Connection Profile (aka Tunnel Group) controls the "Pre-logoin Policy"
Example flow.
Monday, 29 September 2014
VPN Profile and Policies
Connection Profile (aka Tunnel Group) controls the "Pre-logoin Policy"
Example flow.
Flex VPN
Flex VPN (IKEv2)
One of the advantages of IKEv2 is that we can use multiple options in the proposal while in IKEv1, we need to create mutiple proposals for this to happen.ciscoasa(config-ikev2-policy)# encryption aes-192 aes
ciscoasa(config-ikev2-policy)# integrity sha256 sha
ciscoasa(config-ikev2-policy)# prf sha256 sha
ciscoasa(config-ikev2-policy)# group 5 2
IKEv2
-Proposas (hagle)
-Key Ring (keys)
-Policy (VRF & address limits)/Restriction
-Profile (identities, auth methods)
IPsec
-Transforms
-Profiles
#show crypto ikev2 proposal default
#show crypto ikev2 policy default
#show crypto ikev2 profile default
#show crypto ipsec transform-set default
#show crypto ipsec profile default
#show crypto ikev2 sa
#show crypto ipsec sa
#show crypto engine connections active
Benefits of IKEv2
-DPD(dead peer detection), NAT traversal
-DoS Attack Resilience (in v1, CAC is used to limit)
-EAP, Better Sequencing
-Same engine option IPv4/IPv6
In IKEv2, only HGE(of HAGLE) are configured in IKEv2 Proposal.
A and L are configured under IKEv2 Profile. Profile also holds Key Ring.
FlexVPN "Mode Configuration"
Added Componenets on HubAAA network Authorization method list
IKEv2 Authorization policy
IP local pool(for demo)
Add Author Policy to IKEv2 Profile
FlexVPN Clients
Added to Spokes:AAA Network Authorization method list
ACL to ID Routes to Push to Server
IKEv2 Authorization Policy to Call on ACL
Add Author Policy to IKEv2 Profile
Tunnel destination Dynamic
Create FlexVPN "Client" config
show crypto ikev2 client flexvpn
Sunday, 28 September 2014
Dynamic Multipoint VPN (DMVPN)
Dynamic Multipoint VPN (DMVPN)
Mechanics of DMVPN-mGRE Tunnel Interfaces
-Static & Dynamic IPs
-Routing Protocol
-Next Hop Resolution Protocol(NHRP) for Spoke discovery
-The Hub needs a static IP but spokes do not
By default, on a tunnel interface, GRE is used.
Tunnel key, nhrp network id,nhrp authentication password,
show ip nhrp, show dmvpn (12.9 or later)
GRE Protocol number = 47
Configuration
Phase 1 - isakmp policy (HAGLE - 5 elements to negotiate with peer)-H = Hash (data integrity check)
-A = Authentication (validate the peer at the other side)
-G = Deffie Helman Group (algorithm to run between 2 devices to setup a set of shared secret key material)
-L = Lifetime (how long this tunnel is up)
-E = Encryption (confidentiality)
Phase 2 - IPsec transform-set
crypto isakmp policy 5
hash sha
authen pre-share
group 5
encryp aes 128
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set OURSET esp-aes esp-sha-hmac
mode transport
crypto ipsec profile OUR_IPSec_PROFILE
set transform-set OURSET
//On HUB
interface Tunnel0
description DMVPN
ip address 172.16.0.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 777
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp shortcut
ip nhrp redirect
ip tcp adjust-mss 1360
no ip split-horizon eigrp 777
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 6783
tunnel protection ipsec profile OUR_IPSec_PROFILE
end
//On Spoke
interface Tunnel0
description DMVPN
ip address 172.16.0.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco123
ip nhrp map 172.16.0.1 15.0.0.1
ip nhrp map multicast 15.0.0.1
ip nhrp network-id 1
ip nhrp nhs 172.16.0.1
ip nhrp shortcut
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 6783
tunnel protection ipsec profile OUR_IPSec_PROFILE
end
DMVPN IKE Call Admission Control (CAC) - Upper limits & Clipping
CAC Protection
-In-negotiation limit
-SA limit
R1#show crypto call admission statistics (look at Max IKE SAs, Max in nego:)
(config)#crypto call admission limit ike sa 2 //to set max number of sa
(config)#crypto call admission limit ike in-negotiation-sa 10 //to set max in nego
Sunday, 7 September 2014
Shares and NTFS Permissions, Offline Files, VSS, Work Folders
Share Permissions
Network Only
1st line of defense
Read, Change, Full Control
Folders only
Effective permission with multiple group membership
Deny always wins
Combine with NTFS
Administrative shares
Configuring Access-based enumeration which displays only the files & folders that a user has permissions to access.If a user does not have Read(or equivalent)permission to a folder,windows hides the folder from the user's view.
NTFS Permissions
Primary tool for access control
Files and folders
Applies locally + Remotely
Inheritance applies
-can block parent
-can reapply parent
Standard Permission:Full contorl,modify,R+W,R,W,list
Advanced permissions
Order of inheritance (bottom to top)
1.Explicit Deny
2.Explicit allow
3.Inherited deny
4.Inherited allow
Effective access in Advanced security settings - provide what if scenario
Offline Files
Network Shares (offline settings)
Files available when disconnected or "Work Offline"
Very good sync mechanism
Configure with "Offline settings"(caching) or GPO (Computer Cfg-Admin Templates-Network-Offline files)
Disk Quotas
Limit Disk usage
configuration
-windows explorer
-templates
-soft or hard
-drive only in explorer
-set quota for folders in File server resource manager(FSRM) -very useful for file servers
Data Deduplication
Volume Shadow Copy
VSS Useful for
-VM Snapshots
-Backup operations(VSSAdmin alone is not Backup)
-File recovery
File Recovery
-On the fly restore
-Schedule shadow copies
-Not limited to shares
-Monitor large restore jobs
VSSAdmin query reverts /For=Volume, /All
To configure, right click on the drive->configure shadow copies->Enable
Work Folders
Access to User's own work files
-SMB/Mapped
-Domai joined worktation
-Non-domain joined workstation, bring your own devices(these are advantages over offline files)
Available when connected or not
Offline changes automatically synced when reconnected
Transparent conflict resolution(files will be named <name+pc name>if there is conflict)
Hub/Spoke topology
Works with file screens, classification, quotas, clustering
Grant access in setup (best with Group + fine tune with NTFS permission)
Security policies for encryption, screen lock
Can implement with existing folder redirection,offline files,home
Must be locally attached server storage
-No DFS
-No VNC source
1 work folder per user per device
Not collaborative (look to sharepoint, skydrive pro)
Server Basic Configuration Steps
-Define appropriate users-->Groups
-Add Sync server role (under Files and Storage Services)
-Configure Role
-DNS (create A record), Certs, Proxy
Client Configuration
-Control panel configuration
-Access via "work folders"
-Can enforce with GPO (computer cfg-administrative templates-windows componenets-work folders). (user cfg-administrative templates-windows componenets-work folders)
Network Only
1st line of defense
Read, Change, Full Control
Folders only
Effective permission with multiple group membership
Deny always wins
Combine with NTFS
Administrative shares
Configuring Access-based enumeration which displays only the files & folders that a user has permissions to access.If a user does not have Read(or equivalent)permission to a folder,windows hides the folder from the user's view.
NTFS Permissions
Primary tool for access control
Files and folders
Applies locally + Remotely
Inheritance applies
-can block parent
-can reapply parent
Standard Permission:Full contorl,modify,R+W,R,W,list
Advanced permissions
Order of inheritance (bottom to top)
1.Explicit Deny
2.Explicit allow
3.Inherited deny
4.Inherited allow
Effective access in Advanced security settings - provide what if scenario
Offline Files
Network Shares (offline settings)
Files available when disconnected or "Work Offline"
Very good sync mechanism
Configure with "Offline settings"(caching) or GPO (Computer Cfg-Admin Templates-Network-Offline files)
Disk Quotas
Limit Disk usage
configuration
-windows explorer
-templates
-soft or hard
-drive only in explorer
-set quota for folders in File server resource manager(FSRM) -very useful for file servers
Data Deduplication
Volume Shadow Copy
VSS Useful for
-VM Snapshots
-Backup operations(VSSAdmin alone is not Backup)
-File recovery
File Recovery
-On the fly restore
-Schedule shadow copies
-Not limited to shares
-Monitor large restore jobs
VSSAdmin query reverts /For=Volume, /All
To configure, right click on the drive->configure shadow copies->Enable
Work Folders
Access to User's own work files
-SMB/Mapped
-Domai joined worktation
-Non-domain joined workstation, bring your own devices(these are advantages over offline files)
Available when connected or not
Offline changes automatically synced when reconnected
Transparent conflict resolution(files will be named <name+pc name>if there is conflict)
Hub/Spoke topology
Works with file screens, classification, quotas, clustering
Grant access in setup (best with Group + fine tune with NTFS permission)
Security policies for encryption, screen lock
Can implement with existing folder redirection,offline files,home
Must be locally attached server storage
-No DFS
-No VNC source
1 work folder per user per device
Not collaborative (look to sharepoint, skydrive pro)
Server Basic Configuration Steps
-Define appropriate users-->Groups
-Add Sync server role (under Files and Storage Services)
-Configure Role
-DNS (create A record), Certs, Proxy
Client Configuration
-Control panel configuration
-Access via "work folders"
-Can enforce with GPO (computer cfg-administrative templates-windows componenets-work folders). (user cfg-administrative templates-windows componenets-work folders)
Saturday, 6 September 2014
Configuring Local Storage
Basic Disk
-Default Disk type, Widely compatible, Easily accessible
-Up to 4 primary or <4 with Extended + Logical
-No fault tolerance (apart from Raid controller)
Dynamic Disk
No Direct performance benefit
Volumes (not partitions)
Allows for Multi-Disk configurations
-Simple
-Spanned (2 disks or more; data faill over to 2nd disk after 1st one is full)
-Striped (RAID-0) (data is written across all available disks; if one disk fails,remaining disk has no meaningful data on them; no failover,redudancy)
-Mirrored (RAID-1) (
-Stripe set with parity (RAID-5) (3 or more diks;data is written to 2 disks with parity data written to 3rd disk.If one of the first 2 disks fail,data can still be retrieved using paritial data from remaining disk and parity data on 3rd disk)
Most Admin don't use
RAID-10 not available
File Systems
FAT/FAT32/exFAT
-No security, widely compatible
NTFS
-Security permission,encryption or compression,auditing,quotas,file tagging,large files+Vols
ReFS (Resilient File System)
-Even larger files,directories, volumes
-High resiliency: error correction, verification
-Backward compatible
Partition Types
MBR Disks
-Traditional partition table, 2TB max
GPT Disks
-128 partitions;
-partition up to 8ZB
-HD up to 18GB
Create+mount VHD, VHDX (can create VHD in Disk management,attach,online and use as a drive)
Storage Spaces (Poor Man's SAN)
SANs are very expensive + require high expertise
Win12 + Win8
Virtual Disks
-Not VHD, VHDX (virtual hard disks)
-Formed from storage pooll
Storage Pools
-1 or more disks (Internal, external, various interfaces)
-Easily extended with more unformatted disks
-Can be fault tolerant
-Can be thin provisioned (starts with minimum amount needed and still can grow as necessary)
Virtual Disk (Configuration)
Storage layout
-Simple (no redundancy)
-2 or 3 way mirror
-Parity
Provisioning
-Fixed
-Thin
Allocation
-Data Store
-Manual
-Hot Spare (in the event of one hard dik failure, hot spare disk is automatically used)
Replacement + Hot spare automatically sync
Steps-> Take physical disks and create storage pool. Then create virtual disk using that storage pool
Storage Tier (hot files<frequently accessed> and cold files)
Virtualization - Hyper V
Virtualization (Hyper-V)
Application virtualization
Service + Application isolation
Easy Deployment
-VMM (virtual machine manager) templates
-Self-service portals
Legacy Apps + OS
-Client Hyper-V
-MED-V
Server consolidation
Current hardware is under-utilized
Benefits
-Higher density
-Less or centralized management
-Optimized resources + very high ROI
-Sand boxing labs
-Efficient virus scan, Backup
-Greener
-Can replicate, migrate
Hyper-V Requirements
Win-12 Full/Core/Hyper-V server
X64 with Second level address translation (SLAT) + Data Execution Prevention (DEP)
Processing - Up to Host + Guest Requirements
Memory - Up to Host + Guest Requirements
Storage - Up to Host + Guest Requirements
-I/O is Critical
-Conisder VMs on different Disks+SAN,RAID,SSD,Hybrid SSD
-Multiple NICs
GUEST MAX
-1TB RAM, 32 CPU
Hyper-V Client Configuration:Settings
Dynamic Memory
Smart Paging
Resource metering (for billing purpose, etc)
Guest integration services
Hyper-V Settings:Storage
VHD-Original Recipe 2TB Max
VHDX
-64TB MAX,more resilient,better aligned to large sectors,larger block size(Dynamic/Diff)
Modify VHD (using powershell, we could add/remove features offline without starting OS)
Edit virtual disk wizard (VHD <--> VHDx)
Differencing drives (keeping tomorrow' data/image on different disk/drive)
Pass through disks (add external disk/drive in local OS without the need to go through Hyper-V adapter? performance increase; disk must be offine on host machine first)
Snapshots (point in time instance of the OS)
Fibre Channel Adapter
Hyper-V Settings:Network
Network Virtualization with Vlans
Configure switches (same as VM host only adapter,bridge mode, etc.)
COnfigure available MAC addresses
Synthetic + Legacy virtural network adapters
Application virtualization
Service + Application isolation
Easy Deployment
-VMM (virtual machine manager) templates
-Self-service portals
Legacy Apps + OS
-Client Hyper-V
-MED-V
Server consolidation
Current hardware is under-utilized
Benefits
-Higher density
-Less or centralized management
-Optimized resources + very high ROI
-Sand boxing labs
-Efficient virus scan, Backup
-Greener
-Can replicate, migrate
Hyper-V Requirements
Win-12 Full/Core/Hyper-V server
X64 with Second level address translation (SLAT) + Data Execution Prevention (DEP)
Processing - Up to Host + Guest Requirements
Memory - Up to Host + Guest Requirements
Storage - Up to Host + Guest Requirements
-I/O is Critical
-Conisder VMs on different Disks+SAN,RAID,SSD,Hybrid SSD
-Multiple NICs
GUEST MAX
-1TB RAM, 32 CPU
Hyper-V Client Configuration:Settings
Dynamic Memory
Smart Paging
Resource metering (for billing purpose, etc)
Guest integration services
Hyper-V Settings:Storage
VHD-Original Recipe 2TB Max
VHDX
-64TB MAX,more resilient,better aligned to large sectors,larger block size(Dynamic/Diff)
Modify VHD (using powershell, we could add/remove features offline without starting OS)
Edit virtual disk wizard (VHD <--> VHDx)
Differencing drives (keeping tomorrow' data/image on different disk/drive)
Pass through disks (add external disk/drive in local OS without the need to go through Hyper-V adapter? performance increase; disk must be offine on host machine first)
Snapshots (point in time instance of the OS)
Fibre Channel Adapter
Hyper-V Settings:Network
Network Virtualization with Vlans
Configure switches (same as VM host only adapter,bridge mode, etc.)
COnfigure available MAC addresses
Synthetic + Legacy virtural network adapters
Thursday, 4 September 2014
Group Policy - GPO
Group Policy Objects
A Group of registry settings (not security groups)
Components
-Templates (more can be added to default)
-GPO files in Sysvol(C:\windows\PolicyDefinitions\admx file)
-Linked to AD OUs, sites, domains
-Special settings
Interfaces (how/where to view/edit)
-Local Group policy
-Group policy management console (GPMC)
-Group policy management editor (GPME)
-Group policy object editor from mmc for user/group specific (Multiple local group policy - making exception to local GPO)
Local Group Policy
Applies only locally (can export/import)
Computer configuration - Applies to all users/everyone
User configuration - Applies to all unless ..
-Administrator/non-administrators policy
-User-specific policy (not groups)
Can use on any Domain or Non-domain except DC
Local processing of local GPO can be disabled via a GPO
Usefulness
-Servers with specific exceptions (Eg.diable control panel except for Admins)
-Non-Domain System
Applying Policy
Link enabled
Block Inheritance
Enforce
Refresh
-Startup (computer config policy)
-Logon (user config policy)
-90 min+random 30min, DCs 5 min
-Gpupdate
-PS invoke-gpupdate
-Right-click OU
Templates + Central Store
Template
-Acutal GPO settings
-Can get additional (e.g, office)
-Each OS releases adds new template settings
Central Store
-Previous windows clould have mismatch templates
-Already configured
-..But might have to copy most current templates from C:\windows\policyDefinitions (local) to DC@C:\windows\sysvol\domain\policies
Scope of Management
Very important
User config -link to-> User OU
Computer config -link to-> Computer OU
Multiple group policies often apply
-Settings are cumulative
-Conflicts: last policy wins
Processing Order
Local Default
|-> Site
|-> Domain
|-> OU
|-> OU
Security Filtering (to make exceptions)
A Group of registry settings (not security groups)
Components
-Templates (more can be added to default)
-GPO files in Sysvol(C:\windows\PolicyDefinitions\admx file)
-Linked to AD OUs, sites, domains
-Special settings
Interfaces (how/where to view/edit)
-Local Group policy
-Group policy management console (GPMC)
-Group policy management editor (GPME)
-Group policy object editor from mmc for user/group specific (Multiple local group policy - making exception to local GPO)
Local Group Policy
Applies only locally (can export/import)
Computer configuration - Applies to all users/everyone
User configuration - Applies to all unless ..
-Administrator/non-administrators policy
-User-specific policy (not groups)
Can use on any Domain or Non-domain except DC
Local processing of local GPO can be disabled via a GPO
Usefulness
-Servers with specific exceptions (Eg.diable control panel except for Admins)
-Non-Domain System
Applying Policy
Link enabled
Block Inheritance
Enforce
Refresh
-Startup (computer config policy)
-Logon (user config policy)
-90 min+random 30min, DCs 5 min
-Gpupdate
-PS invoke-gpupdate
-Right-click OU
Templates + Central Store
Template
-Acutal GPO settings
-Can get additional (e.g, office)
-Each OS releases adds new template settings
Central Store
-Previous windows clould have mismatch templates
-Already configured
-..But might have to copy most current templates from C:\windows\policyDefinitions (local) to DC@C:\windows\sysvol\domain\policies
Scope of Management
Very important
User config -link to-> User OU
Computer config -link to-> Computer OU
Multiple group policies often apply
-Settings are cumulative
-Conflicts: last policy wins
Processing Order
Local Default
|-> Site
|-> Domain
|-> OU
|-> OU
Security Filtering (to make exceptions)
Policies and Preferences
Both are mostly Registry punches
Policies (managed)
-Setting is permanent(eg. Grayed out UI)
-Applied at startup, logon, refresh
-Removing policy reverts to default
-Takes precedence over preference
Preferences (unmanaged)
-User can reverse setting(UI not grayed out)
-Applied+Refreshed or do not reapply
-Setting tattoos registry
-Not available for local GPO
-Often useful for desktop icons,shortcuts,URL on desktop,send to,mapped drive,
Starter GPOs
Commonly desired(not required) settings
Administrative templates only
To start, create folder
-includes canned starters
Often used for roles
-Various types of servers
-laptops
-desktops
-security sensitive
Exportable to CAB (cabinet files->compressed file)
Default GPO Permissions
Full Access
-Domain admin, Enterprise admin, Creator owner, Local system
Read/Apply: Authenticated users
Gran Additional permissions
-Create:Add to GP creator/owner
-Edit: R/W via Group policy management console(GPMC)
-Link mgmt: Delegation in GPM or Delegation of Control Wizard(DoCW)
-Modeling/Results: Delegation in GPM or Delegation of Control Wizard(DoCW)
GPO Security Settings
User Rights
Security Options
User Account Control
Audit Policy
Security Templates
Pre-configured settings for "security settings" (.inf)
Apply to single or multiple
Apply locally or GPO
Settings
-Account policies,local policies,event log,restricted group,system services,registry,file system
Configuration
-GPO, secedit.exe,security config and analysis(launch using mmc)+security template consoles, security compliance manager(download)
Locking down software
Software restriction policy
-Designed for legacy windows, fairly easy to bypass, all apps allowed by default
AppLocker
-Designed for win7/8,2008 r2,2012, less easy to bypass, all apps denied by default(GPO-Computer config-Windows settings-Security settings-Application control policies). Note: need to start "Application identity" service and this can be done via (Security settings-System services)in same policy.
Both are mostly Registry punches
Policies (managed)
-Setting is permanent(eg. Grayed out UI)
-Applied at startup, logon, refresh
-Removing policy reverts to default
-Takes precedence over preference
Preferences (unmanaged)
-User can reverse setting(UI not grayed out)
-Applied+Refreshed or do not reapply
-Setting tattoos registry
-Not available for local GPO
-Often useful for desktop icons,shortcuts,URL on desktop,send to,mapped drive,
Starter GPOs
Commonly desired(not required) settings
Administrative templates only
To start, create folder
-includes canned starters
Often used for roles
-Various types of servers
-laptops
-desktops
-security sensitive
Exportable to CAB (cabinet files->compressed file)
Default GPO Permissions
Full Access
-Domain admin, Enterprise admin, Creator owner, Local system
Read/Apply: Authenticated users
Gran Additional permissions
-Create:Add to GP creator/owner
-Edit: R/W via Group policy management console(GPMC)
-Link mgmt: Delegation in GPM or Delegation of Control Wizard(DoCW)
-Modeling/Results: Delegation in GPM or Delegation of Control Wizard(DoCW)
GPO Security Settings
User Rights
Security Options
User Account Control
Audit Policy
Security Templates
Pre-configured settings for "security settings" (.inf)
Apply to single or multiple
Apply locally or GPO
Settings
-Account policies,local policies,event log,restricted group,system services,registry,file system
Configuration
-GPO, secedit.exe,security config and analysis(launch using mmc)+security template consoles, security compliance manager(download)
Locking down software
Software restriction policy
-Designed for legacy windows, fairly easy to bypass, all apps allowed by default
AppLocker
-Designed for win7/8,2008 r2,2012, less easy to bypass, all apps denied by default(GPO-Computer config-Windows settings-Security settings-Application control policies). Note: need to start "Application identity" service and this can be done via (Security settings-System services)in same policy.
Wednesday, 3 September 2014
Active Directory notes
From powershell - adsiedit
more group memberships for a user makes longer time for user when loggin in.
_Template user account for easy copying in AD users and groups.
Offline domain join (clients)
Forest root is the first doamin in your forest.
The Global Catalog
--
What is it?
-Full copy of host domain objects
-Partial read-only of other domains in same forest
What benefit does it provide?
-Simpler searches across domains
-No need to contact source DCs
-User principle name authentication
-Validates forest objects
-Universal Group membership WFO
Single Domain - No burden
Multi-Domain - Consider added replication
To make a DC a GC server, go to AD sites and services.
under servers - DC name - NTDS settings - Properties
Four types of Trust
-External (one way forest trust, etc)
-Shortcut (within forest to avoid walking down the trees)
-Realm (between AD and kerberos realm)
-Forest
Federation (trust created for external domain user to access specific application)
SRV records - DNS "SRV" Entries - critical to proper function of AD
If deleted accidentally, in command prompt "nltest /dsregdns"
other useful commands - dcdiag /fix
http://cbt.gg/M6vHml
http://cbt.gg/MfofRw
--------------------
Active Directory Automating User accounts
MethodsLDIFDE - LDAP interchange format directory exchange
CSVDE -
DSADD (more common in future)
-DSMOD
-DSQUEM/DSGET
-DSMOVE
-DSRM
Powershell (more common in future)
AD Group types
Organizational Units
AD Object-contain users, groups, computers
-mostly for simplifying administration
-not for permission
-very powerful with GPO
Users + COmputers containers: Not OUs
Redirusr + Redircmp
Delegation
Configure OU permission to allow user/groupsome level of administration
Useful to narrow management
Prevents over permissions
Usefulness
-interns, smaller offices, limt admin scope
Monday, 1 September 2014
Basic of Finance
Eg. Bag making and selling startup
There are 3 types of expenses. The first is her startup costs which are the expenses that happened before the beginning of the business plan. The second type of expense is a fixed cost. Fixed costs are goods and services that do not depends on the number of items that she is making. Last type of expense is a variable cost. Variable costs are costs that vary based on the number of items produced.
Break-even point - the number of bags she needs to sell each month to cover her expenses.
Break-Even point Calculator
Remember to count in hidden expenses in your cost.
Income Statement-Simple
http://ohioline.osu.edu/cd-fact/1153.html
There are 3 types of expenses. The first is her startup costs which are the expenses that happened before the beginning of the business plan. The second type of expense is a fixed cost. Fixed costs are goods and services that do not depends on the number of items that she is making. Last type of expense is a variable cost. Variable costs are costs that vary based on the number of items produced.
Break-even point - the number of bags she needs to sell each month to cover her expenses.
Break-Even point Calculator
http://www.youtube.com/results?search_query=Small+Business+Finance+peter+cameron
Remember to count in hidden expenses in your cost.
Income Statement-Simple
http://ohioline.osu.edu/cd-fact/1153.html
Cash Flow - Cash flow is the measure of how much money is coming in and going out of your business during a given period of time. Cash flow is the difference between your total incoming cash and total outgoing cash. Cash flow is different from profit and loss. A business might be on track to make a profit over the course of a year but still get into trouble if the owners do not keep track of their cash flow. Cash flow will tell whether a business is on track to lose or gain money and help you to predict whether you will have enough cash to operate your business.
How can keeping track of your cash flow help your business?
A cash flow projection is a worksheet that uses financial records from your business's past to forecast the amount of incoming and outgoing cash that you can expect your business to receive. You can use a cash flow projection to estimate when your business will be busiest and to help you make decisions about when during the year you should plan to save more money or to make more investments.
Having and maintaining a cash flow projection can help you understand the general trends in your business more clearly and be better prepared for any surprises that may come your way. To create a cashflow projection, use your business's historical financial records to estimate your expected income and expenses in the future.If you do not have historical records, research the market to estimate when you can expect to experience busier or slower times in your business.
Cashflow Projection worksheet
Cashflow Projection worksheet
Online Cashflow calculator
http://www.morebusiness.com/cash-flow-problems
http://www.powerhomebiz.com/blog/2009/07/7-common-cash-flow-problems-faced-by-small-businesses/
Subscribe to:
Posts (Atom)