Now it’s time to really network, and take control of it like a boss!


Hello there, family and friends!


Well, you got this far! You’ve learned everything you need to build your business network, but here you are, back for more! Well, it’s your lucky day! I’m going to give you more!


So, as they say, I’ll show you just how far this rabbit hole really goes! You’ll come out of reading this post knowing more than enough to hack the Gibson! (Check that movie out one day!)

With that said, let’s get started:


ALL ABOUT THE FIREWALL: Let’s start with an important piece of your network, a firewall. While your router provides its own firewall, which can work reasonably well, there are times when you’ll need or want something more powerful. Your business could be in an industry that requires insanely tight security (banking, finance, anything with extremely sensitive data), or maybe you just want something that gives you more control over your network than a traditional router does. Let’s get into the different kinds of firewalls:

– Software Firewall: These are extremely common, mostly in the form of Windows Defender, but are also included with most antivirus solutions. These generally only protect the device they are running on.
– Hardware Firewall: These are also common, in the form of your router, although it’s enterprise grade firewalls, such as Cisco, Juniper, Netgate, Watchguard and Fortinet, that have the strongest protections and the best customization options. Hardware firewalls protect ALL devices on your network. Enterprise grade firewalls can also perform other duties, such as VLAN routing, port redirection and much more.
– Cloud based Firewall: These aren’t as common. They do not require an on-site device, but also do not offer a lot of control, and can become expensive very fast.

Then there are two types of firewall:

– Stateless Packet Filtering: This is true of the majority of routers out there. Stateless firewalls do not use connection information to do their job, but rather some predefined rule sets. Stateless firewalls are not as strong as stateful ones, but are quite speedy. (All home routers are stateless.)

– Stateful Packet Filtering: This is true of most enterprise grade firewalls. Stateful firewalls filter based on the context of the connection (Source, Destination, protocol, etc). Stateful firewalls are extremely powerful and customizable, but do sacrifice a little performance to do the job.

What you use for your business in this regard is down to your preference. I prefer pfSense, which is a Netgate product. I can guide you through the interface on that all day, however, there are other popular brands of firewall appliance out there, such as:

– Fortinet
– Cisco
– Juniper
– Watchguard
– Sonicwall
– Palo Alto Networks
– Barracuda

Whichever one you decide to implement is up to you.


IP ADDRESSES: THE PHONE NUMBERS OF THE INTERNET: Of course, in a modern, connected world, the majority of devices communicate with each other using a protocol called TCP/IP, or Transmission Control Protocol over Internet Protocol. For this to work, each device needs what is called an IP address. Think of this as a phone number for your device, but instead of people calling it, other devices will call it. In the last networking post, we discussed the various IPv4 ranges that are usable for private networks. In this post, we will dig deeper into a process called Subnetting, as well as the next generation of addressing known as IPv6.


Subnets: Subnets are the base of a network setup. These define how many devices can use a particular range of IP addresses. These are defined in two ways:

– By subnet mask. An example of this is 255.255.255.0, which allows hosts to use a range of IPs from x.x.x.1 to x.x.x.254. Note that .0 and .255 cannot be assigned to devices in this range. .1 is commonly assigned to the router.

– By CIDR notation. This is usually a number like /24, which denotes 255.255.255.0.

Let’s dive into each IPv4 subnet, and how many usable IP addresses it will have. We will display the most common ones:

In this example, we will use the 10.x.x.x private range, which allows for the greatest flexibility. This will be formatted as: CIDR – Subnet – Range


/32 – 255.255.255.255 – 1 IP usable – Commonly found on Internet (WAN) connections.
/24 – 255.255.255.0 – 10.0.0.1 to 10.0.0.254 – 253 usable IP addresses – Most common LAN configuration, usually a 192.168 IP
/16 – 255.255.0.0 – 10.0.0.1 to 10.0.254.254 – 65,534 usable IP addresses – Commonly found as 172.16 IPs
/8 – 255.0.0.0 – 10.0.0.1 to 10.254.254.254 – 16,777,214 usable IP addresses – This is the technical proper use of the 10.x IP range.

NOTE: All devices must be within the same subnet to communicate with each other UNLESS you have configured subnet routing on your network. This is normally done at the firewall. It IS possible to divide a /24 subnet by setting it up as a /25; however, if one device is on 192.168.0.126 and another is on 192.168.0.129, they will not be able to communicate with each other unless they are both in the same subnet. (Note that on a /25, .126 is the final usable IP of the first subnet, whereas .129 would be the first usable IP of the SECOND subnet.)

Each IP range has two unusable addresses. In a /24, this is usually .0 and .255. In this case, .0 is known as the Network Address, and .255 is known as the Broadcast Address. The Broadcast Address is used mainly for device discovery, where data sent to this IP is then sent out to all connected devices. As for usable addresses, .1 is almost always going to be your router, although I have seen some use .254 for that.
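As an added illustration (not code from the original post), here is a small Python subnet calculator built on the standard library’s ipaddress module. It works out the netmask, usable range and host count for rows like the ones above (the count is 2^(32 - prefix) minus the network and broadcast addresses, with /31 and /32 handled as the special cases they are), carves a /24 into two /25s, and checks whether two hosts land in the same subnet using the .126/.129 case from the note.

```python
import ipaddress


def subnet_info(cidr):
    """Describe an IPv4 network given in CIDR form, e.g. "10.0.0.0/24".

    strict=False also accepts a host address such as "192.168.0.126/25":
    the host bits are masked off to find the network it belongs to.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 networks only")
    if net.prefixlen >= 31:
        # /31 (point-to-point links, RFC 3021) and /32 (a single host, as on
        # many WAN links) have no separate network/broadcast address to lose.
        first, last = net.network_address, net.broadcast_address
        usable = net.num_addresses
    else:
        first = net.network_address + 1   # .0 (in a /24) is the network address
        last = net.broadcast_address - 1  # .255 (in a /24) is the broadcast address
        usable = net.num_addresses - 2
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "first_usable": str(first),
        "last_usable": str(last),
        "usable_hosts": usable,
    }


def same_subnet(ip_a, ip_b, prefix):
    """True if ip_b falls inside the /prefix network that contains ip_a."""
    net_a = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net_a


def split_subnet(cidr, new_prefix):
    """Carve a network into equal smaller ones, e.g. a /24 into two /25s."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(sub) for sub in net.subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    # 203.0.113.7 is a documentation address used here as a made-up WAN IP.
    for cidr in ("203.0.113.7/32", "10.0.0.0/24", "10.0.0.0/16", "10.0.0.0/8"):
        info = subnet_info(cidr)
        print(f"/{cidr.split('/')[1]:<3} {info['netmask']:<16} "
              f"{info['first_usable']} to {info['last_usable']}: "
              f"{info['usable_hosts']:,} usable")
    # The /25 case from the note: same /24, but different /25 halves.
    print(split_subnet("192.168.0.0/24", 25))
    print(same_subnet("192.168.0.126", "192.168.0.129", 24))  # True
    print(same_subnet("192.168.0.126", "192.168.0.129", 25))  # False
```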


IPv6 ADDRESSES: THE FUTURE IS HERE: As you dive deeper into IP addresses, you’ll notice something: there’s a limited number of them! While this will never be an issue on a local network (LAN), it is an issue on the wider internet, where millions, if not billions, of devices interact. That’s where IPv6 comes in. IPv6 is a newer standard created in the early to mid-2000s to address the growing number of devices on the global internet. Fast forward to the modern day, with everything having internet connectivity, and you can see just how fast the older IPv4 addresses get used up. Enter IPv6.

An IPv6 address is formatted like this: 2001:6c0:123:4567::1234:9876:abcd

In IPv6, there are EIGHT groups of 4 hexadecimal characters (0-9, A-F), often called quartets or hextets, separated by colons.

If you look at the provided example, you’ll see a double colon. This stands in for a run of all-zero groups, and leading zeros inside a group can be dropped. (Of course, you can also write everything out in full, eg 2001:06c0:0123:4567:0000:1234:9876:abcd, either way works!)

You can also do a really short IPv6 address such as 2001::8a4 – This is essentially 2001:0000:0000:0000:0000:0000:0000:08a4, with the double colon standing in for the six all-zero groups.

As you can see here, IPv6 allows for a near infinite number of devices in one single range. Note that while you won’t really use IPv6 on a local network, it’s best to have it enabled so that devices can communicate with IPv6-based internet services. IPv6 subnets are usually defined by what is known as Prefix Length. This is notated in the same way as the CIDR notation for IPv4 (eg /64).

For IPv6, subnets go from /1 to /128, with /1 covering every single IPv6 address in existence, and /128 being one single IPv6 address. The most common delegation, however, is /64. What’s interesting here is that unlike IPv4 addresses, which are assigned by your router/firewall, your device will pull its IPv6 address directly from your service provider. You can, however, use local IPv6 addresses if you wish to control this access. There are LAN IPv6 address ranges; these generally start at fc00:: and go on from there.

WATCH OUT: The IPv6 address your device gets from the service provider IS PUBLICLY ACCESSIBLE. This is the case for most home routers. You can activate firewall protections on IPv6 using your appliance. Otherwise, it’s best to use an on-device firewall. If the V6 address you get does NOT start with F, assume it’s a public one!

And just HOW MANY addresses can you get on V6?? On a common /64, you get... OVER 18 QUINTILLION! Yes, you read that right... QUINTILLION! To be exact, 18,446,744,073,709,551,616 IPv6 addresses. Compare this to just a little over a million on IPv4... You can see why this is the way to go, and there are services and devices that ONLY work with IPv6.

NOTE: IPv6 addresses beginning with fe80: are known as link-local addresses, similar to the 169.254. IPv4 addresses you get if there’s no DHCP server on the network. IPv6-capable devices will create their own V6 network on your LAN if one does not exist. (In fact, Windows 7’s HomeGroup feature uses IPv6 exclusively.) This will NOT interfere with the normal operation of your network at all.


PORTS: WHICH WAY DO I GO?: IP Addresses are one thing, but truth is, an IP address doesn’t constitute a service. A device can host a number of different types of services behind a single IP address. For this, there’s what is known as a port. Ports are another set of numbers that define where data should be sent on a device. Everything related to internet and network connectivity relies on port assignments. Port assignments range from 1 to 65535. While there is a port 0, this is considered an invalid port and should never be assigned to anything. Below, we will list the most commonly used ports, along with others for common services (Don’t worry! I will explain more on these services later):

First, the every day ports:

53 – DNS – This is the phonebook of the internet.
67 – DHCP – Automatic network configuration utility – Your router/firewall uses this to automatically assign IPv4 addresses to clients. Some use this as an HTTP proxy port.
80 – HTTP – Standard web browsing – While not used as much as it once was, it still serves a purpose in the modern age.
123 – NTP – Network Time Protocol – Used for setting the time on devices
443 – HTTPS – Secure version of the HTTP protocol – This is the most commonly used port. Hundreds of other services, including VPNs, also use this port. (More later)
445 – Microsoft-DS – Used for SMB2/3. Exclusively used in Windows environments.
465 – SMTP over TLS – Used for securely sending emails
546 – DHCPv6 – Used to assign IPv6 addresses to clients
587 – SMTP over STARTTLS – Used for securely sending emails – Commonly used by GMail and Outlook.
853 – DNS-over-TLS – A newer, secure version of the DNS system. Known as Private DNS on Android devices.
995 – Secure POP3.
1194 – OpenVPN – Common VPN protocol used by many online VPN services.
3389 – Remote Desktop Protocol (RDP) – Used mostly for remote access on Windows systems.
3478 – STUN – Commonly used in SIP/VoIP environments, as well as online voice/video chat services.
4500 – IPsec NAT-T – An extension of the IPsec protocol – This is included here as it is commonly used by cell carriers for WiFi calling.
25565 – Minecraft – Common port for multiplayer Minecraft.

Next: Common, but not everyday used ports.

22 – SSH – Short for Secure Shell Protocol. This is most commonly used in Unix/Linux environments for remote command shell, but can also be used for tunneling as well as file transfer.
113 – IDENT – Used primarily for device identification. (Those of you who have used IRC will be familiar with this!)
500 – IPsec – VPN protocol. Not commonly used unlike IPSEC NAT-T.
6660-6669 – Internet Relay Chat (IRC) – A simple chat protocol. (NOTE: Some trojans also use IRC for a C2 network)
6697 – IRC SSL – Encrypted IRC port.

There’s the obsolete ones:

21 – FTP – Unencrypted File Transfer. In most cases, this is superseded by FTP over SSH (Known as SFTP). Still found in older networks.
23 – Telnet – Unencrypted remote terminal protocol. Largely replaced by SSH, but is still found in older networks.
25 – SMTP – Unencrypted SMTP protocol. This port is blocked by most providers due to spam abuse.
70 – Gopher – Older, pre-HTTP internet protocol.
110 – POP3 – Unencrypted email protocol – Superseded by Secure POP3.
135-139 – NetBIOS/SMB v1 – Used mainly in older systems. Deprecated on modern devices. (Remember getting weird spam popups back in the late 90s? Yeah, that came in on these ports. All ISPs block these now.)
1723 – PPTP – An unencrypted, obsolete VPN protocol. Replaced by IPsec, OpenVPN, Wireguard, etc
5190 – AIM/ICQ protocol – Obsolete as these messenger services have shut down. Messengers today mostly use the common HTTPS port.


And then, there’s the ports that are usually associated with not good, very bad things:

1337 – Associated mainly with Remote Access Trojans (RAT)
21554 – Associated mainly with Remote Access Trojans (RAT)
31337 – Associated mainly with Remote Access Trojans such as NetBus, SubSeven, etc (RAT)


Ports commonly used by proxy servers:

808 – CCProxy HTTP Proxy
1080 – SOCKS Proxy
3128 – Squid HTTP Proxy
6588 – AnalogX HTTP Proxy
8000 – Alternate HTTP Proxy port
8080 – Common HTTP proxy – Also used as an alternate HTTP web port
8081 – Alternate HTTP Proxy port
9050 – HTTP Proxy port used by the TOR client. (Allows applications to tunnel through the TOR network)

For the most part, apps and sites you interact with will mostly use port 443.


Now, onto connectivity protocols: There’s many different protocols in networking, but we will discuss the main three: TCP, UDP and ICMP.

TCP: Known as Transmission Control Protocol, this is the most commonly used protocol on the internet.

UDP: Known as User Datagram Protocol, this is another commonly used protocol. UDP is built for speed, and is used in applications where fast connectivity is a must. A newer web standard called QUIC is built on top of UDP. Regular DNS also uses UDP for its connectivity.

ICMP: Internet Control Message Protocol: The most common use of ICMP is simple ping tests. Route tracing (through command line programs like tracert on Windows and traceroute on Linux) also uses ICMP packets.


Next: Let’s talk about services:

DNS: Known as Domain Name System, this is the phonebook of the internet. DNS is used for converting human-readable names (google.com) into IP addresses that the device can use to access services. As normal DNS is generally unencrypted, two newer versions of DNS, known as DNS-over-TLS and DNS-over-HTTPS, encrypt these requests. This has the effect of preventing man-in-the-middle attacks, and can also work around most forms of DNS-based internet filtering. (In those cases, many firewalls have methods to prevent use of these newer services.)

DNS itself operates on UDP port 53. DNS-over-TLS operates on TCP port 853. DNS-over-HTTPS operates on TCP port 443 (Same as HTTPS)


DHCP: Known as Dynamic Host Configuration Protocol, this is responsible for configuring devices for network connectivity. DHCP pushes the following settings to a device:

– Device IP address
– Subnet mask
– Gateway (Usually the router itself)
– DNS server (Router itself OR whatever is specified in the router’s config)
– Search domains (if any)

DHCP operates on UDP port 67. The newer version for IPv6, DHCPv6, operates on UDP port 546.

HTTP & HTTPS: Known as HyperText Transfer Protocol, this is the most commonly used protocol. HTTP is the base of the internet, and is used whenever you visit a website. HTTPS is the encrypted version of HTTP, and is the most used protocol today.

HTTP operates on TCP port 80. HTTPS operates on TCP port 443. QUIC, the UDP extension of HTTPS, operates on UDP port 443. (I’ll talk more about 443 shortly)

SMTP: Known as Simple Mail Transfer Protocol, this is mainly used for sending email. Original SMTP uses no encryption, and is obsolete. Current SMTP services use either SSL/TLS, or STARTTLS.

SMTP runs on TCP port 25 (Blocked by most, if not all, ISPs). SSL/TLS operates on TCP port 465, and STARTTLS operates on TCP port 587.

POP3: Post Office Protocol 3, is used for receiving mail. There is an original version of POP3, which is obsolete as it is unencrypted.

POP3 operates on TCP port 110. Secure POP3 operates on TCP port 995.


Much ado about port 443: So, you are wondering why I want to talk more about this particular port? Well, that’s because it’s the #1 used port on the internet. Without this port, there really is no modern web. Filtering this port on your network would take out 97% of internet access.

However, free access on this port has its drawbacks. Not everything operating on this port is going to be a web site. It’s actually very common to hide VPNs, proxies and tunnels on this port, and this is very commonly done to help get connectivity through a restrictive firewall. This would allow one to break free of network restrictions, and gain access to the wider, unfiltered internet.

Most firewall appliances have methods of detecting and blocking non-HTTPS traffic on this port, however, there are also tools that help disguise a tunnel as standard HTTPS traffic to overcome this very challenge. It’s not a huge challenge to stop traffic on other ports without interfering with normal usage.

But in short, Port 443 is way more than just a web server port, and even then, it’s possible to hide a proxy server INSIDE a web server. Thanks to multiplexing, it’s possible for a server to determine what type of client is connecting to the port, and redirect it to that service. It does this by reading the packet headers on the incoming connection. Browsing to this host would likely show you a website without revealing what lies beyond that.
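As an added example (not from the original post), here is the kind of first-bytes check that a firewall’s "non-HTTPS on 443" detection, or a port-sharing front end, applies to decide what has connected: a TLS handshake record, an SSH banner, a plaintext HTTP request line, or something else. It is run over a few constructed connection records (addresses and bytes are made up) to flag the flows on 443 that are not TLS.

```python
# First-bytes protocol fingerprinting, as used to spot non-TLS traffic on 443.

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ")


def classify_first_bytes(data):
    """Return a protocol label for the opening bytes of a TCP stream."""
    # TLS record header: content type 0x16 (handshake), legacy version
    # 0x0300..0x0304, a 2-byte length, then the handshake message whose
    # first byte is its type (0x01 = ClientHello, what every browser sends).
    if (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04):
        return "tls-clienthello" if data[5] == 0x01 else "tls-other"
    # SSH always opens with an identification string such as "SSH-2.0-...".
    if data.startswith(b"SSH-"):
        return "ssh"
    # Plaintext HTTP opens with a request line: METHOD SP target SP HTTP/x.y
    if data.startswith(HTTP_METHODS):
        return "http-plaintext"
    return "unknown"


# Constructed captures: (client address, server port, first bytes sent).
SAMPLE_FLOWS = [
    ("10.0.0.11", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
    ("10.0.0.12", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("10.0.0.13", 443, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("10.0.0.14", 443, b"\x00\x2a\x38\x9f\x1c" + b"\x00" * 8),
    ("10.0.0.15", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
]


def flag_non_tls(flows, port=443):
    """Return (client, label) for every flow to `port` that is not a TLS handshake."""
    alerts = []
    for client, dport, first in flows:
        if dport != port:
            continue
        label = classify_first_bytes(first)
        if not label.startswith("tls"):
            alerts.append((client, label))
    return alerts


if __name__ == "__main__":
    for client, label in flag_non_tls(SAMPLE_FLOWS):
        print(f"non-TLS traffic on 443 from {client}: looks like {label}")
```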


VPN: SAFE ENTRY FROM THE OUTSIDE:  You have seen me mention this many times in this article. VPN, short for Virtual Private Network, is a type of system that allows access to non-public resources on a remote network. Connecting to a VPN is similar to connecting your device to the server’s local network, in that you are able to access resources within the network. This is a preferred method for accessing sensitive systems from a remote location versus opening a port on your firewall to it. In the modern day, VPNs are also used as a tool to evade censorship, as well as to mask one’s location on the internet. Another growing use of VPNs is to provide a method of encryption when using a public wireless network.

A VPN is essentially a tunnel connecting your device to the remote network. In the majority of cases, all traffic to and from your device is routed through this tunnel. Modern VPN protocols support what is known as split-tunneling, where only some traffic is routed through the VPN, while the rest is routed out through your device’s normal connection to the net. All public VPN services only support full tunneling.

All data sent across this tunnel is generally encrypted. All that the host network sees from your device is a single connection to a single server. It cannot see what is happening on that connection due to the encryption. SSH also operates in this manner, and can be used to create a VPN of sorts. (This is known as the “Poor man’s VPN”. I’ll explain more later!)

As I mentioned before, the majority of VPN use today varies from circumventing internet filtering and censorship, to accessing certain resources that are only available in a given geographical location, to simply masking one’s location.

Let’s dive into some common protocols:

PPTP: Short for Point to Point Tunneling Protocol – This is one of the earliest forms of VPN, and is considered obsolete now due to the weak encryption methods provided by default, with setting up stronger methods requiring a lot of configuration to get right. This protocol uses TCP port 1723.

IPsec – Short for Internet Protocol Security – This is a protocol that’s commonly used in point to point tunnels between sites. IPsec operates on UDP port 500, and is still used today by many systems, including the Wi-Fi calling feature on most cell carriers. IPsec also uses port 4500 for NAT traversal. Supported natively on most devices.

OpenVPN – A modern, universal VPN protocol. Commonly uses UDP port 1194, but can be configured to use any port and protocol. OpenVPN supports split tunneling, and is one of two common protocols used by public VPN services. Configuration of server and client is very simple, and also offers strong encryption. OpenVPN also supports a feature called port sharing, where you can combine the server’s presence with another service, such as a web server.

This allows the VPN to operate on more common ports, such as 443. If the incoming connection is NOT from an OpenVPN client, it is simply passed on to the service (or even external server) that is configured for port sharing. Support for OpenVPN is often provided by external applications, although some newer home routers now include an OpenVPN server for secure remote access.

Wireguard – A new, more recent VPN protocol. While the normal port is UDP 51820 (A port that can easily be opened on a firewall using UPnP), Wireguard can be set up to use any port. On public VPN services, this is often set to use port 443 as it is rarely restricted. Wireguard is more lightweight than OpenVPN. Like OpenVPN, support for Wireguard is often provided by external applications.

SSH: Short for Secure Shell – While it seems weird that this is being included as a VPN protocol, it can technically be used as one thanks to its port forwarding capability. You have the choice of static port forwards, as well as a dynamic forward, which is really just a SOCKS proxy. Port forwards in SSH can be configured to go either way: from device to server, to access resources on the remote network, or from server to device, to enable remote access to the local device OR even to other services on the device’s local network.

Unlike other protocols, which require installation (and often times, require root/admin access), SSH does NOT require installation on client side (on PC anyways, you’ll still need an app on mobile devices), and is included with virtually all Linux installations on server side.

SSH clients also do not require root/admin level access to create port forwards, nor do any adjustments need to be made to the firewall (Unless you’re opening client to server forwards to access from the local network, and even this is often rare). As such, an SSH tunnel can be deployed virtually anywhere.

In short, this is truly why it’s often referred to as a “Poor Man’s VPN”. Some mobile apps can even use SSH as a full device VPN, giving you the same effect as a normal VPN. SSH is commonly found on TCP port 22, but, like Wireguard and OpenVPN, can be configured to work on any port, or even on multiple ports with multiple different access policies! (eg, allow password auth on 22 for local users, but require certificate auth on 2222 for external users!)

PuTTY is the most common SSH client for Windows, and does support tunneling. SSH also supports secure file transfer, or SFTP, which is supported in the popular FileZilla FTP client.

There are also what is known as “Zero Config”, or “VPN-in-a-box” VPN services. These are geared more towards secure access than evading censorship, but can be used for that. All you do in this case is install the service’s software on your device and the remote device, log in to your account on both, and that’s it. No ports to expose, no IP addresses to configure, it’s that simple! Here’s the most common of those services:

Hamachi by LogMeIn – Hamachi has been around for many years now, and was one of the earliest options for a simple VPN-in-a-box setup. It is still around today, and is free for up to 5 devices.

Tailscale – Based on the Wireguard Go protocol, Tailscale is a recent contender in the VPN-in-a-box world. Tailscale offers many features that Hamachi does not, such as Subnet routing, which lets you access devices on a given network through a Tailscale node (without having to install Tailscale on those devices), Exit Node, which lets you use a given node as a full VPN, including internet access, and internal DNS, which lets you route your device’s DNS requests through Tailscale instead of the local network.

Tailscale is FREE for up to 100 devices, and unlimited subnet routers. (It used to be 10 devices and 1 router.)

Tailscale is supported on Windows, Mac, Linux (All major distros), Android, iOS, and in some firewall systems such as pfSense and OPNsense. While there is no need to open a port, having UDP port 41641 free can help as it will allow direct connections between nodes, but Tailscale does provide a network of relays around the world to work around this if needed. In exit node mode, all traffic (Including Tailscale’s heartbeats) is sent through the tunnel.

ZeroTier One – This is another name in the VPN-in-a-box ring, however this one is more geared at those who are tech savvy as it does require a little setup, namely setting up your own central node for everything to attach to.

In short, using a VPN is the best way to achieve remote access to internal resources rather than simply opening the ports on your firewall. Unlike an open firewall port to a sensitive resource, a hacker can’t really probe their way past a properly configured VPN server. There are two methods of authentication for a VPN, which the majority of protocols support:

* Username/Password based: This relies on a username and password combination to access the VPN. This is a better than nothing approach and should not be used in a critical application, as a username and password can be brute forced.

* Key based: This relies on a client & server key pair for authentication. For each user, a private key is generated from a hash of the public key. The public key resides on the server end, and is unique to the server. The private key resides on the client, and is unique to each user. Key pairs are generated using standard encryption algorithms, and are used not just for authentication, but also in encrypting the tunnel. OpenVPN and Wireguard have the best support for key pairs. IPsec also supports key pairs. As there is no username and password, this mechanism is considerably harder to break into.

MESH NETWORKING: PASS IT ON!: If you’re getting heavily into the geekery that is networking, then you’ll have likely heard of mesh networking. Mesh networks operate purely in a peer-to-peer configuration, that is, with no central server to rely on for connectivity. (In some cases, if one is needed, it’s usually just for an initial configuration, but this can be obtained from immediate peers through discovery packets.) Mesh networks operate by interconnecting a number of peers to each other through multiple paths.

The way this works is simple. Each peer is a node in the network, connected to other nodes in the network. If one node drops out for any reason, connectivity is instantly transferred to the remaining nodes, ensuring uninterrupted connectivity. The most common form of mesh networking is Peer-to-Peer wireless connectivity. This is used in many anti-censorship apps that allow mesh networking via Bluetooth or direct WiFi, allowing the app to work without an internet connection. Apps like this are commonly used in countries where government-mandated internet shutdowns are commonplace, as well as in emergency situations where traditional connectivity has been lost.

Wifi-based mesh networking is also a thing, and is commonplace today with mesh-based wifi routers, such as Orbi, Eero and Google Mesh WiFi. The router and pods all connect to each other via an internal mesh network. Each pod not only provides wifi connectivity for devices, but also extends the mesh network to other nearby pods.

Peer-to-Peer file sharing networks, such as BitTorrent, also operate as sort of a mesh network. Originally, to download off BitTorrent, you would need a .torrent file to plug into a client. The client would then connect to the “trackers” (servers that hold information about the torrent and its current peers) listed in the file, then the client starts connecting to all the peers in that swarm.

This is changing though thanks to the Distributed Hash Table (DHT), which removes trackers from the equation altogether. Instead, a DHT enabled torrent will have the information it needs to simply start connecting with other peers in the network.


WATCH THOSE CABLES: Something major to look out for here is the cables you use to build your network. It is recommended that you avoid the cheap cables at all costs. Why, you may ask? Well, while cheap can sometimes be good in some areas, it’s never a good idea to cheap out on networking. Resist the urge to buy your cables off AliExpress, Wish or TEMU, lest you end up with a lemon. Take a good look at the plugs on your cables.

Do you only see 4 wires inside? If you do, throw that thing out and get a real cable. Those cheap cords, which are often bundled with equally cheap routers, are not only capable of a maximum of 100 Mbps connectivity, but are often times wired improperly. Add to that the fact that some network devices don’t like to get along with such cheaply wired cables, and the fact that they can suddenly fall apart on you... (Ask me how I know this!)

Best to buy from reputable brands such as StarTech, Cable Matters, and Belkin.

House brands, such as Amazon’s Amazon Basics, Home Depot’s Commercial Electric, Walmart’s ONN, Best Buy’s Insignia, and the Legrand brand from Lowe’s are also of good quality. You can also make your own cables (See the advanced networking post for information on how to do this).


LET’S TALK ROUTING: GETTING DATA FROM POINT A TO POINT B: One of the biggest things a network needs is a way to direct traffic from one network to another. This is the role of your router. A router does the work of taking data sent from a device on network A, and getting it to a device on network B. Did you know, however, that this is not a 100% direct connection between peers? Depending on where A and B are located, there can be multiple routers between the two points that the data must traverse. These routers exist at your internet provider, as well as all across the backbone of the internet.

For reliability and speed, there are multiple routes that can be used. Unlike your home or office router, these routers will send the traffic down the best path they can find to the destination. Read back to Mesh Networking, and you’ll wonder why I brought this up. Well, the internet is essentially a giant, worldwide mesh network with millions of “spokes” coming off the main hubs. These spokes are often connected to the core internet via multiple paths. This is done for both performance and reliability reasons. (If one router goes down for whatever reason, others will be able to pick up the load.)

Open up a command prompt (Windows +R, then type “cmd” in the box). From there, type in “tracert www.google.com” and hit enter. This is the Traceroute tool, and will identify each router between you and Google. The first result in the list is usually your own local router, followed by routers belonging to your internet provider. From there, you will see routers belonging to one of the many backbone providers in the world. Eventually, you’ll start seeing Google’s routers. For major services, like Steam, Netflix, etc, ISPs will have direct peering arrangements with these companies. This basically transfers your traffic from your ISP directly to the network owned by the service, without using the core network systems.

NOTE: You may see some “timed out” errors. This is normal in some situations. If you’re getting an endless stream of these errors, that indicates the destination is either down for some reason, has a firewall that is blocking ICMP requests, or there’s a routing issue. There’s nothing you can really do to fix this.

If the source and destination systems are within the same internet provider’s network, then all of the routing will be done purely within that company’s networks. If the source and destination are on two different local networks, you will need the ability to route between LANs. (All commercial firewall appliances can do this no problem)


DDOS ATTACKS: JAMMING UP THE INFORMATION SUPERHIGHWAY: You’ve probably heard of this at least a few times, especially if you do a lot of online gaming. DDoS stands for Distributed Denial of Service. The goal of a DDoS attack is to render a remote service inaccessible by the wider internet, or to deny an end user access to the internet. This is done by using multiple (usually compromised) source systems to send a steady, high bandwidth stream of garbage data to the destination system, therefore overloading its connection to the internet.

Think of a DDoS attack as a neighborhood with streets, and one path to your house. Your router acts as a gate guard, only allowing people you want coming and going to be able to get in and out fine. One day, a circus suddenly appears, and that circus starts sending clowns to your house.

Now, it’s just one circus, and a few clowns, which your guard dispatches without an issue, but, during the overnight hours, this circus starts taking over houses in multiple locations, and starts sending loads of clowns from those “houses” to your house. Your guard is trying to fend them off and keep good people coming and going, but eventually, the path to your house is just clogged up with clowns, and no one can get in or out at all. Eventually these clowns start filling the streets themselves, causing issues for other homes.

Yep, you read that right. A severe enough DDoS attack can degrade, or even completely cripple, internet connectivity for other customers on your service as well. In rare cases, this may cause your ISP to disconnect your service for the benefit of their other customers. Worse yet, it’s possible for a malicious actor to take down an entire internet provider by

While this isn’t a big deal on the majority of internet services, as they will have some form of DDoS protection (Such as a service like Cloudflare that can handle and drop this deluge of junk data), this becomes a huge problem for home and business internet connections. No router or firewall can stop a DDoS attack as it isn’t aimed at any particular service. Again, the goal of these attacks is to disable the target’s internet connection.

Now, let’s discuss the various sources of DDoS attacks:

* Botnets: A botnet is a network of malware infected devices controlled by a hacker. In the early days, home and business computers were a common hotbed for botnets. While that is still a thing today, hackers are shifting to connected devices, such as cameras, appliances, mobile devices and even routers! The majority of today’s botnets are composed largely of these connected devices. Hackers will scan vast swaths of the internet, looking for devices that they can infect. Most of the time, these scans are done by already infected devices. (Think back to the Blaster worm)

* Insecure DNS resolvers: Hackers can make use of exposed resolvers (Such as Pi-Hole) to perform what is known as an amplification attack. By spoofing the IP address of the source, hackers can send large volumes of properly formed requests to these resolvers, and have the resulting traffic get sent back to the victim, thus overloading their connection. A single bot or user can carry out such an attack with minimal effort, aside from scanning for open resolvers. (Public DNS servers are hardened against these types of attacks)
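To see what an abused resolver looks like from the defender’s side, here is an added example (not from the original post) that walks a constructed resolver query log and flags outside sources whose answers are many times larger than the queries that triggered them; the log format, LAN range and thresholds are assumptions.

```python
"""Flag DNS amplification abuse in resolver query logs (added example, not
from the original post). Log format is constructed: one query per line,
"timestamp client qname qtype response_bytes"."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")  # assumption: the resolver's own LAN
REQUEST_BYTES = 60                   # rough size of a small UDP DNS query
AMP_RATIO = 10                       # flag when answers are 10x the query
MIN_QUERIES = 5                      # ignore sources with only a few hits

# Constructed sample: two LAN clients, and a spoofed outside address that
# keeps asking ANY questions whose answers are far larger than the query.
SAMPLE_LOG = """\
1700000000 192.168.1.20 mail.example.com A 120
1700000000 203.0.113.77 example.com ANY 3100
1700000001 203.0.113.77 example.com ANY 3100
1700000001 192.168.1.21 www.example.com AAAA 130
1700000002 203.0.113.77 example.com ANY 3100
1700000002 203.0.113.77 isc.org ANY 3900
1700000003 203.0.113.77 example.com ANY 3100
1700000003 203.0.113.77 example.com ANY 3100
1700000004 198.51.100.9 example.org TXT 800
"""

def parse_log(text):
    """Yield (client, qtype, response_bytes); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[4].isdigit():
            yield parts[1], parts[3], int(parts[4])

def find_amplifiers(text, lan=LAN):
    """Return {client: (queries, ratio)} for non-LAN sources with at least
    MIN_QUERIES queries averaging AMP_RATIO or more times the request size."""
    stats = defaultdict(lambda: [0, 0])  # client -> [count, total bytes]
    for client, _qtype, resp in parse_log(text):
        stats[client][0] += 1
        stats[client][1] += resp
    flagged = {}
    for client, (count, total) in stats.items():
        ratio = total / (count * REQUEST_BYTES)
        if ip_address(client) not in lan and count >= MIN_QUERIES and ratio >= AMP_RATIO:
            flagged[client] = (count, round(ratio, 1))
    return flagged

if __name__ == "__main__":
    for client, (count, ratio) in find_amplifiers(SAMPLE_LOG).items():
        print(f"{client}: {count} queries, ~{ratio}x amplification")
```

A non-empty result means the resolver is answering clients outside its own LAN, which is the misconfiguration to fix; the flagged addresses are the spoofed victims, not the attacker.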

* Unwitting Participants: Did you know that a DDoS attack can be carried out WITHOUT the need for infected devices or misconfigured servers? It is possible to trick unsuspecting internet users into becoming participants in someone’s twisted digital army. Hackers can inject JavaScript code into a website that will cause unsuspecting visitors to start sending endless amounts of requests to a remote resource, over and over, as many as 100 times a second. The goal of this type of attack is to overload the victim’s server resources. While attacks like these are rare, they do exist and have occurred in recent times. The worst part of it is that the participants have no clue they’re even participating. They may notice that their internet seems a bit slower than usual, but likely won’t think much of it.

AVOIDING DDOS ATTACKS AT HOME OR WORK: Inarguably, the best way to avoid ending up on the business end of a DDoS attack is to try not to make enemies online. Gamers are more prone to these types of attacks, especially in games where hackers can gain access to another player’s IP address.

Such attacks are usually carried out in retaliation. Once you end up on the receiving end of an attack, there’s really no easy way out short of just waiting it out. As stated, no router or firewall can stop a DDoS attack. The goal is to overwhelm your internet connection rather than gaining access to anything. If you can’t avoid it, at least get behind a VPN. A VPN host can take the brunt of an attack (As they likely do every day) without any severe issues.

AVOIDING DDOS ATTACKS ON A WEB SERVICE: The best thing to do here is use a service such as Cloudflare, which provides a strong layer of DDoS protection. Services such as Cloudflare have more than enough bandwidth capacity to fend off such an attack, while keeping your site/service online.


BRIDGING THE MODEM: In cases where you’re stuck using provider-owned equipment (Such as with some fiber providers, Starlink, etc) but want to use your own router, you can set up what is known as bridge mode on the provider modem. Bridge mode essentially turns the provider’s router into a straight modem. Any device you connect to the router at this point will get a publicly routable IP address rather than a private LAN address. If you are unable to do a proper bridge mode, then you can do what is referred to as a poor man’s bridge mode, which involves assigning your router a static IP address from the ISP router, then putting that IP into the DMZ on the ISP router. You’ll get all of the benefits of bridge mode (such as controlling port forwards, UPnP, etc), but anything that relies on the ISP router to function will work as normal.

ABOUT THE DMZ: WHAT IS IT: DMZ, or DeMilitarized Zone, is a function available on all routers that lets you expose one single device on your network to the wider internet. This basically puts that particular device past the router’s firewall, exposing every open port that device has. Unless you’re doing a poor man’s bridge mode with a secondary router or firewall behind it, using DMZ is a bad idea. It’s far better to use standard port forwarding.

UPnP? WHAT?: UPnP, short for Universal Plug-n-Play, is a feature available on the majority of routers out there. UPnP allows devices and apps to set their own temporary port forwards. Such a feature is popular with online multiplayer gaming, especially on game consoles. UPnP does not require administrative access to your router to accomplish this job. Unless you are doing multiplayer gaming, it’s best to disable UPnP to enhance your online security, as it’s not unheard of for malware to exploit this feature to grant a hacker access to your system.


SPOT THE ROGUE: Another thing to contend with: rogue devices. What is a rogue device? This is usually a wireless router, access point or other device that is connected to a network, usually without the knowledge or authorization of the network owner. Rogue devices can grant outside actors access to a network’s internal services, bypassing the firewall entirely. Rogues can range from wireless routers and access points, down to small computers such as a Raspberry Pi. Rogue access points are often configured not to broadcast their network name, while rogue computers can create a tunnel to an outside server.

A rogue access point is easy to track down, and this can be done using any software that scans for wireless networks. Despite SSID broadcast being disabled, these devices still broadcast their MAC address (this cannot be turned off). You can look up the MAC address being sent out online and determine if it’s something of yours, or a possible rogue.

A rogue device, such as a Pi, requires a little more detective work. This will require an audit of all connected devices. A good firewall with monitoring capabilities can sort out a rogue without much issue, however.
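The two checks just described, matching scanned BSSIDs and the router’s ARP table against a list of authorised MAC addresses, as an added example that is not part of the original post; the inventory, scan output, ARP table and OUI excerpt are all constructed.

```python
"""Audit a network for rogue devices (added example, not from the original
post). Two constructed inputs, a wireless scan (BSSID + SSID) and the
router's ARP table, are checked against an inventory of authorised MACs."""

AUTHORISED = {                      # constructed inventory: MAC -> label
    "aa:bb:cc:00:00:01": "office-ap-1",
    "00:11:22:33:44:55": "file-server",
    "00:11:22:33:44:66": "front-desk-pc",
}

# OUI (first three bytes) vendor hints. Assumption: the authoritative
# source is the IEEE OUI registry; this one-entry excerpt is illustrative.
OUI_HINTS = {"b8:27:eb": "Raspberry Pi Foundation"}

# Constructed wireless scan, "bssid<TAB>ssid"; empty ssid = hidden network.
WIFI_SCAN = "aa:bb:cc:00:00:01\tOfficeNet\nde:ad:be:ef:01:02\t\n"

# Constructed ARP table from the router, "ip mac hostname".
ARP_TABLE = """\
192.168.1.10 00:11:22:33:44:55 fileserver
192.168.1.23 00:11:22:33:44:66 frontdesk
192.168.1.87 b8:27:eb:12:34:56 raspberrypi
"""

def vendor_hint(mac):
    """Vendor from the OUI prefix, or 'unknown OUI' if not in our table."""
    return OUI_HINTS.get(mac[:8].lower(), "unknown OUI")

def audit(wifi_scan, arp_table, authorised=AUTHORISED):
    """Return one finding per MAC that is not in the inventory: a hidden
    SSID on an unknown BSSID, or an unknown host on the wired side."""
    findings = []
    for line in wifi_scan.splitlines():
        bssid, _, ssid = line.partition("\t")
        if bssid.lower() not in authorised:
            kind = "hidden SSID" if not ssid else f"SSID {ssid!r}"
            findings.append(f"rogue AP? {bssid} ({kind}, {vendor_hint(bssid)})")
    for line in arp_table.splitlines():
        ip, mac, host = line.split()
        if mac.lower() not in authorised:
            findings.append(f"unknown host {host} at {ip} ({mac}, {vendor_hint(mac)})")
    return findings

if __name__ == "__main__":
    for finding in audit(WIFI_SCAN, ARP_TABLE):
        print(finding)
```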

WHICH IS WORSE? If I had to pick between a rogue access point and a rogue device, I’d say the device is worse for one big reason: Unlike an AP, which would require the actor being within, or fairly close to the facility to gain access, a rogue device can create a tunnel out to an outside server, allowing access from anywhere in the world.

A rogue device can grant access to all of your network’s resources through a method known as pivoting. A rogue access point can grant more direct access, but the actor would have to be fairly close to, or even inside, your facility.

WHAT IS PIVOTING? Pivoting is the act of connecting to a device using a tunnel protocol, such as SSH, then using that device as a foothold to gain further access into the network. An attacker can launch a full network scan from this device to gain a map of services, then start attempting to gain access to those services. Your firewall is powerless to stop this sort of attack because it does not see this access happening, as everything is being done within an encrypted tunnel.

SIGNS OF A ROGUE DEVICE: Know the warning signs that you may have an imposter among you:

* Strangely named (or unnamed) wireless networks appearing.
* Strange devices showing up in network logs.
* Degraded network performance (due to interference from rogue APs or from excessive network scans).
* Degraded internet speeds (due to the rogue using your internet connection for its own purposes, such as launching DDoS attacks, etc.).
* Excessive failed login attempts happening on internal services.
* Activity on network ports that are usually unused.
* Discovery of a strange device connected to a switch or wall port.
* Discovery of a strange wireless router or access point.
* Discovery of an unknown computer connected and powered on.
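An added example (not from the original post) that turns two of these signs, scan-like port sweeps and traffic to ports that are normally unused, into checks over a constructed firewall connection log; the log format, the list of expected ports and the thresholds are assumptions.

```python
"""Pick out two warning signs from a firewall connection log (added example,
not from the original post): one host touching many ports in a short time,
and traffic to ports the network never uses. The log format and the sample
(a Pi at .87 sweeping the file server at .10) are constructed."""
from collections import defaultdict

EXPECTED_PORTS = {22, 53, 80, 443, 445}  # assumption: ports our services use
SCAN_THRESHOLD = 6                        # distinct dst:port pairs per window
WINDOW = 60                               # seconds

SAMPLE_LOG = """\
1700000001 192.168.1.21 192.168.1.10 443
1700000005 192.168.1.21 192.168.1.10 3389
1700000010 192.168.1.87 192.168.1.10 21
1700000010 192.168.1.87 192.168.1.10 22
1700000011 192.168.1.87 192.168.1.10 23
1700000011 192.168.1.87 192.168.1.10 80
1700000012 192.168.1.87 192.168.1.10 139
1700000012 192.168.1.87 192.168.1.10 445
1700000013 192.168.1.87 192.168.1.11 22
"""

def parse(text):
    """Yield (timestamp, src, dst, dport) for each well-formed line."""
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) == 4:
            yield int(parts[0]), parts[1], parts[2], int(parts[3])

def scanners(text, threshold=SCAN_THRESHOLD, window=WINDOW):
    """Return {src: n} where n is the most distinct dst:port pairs that
    source touched inside any `window` seconds, if n reaches `threshold`."""
    events = defaultdict(list)
    for ts, src, dst, port in parse(text):
        events[src].append((ts, (dst, port)))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        best = max(len({t for ts, t in evs[i:] if ts - start <= window})
                   for i, (start, _) in enumerate(evs))
        if best >= threshold:
            hits[src] = best
    return hits

def unused_port_hits(text, expected=EXPECTED_PORTS):
    """Return {port: sorted sources} for connections to ports we never use."""
    hits = defaultdict(set)
    for _ts, src, _dst, port in parse(text):
        if port not in expected:
            hits[port].add(src)
    return {port: sorted(srcs) for port, srcs in sorted(hits.items())}
```

Run `scanners(SAMPLE_LOG)` and `unused_port_hits(SAMPLE_LOG)` against your own exported log to get the hosts worth walking over to and unplugging.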

ONLY YOU CAN PREVENT ROGUES: There’s many things you can do to prevent rogue devices from infiltrating your facilities:

* Keep ALL network and server closets locked at all times. Only give access to trusted parties, such as IT.
* Disconnect and/or lock out unused wall ports. If you cannot disconnect, use a port lock such as PadJack to prevent access to open wall ports.
* Enable port security on your switch (if supported). This will cause the port to lock out if a device other than the one that should be there connects. Once the port is locked out, manual intervention is required to bring that port back online.
* Perform regular audits of your facility’s devices. Ensure all company owned or authorized devices have a security label attached. Disconnect and remove anything that does not have this label.
* Educate employees on the dangers of rogue devices, and how to spot one. Do not allow employees to connect outside devices to your network.
* Secure all cable connections to authorized devices using security locks.
* Monitor your network regularly.
* Consider turning off DHCP on your network and using static IP addresses instead.
* Block access to ports you know you won’t use, and filter access on others.


WHAT TO DO IF YOU FIND A ROGUE DEVICE: There’s a bit that needs to be done here as well.

* IMMEDIATELY disconnect the device. Avoid handling the device itself.
* Analyze server logs for failed access attempts. Note date and time of each. If you see any successful ones coming from the rogue device, make note.
* Perform a full malware scan of ALL devices on your network. Phones, Workstations, Servers, everything. If you find anything, consider that device compromised and wipe it.
* Mandate password changes company-wide.
* Notify law enforcement if you suspect a breach has occurred. Let them handle the device, as they will likely want to check for fingerprints. Depending on the type of data your company is handling, the FBI may also get involved.
* IMMEDIATELY notify your customers IF a breach has been confirmed. Mandate password changes for customers IF they access your services online.


“The only winning move is not to play. How about a nice game of Chess?”