Messages - deanwebb

#1
THE MUSEUM OF FORUM FAIL / Re: Wrong way to spam...
April 13, 2024, 09:01:31 AM
Quote from: icecream-guy on April 13, 2024, 07:33:17 AM
at least they are polite, creating informative username, _and_ posting in the correct forum.

Yes, credit where it's due, for sure.
#2
I'll keep the flattery, deleted the spam.  :smug:
#3
Forum Lobby / Re: Perpetual Weekend Thread
April 10, 2024, 09:50:06 AM
Quote from: Otanx on April 10, 2024, 08:23:36 AM
Then someone created a Jira task for watching the eclipse to make sure we could all record our time correctly.

WIN
#4
Forum Lobby / Re: Perpetual Weekend Thread
April 09, 2024, 10:33:45 AM
Saw the eclipse yesterday in Dallas, it was fantastic. Just enough breaks in the clouds to get the full effect.
#5
Forum Lobby / Re: Perpetual Weekend Thread
April 03, 2024, 09:08:09 AM
Did my taxes today and got a noice refund because of solar panels.  :smug:

That will pay off some other home improvements at higher interest rates and I get a snowball running that way. (SNOWBALL: taking what was paid for one account that is closed out and applying it to the next one. Start with highest interest rates and work down. Best benefit is on accounts where paying off the principal early reduces total interest paid.)
#6
Forum Lobby / Re: Perpetual Weekend Thread
April 02, 2024, 09:46:24 AM
Gonna epic gravedig and just make this thread about stuff and things in general.

Big storm here last night; I'm all right, as are my family and property. But it was a big ol' line of thunderstorms, I tell you what!

Taking a pair of sick days because I'm feeling run down from the last few weeks of travel and work and not having enough time for rest.
#7
We had gig speeds on PCs 10 years ago. Yours should be fine - it's not the processor that limits speed.

Your Internet provider would have you test speed directly from the modem, with no device in between.

For my Internet, I'm getting 600-700 Mbps down and 30-40 up, as it's cable internet. If you are on fiber it should be very close to 1Gbps up and down UNLESS there are lots of other households sharing the line. If you get faster speeds when everyone in your neighborhood is asleep, then you have a shared connection that impacts performance.
#8
If you know the external IP address ranges you'll use for your logins, that makes it much more secure if they're the only ones you permit to make a VPN connection from.

Setting up the Frontier router should be something in the user guide for the equipment; it would likely be in the user interface under "security" or "networking". There may also be a help file on their website on how to do it, as it's a common ask for things like gaming and media servers.
#9
Do you need full access on all ports or do you only need access for a specific function? For example, is this Mac Mini performing a wide range of functions, or do you only need to use it as a file share?

This can provide an additional layer of security if you lock off access on areas you don't need to use.

The diagram looks good, assuming it's home use, so you won't need commercial-grade gear for the setup. With that in mind, will the manufacturer keep the gear up to date with updates? That will be important for the sake of security.

You'll also need the ability to set up a VPN to the VPN router, which means opening up inbound ports on the modem - and that means the ports are open for the entire world. If there is an ability to authenticate with multi-factor authentication in order to open up the ports, that would be preferable.
#10
Give all the offices a /24 like 10.0.1.X, 10.0.2.X,... 10.0.17.X.

Internal servers should also be divided. Then only the admin/finance have access to admin/finance server resources in the ACL. Instead of an ACL, another method is to use identity-based security with a tool like CyberArk, Okta, or something similar. Make sure you have multi-factor authentication in place, as username/password is barely any security at all.

Yes, better the Fortinet than the Cisco for DHCP.
#11
Segmentation is done for two reasons - network traffic distribution and security.

Having separate offices in their own VLANs provides a level of organization in knowing which location is where based on IP address. IPv4 is easier to read than IPv6, but both can be managed to make human-readable address ranges. However...

... different device types have different security considerations. Printers and IoT devices are not as well-managed as PCs, typically, and present a two-way security risk. They can host malware that one does not have tools to remove other than a complete factory reset - or in some cases, replacement - and are also vulnerable to malware coming at them from more resilient PCs. One can also argue that such devices should have zero or limited Internet connectivity to complete their functions. In such cases, having those devices on their own VLAN means that the security of those VLANs can be managed.

Combining the two means separate VLANs for different devices at all locations, which may be impractical for smaller locations. In such a case, a microsegmentation solution that works with the firewall would be appropriate for handling different device types. That means getting a visibility solution into the picture and a lot more complexity than the first questions you ask. :)

So let's answer those questions from a routing and switching perspective and set aside the security. The L3 router is where I would have the VLANs created and live. For DHCP, I would get it off of the firewall and stand up a separate group of servers to provide resilience and better flexibility for DHCP service. DO NOT RUN DHCP ON PRODUCTION CISCO GEAR. Even Cisco advises against doing so.
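The office-per-/24 plan and the admin/finance ACL from the two posts above, worked through as an added example (my code, not the poster's). The office count, the two server subnets, and which offices hold admin/finance staff are constructed values.

```python
"""One /24 per office, separate server subnets, and a default-deny ACL that
only lets admin/finance offices reach the admin/finance servers."""
from ipaddress import IPv4Network, ip_address

# One /24 per office: 10.0.1.0/24 ... 10.0.17.0/24 (17 offices, constructed count).
OFFICES = {f"office-{n}": IPv4Network(f"10.0.{n}.0/24") for n in range(1, 18)}

# Internal servers divided into their own subnets (constructed values).
SERVERS = {
    "general-servers": IPv4Network("10.0.100.0/24"),
    "admin-finance-servers": IPv4Network("10.0.101.0/24"),
}

# Offices that house admin/finance staff (constructed assumption).
ADMIN_FINANCE_OFFICES = {"office-1", "office-2"}

# ACL as an ordered list of (src, dst, action); first match wins.
ACL = [(OFFICES[o], SERVERS["admin-finance-servers"], "permit")
       for o in sorted(ADMIN_FINANCE_OFFICES)]
ACL += [(net, SERVERS["general-servers"], "permit") for net in OFFICES.values()]
# Explicit catch-all so the default deny is visible in the rule set itself.
ACL.append((IPv4Network("0.0.0.0/0"), IPv4Network("0.0.0.0/0"), "deny"))


def office_of(addr):
    """Return the office name a source IP belongs to, or None if unassigned."""
    ip = ip_address(addr)
    return next((name for name, net in OFFICES.items() if ip in net), None)


def acl_decision(src, dst):
    """Evaluate the ACL top-down and return 'permit' or 'deny'."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net, action in ACL:
        if s in src_net and d in dst_net:
            return action
    return "deny"  # unreachable thanks to the catch-all, kept as a safety net


if __name__ == "__main__":
    print(office_of("10.0.17.25"))                 # office-17
    print(acl_decision("10.0.1.10", "10.0.101.5"))  # permit: admin/finance office
    print(acl_decision("10.0.9.10", "10.0.101.5"))  # deny: other office to finance server
    print(acl_decision("10.0.9.10", "10.0.100.5"))  # permit: general server
    print(acl_decision("10.0.9.10", "10.0.2.50"))   # deny: office to office
```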
#12
Any time those breach announcements come out, we need to have HOW that breach happened.
#13
Secure file transfer: that's where you have a system where USB drives are created and tagged with the secure file transfer system, then they are checked in at a kiosk prior to installation on the endpoint. If the endpoint has an interactive OS, the kiosk can be a service running locally that blocks untagged USBs or tagged USBs whose contents don't match the file manifest. For headless devices, a hardware kiosk would serve that function at the entry point to the secured area.
#14
Wireless / Re: Wireless AP upgrade
March 04, 2024, 05:48:35 PM
Wait, so you don't want to use your neighbor's wireless? I'm confused...  :smug:
#15
The answer is that yes, we do both. If all we had was one switch, everything would be end-to-end and no more. But because we can't connect everything to one switch and because we don't necessarily want all traffic in an organization going to every other endpoint in the organization, we have multiple switches with multiple subnets to control traffic. And even if we did want that, the fact that electrical signals only travel so far before they need to be repeated means that for network traffic to span distances such as across a large campus or between cities or nations, we will need multiple devices to carry the signal, each acting as hops.

To get traffic from one subnet to another, we need to know which route to take. Because the route will traverse multiple devices, we will need to determine the hops that will collectively form the end-to-end route. When we consider the billions of devices connected to networks with Internet access, we need to have methods of summarizing how traffic moves locally, to indicate if the traffic will stay in our organizational networks or go out across the Internet.
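The hop-by-hop route selection described in the post above, as an added example (my code, not the poster's): each device does a longest-prefix match on its own table, a summary route keeps internal traffic inside the organization, and the default route sends everything else toward the Internet. The device names, prefixes and next hops are constructed.

```python
"""Walk a packet hop by hop through per-device routing tables using
longest-prefix match, and report whether it stays internal."""
from ipaddress import ip_address, ip_network

# Per-device tables (constructed). Entries are (prefix, next_hop, interface);
# a next_hop of None means the destination network is directly connected.
TABLES = {
    "branch-9": [
        ("10.0.9.0/24", None, "vlan9"),        # this office's own subnet
        ("10.0.0.0/16", "core", "uplink"),     # summary: all internal space via core
        ("0.0.0.0/0", "core", "uplink"),       # default: Internet also via core
    ],
    "core": [
        ("10.0.9.0/24", "branch-9", "to-branch-9"),
        ("10.0.101.0/24", None, "server-vlan"),
        ("0.0.0.0/0", "isp", "internet"),      # hand off to the provider
    ],
}


def longest_match(table, dst):
    """Most specific route whose prefix contains dst, or None if no route."""
    ip = ip_address(dst)
    matches = [r for r in table if ip in ip_network(r[0])]
    return max(matches, key=lambda r: ip_network(r[0]).prefixlen, default=None)


def path(start, dst, max_hops=8):
    """Hop list until a device delivers locally, hands off externally, or drops."""
    hops, device = [], start
    for _ in range(max_hops):
        route = longest_match(TABLES[device], dst)
        if route is None:
            return hops + [(device, "no route: drop")]
        prefix, nh, iface = route
        if nh is None:
            return hops + [(device, f"deliver on {iface} ({prefix})")]
        hops.append((device, f"forward to {nh} via {iface} ({prefix})"))
        if nh not in TABLES:                   # next hop is not one of our devices
            return hops + [(nh, "outside our network")]
        device = nh
    return hops + [(device, "hop limit reached: possible loop")]


def stays_internal(start, dst):
    """True when the path ends on one of our devices rather than at the ISP."""
    return path(start, dst)[-1][1] != "outside our network"


if __name__ == "__main__":
    for dst in ("10.0.9.44", "10.0.101.5", "8.8.8.8"):
        print(dst, stays_internal("branch-9", dst), path("branch-9", dst))
```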