CarForumPoster
Jun 26, 2013

⚡POWER⚡
Short version: What are the best resources for learning networking/network security so I can be confident I’ve made our shop as secure as practicable? Happy to invest 40-120 hours.

Longer: I’m a Mech e and self taught programmer who set up our office network by googling each setting in the router and choosing the more secure one, blocking internet on any copiers/IoT. I’ve got a few hundred hours of wrangling various AWS connections but again all through Google.

Needs are changing, I'm switching us to a UniFi Dream Router (the current router's last firmware update was 2020) and the settings are more complicated than I can feel comfortable setting, plus we need to add some insecure IoT devices behind Home Assistant.

I've watched YouTube tutorials on setting up VLANs with UniFi and am comfortable-ish with Kali/nmap to see what's publicly open (only a VoIP port from the ISP) but feel like I don't understand the base concepts to ensure insecure devices aren't tunneling out/phoning home. I want to make sure the Home Assistant RPi is the only IoT device that can talk to the internet or scan the IoT network, and that each of the IoT devices is treated as local access only, and only from the Home Assistant.

So, what should I study to make sure this is set up correctly?

CarForumPoster fucked around with this message at 14:28 on Oct 20, 2023


unknown
Nov 16, 2002
Ain't got no stinking title yet!


First question(s) is always "What's your budget (total)" and "what's your budget (ongoing/per user)".

Assuming it's as close to zero/zero as you can (as this is the SMB thread), it's always a case of making sure your OS/software is constantly being updated (auto update is preferred) and standardize as much as possible.

Firewalls are really just a way of cutting down the crap from the internet with a filter, as realistically you'll get nailed by someone downloading a malicious PDF or hitting a website that pops up an alert saying they've been hacked and call 1-800-gently caress-you with their credit card. All this is basically the ITsec way of saying "secure the endpoints". You can spend lots on more powerful firewalls, but for the average office, the firewall/router provided by the ISP is just as good as the next one (until you get into content inspection, which has its own issues), and they really just have extra features/better web interfaces.

If you have ongoing budget, and a windows house - look into MS365 business premium, which'll include all your email hosting and the upgraded security packages from microsoft. Also, if you do have an incident, you can get ahold of one of many MSPs and it's an interface that they already know and should be used to unfucking fairly quickly.

unknown fucked around with this message at 14:56 on Oct 20, 2023

CarForumPoster
Jun 26, 2013

⚡POWER⚡
Good point. We auto-update, use LastPass, use Rippling to manage devices (which handles a few things like BitLocker and device management), and have a bunch of mail rules that do a decent job of blocking the bulk of those types of emails, but stuff still gets through.

Thank you for the MS365 Premium tip. We use 365 Business Standard currently; it looks like Business Premium is less than $10/user/mo so that's certainly an option. Our users are mostly remote but we have some OneDrive files that sync, so there's still a vector in once one gets infected.

That said I still wanna learn the details of networking/network security. The “IoT” is part of a machine and is known to have glaringly bad CVEs. Still, certain notifications/data need to be sent out over the internet and we’re gonna use home assistant to do that, so going to network school is still a prime option.

unknown
Nov 16, 2002
Ain't got no stinking title yet!


For IoT devices - create a VLAN for the devices, and in the wifi setup of the new SSID you should be able to turn on device isolation so that data can only go out to the network (i.e. the router) and they can't see other wifi devices. (Basically the same as you'd do for a wifi guest network.)

365Premium is a massive step up in features - you even get intune for managing endpoints and things like on the fly link checking and all those goodies. Basically replacing your rippling IT setup (as I see it integrates with HR, so maybe you can't). That being said, it can be complicated as hell since it scales to enterprise levels/sizes.

For general education: best I've seen for free learning is videos on youtube - search for whatever specific software/scenarios (like intune) - there's a ton of educational ones there, but watch out that many "age out" as it can be for older versions of the software.
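The segmentation described in this thread (IoT VLAN, only the Home Assistant host allowed out to the internet or across to other devices, staff LAN left alone) is easy to get subtly wrong when you type it into a router's first-match rule list. The following is an added example, not anything from the thread posters or from UniFi's own configuration: a small policy-as-code evaluator that models an ordered "LAN In" style rule list and audits it against the stated intent. All subnets and addresses are constructed assumptions; the rules are Layer 3 only, so traffic between two devices on the same IoT VLAN still needs the SSID client-isolation setting mentioned above.

```python
"""Toy first-match firewall policy evaluator for checking an IoT segmentation
design before committing it to a router. Added example; the addressing plan and
rule set below are constructed, not taken from any real network or product."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List

# Constructed addressing plan (assumption, not from the thread):
LAN = ip_network("10.0.10.0/24")     # staff devices
IOT = ip_network("10.0.20.0/24")     # untrusted IoT VLAN
HA = ip_address("10.0.20.5")         # Home Assistant Pi, placed on the IoT VLAN
HA_HOST = ip_network(f"{HA}/32")
ANY = ip_network("0.0.0.0/0")


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    established: bool = False  # reply traffic for a session the other side opened


@dataclass
class Rule:
    action: str                # "allow" or "drop"
    src: IPv4Network
    dst: IPv4Network
    established_only: bool = False
    note: str = ""

    def matches(self, f: Flow) -> bool:
        if ip_address(f.src) not in self.src or ip_address(f.dst) not in self.dst:
            return False
        # An "established only" rule never matches a brand-new connection.
        return f.established or not self.established_only


# Ordered like a router's "LAN In" rule list: first match wins, implicit drop at the end.
# Note there is deliberately no rule allowing IOT -> ANY: that is what keeps the
# IoT devices from phoning home while still letting HA send notifications out.
POLICY: List[Rule] = [
    Rule("allow", HA_HOST, ANY, note="HA may reach IoT peers and the internet"),
    Rule("allow", IOT, HA_HOST, note="IoT devices may talk to HA (MQTT, local APIs)"),
    Rule("allow", LAN, ANY, note="staff LAN unrestricted, including the HA UI"),
    Rule("allow", IOT, LAN, established_only=True, note="replies to LAN-initiated sessions"),
]


def evaluate(f: Flow) -> str:
    """Return the action of the first matching rule, or 'drop' if none match."""
    for rule in POLICY:
        if rule.matches(f):
            return rule.action
    return "drop"


def audit() -> List[str]:
    """Check POLICY against the intended design; returns the list of violated intents.
    Addresses are constructed; 203.0.113.10 is a documentation (TEST-NET-3) address."""
    checks = [
        (Flow("10.0.20.77", "203.0.113.10", 443), "drop", "IoT device must not reach the internet"),
        (Flow("10.0.20.77", "10.0.10.15", 445), "drop", "IoT device must not open sessions to the staff LAN"),
        (Flow("10.0.20.77", str(HA), 1883), "allow", "IoT device may talk to HA"),
        (Flow(str(HA), "203.0.113.10", 443), "allow", "HA may send notifications to the internet"),
        (Flow(str(HA), "10.0.20.77", 80), "allow", "HA may poll IoT devices"),
        (Flow("10.0.10.15", str(HA), 8123), "allow", "staff may open the HA UI"),
        (Flow("10.0.20.77", "10.0.10.15", 54321, established=True), "allow", "replies to staff-initiated sessions"),
    ]
    return [intent for flow, want, intent in checks if evaluate(flow) != want]


if __name__ == "__main__":
    problems = audit()
    print("policy OK" if not problems else "violations: " + "; ".join(problems))
```

Running it prints `policy OK`; reordering the rules, or adding a tempting `Rule("allow", IOT, ANY)` "to make the smart plugs work", makes `audit()` report exactly which intent broke. The same idea scales to a real deployment: keep the intended invariants as a list of test flows and re-check them whenever the rule list changes.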

Count Thrashula
Jun 1, 2003

Death is nothing compared to vindication.
Buglord
We are merging with another company, and for the first year or so we'll be working as two separate 365 tenants (for business reasons or whatever, I dunno, that's above me).

I know Microsoft has a preview feature called "multi-tenant organization" which would be perfect for us to avoid all the headaches of Teams/Sharepoint/Office sharing between the two halves of our org. But the C-levels are against using something that's in "preview" channel. Is there anything else I have as options for Teams and Sharepoint and file collaboration?

I know of:
- Shared Teams
- Exchange free/busy time sharing

But like... that's not much. Sorry if all that is a little vague, but I'm just trying to do some info gathering, but the Microsoft docs are a little sparse or circuitous.

Thanks Ants
May 21, 2004

#essereFerrari


B2B Direct Connect is GA

https://learn.microsoft.com/en-us/entra/external-id/b2b-direct-connect-overview

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

Waiting for gov cloud support.

Count Thrashula
Jun 1, 2003

Death is nothing compared to vindication.
Buglord
Another dumb question, but Google is showing me lots of unrelated stuff.

User had jdoe@company1.com, and now has jdoe@company2.com (both on separate O365 tenants). User wants all of their emails/folders/etc. copied over to the new email address, is there a way (or a recommended tool) to do that on the backend? This is the least tech-savvy person I've ever met, so walking them through backing up a PST isn't really an option, and they do everything through OWA. :geno:

Submarine Sandpaper
May 27, 2007


I would not aid someone in extracting their old company data. That is something that should be provided by the old company if he has rights to it.

Otherwise a migration tool that has the correct permissions. I forgot if user level access can work for a single mailbox or if you need exchange impersonation.

The Fool
Oct 16, 2003


Count Thrashula posted:

Another dumb question, but Google is showing me lots of unrelated stuff.

User had jdoe@company1.com, and now has jdoe@company2.com (both on separate O365 tenants). User wants all of their emails/folders/etc. copied over to the new email address, is there a way (or a recommended tool) to do that on the backend? This is the least tech-savvy person I've ever met, so walking them through backing up a PST isn't really an option, and they do everything through OWA. :geno:

If they have current access to both accounts, they can add them both to outlook and move stuff around to their hearts content.


but, this

Submarine Sandpaper posted:

I would not aid someone in extracting their old company data. That is something that should be provided by the old company if he has rights to it.

Count Thrashula
Jun 1, 2003

Death is nothing compared to vindication.
Buglord
Oh, to be clear, my company bought the other company, so I have 365 admin creds on both sides, and we own the data/domains on both sides.

Thanks Ants
May 21, 2004

#essereFerrari


Give money to Migrationwiz and let them handle it, it's a great product

Submarine Sandpaper
May 27, 2007


3 years ago that'd be like a 10 buck license for a single mailbox and probably hasn't climbed much. Well worth not having to deal with anything. If company won't give 10 bucks the user can't be helped.

Count Thrashula
Jun 1, 2003

Death is nothing compared to vindication.
Buglord
Hell yeah that looks perfect. I'd even pay 10 bucks out of my own pocket to not have to deal with it.

Thanks Ants
May 21, 2004

#essereFerrari


I get this is just a figure of speech but don't do that, everything the company wants the company can pay for

Cardiac
Aug 28, 2012

So I need a SSO option to connect our AD to a lab notebook located on AWS.
Our local network has no external exposure except a VPN port.
Our local IT shop just set us up with a new server for Veeam and I thought I would also use the server as an ADFS server, which was one of the supported options for the notebook. However, after some time configuring the ADFS server I kinda realised I would need to expose a proxy server to the internet.
Anyone have any experience with my other options, which are Okta or OneLogin (in theory Azure as well, but my boss hates Microsoft with a passion and of course we are a Mac company)?

Btw anyone used Veeam as an alternative option to Timemachine (which doesn’t scale well with the number of users)?

dexter6
Sep 22, 2003
I recently learned about a new thing from Microsoft called "Incident Response Retainer".

From this video, it seems like you pay a regular amount and if you don't use it, you get some proactive advice on how to manage security.

I also found this blog post and this website.

This seems like an interesting thing for a small organization like mine, so I was trying to find pricing. But, I could not.

I opened a support ticket with Microsoft and they pointed me to this link, with a filter applied.

I am so confused - did Microsoft release a "product" that is really just a professional service that other MSPs offer? Or am I missing something?

Tapedump
Aug 31, 2007
College Slice
Help settle a bet.. Can FreePBX take an inbound call from an external number and have someone be able to transfer that call to an external number (cell phone for service people in the field).

Anyone done this without using a soft phone ext on their cell phones?

Just looking for a high level prove/disprove. Thank you

Thanks Ants
May 21, 2004

#essereFerrari


Every PBX will be able to do a transfer using a shortcode if someone can’t install an app or doesn’t want to use one.

A mobile phone is a horrible device to use if people are expected to be transferring calls regularly though.

unknown
Nov 16, 2002
Ain't got no stinking title yet!


Yes it can be done. Freepbx defaults make it a bit of a pain to do for security reasons though.

wolrah
May 8, 2006
what?
Absolutely trivial. Press transfer on the phone, dial the destination number. I have no idea why anyone would ever think otherwise, much less take it to a bet.

unknown posted:

Yes it can be done. Freepbx defaults make it a bit of a pain to do for security reasons though.
You might be thinking of DISA, allowing callers to dial their own outside calls, which isn't even installed by default AFAIK and IIRC requires a passcode be configured for obvious security reasons. Transferring or forwarding calls to outside numbers "just works" in a default FreePBX install and has as long as I've ever used it.

Tapedump
Aug 31, 2007
College Slice
Thank you all, and you'll have to forgive the question. The disbelief on behalf of one of our.. engineers was that they didn't think it was possible due to errors on the FreePBX instance they were playing with.

... Turns out, "insuffcient_callpath" means exactly that. They'd only one channel.

Good lord. Thank you all for the quick validation. This person won't be in charge of this project going forward, thank heavens.

Sixfools
Aug 27, 2005

You be the Moon,
I'll be the Earth
And when we burst
Start over, oh, darling
Are airconsole devices from https://www.get-console.com/shop/ reliable? It's hard to find much information about them but we're looking at trying out one of the 4 port models as they seem to fit our need

IUG
Jul 14, 2007


Any recommendations for ticketing software that's open source and preferably free? My company (20 people onsite, 30 offsite) uses a combination of two programs that have their pluses, but the minuses are starting to outweigh them:

SolarWind's WebHelpDesk:
+ Great UI
+ Can add parts and labor times to tickets very easily, in case of sending charges to clients.
- Pain in the rear end to update (we're using a custom image in a Kubernetes setup)
- Company is under SEC review.

Request Tracker:
+ Free
- God the UI sucks.
- Hard to search for a ticket.
- God the UI sucks.
- Is it even really maintained anymore?

So basically I want everyone on the same ticketing software. From stuff that deals with clients, tickets for the software developers/Infrastructure people to put their work into, and a way to tally up hours/replacement parts for billing. Inventory management would be a huge plus, and reports. There's a lot of options out there, so it's a bit overwhelming, and I don't know which one would have all the features we need.

The Fool
Oct 16, 2003


Freshdesk

ziasquinn
Jan 1, 2006

Fallen Rib
We use Accelo and its UI sucks poo poo and it's slow as gently caress.

It also is bad at searching sometimes and wants exact strings and it takes forever to populate the ticket with request info when creating or merging tickets together (which merging is done unintuitively)

CloFan
Nov 6, 2004

I have a colleague that really likes Zammad for ticketing. Ditched the paid freshdesk for it, but they were having money troubles

Albinator
Mar 31, 2010

We use Freshdesk, because it does simple ticketing well and is affordable. This is without the ITSM stuff you can get as an add-on and we're OK with using other tools for internal development efforts, so it might not be what you're looking for. Stay the gently caress away from Sysaid.

Thanks Ants
May 21, 2004

#essereFerrari


If I ever worked somewhere that moved off Freshdesk because the price was too high then I'd be desperately finding a new job before I learnt that I wasn't getting paid that month.

CloFan
Nov 6, 2004

Lol that literally happened, furloughed for two days out of every week for about 4 months. It was more of a case of having to move off because finance ain't paying the bills, so that they could make payroll.

It's a little better now

YarPirate
May 17, 2003
Hellion

Sixfools posted:

Are airconsole devices from https://www.get-console.com/shop/ reliable? It's hard to find much information about them but we're looking at trying out one of the 4 port models as they seem to fit our need

We have used these a few times. The wifi broadcast range wasn't very great, like the server room is across from my office and separated only by plexiglass window, maybe 15 feet of travel... and it was dropping quite a few packets and had to be reconnected a few times.

On the other hand it beats having to bring a laptop into the server room to hook up a console cable, so overall I was glad to have it.

wolrah
May 8, 2006
what?

YarPirate posted:

We have used these a few times. The wifi broadcast range wasn't very great, like the server room is across from my office and separated only by plexiglass window, maybe 15 feet of travel... and it was dropping quite a few packets and had to be reconnected a few times.
If only it were easy to find ethernet in a server room, but alas...

Sixfools
Aug 27, 2005

You be the Moon,
I'll be the Earth
And when we burst
Start over, oh, darling

YarPirate posted:

We have used these a few times. The wifi broadcast range wasn't very great, like the server room is across from my office and separated only by plexiglass window, maybe 15 feet of travel... and it was dropping quite a few packets and had to be reconnected a few times.

On the other hand it beats having to bring a laptop into the server room to hook up a console cable, so overall I was glad to have it.

Ah thanks for the info, it's good to know people have used them. I don't think distance should be an issue as we're planning on using the multi-port device server model with a Cradlepoint LTE connection on the rack for out of band management to some Cisco C1000s and PA firewalls at remote locations. I know Opengear is the real answer to what we need but budgets are tight currently.

tomanton
May 22, 2006

beam me up, tomato
Sorry if this was better off in the general questions megathread but what's the best way to go about getting an SSL Certificate (organization-level validation probably, we have lead-capturing features) for a single-domain website? GoDaddy looked reasonably-priced but there also seems to be a gazillion free(?) options my boss wants me to check into. We're on WordPress hosted on Google cloud. Is paying for SSL a scam or is free too good to be true?

Internet Explorer
Jun 1, 2005





If you can use LetsEncrypt you should. Otherwise, they are more or less all the same.

Wizard of the Deep
Sep 25, 2005

Another productive workday
Yea, WordPress should be able to do LetsEncrypt either natively or via a plugin or possibly a GCP component.

If you actually need full OV, the only difference between tier 1 providers is price.

LetsEncrypt functionally requires automation, so follow that path instead of dropping out and moving on as soon as you have a cert. LE certs are only valid for 90 days, and expect quick rotation.

tomanton
May 22, 2006

beam me up, tomato
Thanks very much. One of the options we were considering included LetsEncrypt so I can confidently go ahead with that.. once we get the site off Debian 8 which apparently lost support three years ago. Little by little I'll discover everything that needs doing to get this website back in business.

bolind
Jun 19, 2005



Pillbug
Hey dumb question re: internet connections: we might end up in a situation where we would benefit from a big fat pipe to GCP. Option 1 is of course to just call up local ISP and price out a 10Gbit fiber connection, but what does one need to ask about if we're interested in specific guaranteed speed to the big cloud players?

Thanks Ants
May 21, 2004

#essereFerrari


At that sort of level they should be more than happy to talk about peering links and the capacity they have on them.

If you’re buying 10Gb and want that capacity into GCP then you probably also want your provider to be doing Partner Interconnect rather than having everything treated as internet traffic.

Thanks Ants fucked around with this message at 10:42 on Jan 9, 2024


Beve Stuscemi
Jun 6, 2001




Dear small shop computer inventory Janitors: I'm looking for some software to keep track of a very simple inventory, namely, a whole bunch of computers, and some basic information on them, such as:

-An automatically incrementing inventory number
-The device serial number
-The device description
-The hard drive serial number
-A freehand notes section.

Now, I know this could be knocked together in Microsoft Access (it's currently being tracked in a very unwieldy Excel sheet), but I'd like it to be something web-based if possible (either cloud or self-hosted), and have either an Android app, or work well on Android in the browser. I have some Zebra scanners that I am using to do inventory that run Android 8.1 (I believe). In an ideal world, I'd like to just be able to load an app/webpage, scan the computer's barcode or QR code to fill in the serial number, same with the hard drive, and I can either speech-to-text the description and notes, or type them in on the Android keyboard. Right now I'm fighting my way through the aforementioned unwieldy spreadsheet on the tiny Zebra screen in Office 365 online. It works but it's tough.

This is a small project, so the cheaper the better.

Any suggestions?
