BUGS BYTE
Meraki MX Firewall as a Cisco ISR Router

If you are looking for a solution to replace your aging fleet of Cisco ISR 2900 and 3900 routers – then you are not alone. See how we ended up with Meraki MX firewalls as this story unfolds.

Cisco’s end-of-life announcement ends software maintenance and security support at the end of 2020. By 2022 both product lines are considered obsolete and no support is offered.

A metropolitan housing authority in Ohio found itself in this position. It has a couple dozen properties in the county, each with a small connected management office, and reached out to us for a solution.

The proposed solution is a Meraki MX67W at each management office or branch.

The unique component to this solution is their WAN topology. In this case, each branch is connected to a datacenter by a private MPLS cloud. Each branch then traverses a datacenter uplink for public access.

In contrast, most topologies give each branch direct internet access (DIA), which is also used for IPSec VPNs connecting to other sites.

The fundamental difference with the customer’s WAN topology is that there is no reason to firewall the branches’ uplinks to the datacenter. Further, the datacenter can NOT be firewalled when reaching the branch. Similarly, NAT (network address translation) breaks the organization’s access to each respective site.

Finally, the cost per megabyte of the point-to-point links, or the private MPLS, is orders of magnitude higher than the cost per megabyte for broadband.

Our solution replaces the routers with firewalls but bypasses the firewall features for the inter-site traffic. Further, the design allows the customer a future transition to the far less expensive broadband without the purchase of any additional equipment.

The problem with the design is that Meraki MXs are managed through the Meraki cloud, which Meraki calls the “Dashboard”. The MX will only connect to the Dashboard over a WAN interface that is both firewalled and NAT’d. But we can’t have the uplink traffic inspected or manipulated.

In our solution we proposed two options:

  1. “NAT Exemption” & firewall whitelist
  2. A dedicated link for Dashboard access

The problem with the NAT Exemption feature is that it is not fully supported by the vendor, Meraki. It has been in beta testing for over two years.

The problem with the dedicated link for Dashboard access is that the telco equipment may not have a spare port, or the telco may not provision more than a single port for the customer.

It remains to be seen which way this cookie crumbles when the customer weighs in. While both options have their associated risks, the design process and considerations were a good exercise.

Which way would you go if you were responsible for the environment after the IT consultant walked away?

Public WiFi for your Business


Customers using WiFi at retail businesses spend 23% more and increase visit frequency by 19% when compared to customers that do not connect to WiFi. Customer spend and frequency rates decrease even more when businesses are in cellular dead zones.

Retail businesses providing WiFi service to customers see 28% more customer loyalty when compared to their competitors that do not provide customer access to WiFi.

Retail businesses see an increase in customer spend and loyalty within 10 days of a new WiFi implementation. Public signage of WiFi service increases foot traffic. Menu mentions of WiFi increase customer loyalty as well as improving labor efficiency.

Public WiFi and hotspots are the single most exploited target for business cybercrime and customer identity theft. Savvy customers will know if WiFi is insecure and will not use it; others will circumvent the system and exploit the access.

Everyday Edgebrook WiFi leverages all these benefits and eliminates the risks.

Your Edgebrook WiFi Customers will have easy one-click, reliable access to spend more time and return more frequently – because they know they are secure from cyber threats and identity theft. No passwords getting to the wrong people and no need to routinely change passwords.

Your business systems are secure against threats from customers and the Internet, protecting your business operations and point-of-sale systems for your PCI compliance.

Features:

  1. All your customers will recognize familiar networks and logos from other community businesses
  2. Customer access click-thru sign-on – no password needed, still secure
  3. No upfront costs (AT&T/Comcast service is required)
    1. Equipment financing, maintenance and on-going support available for low monthly charges (bartering agreements are available too)
  4. Cloud managed for
    1. quick remote support, easy changes and upgrades
    2. See from the Internet who is in your store now – staff and customers
  5. Secure all customer device traffic and isolate business operations
  6. 100% WiFi coverage across your entire store without dead zones
  7. Market your website, promotions and Facebook pages
  8. Cross marketing from participating Edgebrook businesses (coming soon)
  9. Cross promote reward/loyalty programs (coming soon)
  10. Intrusion detection and prevention – prevent cybercriminals from accessing your point of sale (PoS)
  11. Deep packet inspection – see what Internet services and mobile devices your customers use most
  12. Email alerts when new customers sign-in or when system failures occur
  13. Bolt-on services for security cameras, telephones and energy efficient lighting solutions too
  14. Control staff and customer access on an individual basis.

About Us

Kevin Benson is a professional technical architect specializing in information security, system virtualization and networking – providing business-critical solutions to the country’s Fortune 1000 customers.

Kevin has always been a native Chicagoan, and a Sauganash resident for 12 years. Kevin supports the community and local business, and is passionate about technology. It is for this reason that he offers to work for community businesses on a freelance basis and accepts barter in trade for these valuable services. Kevin freelances under the company name of Bugs Byte (www.bugsbyte.com).

My Jams

I have just figured out the best of all ways to listen to my favorite music. A tiny 32GB USB drive loaded with MP3s. The drive works on my computer, in my car and my home amplifier – everywhere I would want to be listening to music. A simple, very low-upfront cost, free from monthly charges, elegant solution.

Remember when you’d spend hours in a record store picking out and discovering new music? Whether it was vinyl, cassette or CD, all of us (of a certain age and older) have a music collection. Even if it is a collection of MP3 files on our computers, USB drives or cloud storage – it’s still a collection, even if there is no album art or liner notes. It is something we can actually interact with, hold in our hands, and loan to friends or bring on a road trip.

I think this sense of owning something tangible is something we are learning to do without. Why “have” something when you can get it just when you need it, and not have it take up space when you don’t need it – some would say a “dust collector”.

But I really like having my own things. Call me “old-school”.

In my teens I was very proud of having amassed a music collection of 200 or so albums (using the term “album” generically so as not to give away my age). I remember the experience around discovering the music and the store where I found it. Listening to the music brings me back in time to a particular “phase” of my life. I recall listening to the album, digesting each lyric from the liner notes and learning something new about the band.

So what’s the difference between my music and the plethora of options we have today to listen to music? Think of streaming services like Pandora, Tidal and Spotify; or broadcast radio XM and music channels from your TV provider.

The difference is that it is mine. I can transport myself to another time of my choosing when I want to. I can listen to the story of an album, in track order, as the artist intended for it to be heard. The difference is that I am listening to the studio edits and not the live versions Pandora plays. I am not listening to music that Spotify’s algorithms say are like my favorites. Another big deal is that I am not paying money every month and still not being interrupted by commercials.

I use Pandora, occasionally receive XM Radio during promotional weekends, and run a Plex server loaded with my own music and videos. All nice to have, but nothing as simple, cheap and elegant as 32GB of MP3 files the size of my thumbnail.

by: “My Artsy Side”
11/16/2019

IT Projects – What’s Most Important

I just finished a project to upgrade a state university to Citrix Virtual Apps and Desktops (formerly XenApp & XenDesktop) v7.15 LTSR CU5 and Citrix ADC (formerly NetScaler) v12.11.55.

We follow an engagement methodology we refer to as A.D.I.M.E., an acronym for Assess, Design, Implement & Evolve. Obviously some engagements are heavier on some of these phases and lighter in others; however, EVERY engagement will have each one of these phases to some degree.

Our customer came to us with this project stating their business need to upgrade their entire Citrix deployment. They are a returning customer to us so naturally we’re glad to work with them.

As we do with every engagement, we start out with the “A” for assessment around the customer’s stated business need and put together a Statement of Work (SoW) document specifying the engagement milestones. At this point we have a good idea of how much work (and perhaps product) will be needed, and the customer knows how much the work costs and can schedule around it as needed.

Great! Everyone knows exactly what to expect and is getting what they want out of the engagement for agreeable consideration. All is fine right?

Except in the real world, the customer says:

“we think it should only take half the time”

WHAT?!?! I thought we were in agreement!

OK, regroup, perhaps we had differing preconceived notions. Go back to the customer and find out which milestones the customer can do without in order to cut the time in half. After that conversation the customer comes back with:

“we still want to get it all done, just in half the time”

Ah. I get it now. The customer has time constraints or a deadline to meet. No problem, we can work with that. We’ll assign a second resource or another person to get twice as much work done in the same amount of time. OK! We’re all good with that. Now in this third exchange the customer gets to the point with:

“we only want to do this for half the price”

Grrrr….. Regroup, perhaps we again disconnected on priorities here. We like business, we like to keep busy, heck, we certainly like to have customers. We can make this work. After all, half of something is always better than all of nothing. I got it. Let us push out the schedule to a time when we’re slow anyway or have resources sitting on a bench – unutilized. Let’s get back with the customer and see how flexible they can be. Of course, guess what we get back in return:

“we need it done right away”

What the…!?!?!? We started out so good with everyone in agreement – didn’t we?

So let me summarize. We have to get everything done in half the time, for half the price, done right away – right? That’s not too much to ask, is it? No mention yet of the quality of the work. No worries if we deliver on time and on budget, but the system falls apart in 10 days.

Naturally our quality is our reputation – so we cannot compromise on that. Even if no one has considered it once in the course of this conversation.

So how did this engagement go for this university? We got it all done on time and it will last.

So what was lost? A) a lot of hair (as it was pulled out from stress) – both for the customer and the consultant. Moreover, the assessment, design & evolve phases in the A.D.I.M.E. methodology were stricken from the list – no time for them.

Forging ahead to get this done meant working with blinders on. Ignore anything not directly related to the objective. See a misconfiguration, determine its relevance to the objective and ignore it if there is none. Documentation, knowledge transfer – skip it. Recommendations for improvements – no time.

Even when you know exactly what you are getting for your money, you will never know what you’re compromising with the savings.

– by “The Resource”
11/16/2019

Voice over IP solutions for the SMB

Converged networks, those that carry voice alongside data, have been around for a long time now. So long that they’ve evolved a few times over. It used to be that technologies were developed to allow data to ride on top of voice networks – think fax, dial-up modems & ADSL. Then later voice came to be managed on the data network – think VoIP & Skype. And now, in the newest iteration, it doesn’t matter – just plug it in.

The latest incarnation is cloud hosted voice services. In this era it’s no longer about slow or low quality transmissions, nor is it about expensive gear, proprietary systems and complicated networking. Now it’s only about getting connected – give me an IP address and a gateway and you’ll get a feature-rich, high quality telephone service for your home or your international enterprise.

Bugs Byte has supported enterprise VoIP solutions from Cisco UCS and ShoreTel. However, these solutions are out of reach for many of today’s small businesses. While the hosted VoIP solutions making headlines today will scale very well to the enterprise, the corporations entrenched in the high end solutions have enjoyed reliable and uninterrupted voice service on their platforms for a long time. In the meantime, hosted VoIP will continue to dominate in the SMB space until it is proven to scale and enterprises begin to trim their voice and telco budgets.

8×8

8×8 provides hosted VoIP service to desk sets as well as soft-phones for computers and mobile devices. The solution is resold by many value added resellers around the world as a full service solution. However, it can also be set up and managed by a company’s IT staff. 8×8 is a very cost competitive solution; however, it is not as well marketed to the retail consumer as its competition, on account of the channel programs offered to its resellers.

In our experience we’ve found 8×8 to have a more reliable product and the best support. The management portals and features allow self-service administration for any situation – but the interface is not intuitive enough for someone who isn’t routinely working in the portals. While the interface is not very intuitive, neither is that of its competition. So, compared to par, it’s better than most.

RingCentral & MegaPath will be covered in upcoming posts.

We’d like to evaluate solutions from Vonage, Meraki and Ubiquiti if we can get demos from them.

Ubiquiti Unifi Software Defined Networking

Ubiquiti provides a stack of IT solutions to the prosumer (professional consumer) and the small to medium sized business. Ubiquiti’s stack offers networking (Unifi), video and voice, all with software management and cloud integration.

Bugs Byte has just delivered a solution from Ubiquiti for Dayton Place. In this deployment Dayton Place can now have complete visibility to their internal network and video security from anywhere with Internet access.

Management

The Ubiquiti Cloud Key is at the heart of the Ubiquiti Unifi solution to software defined networking (SDN). The Cloud Key is the local software that ties together the management of the entire Unifi solution – including wireless, connectivity, security and monitoring. The Cloud Key software can be installed on any computer (Windows, Mac and Linux); however, it is also sold as a PoE powered appliance needing only a single connection to a PoE switch port. With properly configured network and security settings, a Cloud Key can reside on any connected network and manage equipment at remote Internet connected sites. Once the Cloud Key is paired with a Unifi cloud account, all of its management and monitoring features are accessible in the cloud.

All of the Ubiquiti services – video, voice and networking – are available to be installed on computers of various operating systems (PC, Mac etc.), but also provide decentralized management through apps for iOS and Android (sorry, BlackBerry). In the Dayton Place application the Cloud Key and Network Video Recorder (NVR) appliances were selected for their relatively low cost and compatibility when compared to a Windows/Intel implementation.

The Cloud Key, when connected to a Unifi account, enables cloud access to settings, monitoring and firmware updates for WiFi, ethernet and firewall equipment.

Wireless

Ubiquiti access points (UAP) were installed to provide up to four independent SSIDs each. Ubiquiti offers a range of wireless access points (WAP) in two distinct applications. The range of coverage offered starts with the residential customer in homes and scales up to wireless fiber for line-of-sight connection between distant buildings. Applications include conventional ceiling and wall mount as well as an innovative receptacle design. The receptacle design replaces a conventional ethernet wall jack with an all-in-one PoE powered WAP and RJ45 jack with PoE pass-thru.

During this process it was learned that the UAPs required a legacy version of PoE (24-volt passive) that is not supported by current Ubiquiti switches. In essence, current PoE standards (802.3at) incorporate a power negotiation between the device providing the power and the device consuming it. While some lines of Ubiquiti switches have maintained support for legacy PoE, Ubiquiti has committed to phasing it out entirely. In the meantime, the legacy PoE is available with the in-box PoE injector as well as in-line converters from the current standard to the legacy one. Using the converters allows remote power cycling of devices via the switch port management, whereas the injector will require hands-on effort.

The current WiFi implementation provides conventional password protected (WPA-PSK) access to WiFi. Additionally the solution does offer custom portals, walled gardens, hot spots and other guest access features.

This solution is planned to segment SSIDs for each tenant/guest as well as to implement the guest services feature for transient use without needing to provide a password.

Broadband

Dayton Place is serviced by RCN cable internet broadband for its internet up-link. The service installed includes 155Mb download and 25Mb upload with a dynamically assigned IP address.

The Arris gateway was provided by RCN and set to bridged mode. This exposes any downstream device to the public Internet. In this mode all routing, NAT and firewall functions can be handed off to the downstream device – the Ubiquiti Secure Gateway in this case.

An unexpected condition occurred with this particular Arris gateway once set to bridge mode: the WiFi remained enabled but now handed out public IP addresses to wireless clients. And there is evidence that settings for dynamic DNS (DDNS) were retained after factory reset and despite bridge mode.
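The bridge-mode condition above is easy to miss because the gateway looks "off" from the firewall's point of view while still serving wireless clients with directly routable addresses. The check below is an added example, not code from the original post or from Ubiquiti or Arris: it walks a constructed client table (the `Client` records, MAC addresses and the documentation-range addresses 203.0.113.x / 198.51.100.x standing in for public IPs are all made up here) and flags any wireless client whose address is not RFC 1918 or link-local, which is exactly the symptom described for the gateway's leftover WiFi. In a real audit the client table would come from the gateway's or the NVR/Cloud Key's client list.

```python
import ipaddress
from dataclasses import dataclass

# Address ranges a client behind a NAT gateway is expected to hold.
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


@dataclass(frozen=True)
class Client:
    name: str        # hostname as shown in the gateway client list (constructed)
    mac: str         # constructed, not a real device
    interface: str   # "wifi" for the gateway's own radio, "lan" for the wired side
    ip: str


# Constructed sample client table. 203.0.113.0/24 and 198.51.100.0/24 are
# IANA documentation ranges used here as stand-ins for public addresses.
SAMPLE_CLIENTS = [
    Client("front-desk-pc", "02:00:00:00:00:01", "lan", "192.168.1.20"),
    Client("office-printer", "02:00:00:00:00:02", "lan", "192.168.1.30"),
    Client("tenant-phone", "02:00:00:00:00:03", "wifi", "203.0.113.57"),
    Client("guest-laptop", "02:00:00:00:00:04", "wifi", "198.51.100.12"),
    Client("staff-tablet", "02:00:00:00:00:05", "wifi", "192.168.1.45"),
    Client("self-assigned", "02:00:00:00:00:06", "wifi", "169.254.10.5"),
]


def address_kind(addr: str) -> str:
    """Classify an IPv4 address as 'rfc1918', 'link-local', 'public' or 'invalid'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if ip.version != 4:
        return "invalid"
    if any(ip in net for net in RFC1918_NETWORKS):
        return "rfc1918"
    if ip in LINK_LOCAL:
        return "link-local"
    return "public"


def find_exposed_wireless_clients(clients):
    """Wireless clients holding a non-private address, i.e. reachable from the Internet
    without passing through the downstream firewall."""
    return [
        c for c in clients
        if c.interface == "wifi" and address_kind(c.ip) == "public"
    ]


def bridge_leak_report(clients):
    """Summarise whether the modem's WiFi is still serving clients in bridge mode."""
    exposed = find_exposed_wireless_clients(clients)
    return {
        "leaking": bool(exposed),
        "exposed_clients": [(c.name, c.ip) for c in exposed],
        "wireless_clients_total": sum(1 for c in clients if c.interface == "wifi"),
    }


if __name__ == "__main__":
    report = bridge_leak_report(SAMPLE_CLIENTS)
    print("Bridge-mode WiFi leak detected:", report["leaking"])
    for name, ip in report["exposed_clients"]:
        print(f"  {name:15} {ip}  (public address on the modem's radio)")
```

Any hit from `find_exposed_wireless_clients` means the modem's radio is still active and bypassing the firewall behind it; the fix on the page is to disable that radio or, as planned, replace the gateway with a customer-owned device.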

The gateway is planned to be replaced with a customer-owned device in order to achieve a 4-month return on investment (ROI).

… See more about the video, switch and firewall implementations in the next post.