Basic security for small offices

Recently I received a couple of questions, from a small business and a couple of friends, regarding proper corporate security. It made me decide to write up some advice on creating a basic level and form of security with minimal investment and low maintenance, while still achieving a reasonable level of security that fits a SOHO (Small Office / Home Office) environment.

This write-up is aimed at system administrators or readers with similar knowledge.
For the firewall rules, I only looked at the basic rules, to keep the examples less complex.

Be aware this is not a definitive guide, and there is more than this list to creating a proper environment that is safe and manageable. But it can give you a head start for your network or for your customers.

One can achieve security with a combination of security measures and sanitation.
– Perimeter (firewall)
– Device management
– Maintenance

Perimeter (firewall)

First of all, your firewall is the most important factor to create a secure network.
A couple of ground rules:

  • Always make sure it’s still supported and up to date.
    Regularly check this!
  • Limit outgoing DNS to your upstream DNS service provider.
    • For example with OpenDNS:
      Allow: from 192.168.1.* to 208.67.222.123, 208.67.220.123, TCP port 53
      Block: from * to *, TCP port 53
    • Or if you have your own local DNS service running, limit it to that server:
      Allow: from 192.168.1.10 to 208.67.222.123, 208.67.220.123, TCP port 53
      Block: from * to *, TCP port 53
  • Take a look at limiting the following ports in the same manner:
    • Port 19/UDP – Debugging
    • Port 25/TCP – SMTP
    • Port 68/UDP – DHCP
    • Port 123/UDP – NTP
    • Port 135/TCP – NetBIOS
    • Port 139/TCP – NetBIOS
    • Port 445/TCP – NetBIOS
    • Port 465/TCP – SMTP
    • Port 520/UDP – RIPv1
    • Port 587/TCP – SMTP
    • Port 1900/UDP – Universal Plug and Play (UPnP)
    • Port 2525/TCP – SMTP
    • Port 3479/TCP – TWRPC protocol (remote management)
    • Port 7547/TCP – CPE WAN Management Protocol (CWMP)
    • Port 61001/TCP – Internet Protocol Detail Record (IPDR)
  • Limit SMTP ports to your mail service provider:
    TCP ports 25, 587, 465 and 2525
    For Office 365:
    https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
  • If you can, buy a better firewall with malware scanning.
    For example:
    • Fortigate ATP Bundle
    • Cisco Meraki MX series + Advanced malware protection
    • Sophos SG series with TotalProtect

Network design

  • For growing companies, design a bigger subnet to start with
    Often, growing companies have to move to a complex design with multiple subnets because they started with a subnet that was too small. My advice: start with a bigger subnet than you need. And if you want to use VLANs (yes, you want to do this!), you can easily line up the VLANs with your subnet. For example:
    • 10.00.10.0/22 for VLAN 10
    • 10.12.34.0/22 for VLAN 1234
    • etc.
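Added example (not from the original post) that puts this numbering scheme through Python's ipaddress module: it derives a 10.x.y.0 block per VLAN, checks whether the block is actually aligned for its prefix (a /22 must start on a third octet that is a multiple of 4, which strict=True enforces), and flags VLANs whose real blocks collide. The post's 10.00.10.0 is written as 10.0.10.0 here, since octets with leading zeros are rejected.

```python
import ipaddress

# Added example, not from the original post. The post's 10.00.10.0 is written
# as 10.0.10.0 (ipaddress rejects leading zeros in octets).

def vlan_to_cidr(vlan_id: int, prefix: int = 22) -> str:
    """Encode the VLAN ID in the 2nd/3rd octet of a 10.x.y.0/prefix block,
    the lining-up scheme from the post: VLAN 1234 -> 10.12.34.0/22."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    second, third = divmod(vlan_id, 100)
    return f"10.{second}.{third}.0/{prefix}"

def check_alignment(cidr: str) -> dict:
    """strict=True refuses a network whose host bits are set, so this tells
    whether the planned block is a real network address for its prefix.
    'actual' is the block the address really falls in."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
        return {"planned": cidr, "aligned": True, "actual": str(net)}
    except ValueError:
        net = ipaddress.ip_network(cidr, strict=False)
        return {"planned": cidr, "aligned": False, "actual": str(net)}

def plan(vlan_ids, prefix: int = 22) -> list:
    """Plan one block per VLAN and flag the ones that do not line up."""
    return [check_alignment(vlan_to_cidr(v, prefix)) for v in vlan_ids]

def collisions(rows) -> list:
    """Pairs of planned blocks whose actual networks overlap; two VLANs that
    land in the same block would not be separated by routing at all."""
    nets = [(r["planned"], ipaddress.ip_network(r["actual"])) for r in rows]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]

if __name__ == "__main__":
    for row in plan([10, 12, 1234]):       # a /22 per VLAN, as in the post
        print(row)
    print("collisions:", collisions(plan([8, 10])))
    print(plan([10, 1234], prefix=24))     # a /24 per VLAN always lines up
```

With a /22 the scheme only lines up for VLAN IDs whose last two digits are a multiple of 4; with a /24 it lines up for every VLAN ID.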
  • If you are using web-facing services or servers, put them in a proper double-firewalled DMZ.
    More than once, I see that the concept of a DMZ is not used the way it should be. A different subnet is used, but it is not shielded well enough from the local network. The whole idea behind a DMZ is the notion that the service inside the DMZ could be compromised. That happens… So you want to secure your network for such events.
    See this example, with both a regular LAN network and a separate DMZ.
    The image shows 3 separate firewalls; these can also be configured on a single firewall.
Proper DMZ example

In this example, there are 3 firewalls:

Firewall 1:
Regular LAN network, nothing special
See the previous advice regarding firewall rules

Firewall 2:
Entry firewall for the DMZ, internet site facing.
Only allows HTTP and HTTPS traffic to the web server.
Allow: from *, TCP port 80,443 to 10.02.10.20, TCP port 80, 443
Block: from * to *

Firewall 3:
Exit firewall for the DMZ, LAN facing.
Only allows a database connection and perhaps an RDP connection to a management server.
Limited on IP and port, for example:
Allow: from 10.02.10.20, TCP port * to 10.01.01.50, TCP port 1434
Block: from * to *

Now, should the web server get compromised and an attacker gain full control over it, it is still very limited in what it can do: it can only talk to the database server over a single port.
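The DNS egress rules from the firewall section and the three DMZ firewalls above, as an added example that is not the post's own code: a small first-match rule evaluator in Python, so the rules can be checked against concrete packets before they go onto a real firewall. It adds UDP port 53 alongside TCP 53 (DNS queries normally travel over UDP, so a TCP-only rule leaves them unfiltered), writes the DMZ addresses without leading zeros, and assumes a final rule that lets other LAN traffic out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Added example, not from the original post: first-match evaluation of the
# post's rules against concrete packets. Default policy is block.

@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "block"
    src: str       # IP or CIDR, "*" for any
    dst: str
    proto: str     # "tcp", "udp" or "*"
    dports: tuple  # destination ports; () means any port

def matches(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    def in_net(spec, ip):
        return spec == "*" or ip_address(ip) in ip_network(spec)
    return (in_net(rule.src, src) and in_net(rule.dst, dst)
            and rule.proto in ("*", proto)
            and (not rule.dports or dport in rule.dports))

def evaluate(rules, src, dst, proto, dport) -> str:
    """First matching rule wins; a packet matching nothing is blocked."""
    for rule in rules:
        if matches(rule, src, dst, proto, dport):
            return rule.action
    return "block"

LAN = "192.168.1.0/24"
OPENDNS = ("208.67.222.123", "208.67.220.123")
# Firewall 1, DNS egress: UDP 53 carries normal queries, TCP 53 large answers,
# so both are pinned to the upstream resolvers and blocked elsewhere.
FW1 = [Rule("allow", LAN, d, p, (53,)) for d in OPENDNS for p in ("udp", "tcp")]
FW1 += [Rule("block", "*", "*", "udp", (53,)), Rule("block", "*", "*", "tcp", (53,)),
        Rule("allow", LAN, "*", "*", ())]   # other LAN egress allowed (assumed)
WEB, DB = "10.2.10.20", "10.1.1.50"          # post's 10.02.10.20 / 10.01.01.50
FW2 = [Rule("allow", "*", WEB, "tcp", (80, 443)), Rule("block", "*", "*", "*", ())]
FW3 = [Rule("allow", WEB, DB, "tcp", (1434,)), Rule("block", "*", "*", "*", ())]

def dmz_exposure(attempts) -> dict:
    """What a compromised web server could still reach through firewall 3."""
    return {(dst, proto, port): evaluate(FW3, WEB, dst, proto, port)
            for dst, proto, port in attempts}

if __name__ == "__main__":
    print(evaluate(FW1, "192.168.1.25", "208.67.222.123", "udp", 53))  # allow
    print(evaluate(FW1, "192.168.1.25", "8.8.8.8", "udp", 53))         # block
    print(dmz_exposure([(DB, "tcp", 1434), (DB, "tcp", 445), ("10.1.1.60", "tcp", 1434)]))
```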

  • Configure DHCP:
    • Set DNS service to OpenDNS
      https://www.opendns.com/home-internet-security/
    • Time service:
      pool.ntp.org
      Or country specific, in this case The Netherlands:
      nl.pool.ntp.org

Device management

Just a few tips:

  • Patch regularly and check it.
    For Windows, push a GPO and configure it locally, to always install the latest Windows updates.
  • Prevent local admin access, or use separate accounts specifically for those jobs
  • Install proper antivirus software with a management solution.
    Take a look at Sophos or Sophos home, I’m really positive about them.
  • Patch third party apps regularly.
    Run Ninite or Chocolatey daily, or take a look at the Ninite Pro offering.
  • If you have an Office 365 subscription, manage your devices with Intune!
  • Get a subscription to a password management tool for your users, such as 1Password.
  • If you are using Windows servers, regularly run the best practice analyzer:
    https://docs.microsoft.com/en-us/windows-server/administration/server-manager/run-best-practices-analyzer-scans-and-manage-scan-results

Cloud Services

  • If you use Office 365, make sure it’s scanned for viruses, including phishing links.
  • Limit applications
  • Enable basic security configuration including MFA (and disable legacy authentication)
  • Use a different admin account than your regular account
  • Configure Microsoft best practices, take a regular look at the secure score.


ESP8266 with ESP Easy

Step-by-step how-to guide to install the ESP Easy firmware on an ESP8266-based ESP-01.

ESPEasy offers a very intuitive interface for configuring sensors that can be linked to Home Automation platforms, such as (but not limited to) Domoticz, OpenHab, Home Assistant. It can also be configured to function autonomously without depending on additional platforms or software. For example, with ESPEasy it becomes extremely easy to hook up sensors to Domoticz with JSON or MQTT.

What is ESPEasy?

ESP Easy is a free and open source MCU firmware for the Internet of things (IoT) and originally developed by the LetsControlIt.com community (formerly known as ESP8266.nu community). It runs on ESP8266 Wi-Fi based MCU (microcontroller unit) platforms for IoT from Espressif Systems. The name “ESP Easy,” by default, refers to the firmware rather than the hardware on which it runs. At a low level, the ESP Easy firmware works the same as the NodeMCU firmware and also provides a very simple operating system on the ESP8266.
Source: https://en.wikipedia.org/wiki/ESP_Easy

ESPEasy releases

The ESPEasy project was a bit dormant until recently, when 2 developers (grovkillen and TD-er) revived it. We expect a new stable release soon, but until that moment, we can work with the GitHub releases.
The downside is that these releases could contain ‘features’ and as such are not yet ready for a production environment. Please be aware that the latest releases are only suited for the ESP-01S and not the ESP-01 model, due to the minimal memory constraint of 1MB. The ESP-01 is only equipped with 512KB of memory and is not suited for the latest ESP Easy release.

ESP-01 and ESP-01s

The ESP8266 is a low-cost Wi-Fi microchip, with a full TCP/IP stack and microcontroller capability, produced by Espressif Systems in Shanghai, China. It’s called a SoC: System On a Chip. The chip first came to the attention of Western makers in August 2014 with the ESP-01 module, made by a third-party manufacturer Ai-Thinker.

The ESP-01 comes in 3 different models:
– ESP-01 Blue (this is the original ESP-01)
– ESP-01 Black
– ESP-01S Black

LED differences between the ESP-01 and the ESP-01S
Source: https://www.esp8266.com/viewtopic.php?f=13&t=13659

These are the relevant differences:

  • Functionally, these models are not different. They work in the same way, have the same ESP8266 SoC, the same power requirements, etc.
  • There is no difference between the ESP-01 blue model and the ESP-01 black model. But keep in mind that the ESP-01 and the ESP-01S are both black.
  • The main difference is that the ‘new’ ESP-01S model has 1MB memory instead of 512KB.
  • With the ESP-01S the power red LED is removed, and the blue LED is on pin 2 now.
    ESP-01: Blue LED on TX
    ESP-01S: Blue LED on GPIO2 (low = on)
  • To get the ESP-01 to boot from flash, you need to supply 3.3V to the CH_PD pin to boot correctly and to be able to flash the ESP. With the new ESP-01S you no longer have to do this; only VCC and GND are sufficient.
  • The stability and wifi range slightly improved with the new ESP-01S.
  • Because the ESP-01 model is only equipped with 512KB of memory, these models are not suited for the latest ESPEasy releases. You can either upgrade the memory (with a W25Q32FVSSIG for example) or use the ESP-01S model.

For a complete overview of the ESP-01 (not the ESP-01S) you can view the cheat sheet below. Be aware that the ESP-01S is a bit different, as stated earlier, but for the most part these specs are similar to the ESP-01. It’s still the same SoC.

ESP8266 ESP-01 Cheat Sheet
Source: https://www.instructables.com/id/Definitive-Guide-to-Setting-Up-Your-New-ESP01-Modu/

Programming the ESP-01(S)

ESP-01(S) USB UART programmer

To program the ESP-01(S) we can use a special programmer tool that we can buy from China. This is a much easier method than hooking up the ESP to a serial interface, where we need a breadboard or soldering to connect the ESP and program it. This way, you can easily reprogram the ESP without rerouting or adapting your setup.

These nifty programmers come in 2 models, with either a CH340G or a CP2102/CP2104 USB-to-serial bus converter chip. The CP210x chip has much better driver support for Windows than the CH340G, but as a trade-off they are a bit more expensive (just a few cents). This is why I recommend, if you are working with Windows, to use CP210x based devices.

Not relevant to this specific post, but in general when buying in China, watch out for FT230 based devices. The (Chinese) market is flooded with counterfeit FTDI FT230 chips, and the manufacturer kills these chips with a driver update. I unfortunately learned this the hard way (about 4 chips/devices later). For more information about this, check this Hackaday article: https://hackaday.com/2014/10/22/watch-that-windows-update-ftdi-drivers-are-killing-fake-chips/

Prerequisites

Tested with

  • ESP-01S
  • Windows 10, version 1909
  • ESP Easy, release mega-20200608

Step 1: Download the latest ESPEasy firmware

Go to the GitHub page of the ESPEasy project and download the latest MEGA release. Download the one whose name starts with “ESPEasy_ESP82xx_”. After downloading, unzip the file to your favorite location.

Yes, these downloads are a bit ‘fat’ at 60~70MB, but they include a range of different firmware builds, tools and source code. It still fits on a single Zip disk (or about 200+ floppies), should the need arise.

https://github.com/letscontrolit/ESPEasy/releases

Step 2: Connect ESP programmer with ESP-01S

The next step is to plug in the ESP programmer with an ESP-01S attached to it. Always plug the ESP into the programmer first, then connect the programmer to your computer. After connecting the programmer to your system, wait a bit so your system can properly recognize the programmer and connect it as a serial port. This can take up to 1-2 minutes.

If you have more than one serial port on your device, you can gain more insight with the Windows Device Manager:

  1. Open the Device Manager by pressing the Windows Key + R. Type “devmgmt.msc” (without the “”) and press Enter.
  2. Expand the Ports (COM & LPT) section.
  3. Find the USB Programmer and make a note of the correct COM port (That’s the serial port).

Step 3: Start ESP Easy Flasher

Next, start the ESP.Easy.Flasher.exe application. You will receive a UAC (User Account Control) prompt, which you can safely accept and continue. After a few seconds, the application will start.

Step 4: Flash the ESP-01S

Once the ESP Easy Flasher application has started, it will search your system for serial ports. Once it has found the port (or, if you have more than one serial port, once you have selected the correct one), you can continue to select the correct firmware.

Select the following firmware for your ESP-01S:
ESP_Easy_mega_<date>_normal_ESP8266_1M.bin
In this case, I selected the following firmware:

Selecting the correct firmware for the ESP-01S with the ESP Easy Flasher tool
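Before pressing the flash button, a check worth doing, as an added example that is not part of the ESPEasy project or its flasher: Python that reads the ESP8266 image header esptool writes at the start of a .bin (magic byte 0xE9, segment count, flash mode, then the flash size in the high nibble and SPI frequency in the low nibble of byte 3) and compares the embedded flash-size field with the module, so a 1M build is not sent to a 512KB ESP-01. The sample headers are constructed, not real ESPEasy binaries.

```python
# Added example, not from the ESPEasy project: decode the ESP8266 image header
# (esptool's layout) and check the image against the module's flash size.

FLASH_SIZE = {0: 512 * 1024, 1: 256 * 1024, 2: 1024 * 1024,
              3: 2 * 1024 * 1024, 4: 4 * 1024 * 1024}
FLASH_MODE = {0: "QIO", 1: "QOUT", 2: "DIO", 3: "DOUT"}
FLASH_FREQ = {0: "40MHz", 1: "26MHz", 2: "20MHz", 0xF: "80MHz"}
MODULE_FLASH = {"ESP-01": 512 * 1024, "ESP-01S": 1024 * 1024}  # from the post

def is_esp_image(data: bytes) -> bool:
    """An ESP8266 image starts with the magic byte 0xE9 and an 8-byte header."""
    return len(data) >= 8 and data[0] == 0xE9

def parse_header(image: bytes) -> dict:
    """Decode the header fields; raise if this is not an image at all."""
    if not is_esp_image(image):
        raise ValueError("not an ESP8266 image: magic byte 0xE9 missing")
    size_code, freq_code = image[3] >> 4, image[3] & 0x0F
    return {"segments": image[1],
            "flash_mode": FLASH_MODE.get(image[2], "unknown"),
            "flash_size": FLASH_SIZE.get(size_code),
            "flash_freq": FLASH_FREQ.get(freq_code, "unknown"),
            "image_bytes": len(image)}

def check_fit(image: bytes, module: str) -> list:
    """Problems that make this image a bad choice for the module; an empty
    list means the image is built for, and fits in, the module's flash."""
    hdr, chip = parse_header(image), MODULE_FLASH[module]
    problems = []
    if hdr["flash_size"] is None:
        problems.append("unrecognised flash-size code in header")
    elif hdr["flash_size"] > chip:
        problems.append(f"image built for {hdr['flash_size'] // 1024}KB flash, "
                        f"{module} has {chip // 1024}KB")
    if hdr["image_bytes"] > chip:
        problems.append("image is larger than the module's flash")
    return problems

# Constructed samples (not real ESPEasy binaries): a DIO, 40MHz image built for
# 1MB flash, as a *_normal_ESP8266_1M.bin would carry, and a zip by mistake.
SAMPLE_1M = bytes([0xE9, 4, 0x02, 0x20]) + bytes(4) + bytes(600 * 1024)
SAMPLE_ZIP = b"PK\x03\x04" + bytes(64)   # the unextracted download

if __name__ == "__main__":
    print(parse_header(SAMPLE_1M))
    print("ESP-01S:", check_fit(SAMPLE_1M, "ESP-01S") or "ok")
    print("ESP-01: ", check_fit(SAMPLE_1M, "ESP-01"))
```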

Next, press the “Flash ESP Easy FW” button. And then it’s flashing; watch that little blue LED getting a heart attack for a few seconds. Lovely.

After flashing the ESP-01, you can press the button on the side of the programmer tool to reset it, or just unplug the whole thing and plug it back in. From this moment onward, the ESP-01 only needs power (and occasionally a bit of tough love).

Once the ESP-01 has booted back up, you need to connect to it using WiFi. Just look at the available wireless networks and you should find a network called “ESP-Easy”. The password is “configesp” (without the “ ”).

Connect to the ESP-Easy wifi network…

Windows can take a bit of time figuring out the connection, but eventually it should get the status “No Internet, secured”. That’s perfectly fine.

If your browser does not automatically kick in, open your browser and go to the URL http://192.168.4.1. This should bring you to the ESP Easy wifi page, where we can hook up the ESP-01 to our home network. Select your wifi network and fill in the corresponding password below. Click on Connect and let the magic happen.

Magic sometimes takes a few seconds!

Once it’s connected, the status will update with the current network configuration. In my case, it received the IP address 10.1.3.71 (I have a bit of an odd home network). This is the moment you can disconnect from the ESP Easy wifi network and reconnect to your regular network.

ESP Easy perfectly connected to the home wifi network!

Now, we have a working ESP-01 with the latest ESP Easy firmware…
Enjoy!


Inside the Eufy HomeBase 2

Most who know me know that I love to open up new devices, break them sooner or later and fix them again. That’s probably why my family asks me to fix things only when they have exhausted all other options. But hey, it’s probably in my nature, I can’t help myself ;-).

Eufy HomeBase2

So this time, I got my hands on the Eufy HomeBase 2. As information about this lovely piece of technology is limited on the internet, it’s my time to share!

So here we go, this is what you need:

  • Eufy HomeBase 2
  • guitar pick
  • Small and thin Philips screwdriver
  • Steady hands

First, we need to open up the bottom case with the guitar pick. On one side, there is a small notch where we can start.

Next, we need to separate the bracket from the outer shell. It’s attached with 4 screws that are a bit buried, so you need a small and fine screwdriver with a slim head.

Now we can see the bracket with its 3 wifi antennas.
I took some pictures of the top and bottom:

Regarding the chips, this is what I found out:

Top:

Top of the Eufy HomeBase 2 PCB
  1. Network Signal Transformer
    Print: XZ i933-G / H1102NL
    Datasheet: LINK
  2. ?
    Print: F488 / 7662 / 11951
  3. ?
    Print: F488 / 7662 / 11951
  4. ?
    Print: WX01 / HD804004
  5. USB audio
    Print: HS-100B / CFW32878.1 / SHH1BNCZ-GS / 1938
  6. USB Hub
    Print: GL850G / HH4JB05Y22 / 950SRC8611
  7. Wifi antennas:
    Print: AT&G-T8010 / WiFi-2-V1

Bottom:

Bottom of the Eufy HomeBase 2 PCB board
  1. Samsung 16GB NAND Flash Memory
    Print: SEC 940 / B041 / KLMAG1JETD / SA57ZZIUS
    Datasheet: LINK
  2. Macronix Int. 256MB Flash memory
    Print: MXIC L194611 / MX25L25635FZ2I-10G / 8F652400

Due to limited time, I haven’t got around to working out every detail.
However, I hope you gained some insight into the ‘inner guts’ of the Eufy HomeBase 2! If you have any more questions, just send me a message or reply to the post. Thanks for reading!
