even existed let alone how to access it. They would need inside information or just through blind luck change their IP and subnet mask to the correct info.

    So, MAC filtering is still not worthwhile. The only type of MAC filtering I can think of that does actually make some sense is if you wanted to enable port level MAC filtering on a switch to determine if someone came in and tapped a network connection (as you would see two MAC addresses on the same port at the same time), or plugged another switch in a LAN port to run a bunch of machines, or someone installed a VM on a local machine already connected to the network, or heck even if you wanted to monitor if someone installed a VPN client on a machine on your network. These scenarios are the type of things where MAC level monitoring makes complete sense.. It shouldn't be used for access control.
     
    horrorshow likes this.
  17. H2R2P2

    H2R2P2 Limp Gawd

    Messages:
    413
    Joined:
    Jun 18, 2006
    No such thing as over doing it. If you are looking at using these skills in an actual career, you will come up against things a lot harder than this. The thing to remember when taking classes is that's its a free chance to screw up without any consequences. Screw ups in the real world are NOT good, so you should get as much exposure while playing with the Nerf toys that you can.
     
    ZeqOBpf6 and horrorshow like this.
  18. horrorshow

    horrorshow [H]ardness Supreme

    Messages:
    6,408
    Joined:
    Dec 14, 2007
    Yup. This has been my attitude thus far.

    Thanks for reinforcing it :)
     
  19. ZeqOBpf6

    ZeqOBpf6 Gawd

    Messages:
    585
    Joined:
    Aug 24, 2014
    Other stuff I'd like to point out from A+ testing vs training questions I found on examcompass, professormesser and maybe another site I can't remember

    There was nothing on sockets or chipsets. I found a lot of practice questions like "Was Socket T LGA or PGA, AMD or Intel, how many pins, what chipset?"
    Thank god, nothing on that garbage.

    I also had nothing like "What was the latest version of Windows to call it My Network Places, before switching to 'Network' and what year was it?"

    I doubt only 1/3 pass the test tbh. It wasn't a slam dunk easymode test but it wasn't like the CCNA, CCENT, or CCNP stuff I've managed to get my eyes on.
     
    horrorshow likes this.
  20. horrorshow

    horrorshow [H]ardness Supreme

    Messages:
    6,408
    Joined:
    Dec 14, 2007
    Thanks for this.

    Any other study-related tips are much appreciated!
     
  21. FNtastic

    FNtastic [H]ard|Gawd

    Messages:
    1,301
    Joined:
    Jul 6, 2013
    I covered this in my statement. You're changing the scenario to fit your statement. My statement fits my scenario. Don't say something is useless if it doesn't fit your specific use-case.
     
  22. H2R2P2

    H2R2P2 Limp Gawd

    Messages:
    413
    Joined:
    Jun 18, 2006
    I didn't change anything. I simply answered the question the OP actually asked (which involved WIRELESS CLIENTS in case you happened to miss that)..

    If you wanted to change the scenario from all wireless clients to an entirely wired network and wanted to add a separate VLAN with a corresponding NAS storage device...…. and you were worried about unauthorized access to the network...…. so you decided to implement MAC ACL's to the NAS to further lock it down to protect it from "hackers"? Then by all means.. Go right ahead.
     
  23. scrappymouse

    scrappymouse n00b

    Messages:
    21
    Joined:
    Mar 18, 2016
    You're thinking too specific for the A+, they generally aren't real world type scenarios, You need to take the information you have, look at the key-words(company issued laptops), 15-20people,(they also have cell phones), So think a little more general...AP's generally support multiple SSID's. So instead of what brand, what firewall rules, what features you'd implement. Think more of Work Network for laptops, Guest network for phones, Work laptops need to authenticate to same company log-on server once connected to Wifi, while guest network has no access to internal network....think along those terms
     
  24. horrorshow

    horrorshow [H]ardness Supreme

    Messages:
    6,408
    Joined:
    Dec 14, 2007
    Yeah, he read mine and was like "...... all I wanted was 'multiple SSID's'.."

    (I haven't cracked a book in over 10 years so apparently now I'm over-doing it)
     
    FNtastic likes this.
  25. scrappymouse

    scrappymouse n00b

    Messages:
    21
    Joined:
    Mar 18, 2016
    It's all good, if you have any other questions I may be able to help, I have my A+, Net+ Sec+, CASP(so I'm well versed in CompTIA lol), I also have my JNCIA :)
     
  26. horrorshow

    horrorshow [H]ardness Supreme

    Messages:
    6,408
    Joined:
    Dec 14, 2007
    I sincerely appreciate that man!

    I def see many, many questions once I get to Networking+ lol
     
  27. scrappymouse

    scrappymouse n00b

    Messages:
    21
    Joined:
    Mar 18, 2016
    I HIGHLY recommend two free resources, one the introductory Networking Video that is on Juniper's website(Free, about 5hrs video series), just need to sign up for a juniper account. After that video, ProfessorMesser(although dated, the fundamentals are great)
     
    horrorshow likes this.
  28. horrorshow

    horrorshow [H]ardness Supreme

    Messages:
    6,408
    Joined:
    Dec 14, 2007
    Is this relevant to A+ or just Networking+??

    I ask because after many practice tests, the only areas I'm not constantly acing are network-related.
     
  29. scrappymouse

    scrappymouse n00b

    Messages:
    21
    Joined:
    Mar 18, 2016
    The A+ does have some minor networking in it, but the above are mainly for Network+...the Juniper video is an amazing overview of the concepts however.
     
  30. horrorshow

    horrorshow [H]ardness Supreme

    Messages:
    6,408
    Joined:
    Dec 14, 2007
    Welp, you beat me.... I got an 86% this morning :)

    I blame the laser printer stuff frankly. Whatever, done and done.

    - On to 902, then Networking+.
     
    ZeqOBpf6 likes this.
  31. scrappymouse

    scrappymouse n00b

    Messages:
    21
    Joined:
    Mar 18, 2016
    Congrats! don't focus on the score at all, there is no such thing as "being more certified" than someone else. You're either certified or you're not. Welcome to the club :)
     
    horrorshow likes this.