All Posts By Sprint Networks


Cyber Threat Intelligence

By Superfast IT Networks, Network Security

What should be expected from your threat intelligence?

Threat intelligence is now widely used and plays a crucial role in your security posture. If you are a cybersecurity professional you will be familiar with the concept, even if you do not fully understand how it works. It matters across many domains of cybersecurity, especially to those who operate Security Information and Event Management (SIEM) tools or work in incident response teams.

But what should you expect from a threat intelligence feed, especially when it has to work together with other security elements such as an NGFW, email services or a WAF? Sprint Networks partners with a leading threat intelligence provider, Fortinet. Here is what you should expect from threat intelligence:

1. Antivirus:

Threat intelligence should deliver automated updates that protect against the latest viruses, spyware, and other content-level threats. It uses industry-leading advanced detection engines to prevent both new and evolving threats from gaining a foothold inside your network and accessing its invaluable content.

2. Intrusion Prevention (IPS):

Automated IPS updates provide the latest defenses against network intrusions by detecting and blocking threats before they reach your network devices. You get the latest defenses against stealthy network-level threats, a comprehensive IPS library with thousands of signatures, flexible policies that give full control over attack detection methods for complex security applications, resistance to evasion techniques proven by NSS Labs, and an IPS signature lookup service.

3. Application Control:

Improve security and meet compliance by easily enforcing your acceptable-use policy through unmatched, real-time visibility into the applications your users are running. With FortiGuard Application Control, you can quickly create policies to allow, deny, or restrict access to applications or entire categories of applications. Sophisticated detection signatures identify apps, database applications, web applications and protocols; both blacklist and whitelist approaches can allow or deny traffic. Traffic shaping can be used to prioritize applications, and flexible policies enable full control of attack detection methods.

4. Security Rating Service:

The Security Rating Service helps guide customers to design, implement and continually maintain the target Security Fabric security posture suited to their organization. By running Security Rating Service audit checks, security teams can identify critical vulnerabilities and configuration weaknesses in their Security Fabric setup and implement best-practice recommendations.

5. IoT Service:

The IoT service helps customers significantly reduce their attack surface by enabling the Fortinet Security Fabric to automatically discover and segment IoT devices based on FortiGuard intelligence, and to enforce appropriate policies against them. With the service, FortiGates can query FortiGuard servers to obtain information about unknown devices and then act accordingly based on policy.

6. Indicators of Compromise (IOC) :

The IOC service is an automated breach defense system that continuously monitors your network for attacks, vulnerabilities, and persistent threats. It provides protection against legitimate threats, guarding customer data and defending against fraudulent access, malware, and breaches. It also helps businesses detect and prevent fraud from compromised devices or accounts.

7. Vulnerability Scan

Vulnerability scanning checks network assets for security weaknesses, with on-demand or scheduled scans. It provides comprehensive reports on the security posture of your critical assets and automated scanning of remote-location FortiGates. To benefit from and access the intelligence, expertise, and protection delivered by FortiGuard Labs, customers simply need to add the desired security subscriptions to their Fortinet Security Fabric deployment. FortiGuard security services are designed to optimize performance and maximize protection across the Fortinet Security Fabric and are available as both individual and bundled subscriptions. The subscriptions cover every aspect of the attack surface and include IP reputation updates, intrusion prevention, web filtering, antivirus/anti-spyware, anti-spam, database security, virus outbreak protection service, content disarm & reconstruction, security rating services, and network and web application control capabilities. Subscribe to FortiGuard to stay protected against the latest threats across all threat vectors and attack surfaces today!

8. Web Application Firewall (WAF):

Automated WAF signature updates that protect against SQL injection, cross-site scripting, and various other attacks, hundreds of vulnerability scan signatures, data-type and web robot patterns, and suspicious URLs. Supports PCI DSS compliance by protecting against OWASP top 10 vulnerabilities and using WAF technology to block attacks.

9. Web Filtering:

Block and monitor web activities to assist customers with government regulations and enforcement of corporate internet usage policies. FortiGuard’s massive web content rating databases power one of the industry’s most accurate web filtering services. Granular blocking and filtering provide web categories to allow, log, or block. Comprehensive URL database provides rapid and comprehensive protection. And, Credential Stuffing Defense identifies login attempts using credentials that have been compromised using an always up-to-date feed of stolen credentials.

10. Industrial Control Systems Security:

The FortiGuard Industrial Security Service continuously updates signatures to identify and police most of the common ICS/SCADA (supervisory control and data acquisition) protocols for granular visibility and control. Additional vulnerability protection is provided for applications and devices from the major ICS manufacturers.

11. Antispam:

FortiGuard Antispam provides a comprehensive and multi-layered approach to detecting and filtering spam processed by organizations. Dual-pass detection technology can dramatically reduce spam volume at the perimeter, giving you unmatched control over email attacks and infections. Advanced anti-spam detection capabilities provide greater protection than standard real-time blacklists.

12. Cloud Sandbox:

FortiCloud Sandbox Service is an advanced threat detection solution that performs dynamic analysis to identify previously unknown malware. Actionable intelligence generated by FortiCloud Sandbox is fed back into preventive controls within your network—disarming the threat. FortiSandbox is NSS Labs Recommended for breach detection and breach prevention, and ICSA Labs certified for advanced threat defense.

Make your network intelligent against threats with Sprint Networks. We aim to secure Australian businesses and institutions from all malicious activities that can take advantage of network vulnerabilities.

If you think you are at risk!

If you have questions, please drop us an e-mail at info@sprintnetworks.com


Taking Action To Protect Your Infrastructure Against Cyber-Attack

By Network Security

Copy-Paste Compromise

This month, the Australian Cyber Security Centre (ACSC) released a statement on malicious cyber activity against Australian institutions, including hospitals and state-owned utilities.

The attacker has been identified leveraging a number of open-source proof-of-concept (PoC) exploit code, shells and other tools. The activity is carried out primarily through remote code execution vulnerabilities in unpatched versions of Telerik UI, and through other Microsoft IIS and Citrix vulnerabilities.

The attacker has shown the capability to find and quickly leverage exploitable public vulnerabilities, and regularly conducts reconnaissance of target networks looking for vulnerable services. The attacker may maintain a list of public-facing services in order to quickly locate vulnerable services after future vulnerability releases.

How Is The Attack Happening

Even if your company does not host any public-facing services, that does not mean your network cannot become one of the victims of this campaign. The ACSC has identified that the attack also uses various phishing techniques. The ACSC has advised that the phishing has taken the form of:
  • links to credential harvesting websites
  • emails with links to malicious files, or with the malicious file directly attached
  • links prompting users to grant Office 365 OAuth tokens to the actor
  • use of email tracking services to identify the email opening and lure click-through events.

Sprint Networks Solution

Sprint Networks has an experienced team with comprehensive solutions to support your evolving security requirements. We have a strong partnership with leading technology providers to secure and maintain your security today and into the future.

Sprint Networks is offering Managed Email and DNS Security to strengthen your security defences with better control over all aspects of inbound, outbound emails, and suspicious traffic. To avoid becoming a victim in this attack, relying on people to keep your business safe should not be part of your options.

We provide a cloud-based Email Security solution that filters all malicious email before it even reaches your network components. Even if your employees receive the malicious web address from another source, we will block the request before it leaves your network, so the attacker never receives a response from the victim.

Protect your business from Cyber Threats with Sprint Networks. We aim to secure Australian businesses and institutions from all malicious activities that can take advantage of network vulnerabilities.

If you think you are at risk!

If you have questions, please drop us an e-mail at info@sprintnetworks.com


Sprint Networks - Bmobile SD-WAN

By Superfast IT Networks

What is SD-WAN?

A Software-defined Wide Area Network (SD-WAN) is a virtual WAN architecture that allows enterprises to leverage any combination of transport services – including Multi-Protocol Label Switching (MPLS), LTE and broadband internet services – to securely connect users to applications.
SD-WAN uses a centralised control function to securely and intelligently direct traffic across the WAN. This increases application performance, resulting in enhanced user experience, increased business productivity and reduced costs for IT.

SD-WAN For Digital Transformation

  • Intelligent traffic forwarding: SD-WAN enables application-based traffic forwarding as well as Quality of Service (QoS) assurance, which is a prerequisite for digital networking.
  • Simplicity at enterprise scale: centralised cloud management makes it easy to deploy SD-WAN with security while maintaining policy across thousands of sites.
  • Transport-independent secure fabric: SD-WAN creates an overlay fabric that is transport agnostic across different transport technologies such as cable, optical, and LTE.
  • ZTP (Zero Touch Provisioning): customers can provision and on-board branches with no human intervention. Simply plug and play.
  • Multi-link and multi-path load balancing: SD-WAN makes creating a secure WAN over cheap Internet, 4G/5G or traditional WAN technologies a reality. Additionally, its ability to load-balance over these WAN technologies allows network administrators to choose the appropriate technology and transport based on the budget available for the network as part of the digital transformation road-map.
  • Right security, right place: protect users, devices, and applications by deploying embedded or cloud security faster with the best threat intelligence.
  • Deep application-level visibility: see how your top-priority apps are performing at any given time. See packet loss, jitter and latency on your WAN circuits.
  • Save on OPEX: with the 7 reasons above, customers can significantly reduce their operational expense in device activation and maintenance.

Why You Should Care About SD-WAN In PNG?

More than 50% of IT budgets are spent on service providers in the hope of improving branch uptime and overall link performance, so enterprises in PNG use two service providers. But these enterprises never get to use both service-provider links simultaneously, because the technology in their networks does not allow it, and so they lose money. This is no longer the case, thanks to Sprint Networks’ SD-WAN solution!

6 Reasons To Choose Sprint Networks

1) Make the Internet your New WAN and save

Sprint Networks’ SD-WAN solution will help you to make the Internet your new WAN securely. Replace expensive WAN circuits easily with ADSL or 4G/LTE.

2) Double your Bandwidth Automatically

Sprint Networks’ SD-WAN solution will load-share across available links to maximise throughput by utilising all your WAN circuits over Digicel, Telikom, SpeedCast, BMobile, Internet, etc.

3) Secure your WAN Traffic over Telikom, Digicel, etc.

All your WAN traffic is securely encrypted using enterprise-grade security tunnels, giving you peace of mind against MITM (man-in-the-middle) attacks.

4) Prioritise your important traffic

See your network performance and analytics based on applications. Know how your business critical apps are performing.

5) Total Control of your WAN

Sprint Networks’ SD-WAN lets you control, manage and provision your WAN network from a single pane of glass. Troubleshoot network-related issues with a few clicks.

6) Eyes in to your WAN

See your network performance and analytics based on applications. Know how your business critical apps are performing.

The WAN Network You Should Have


Sprint Networks and Bmobile SD-WAN Offer

Sprint Networks offered a customised package to Bmobile to suit their needs. It gave Bmobile the ability to fully utilise every available feature of SD-WAN.


Free hardware

Complete Free Hardware upgrade at every single SD-WAN branch site and at the HQ.

Deployment

Audit customer network and integrate the SD-WAN solution into the core environment at NO cost. Also, RMA and replacement included.

24x7 Monitoring

We work with customer’s ICT staff closely to monitor the network, identify any faults and report them.

WAN Optimisation

Complete Free Hardware upgrade at every single SD-WAN branch site and at the HQ.

Maintenance

Fine-tune configuration and upgrade software at NO cost.

Quality of service

Provision Quality of Service on the network and prioritise business critical traffic.

Do You Know?

Sprint Networks was the first ICT company, back in 2018, to introduce SD-WAN to the Pacific region, and PNG was the first to deploy it.

Get started to digitally transform your business with SD WAN managed by Sprint Networks.


Firewall: Traditional Vs Next Generation

By Network Security, Featured

Next-Gen Firewall (NGFW) vs. Traditional Firewall

The purpose of any enterprise-grade firewall is to protect your network, internal systems and confidential data against intruders and malicious access.
They all share the same basic goal, but the specific technologies, features, capabilities and level of complexity can vary immensely.
The two most basic categories of enterprise-level firewall are traditional and next-generation. The next-generation firewall (NGFW) is the more advanced of the two and offers the most robust protection for your business.
But what are the differences between a next-generation firewall and a traditional firewall, and how can those differences benefit your business?

Traditional Firewall

Traditional firewalls are designed to police traffic. Traffic in and out of a network is controlled based on source IP address, destination IP address, port, and protocol.
When we talk about the traditional firewall, we mean the traditional stateful firewall. Its features are limited, such as:

  • Stateful inspection: traffic is defined as a flow instead of isolated packets. Rules can be applied to the traffic flow, and decisions can be made on its behaviour.
  • Virtual Private Network: provides a secured entry into the network when users or systems traverse a public or untrusted network.
  • Packet filtering: helps the network administrator ensure that both ingress and egress traffic is inspected. Firewalls can terminate a connection initiated by a suspicious source on behalf of users.

Next-Generation Firewall

A next-generation firewall does this and much more. In addition to access control, it provides more granular rules to block modern threats. According to Gartner’s definition, a next-generation firewall must have:
  • Standard firewall capabilities like stateful inspection
  • Integrated intrusion prevention
  • Application awareness and control to see and block risky apps
  • Threat intelligence sources
  • Upgrade paths to include future information feeds
  • Techniques to address evolving security threats
A next-generation firewall should deliver 4 core benefits to your organization:
  • Application awareness empowers the organization to set specific rules for each application instead of for IP and port number. Defining each application is the core function of an NGFW. Traditional applications are defined by port number, which can be used by anyone. It is critical to use App-ID to identify traffic flows and detect evolving threats.
  • An intrusion prevention system has the capability to actively detect and block intrusions. Detection refers to a cloud database that is dynamically updated against zero-day attacks.
  • Threat intelligence provides the firewall and other security appliances with the latest intelligence to detect and stop emerging threats.
  • Deep packet inspection (DPI) ensures a thorough inspection of the packet’s contents, whereas standard packet inspection only reads the header. An NGFW looks at the full context of every single packet.

Don't Leave Vulnerabilities In Your Network Through Outdated Security Technology

Modern businesses need modern protection. The cyber threat landscape is forever expanding along with innovations in technology, which unfortunately means that cyber criminals are far from finished. If anything, their job is getting easier.

Sprint Networks provides a managed NGFW service, providing multiple levels of security for your network.
As a managed security service, we take the responsibility away from your resources and let your staff concentrate on what you do best.

Find out more about NGFW service at info@sprintnetworks.com

DNS Security

By Network Security

Why is DNS security critical?

From a network security perspective, the Domain Name System is one of the most widely used network protocols across the Internet.
DNS is an open protocol used in 99% of internet connections. Unfortunately, it is by nature carried in plain text over UDP port 53. This open nature has made DNS a leading pathway for ransomware and other security risks.
The new DNS privacy standard is DNS over TLS (DoT). TLS, Transport Layer Security, lets the new standard address the ‘last mile’ problem of DNS security. The communication between the DNS client (your local DNS server or your PC) and your DNS provider (most often Google) is almost always unencrypted and therefore subject to hijacking and other threats. DoT not only strengthens DNS security by encrypting the traffic, but also authenticates the DNS server with a digital signature.
The usual way of blocking threats is to use enterprise threat-protection mechanisms against each daily threat. The most effective way to improve your security stack is to protect your network at its starting point.

Trade-offs of using DoT

In practice, the new DNS protocol makes DNS harder to abuse for malicious purposes, but it also makes it harder for internal security mechanisms to work. Enterprises generally want to maintain internal security control over their DNS servers, and for those use cases the new protocol comes with notable security trade-offs:

  • Bypassing enterprise controls: although DoT provides DNS-level security by encrypting DNS requests and responses, it may inadvertently bypass enterprise content controls.
  • DNS server performance reduction: traditional DNS relies on UDP (User Datagram Protocol), which is unreliable but efficient. DNS over TLS runs over TCP (Transmission Control Protocol), which needs more resources on your local DNS server. In addition, TLS requires your DNS server to encrypt queries and decrypt responses, and the size of DNS packets increases accordingly. Adding resources must be planned for if the same performance is required.
  • Education for end-users: DoT is in constant development, bringing challenges to existing infrastructure. All managers and architects, whether they run infrastructure on public cloud or private networks, should be aware of this evolution.

Best Practice

  • Choose a reliable DNS provider who guarantees 100% uptime and uses technology such as anycast to stay resilient.
  • Start looking after your security concerns. Your DNS server should proactively respond to threats. You should be able to use the Internet’s infrastructure to block malicious and unwanted domains, IP addresses, and cloud applications before a connection is ever established.
  • Block direct DNS requests; this is a good place to start. Between the internal users and the DNS providers on the Internet there should be another step in the middle, such as local DNS infrastructure. This allows the administrator to apply DNS policy comprehensively without involving end-users.
  • Make sure all queries are accountable. Your administrator should be able to see logs for all DNS activity, which simplifies investigation and serves as a reference for security decisions.
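To make the last two items above checkable, here is an added example (not part of the original post) that audits constructed firewall flow-log and resolver query-log lines: it flags clients sending plain DNS or DNS over TLS to anything other than the internal resolver, and clients that used the resolver but never appear in its query log. The resolver address 10.0.0.53, both log formats and all sample lines are assumptions made for this example.

```python
"""Audit DNS usage against two of the best practices above: clients must send
DNS only to the internal resolver, and every client that uses the resolver must
be visible in its query log. All log lines below are constructed samples."""
import ipaddress
from dataclasses import dataclass

# Assumed address of the internal DNS infrastructure that should front all queries.
INTERNAL_RESOLVERS = {ipaddress.ip_address("10.0.0.53")}

# Destination ports that carry DNS: plain DNS on 53 and DNS over TLS (DoT) on 853.
DNS_PORTS = {53: "plain DNS", 853: "DNS over TLS"}

# Constructed firewall flow log: one allowed connection per line.
SAMPLE_FLOW_LOG = """\
2024-05-01T09:00:01 src=10.1.4.20 dst=10.0.0.53 proto=udp dport=53 action=allow
2024-05-01T09:00:02 src=10.1.4.21 dst=8.8.8.8 proto=udp dport=53 action=allow
2024-05-01T09:00:03 src=10.1.4.22 dst=1.1.1.1 proto=tcp dport=853 action=allow
2024-05-01T09:00:04 src=10.1.4.20 dst=10.0.0.53 proto=tcp dport=53 action=allow
2024-05-01T09:00:05 src=10.1.4.23 dst=203.0.113.7 proto=tcp dport=443 action=allow
2024-05-01T09:00:06 src=10.1.4.24 dst=10.0.0.53 proto=udp dport=53 action=allow
"""

# Constructed query log from the internal resolver.
SAMPLE_RESOLVER_LOG = """\
2024-05-01T09:00:01 client=10.1.4.20 qname=intranet.example.internal qtype=A rcode=NOERROR
2024-05-01T09:00:04 client=10.1.4.20 qname=updates.example.com qtype=A rcode=NOERROR
"""


def parse_kv(line):
    """Parse 'TIMESTAMP key=value key=value ...' into a dict; timestamp lands under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for token in rest.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def records(log):
    """Yield parsed records, skipping blank lines."""
    for line in log.splitlines():
        if line.strip():
            yield parse_kv(line)


@dataclass(frozen=True)
class Bypass:
    ts: str
    client: str
    resolver: str
    transport: str


def find_bypass(flow_log):
    """Connections on a DNS port whose destination is not an internal resolver.
    DoT (tcp/853) is included on purpose: an encrypted bypass is still a bypass."""
    findings = []
    for rec in records(flow_log):
        dport = int(rec.get("dport", 0))
        if dport not in DNS_PORTS:
            continue
        if ipaddress.ip_address(rec["dst"]) in INTERNAL_RESOLVERS:
            continue
        findings.append(Bypass(rec["ts"], rec["src"], rec["dst"], DNS_PORTS[dport]))
    return findings


def bypass_by_transport(findings):
    """Count findings per transport, showing which egress rules (53 and 853) are missing."""
    counts = {}
    for f in findings:
        counts[f.transport] = counts.get(f.transport, 0) + 1
    return counts


def find_unaccounted(flow_log, resolver_log):
    """Clients that reached the internal resolver according to the firewall but have
    no entry in the resolver's query log: a logging gap that breaks accountability."""
    talked = {rec["src"] for rec in records(flow_log)
              if int(rec.get("dport", 0)) in DNS_PORTS
              and ipaddress.ip_address(rec["dst"]) in INTERNAL_RESOLVERS}
    logged = {rec["client"] for rec in records(resolver_log)}
    return talked - logged


if __name__ == "__main__":
    hits = find_bypass(SAMPLE_FLOW_LOG)
    for h in hits:
        print(f"{h.ts} {h.client} bypassed the internal resolver via {h.transport} to {h.resolver}")
    print("bypass by transport:", bypass_by_transport(hits))
    print("clients missing from resolver log:",
          find_unaccounted(SAMPLE_FLOW_LOG, SAMPLE_RESOLVER_LOG))
```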

Traditional Way of DNS Resolution


DNS Resolution Process with Secured DNS Provider

More details on DNS security, privacy and DNS security providers are available in the Managed DNS Security solution. Stop blindly trusting every website; start using Advanced Threat Intelligence to secure your DNS infrastructure. More security solutions are available from the Managed Service Center. Start looking after your network security with the right partner. If you are interested in learning more about DNS Security, contact us today at info@sprintnetworks.com

How To Design A Secure And Stable WAN Data Networks In PNG?

By PNG
Most Pacific networks do NOT conform to best-practice network design! They lack stability and security. In this article, we share how you can design your network for optimal performance in a typical hub-and-spoke architecture. You can use these design strategies as a blueprint for your data network over TPNG- or Digicel-provided transmission.

A stable, secure and high-performing data network is essential if organisations are to operate efficiently and provide customers, partners and staff members with an enjoyable user experience. By ensuring that the network delivering data, business applications and collaboration systems is robust, stable, secure, scalable and reliable, organisations can increase productivity, enhance user satisfaction and keep costs down.

So What Are The Steps Required To Build Such A Network?

Although we work with multiple ISPs in PNG; this article has no affiliation to any ISP in PNG. The content in this document is generic and meant to be used ONLY as a guide for building best practice WAN networks.

Consider The Following Case Study:

Customer “WOW-Super” is a new superannuation company in PNG. They are building their local presence by standing up two branches in Wewak and Lae, while the head office is located in Boroko. They have intentions to have wider coverage and expand in the future.

The senior management team have contracted a reputable IT firm to design and build their WAN Data Network using best practice data solutions.

Scope Based On Customer Requirements

Build a state-of-the-art WAN Data Network with the following considerations:
  • Robust and stable, using dynamic routing.
  • Use best-practice security solutions.
  • Be able to scale and anticipate growth when new branches are added.
  • WAN redundancy using two service providers (example: TPNG and Digicel).
  • One service provider should be primary while the other is backup, with automatic failover and high availability.
  • All server connectivity and Internet access will be via the hub router(s), except for specific servers sitting behind each branch, where optimal routing should be used.
  • From the latency reports supplied by the two ISPs, the link at the Lae branch has a better response time over the TPNG transmission, while the link at Wewak has a better response over Digicel. (NOTE: TPNG currently uses satellite links in Wewak with a latency of approximately 500 milliseconds; this is considerably higher than Digicel.) Therefore it is prudent to use TPNG as the primary link at Lae with Digicel as the backup, and Digicel as the primary supplier in Wewak with TPNG as the backup.
  • Proactive network monitoring and management of the data network during business hours.
Are you interested in our upcoming workshops to promote and educate customers on new data technologies across the Pacific? Would you like to learn how state-of-the-art architecture, design and security solutions can help you take charge of your data network?
Then email us today at sales@sprintnetworks.com for pricing and scheduling. Sprint Networks can show you how these new technologies can benefit you and enhance your data experience. These workshops are scheduled to commence soon, starting in PNG and then branching out to other islands in the region. Sprint Networks will design these workshops around your current network needs.
Figure 1: High-Level Design Overview

Figure 2: High-Level Design Traffic Flow

Note: WOW-Super already has a solid core network. That is, WOW-Super has used best-practise network solutions within their LAN architecture.

Designing best-practice LAN networks is not within the scope of this document. If you’re interested in learning how to design best-practice LAN networks, contact us today at info@sprintnetworks.com

ISP Offering

For TPNG:

The current TPNG offering is a flat layer 2 structure with VLAN-based segregation for all WOW-Super branches (VPN-based offerings are managed services offered by TPNG). Contiguous VLAN spaces for the branches are usually reserved.

TPNG will provision pre-defined VLANs within its core and ensure data integrity and security are maintained. At the branches and at the hub, TPNG will present all ports as access ports. You could also request Dot1Q tunnels to have aggregated links at the hub, but this could incur separate costs.

Figure 3: Possible Dot1Q aggregated Link at the hub

For Digicel

The Digicel network provides connectivity using RF communications from remote sites to a layer 2 backbone network that interconnects all branches with the hub. Separation of customer networks is achieved through Layer 2 VLANs and Layer 3 VPNs on the Digicel network. Digicel will provide a PPPoE transmission end-point at the customer CPE. These end-points will have layer 3 addresses forming point-to-point reachability. A pre-negotiated IP subnet will be used for Layer 3 communication (we use 172.16.1.0/24).

The Approach

The goal is to have parallel networks over TPNG and Digicel. Therefore, the two service providers (Telikom PNG and Digicel) will provide data services via two (2) distinct networks (refer to Figure 2).
Figure 2 illustrates the hub-and-spoke concept deployed over the two service providers’ networks. In order to maintain physical and logical separation, a new head-end router for each service provider will be introduced at the customer HQ. These new routers provide the added redundancy and the capability to run two data networks in parallel simultaneously, fulfilling one of the primary requirements set by the customer.
Both Telikom PNG and Digicel will create a new VPN for the WOW-Super network to provide logical separation of WOW-Super traffic from other customers and the Internet.
NOTE: A pre-negotiated obligation of both ISPs should be to supply the items listed below. It is, however, the responsibility of the customer or managed services provider to ask for them.
  1. Complete Layer 2 error report for both ISPs (BERT tests) and acceptable threshold
  2. Static IP allocation on the Client interface on the Digicel PPPoE links (reasons for this will be explained later in the document)
  3. Throughput tests should be performed from the customer end.
  4. Latency reports for Satellite links, fibre and radio links.
  5. Support contact details (this could be obvious but sometimes overlooked)
Some of these items could attract separate costs and should therefore be carefully assessed. They should be stipulated in writing and agreed by the customer, the ISP and the managed services team, and should form part of the ISP’s SLA.

Here’s a summary of the functions that will be performed at both the hub (HQ) and each branch site for both service providers:

At the Head Office

Using TPNG

Installation and configuration of TPNG managed equipment and associated hardware into HQ. (TPNG responsibility)

Installation and configuration of WOW-Super managed equipment that will interface with the TPNG equipment. (WOW-Super responsibility)
Install and integrate the new head-end router PE1 into the WOW-Super network at HQ. This task would involve:
  • Enabling Layer 1/2 connectivity with the SW1 and SW2 switches.
  • Integrating into OSPF Area 0.
  • Enabling iBGP peering with the core layer devices at HQ.
  • Verifying that BGP route propagation is functioning as expected.
  • Hub and branch routers have separate subnets for layer 3 connectivity.
  • Between the hub and branch, a DMVPN tunnel will be established. These tunnels will be transparent to TPNG. Enable DMVPN Phase 3 so that spoke-to-spoke communication is also possible.
  • Private Autonomous System Numbers (ASNs) will be used.
  • Each branch will have an IPsec tunnel to the hub to secure the data plane across the TPNG network; this tunnel will be used to securely transport WOW-Super production traffic.
  • Over the IPsec tunnel an eBGP peering will be established.

Using Digicel

Installation and configuration of Digicel managed equipment and associated hardware into HQ. (Digicel responsibility)

Installation and configuration of WOW-Super managed equipment that will interface with the Digicel equipment. (WOW-Super responsibility)
Install and integrate the new head-end router PE2 into the WOW-Super network at HQ. This task would involve:
  • Enabling Layer 1/2 connectivity with the SW1 and SW2 switches.
  • Integrating into OSPF Area 0.
  • Enabling iBGP peering with the core layer devices at HQ.
  • Verifying that BGP route propagation is functioning as expected.
  • The WOW-Super HQ site (Hub2) will be a PPPoE client, and the Digicel edge router within the Digicel core network will act as the PPPoE server.
  • The Digicel VPN PE routers will authenticate the PPPoE session using CHAP and pre-defined usernames and passwords. Authentication will occur against a centralised server within the Digicel network.
  • To provide point-to-point reachability between the PPPoE Dialler interfaces at the hub site in Boroko and at the branch sites, eBGP will be used.
  • DMVPN tunnels will be established between the CPEs using the PPPoE Dialler interfaces as the endpoints (i.e. tunnel source and destination). These tunnels will be transparent to Digicel.
  • IPsec tunnels will be built over the DMVPN tunnels using the recommended encryption policies for data security; DMVPN Phase 3 will also be enabled.
  • eBGP peering between the CPEs across the IPsec tunnels will establish a secure data plane across the Digicel network that will be used to securely transport WOW-Super production traffic.
  • Private Autonomous System Numbers (ASNs) will be used.

At Branch Offices

Using TPNG
Installation and configuration of TPNG managed equipment and associated hardware at each branch site (TPNG responsibility).
Installation and configuration of WOW-Super managed equipment that will interface with the TPNG equipment (WOW-Super responsibility).
Install and integrate the new branch routers into the WOW-Super branch networks at Lae and Wewak. This connection can be made on a collapsed distribution and access layer. This task involves:
  • Enabling Layer 1/2 connectivity with the branch switch(es).
  • Configuring a default route from the branch network switches to the PE router.
The CPE at each branch will have an eBGP peering to Hub1 at HQ.
Each branch will have its own DMVPN tunnel towards Hub1, over which the eBGP session is established.
Using BGP path preference, Hub1 will be preferred over Hub2 as the primary path for traffic leaving the Lae branch network.
A private Autonomous System Number (ASN) will be used.
Each branch will have an IPsec tunnel to the hub that secures the data plane across the TPNG network and is used to transport WOW-Super production traffic.
Using Digicel
Installation and configuration of Digicel managed equipment and associated hardware at each branch site (Digicel responsibility).
Installation and configuration of WOW-Super managed equipment that will interface with the Digicel equipment (WOW-Super responsibility).
The same branch router as in the TPNG steps will be used.
A PPPoE connection similar to the HQ one will be established, with CHAP as the authentication method.
The CPE at each branch will have an eBGP peering to Hub2 at HQ.
Each branch will have its own DMVPN tunnel towards Hub2, over which the eBGP session is established.
Using BGP path preference, Hub2 will be the preferred path for data traffic at Wewak, with TPNG as the secondary path.
The same private ASN as on the TPNG path will be used (one BGP process per branch router).
Each branch will have an IPsec tunnel to the hub that secures the data plane across the Digicel network and is used to transport WOW-Super production traffic.
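As an added worked example (this is not the design document's own configuration), the following Cisco IOS configuration shows the shape of what the steps above produce on Hub1 and on the Lae branch CPE: IKEv2/IPsec protection of the mGRE tunnels, DMVPN Phase 3 (redirect on the hub, shortcut on the spokes), a PPPoE dialer authenticated with CHAP as the tunnel source on the Digicel side, and eBGP over the tunnels with local preference and AS-path prepending so that Hub1 is the primary path for Lae. Every interface name, address (203.0.113.1 and 198.51.100.1 as the hub NBMA addresses, 10.255.x.0/24 tunnel subnets, 10.10.0.0/16 and 10.11.0.0/16 as the HQ and Lae LANs), ASN (65000 for HQ, 65011 for Lae), profile name and secret is a hypothetical placeholder to be replaced by the customer's addressing plan. Wewak is the mirror image with the two preferences swapped.

```cisco
! Hub1 (PE1 at HQ, TPNG transport). Every address, ASN, name and secret here is a hypothetical placeholder.
crypto ikev2 proposal WOW-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy WOW-POL
 proposal WOW-PROP
crypto ikev2 keyring WOW-KEYS
 peer BRANCHES
  address 0.0.0.0 0.0.0.0
  pre-shared-key <long-random-secret>
crypto ikev2 profile WOW-IKEV2
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local WOW-KEYS
crypto ipsec transform-set WOW-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile WOW-IPSEC
 set transform-set WOW-TS
 set ikev2-profile WOW-IKEV2
!
interface Tunnel1
 description DMVPN Phase 3 hub, NBMA network = TPNG
 ip address 10.255.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 ip nhrp redirect
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile WOW-IPSEC
!
router bgp 65000
 neighbor 10.255.1.11 remote-as 65011
 address-family ipv4
  network 10.10.0.0 mask 255.255.0.0
  neighbor 10.255.1.11 activate
!
! Lae branch CPE. Reuse the crypto block above (keyring peer = the two hub NBMA addresses); the Digicel-facing port carries "pppoe-client dial-pool-number 1" and feeds Dialer1.
interface Dialer1
 description PPPoE to Digicel, CHAP client; tunnel source for the Hub2 path
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 mtu 1492
 ppp chap hostname lae-cpe
 ppp chap password 0 <chap-secret>
!
interface Tunnel1
 description spoke to Hub1 over TPNG (primary for Lae)
 ip address 10.255.1.11 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp network-id 1
 ip nhrp nhs 10.255.1.1 nbma 203.0.113.1 multicast
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile WOW-IPSEC
!
interface Tunnel2
 description spoke to Hub2 over Digicel (backup for Lae)
 ip address 10.255.2.11 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp network-id 2
 ip nhrp nhs 10.255.2.1 nbma 198.51.100.1 multicast
 ip nhrp shortcut
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile WOW-IPSEC
!
route-map VIA-HUB1 permit 10
 set local-preference 200
route-map VIA-HUB2 permit 10
 set local-preference 100
route-map BACKUP-OUT permit 10
 set as-path prepend 65011 65011
!
router bgp 65011
 neighbor 10.255.1.1 remote-as 65000
 neighbor 10.255.1.1 timers 10 30
 neighbor 10.255.2.1 remote-as 65000
 neighbor 10.255.2.1 timers 10 30
 address-family ipv4
  network 10.11.0.0 mask 255.255.0.0
  neighbor 10.255.1.1 activate
  neighbor 10.255.1.1 route-map VIA-HUB1 in
  neighbor 10.255.2.1 activate
  neighbor 10.255.2.1 route-map VIA-HUB2 in
  neighbor 10.255.2.1 route-map BACKUP-OUT out
```

A few points a reviewer would raise before this goes into production. The wildcard keyring with one shared pre-shared key is the simplest way to let spokes with negotiated (PPPoE) addresses register, but it means anyone holding that key can join as a spoke and any spoke can impersonate another; per-peer keys or, better, certificates with an IKEv2 profile that matches on identity are the stronger choice. CHAP authenticates the PPPoE session to Digicel only and protects nothing on the data plane, which is exactly why the IPsec profile is applied to both tunnels. With hold time 30 seconds the eBGP sessions, and therefore the failover, react within about 30 seconds of a tunnel going dark; BFD on the tunnel interfaces brings that down to a few seconds. Hub2 needs a fixed NBMA address from Digicel for the spokes' nhs statement, and the two spokes need different ASNs (65011, 65012) or the hub's re-advertised spoke prefixes will be dropped by the other spoke's AS-path loop check. Verify with show crypto ikev2 sa, show dmvpn and show ip bgp summary on both ends.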

    How To Overcome The Data Network Limitations In The Pacific Islands

By Superfast IT Networks, PNG
Recently, we were approached by a government-owned financial institution in Papua New Guinea to devise a secure data solution for their branch office at Wewak, which was constantly offline due to intermittent network failures on the existing service provider's link. This impacted their business and hampered productivity. Our recommendation was to add a secondary service provider with secure tunnelling as a backup, with automatic failover: when the primary link fails, the backup link takes over the data transport automatically and seamlessly.

This is a fantastic solution for customers who are looking for agility, resiliency, redundancy and 100% uptime on the links between head office and branch offices (given there is no power failure :)). Unfortunately, you cannot buy automatic failover off the shelf, wrapped up in a box. It is something you need to design carefully, with hardware improvements where required and proven traffic engineering techniques.

What we have learnt over the years working with data networks in the Pacific Islands is that, as much as you want to blame the service provider(s) for poor throughput and link instability, it is just as easy to find creative solutions. Sometimes the situation is beyond the service provider's control: a cable or fibre cut on a long-haul link, an exchange being vandalised, or an RF link losing line of sight in harsh weather. Then there are the cases where service providers oversubscribe their links and there is constant contention on the network. That is simply bad practice.

In this article, we would like to explore a handful of options for making the best use of the technologies you already have, to improve network stability and performance rather than succumb to limitations outside your control.

    Automatic Failover As An Option

By far the most effective data network solution available across the Pacific Islands right now, period. So what is it? Simply put, automatic failover means having two service providers integrated into your network instead of one, with one acting as primary and the other as secondary. Should the primary provider fail, the secondary takes over automatically and seamlessly, without any intervention from your IT team.

You could take this one step further and engineer the two provider links to run active/active, or, in more complex variations, load-share between the two providers. The best part is that the provisioning and conditioning of these links is completely transparent to the service providers, so you keep full control of your traffic flow.

    The diagram below illustrates one variation of this technology used in Papua New Guinea.
Figure 1: Secure Tunnelling solution with Automatic Failover.

    Secure Your WAN Links

So how secure are your data links? No telco or service provider anywhere in the world will vouch that its data links are 100% secure; this is a known fact. The Pacific Islands are no different; in fact, the likelihood of a link being physically compromised there is much greater. You are bound to hear tales of fibre being uprooted and data centres and exchanges being vandalised. Today these threats mostly affect the hardware and the infrastructure build, but before long your intellectual property and data integrity will be at immense risk. So what can you do to safeguard your data network right now, today? The simplest answer is to encrypt your data links. You don't need to buy a fancy firewall or build dedicated VPNs (although these are very valid options); enterprise-grade secure tunnelling over the links you already have will do, and you can put it in place today if you have the right tools and people. Keep in mind that encryption protects the confidentiality and integrity of what crosses the link, not its availability; that is what the failover design above is for.
The article 'How To Create A Stable and Secure Data Network' is a blueprint for building secure data networks. Use it; don't put it off.

    Is Your Service Provider Delivering?

    You buy a 2Mbps service between your branch office and HQ. If you’re the ICT manager two questions should immediately pop up.

    Question 1: What’s the guarantee you are indeed getting the throughput you paid for?
    Answer: You just have to take their word for it.

    Question 2: Can you trust your service provider?
    Answer: The straightforward answer is; you shouldn’t!

We have talked about factors beyond the control of service providers, and we have also touched on how some service providers bite off more than they can chew; this is how most of them maximise the utilisation of their network. On your 2Mbps link, what throughput can you expect? Is there a benchmark for acceptable throughput? And how can you verify it?
The throughput benchmark should be part of the SLA provided by your service provider, along with the expected average round-trip time. Use an enterprise-grade network performance monitoring tool to check your TCP throughput on a regular basis.
If your network is not equipped with a TCP throughput monitoring tool, use the following technique to get a rough estimate. We use the method and formula described in RFC 6349 (https://tools.ietf.org/html/rfc6349). By punching a few numbers into a desktop calculator and using the formula below, you can arrive at a value close to what your service provider has promised, give or take 10%.
When TCP is used to transfer data, the two factors that matter most are the TCP window size and the round-trip latency. If you know both, you can calculate the maximum possible throughput of a single TCP transfer between two hosts, regardless of how much bandwidth the link has; the link bandwidth is a second ceiling, and the lower of the two wins.

The Formula To Calculate TCP Throughput

Maximum TCP throughput (bits per second) = TCP window size (bits) / round-trip time (seconds)

We will illustrate this using a real-life example from one of our customers in Papua New Guinea, with HQ in Port Moresby and a branch in Kavieng. The customer uses two service providers (Telikom PNG and Digicel) with automatic failover.

Figure 2: 2Mbps Link between Port Moresby, HQ and Kavieng over the Digicel Network.

The figure above depicts the point-to-point connectivity between HQ and the branch over a 2Mbps link with a round-trip latency of 271 milliseconds (using the Digicel service). If we transfer a large file from a server in Port Moresby to a server in Kavieng using FTP, what is the best throughput we can expect?

First, convert the TCP window size from bytes to bits. In this case, we use the standard 64KB TCP window of a Windows machine.
64KB = 65536 bytes. 65536 x 8 = 524288 bits

Next, divide the TCP window in bits by the round-trip latency of the link in seconds. With a latency of 271 milliseconds we use 0.271 in the calculation.
524288 bits / 0.271 seconds = 1934642 bits per second, i.e. 1.93Mbps maximum possible throughput for that single transfer, just under the 2Mbps purchased.

As a customer you might view this as a straight point-to-point connection, but from the service provider's perspective the connection could be multiple hops away, which adds to the latency.
For a quick approximation of the round-trip delay, you can use a standard Windows machine to run a basic PING test to another Windows machine across the 2Mbps service. The screenshots below show the output of the tests we ran over Digicel and Telikom PNG between Kavieng and Port Moresby.
Figure: PING test over Digicel.

Figure 3: PING test over Telikom PNG.
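The following Python script is an added worked example (it is not the post's own tool) that carries the RFC 6349-style estimate through end to end: it pulls the per-reply round-trip times out of ping output (both the Windows "time=271ms" and the Linux "time=271 ms" forms), averages them, applies the window/RTT formula above, and then runs it the other way round to give the window needed to fill the link (the bandwidth-delay product) and the RFC 7323 window-scale shift that would require. The ping output inside it is constructed to reproduce the 271 ms of the Kavieng example; the 2,000,000 bit/s link rate and the 65,536-byte window are assumptions passed in by the caller.

```python
"""RFC 6349-style single-flow TCP throughput estimate from a ping sample.

Added worked example, not the post's own tool.  SAMPLE_PING_OUTPUT is
constructed to reproduce the 271 ms round trip quoted in the article; the
link rate and window size are assumptions supplied by the caller.
"""
import math
import re
from dataclasses import dataclass

# Per-reply RTT as printed by ping: "time=271ms" / "time<1ms" (Windows) or
# "time=271 ms" (Linux, BSD).  Only the number is captured; lost packets
# print no "time=" and are therefore skipped.
_RTT_RE = re.compile(r"time[=<]\s*([0-9]+(?:\.[0-9]+)?)\s*ms")

# Constructed Windows-style ping output (four replies averaging 271 ms).
SAMPLE_PING_OUTPUT = """\
Pinging 10.20.30.1 with 32 bytes of data:
Reply from 10.20.30.1: bytes=32 time=268ms TTL=62
Reply from 10.20.30.1: bytes=32 time=274ms TTL=62
Reply from 10.20.30.1: bytes=32 time=269ms TTL=62
Reply from 10.20.30.1: bytes=32 time=273ms TTL=62
"""

DEFAULT_WINDOW_BYTES = 65536   # the 64 KB window used in the article
MAX_UNSCALED_WINDOW = 65535    # largest window the 16-bit TCP field can carry


def rtt_samples_ms(ping_output: str) -> list[float]:
    """Return every per-reply round-trip time (ms) found in ping output."""
    return [float(m.group(1)) for m in _RTT_RE.finditer(ping_output)]


def average_rtt_ms(ping_output: str) -> float:
    samples = rtt_samples_ms(ping_output)
    if not samples:
        raise ValueError("no echo replies in ping output")
    return sum(samples) / len(samples)


def max_tcp_throughput_bps(window_bytes: int, rtt_ms: float) -> float:
    """Window-limited ceiling for one TCP flow: one window per round trip."""
    if rtt_ms <= 0:
        raise ValueError("RTT must be positive")
    return window_bytes * 8000.0 / rtt_ms


def bandwidth_delay_product_bytes(link_bps: int, rtt_ms: float) -> int:
    """Bytes that must be in flight to keep a link_bps link full at rtt_ms."""
    return math.ceil(link_bps * rtt_ms / 8000.0)


def window_scale_shift(required_bytes: int) -> int:
    """Smallest RFC 7323 shift count with 65535 << shift >= required_bytes."""
    shift = 0
    while (MAX_UNSCALED_WINDOW << shift) < required_bytes:
        shift += 1
        if shift > 14:   # RFC 7323 caps the shift count at 14
            raise ValueError("required window exceeds the RFC 7323 maximum")
    return shift


@dataclass
class LinkAssessment:
    rtt_ms: float
    window_limited_bps: float    # ceiling from the window alone
    achievable_bps: float        # the lower of that ceiling and the line rate
    required_window_bytes: int   # bandwidth-delay product
    window_is_sufficient: bool
    scale_shift: int             # 0 means no window scaling needed


def assess_link(ping_output: str, link_bps: int,
                window_bytes: int = DEFAULT_WINDOW_BYTES) -> LinkAssessment:
    """Combine the ping sample, the purchased rate and the window into one verdict."""
    rtt = average_rtt_ms(ping_output)
    ceiling = max_tcp_throughput_bps(window_bytes, rtt)
    bdp = bandwidth_delay_product_bytes(link_bps, rtt)
    return LinkAssessment(
        rtt_ms=rtt,
        window_limited_bps=ceiling,
        achievable_bps=min(ceiling, float(link_bps)),
        required_window_bytes=bdp,
        window_is_sufficient=window_bytes >= bdp,
        scale_shift=window_scale_shift(bdp),
    )


if __name__ == "__main__":
    # Assumed 2 Mbps service, taken as 2,000,000 bit/s, as in the article.
    a = assess_link(SAMPLE_PING_OUTPUT, link_bps=2_000_000)
    print(f"average RTT {a.rtt_ms:.0f} ms; 64 KB window caps one TCP flow "
          f"at {a.window_limited_bps / 1e6:.2f} Mbps")
    print(f"filling the link needs {a.required_window_bytes} bytes in flight; "
          f"default window sufficient: {a.window_is_sufficient}; "
          f"RFC 7323 scale shift needed: {a.scale_shift}")
```

Run it against the output of your own ping to the far-end router and pass the rate you are paying for. Two things the formula in the post does not make explicit fall out of the second half: at 271 ms the 64 KB window is already the bottleneck on a 2 Mbps service (67,750 bytes are needed in flight, so the window, not the link, caps the transfer at 1.93 Mbps), and on anything faster than that the window caps a single flow at the same 1.93 Mbps no matter what you buy unless window scaling is negotiated on both hosts. Remember that ping measures ICMP round trip, which providers sometimes deprioritise, so treat the result as the approximation the post calls it.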

    How Solid Is Your Core LAN/WAN Design

We were brought in by a superannuation company to assist with a slow-response problem. Our first reaction was that it was an ISP link issue. We verified the throughput, which was within SLA, and then narrowed it down to the core infrastructure. The more we troubleshot the problem, the more we realised how poorly the core network was designed. Long story short, the problem was caused by inconsistencies in Spanning Tree: the customer had a consumer-grade 8-port hub/switch performing server aggregation alongside Cisco switches and routers. Straight off the bat, that is a sign of bad network design. Worst of all, there were no network diagrams, which created more work and delayed the resolution.

    So the moral of the story is you cannot always control the service providers, but you can take better care of your own Network. To do that you need best practice design solutions that will scale well and accommodate growth.

You cannot combat your company's own inertia if you keep treating IT as just a cost centre. For IT to contribute to the organisation's overall vision and deliver tangible value to the business, it needs legs of its own. It needs people with the right technical know-how.

It can do without the CFO who, for 3 consecutive years, vetoes the ICT manager's sound recommendation to upgrade the WAN hardware (because the WAN routers are only 8 years old) or to improve redundancy with a secondary ISP, and then turns around and blames IT for poor network performance.

When do you "know" that your IT is falling short? You know when your marketing team comes up with a project or application to drive more business but cannot leverage the current IT capabilities. You know when response times are excessively slow during file access, locally or across the WAN.

Even a 3-page blog post on this topic would barely scratch the surface. It is not a one-size-fits-all topic, nor is there an ideal design that will still be perfect 12 months from now. But you can engineer your network using best-practice design to handle growth, minimise security risks and ease troubleshooting during an outage, together with clear, concise network diagrams.

For aspiring ICT managers who are brave enough to take on the responsibility of redesigning their data networks, use the following as a guide: Campus Wired LAN Technology Design Guide

    Let's Get Started, Shall We?

Should you have any queries, please do not hesitate to contact us; we're just a click away! If you would like to get on board, know more or ask a question, please drop us an e-mail: info@sprintnetworks.com